Privacy Policy

Effective: May 3, 2026

This Privacy Notice for Quan Ho (doing business as Salwa) ("we," "us," or "our"), describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you:
  • Download and use our mobile application (Salwa), or any other application of ours that links to this Privacy Notice
  • Use Salwa. Salwa is an iOS mindfulness app designed to support emotional processing through intentional reflection. The app guides users through a structured practice: write a brief reflection about something they are holding onto, sit with it during a 90-second meditative breathing session, then make a deliberate choice to release or hold the reflection. Reflections that are released are permanently deleted. No text is retained after release. Reflections that are held are stored temporarily in the user's personal practice space, with a maximum of seven held at one time. The app tracks a user's emotional practice over time, including reflection frequency, emotion tags selected, and release history. This data is used solely to display the user's own practice history within the app. Salwa does not analyze, share, or sell this data to third parties. The app offers optional account creation via Apple Sign-In or Google Sign-In to enable data sync across devices. Users may also use the app without signing in, in which case all data is stored locally on the device.
  • Engage with us in other related ways, including any marketing or events

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at hello@salwaspace.com.

SUMMARY OF KEY POINTS

This summary provides key points from our Privacy Notice. You can find more details by using the table of contents below.

What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services.

Do we process any sensitive personal information? Salwa collects emotion tags (words you select to label your emotional state, such as "anxious," "grief," or "joy"). These tags are health-adjacent in nature. They are stored in association with your account to display your own practice history. They are not end-to-end encrypted, but they are never sold, shared with advertisers, or used for any purpose beyond displaying your personal history within the app. We do not collect biometric data, precise health records, or any information requiring sensitive classification under most state or federal privacy laws.

Do we collect any information from third parties? We do not collect any information from third parties.

How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We process your information only when we have a valid legal reason to do so.

How do we keep your information safe? Saved Moments are encrypted on your device before storage using AES-256 encryption. We cannot read the content of your saved Moments. Released reflections are permanently deleted. No electronic transmission can be guaranteed 100% secure.

What are your rights? Depending on where you are located, the applicable privacy law may mean you have certain rights regarding your personal information.

How do you exercise your rights? By submitting a data subject access request, or by contacting us. We will consider and act upon any request in accordance with applicable data protection laws.


1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us

In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

Personal Information Provided by You. The personal information we collect may include the following:
  • Email address. Collected when you register via Apple Sign-In or Google Sign-In.
  • Reflection text (user-generated content). Text you write during the reflection practice. Reflections you choose to save as Moments are encrypted on your device using AES-256 encryption before being transmitted or stored on our servers. The encryption key lives in your device's secure iOS Keychain; we cannot read the content of your saved Moments even with full database access. Reflections you choose to release are permanently and irrevocably deleted — no copy is retained anywhere.
  • Emotion tags. Short descriptive words (e.g., "anxious," "grief," "joy") you select to label your emotional state during a session. Emotion tags are stored in association with your account to power your in-app practice history. Unlike reflection text, emotion tags are not end-to-end encrypted. They are never shared with third parties or used for advertising.
  • Practice history metadata. Dates, session counts, release/hold outcomes — used solely to display your own history within the app.

Information We Do Not Collect. We do not collect, request access to, or process the following:
  • Precise or approximate location data
  • Contacts, phone numbers, or address book data
  • Microphone or camera input of any kind
  • Photos or media from your device library
  • Apple Advertising Identifier (IDFA) or any advertising identifier
  • Apple HealthKit data or any health platform data
  • Browsing history outside the app
  • Face ID or fingerprint biometric data

Sensitive Information. Salwa does not collect information that meets the legal definition of "sensitive personal information" under most US state privacy laws (e.g., precise geolocation, racial or ethnic origin, biometric identifiers, financial account numbers, health records in the clinical sense). Emotion tags, while emotionally personal, do not constitute protected health information under HIPAA or equivalent standards. See the Summary of Key Points above for how we treat emotion tags.

Payment Data. We may collect data necessary to process your payment if you choose to make purchases, such as your payment instrument number and the security code associated with your payment instrument. All payment data is handled and stored by Apple Inc. You may find their privacy notice here: https://www.apple.com/legal/privacy/.

Social Media Login Data. We may provide you with the option to register with us using your existing social media account details. If you choose to register in this way, we will collect certain profile information about you from the social media provider, as described in the section HOW DO WE HANDLE YOUR SOCIAL LOGINS? below.

Application Data. If you use our application(s), we also may collect the following information if you choose to provide us with access or permission:
  • Mobile Device Data. We automatically collect device information (such as your mobile device ID, model, and manufacturer), operating system, version information and system configuration information, device and application identification numbers, browser type and version, hardware model, Internet service provider and/or mobile carrier, and Internet Protocol (IP) address.
  • Push Notifications. We may request to send you push notifications regarding your account or certain features of the application(s). If you wish to opt out from receiving these types of communications, you may turn them off in your device's settings.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

Information automatically collected

In Short: Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit our Services.

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.

The information we collect includes:
  • Log and Usage Data. Log and usage data is service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our Services and which we record in log files.
  • Device Data. We collect device data such as information about your computer, phone, tablet, or other device you use to access the Services.

Google API

Our use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

2. HOW DO WE PROCESS YOUR INFORMATION?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:
  • To facilitate account creation and authentication and otherwise manage user accounts. We may process your information so you can create and log in to your account, as well as keep your account in working order.
  • To deliver and facilitate delivery of services to the user. We may process your information to provide you with the requested service.
  • To respond to user inquiries/offer support to users. We may process your information to respond to your inquiries and solve any potential issues you might have with the requested service.
  • To send administrative information to you. We may process your information to send you details about our products and services, changes to our terms and policies, and other similar information.
  • To fulfill and manage your orders. We may process your information to fulfill and manage your orders, payments, returns, and exchanges made through the Services.
  • To save or protect an individual's vital interest. We may process your information when necessary to save or protect an individual's vital interest, such as to prevent harm.

3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION?

In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason to do so under applicable law.

If you are located in the EU or UK, this section applies to you.

The GDPR and UK GDPR require us to explain the valid legal bases we rely on in order to process your personal information. We may rely on the following legal bases:
  • Consent. We may process your information if you have given us permission to use your personal information for a specific purpose. You can withdraw your consent at any time.
  • Performance of a Contract. We may process your personal information when we believe it is necessary to fulfill our contractual obligations to you.
  • Legal Obligations. We may process your information where we believe it is necessary for compliance with our legal obligations.
  • Vital Interests. We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party.

If you are located in Canada, this section applies to you.

We may process your information if you have given us specific permission (express consent) to use your personal information for a specific purpose, or in situations where your permission can be inferred (implied consent). You can withdraw your consent at any time.

In some exceptional cases, we may be legally permitted under applicable law to process your information without your consent, including, for example:
  • If collection is clearly in the interests of an individual and consent cannot be obtained in a timely way
  • For investigations and fraud detection and prevention
  • For business transactions provided certain conditions are met
  • If it is contained in a witness statement and the collection is necessary to assess, process, or settle an insurance claim
  • For identifying injured, ill, or deceased persons and communicating with next of kin
  • If we have reasonable grounds to believe an individual has been, is, or may be a victim of financial abuse
  • If it is reasonable to expect collection and use with consent would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province
  • If disclosure is required to comply with a subpoena, warrant, court order, or rules of the court relating to the production of records
  • If it was produced by an individual in the course of their employment, business, or profession and the collection is consistent with the purposes for which the information was produced
  • If the collection is solely for journalistic, artistic, or literary purposes
  • If the information is publicly available and is specified by the regulations
  • We may disclose de-identified information for approved research or statistics projects, subject to ethics oversight and confidentiality commitments

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

In Short: We may share information in specific situations described in this section and/or with the following third parties.

Vendors, Consultants, and Other Third-Party Service Providers. We may share your data with third-party vendors, service providers, contractors, or agents who perform services for us or on our behalf. We have contracts in place with our third parties designed to help safeguard your personal information.

The third parties we may share personal information with include:
  • Allow Users to Connect to Their Third-Party Accounts — Google account (via Google Sign-In). Apple account (via Apple Sign-In).
  • Cloud Computing Services and Database: Supabase (data storage and authentication infrastructure). User account data, encrypted Moments, and emotion tags are stored on Supabase servers located in the United States. Supabase's privacy policy is available at https://supabase.com/privacy.
  • User Account Registration and Authentication — Google Sign-In (Google LLC) and Apple Sign-In (Apple Inc.).
  • Crash Reporting and App Stability: Firebase Crashlytics (Google LLC). When the app crashes or encounters a critical error, Crashlytics automatically collects a crash report containing: the device model and iOS version, a stack trace (code path that led to the crash), a randomly-generated Crashlytics installation identifier, your Supabase account identifier (a UUID assigned when you create an account, used to correlate crash reports with a specific account for debugging), and the time and date of the crash. Crashlytics does not collect your name, email address, reflection content, or emotion tags. Crash reports are used solely to identify and fix bugs. Firebase Crashlytics privacy information is available at https://firebase.google.com/support/privacy.
  • Payment Processing: Apple Inc. (via the App Store and StoreKit). All subscription purchases and payment processing are handled entirely by Apple. We do not receive or store your payment card number, billing address, or any other payment instrument details. See Apple's privacy policy at https://www.apple.com/legal/privacy/.

We also may need to share your personal information in the following situations:
  • Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.

5. HOW DO WE HANDLE YOUR SOCIAL LOGINS?

In Short: If you choose to register or log in to our Services using a social media account, we may have access to certain information about you.

Our Services offer you the ability to register and log in using your existing Apple or Google account.

Apple Sign-In. When you use Sign in with Apple, Apple authenticates your identity and provides us with a unique stable identifier and an email address (or a private relay email address if you choose "Hide My Email"). If you choose Hide My Email, Apple generates an anonymous relay address (e.g., randomstring@privaterelay.appleid.com) that forwards messages to your real inbox. We store and use this relay address exactly as we would a normal email address — to identify your account and send transactional communications if needed. We do not attempt to resolve or identify your real email address. You can disable the Hide My Email relay at any time in your Apple ID settings, which will prevent us from being able to reach you by email. Apple Sign-In never shares your Apple ID password or biometric data with us.

Google Sign-In. When you use Google Sign-In, Google provides us with your name, email address, and profile picture URL. We use your email address to identify your account. We do not use your Google profile picture for any purpose beyond optional display within the app.

We will use the information we receive only for the purposes described in this Privacy Notice. We do not control, and are not responsible for, other uses of your personal information by Apple or Google. We recommend reviewing their respective privacy policies to understand how they collect, use, and share your personal information: Apple Privacy Policy | Google Privacy Policy.

6. IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY?

In Short: We may transfer, store, and process your information in countries other than your own.

Our servers are located in the United States. If you are accessing our Services from outside the United States, please be aware that your information may be transferred to, stored by, and processed by us in our facilities and in the facilities of the third parties with whom we may share your personal information, including facilities in the United States and other countries.

If you are a resident in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, then these countries may not necessarily have data protection laws as comprehensive as those in your country. However, we will take all necessary measures to protect your personal information in accordance with this Privacy Notice and applicable law, including by using the European Commission's Standard Contractual Clauses.

7. HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this Privacy Notice unless otherwise required by law.

We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law. No purpose in this notice will require us to keep your personal information for longer than the period of time in which users have an account with us.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if this is not possible, then we will securely store your personal information and isolate it from any further processing until deletion is possible.

8. HOW DO WE KEEP YOUR INFORMATION SAFE?

In Short: We aim to protect your personal information through a system of organizational and technical security measures.

Encryption of Reflection Content. For saved Moments, we use client-side AES-256 encryption. Your reflection text is encrypted on your device before it is transmitted or stored on our servers. The encryption key is generated on your device and stored in your device's secure iOS Keychain. We are technically unable to read the content of your saved Moments, even with full access to our database. In the event of a data breach, the content of your saved Moments would remain unreadable to any party that accessed our servers.

Emotion Tags and Metadata. Emotion tags and practice history metadata (session dates, release/hold outcomes) are stored in our database without end-to-end encryption. They are protected by Supabase's infrastructure security, access controls, and our own server-side access restrictions. We apply the principle of least privilege — access to user data is restricted to systems that require it to deliver the service.

Breach Notification. If we discover a data security incident that has materially compromised the security or integrity of your personal information, we will notify you without undue delay and in accordance with applicable law. Notification will be sent to the email address associated with your account (including Apple Hide My Email relay addresses). We will describe the nature of the breach, the categories of data affected, the steps we have taken to address it, and what you can do to protect yourself. If applicable law requires notification to a supervisory authority or state attorney general, we will make such notifications.

General Limitations. We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. However, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security measures. Transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.

9. DO WE COLLECT INFORMATION FROM MINORS?

In Short: We do not knowingly collect data from or market to children under 13 years of age.

We do not knowingly collect, solicit data from, or market to children under 13 years of age, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 13 years of age. Users between the ages of 13 and 17 must have the consent of a parent or legal guardian to use the Services. If we learn that personal information from a child under 13 has been collected without verifiable parental consent, we will deactivate the account and promptly delete such data from our records. If you become aware of any data we may have collected from children under age 13, please contact us at hello@salwaspace.com.

10. WHAT ARE YOUR PRIVACY RIGHTS?

In Short: Depending on your state of residence in the US or in some regions, such as the EEA, UK, Switzerland, and Canada, you have rights that allow you greater access to and control over your personal information.

In some regions (like the EEA, UK, Switzerland, and Canada), you have certain rights under applicable data protection laws. These may include the right to: (i) request access and obtain a copy of your personal information; (ii) request rectification or erasure; (iii) restrict the processing of your personal information; (iv) if applicable, to data portability; and (v) not to be subject to automated decision-making. If a decision that produces legal or similarly significant effects is made solely by automated means, we will inform you, explain the main factors, and offer a simple way to request human review. In certain circumstances, you may also have the right to object to the processing of your personal information. You can make such a request by contacting us using the contact details provided in the section HOW CAN YOU CONTACT US ABOUT THIS NOTICE? below.

We will consider and act upon any request in accordance with applicable data protection laws.

If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you also have the right to complain to your Member State data protection authority or UK data protection authority.

Withdrawing your consent: If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time by contacting us using the contact details provided in the section HOW CAN YOU CONTACT US ABOUT THIS NOTICE? below.

Account Information

If you would at any time like to review or change the information in your account or terminate your account, you can:
  • Log in to your account settings and update your user account.
  • Use the "Erase Everything" option in the app's Settings screen to erase all your data and close your account.
  • Email us at hello@salwaspace.com to request an export of your personal data. We will provide a machine-readable copy of the data we hold about you within 30 days.

Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms and/or comply with applicable legal requirements.

If you have questions or comments about your privacy rights, you may email us at hello@salwaspace.com.

11. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this Privacy Notice.

California law requires us to let you know how we respond to web browser DNT signals. Because there currently is not an industry or legal standard for recognizing or honoring DNT signals, we do not respond to them at this time.

12. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

In Short: If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have the right to request access to and receive details about the personal information we maintain about you, correct inaccuracies, get a copy of, or delete your personal information.

Categories of Personal Information We Collect

The table below shows the categories of personal information we have collected in the past twelve (12) months.

Category | Examples | Collected
A. Identifiers | Contact details, such as real name, alias, postal address, telephone or mobile contact number, unique personal identifier, online identifier, Internet Protocol address, email address, and account name | YES
B. Personal information as defined in the California Customer Records statute | Name, contact information, education, employment, employment history, and financial information | NO
C. Protected classification characteristics under state or federal law | Gender, age, date of birth, race and ethnicity, national origin, marital status, and other demographic data | NO
D. Commercial information | Transaction information, purchase history, financial details, and payment information | NO
E. Biometric information | Fingerprints and voiceprints | NO
F. Internet or other similar network activity | Browsing history, search history, online behavior, interest data, and interactions with our and other websites, applications, systems, and advertisements | YES
G. Geolocation data | Device location | NO
H. Audio, electronic, sensory, or similar information | Images and audio, video or call recordings created in connection with our business activities | NO
I. Professional or employment-related information | Business contact details in order to provide you our Services at a business level or job title, work history, and professional qualifications if you apply for a job with us | NO
J. Education Information | Student records and directory information | NO
K. Inferences drawn from collected personal information | Inferences drawn from any of the collected personal information listed above to create a profile or summary about, for example, an individual's preferences and characteristics | NO
L. Sensitive personal Information | | NO

We will use and retain the collected personal information as needed to provide the Services or for: Category A — as long as the user has an account with us. Category F — as long as the user has an account with us.

Sources of Personal Information

Learn more about the sources of personal information we collect in "WHAT INFORMATION DO WE COLLECT?"

How We Use and Share Personal Information

Learn more about how we use your personal information in the section, "HOW DO WE PROCESS YOUR INFORMATION?"

Will your information be shared with anyone else?

We may disclose your personal information with our service providers pursuant to a written contract between us and each service provider. Learn more about how we disclose personal information in the section, "WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?"

We may use your personal information for our own business purposes, such as for undertaking internal research for technological development and demonstration. This is not considered to be "selling" of your personal information.

We have not sold or shared any personal information to third parties for a business or commercial purpose in the preceding twelve (12) months. The categories of third parties to whom we disclosed personal information for a business or commercial purpose can be found under "WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?"

Your Rights

You have rights under certain US state data protection laws. These rights include:
  • Right to know whether or not we are processing your personal data
  • Right to access your personal data
  • Right to correct inaccuracies in your personal data
  • Right to request the deletion of your personal data
  • Right to obtain a copy of the personal data you previously shared with us
  • Right to non-discrimination for exercising your rights
  • Right to opt out of the processing of your personal data if it is used for targeted advertising (or sharing as defined under California's privacy law), the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects ("profiling")

Depending upon the state where you live, you may also have the following rights:
  • Right to access the categories of personal data being processed (as permitted by applicable law, including the privacy law in Minnesota)
  • Right to obtain a list of the categories of third parties to which we have disclosed personal data (as permitted by applicable law, including the privacy law in California, Delaware, and Maryland)
  • Right to obtain a list of specific third parties to which we have disclosed personal data (as permitted by applicable law, including the privacy law in Minnesota and Oregon)
  • Right to obtain a list of third parties to which we have sold personal data (as permitted by applicable law, including the privacy law in Connecticut)
  • Right to review, understand, question, and depending on where you live, correct how personal data has been profiled (as permitted by applicable law, including the privacy law in Connecticut and Minnesota)
  • Right to limit use and disclosure of sensitive personal data (as permitted by applicable law, including the privacy law in California)
  • Right to opt out of the collection of sensitive data and personal data collected through the operation of a voice or facial recognition feature (as permitted by applicable law, including the privacy law in Florida)

How to Exercise Your Rights

To exercise these rights, you can contact us by submitting a data subject access request, by emailing us at hello@salwaspace.com, or by referring to the contact details at the bottom of this document.

Under certain US state data protection laws, you can designate an authorized agent to make a request on your behalf. We may deny a request from an authorized agent that does not submit proof that they have been validly authorized to act on your behalf in accordance with applicable laws.

Request Verification

Upon receiving your request, we will need to verify your identity to determine you are the same person about whom we have the information in our system. We will only use personal information provided in your request to verify your identity or authority to make the request. However, if we cannot verify your identity from the information already maintained by us, we may request that you provide additional information for the purposes of verifying your identity and for security or fraud-prevention purposes.

If you submit the request through an authorized agent, we may need to collect additional information to verify your identity before processing your request and the agent will need to provide a written and signed permission from you to submit such request on your behalf.

Appeals

Under certain US state data protection laws, if we decline to take action regarding your request, you may appeal our decision by emailing us at hello@salwaspace.com. We will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If your appeal is denied, you may submit a complaint to your state attorney general.

California "Shine The Light" Law

California Civil Code Section 1798.83, also known as the "Shine The Light" law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes. If you are a California resident and would like to make such a request, please submit your request in writing to us using the contact details provided in the section HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

13. DO WE MAKE UPDATES TO THIS NOTICE?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this Privacy Notice from time to time. The updated version will be indicated by an updated "Revised" date at the top of this Privacy Notice. If we make material changes to this Privacy Notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Notice frequently to be informed of how we are protecting your information.

14. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this notice, you may email us at hello@salwaspace.com.

15. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

Based on the applicable laws of your country or state of residence in the US, you may have the right to request access to the personal information we collect from you and details about how we have processed it, to correct inaccuracies, or to delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law. To request to review, update, or delete your personal information, please fill out and submit a data subject access request, or email us at hello@salwaspace.com. You may also delete all your data directly in the app using the "Erase Everything" option in Settings.

16. DO WE USE TRACKING OR ADVERTISING IDENTIFIERS?

In Short: No. Salwa does not use the Apple Advertising Identifier (IDFA), does not engage in cross-app tracking, and does not serve advertising of any kind.

Salwa does not request permission to track you across apps or websites owned by other companies. We do not use the Apple Advertising Identifier (IDFA) or any equivalent advertising identifier. We do not participate in ad networks, retargeting campaigns, or behavioral advertising. We do not share your data with data brokers or marketing platforms.

Under Apple's App Tracking Transparency (ATT) framework, apps must request user permission before tracking. Because Salwa does not engage in cross-app or cross-website tracking, we do not present an ATT prompt. If this changes in the future, we will request your explicit permission and update this Privacy Notice to explain the purpose and scope of any tracking.

Firebase Crashlytics, which we use for crash reporting, assigns a random installation identifier to your app install for deduplicating crash reports. If you are signed in, we also set your Supabase account UUID as a user identifier in Crashlytics so that crash reports can be correlated with a specific account during debugging. This UUID is not your email address, name, or Apple ID, and cannot be used to track you across other apps or advertising platforms.

17. WHAT HAPPENS IN A DATA BREACH?

In Short: We will notify you promptly if a security incident materially affects your personal information, and we will describe what happened and what you can do.

What is protected even in a breach. Your reflection text (saved Moments) is encrypted on your device with AES-256 encryption before it ever reaches our servers. The encryption key is stored only in your device's iOS Keychain, not on our servers. If our database were ever accessed by an unauthorized party, the content of your saved Moments would be unreadable ciphertext. That party could not recover your reflection text without physical access to your device.

What could be exposed in a breach. In a hypothetical breach of our database, an attacker could potentially access: your email address (or Apple Hide My Email relay address), your emotion tags, your practice history metadata (session dates, release/hold outcomes), and your account identifiers. We would treat exposure of this data as a notifiable incident.

Our response procedure. Upon discovering a material security incident, we will: (1) contain the incident and assess its scope as quickly as possible; (2) notify affected users by email within a reasonable time and no later than required by applicable law; (3) describe in plain language what data was affected, how the breach occurred, and what we have done to address it; (4) advise you on any steps you can take to protect yourself, such as changing your password or monitoring for suspicious activity; and (5) notify applicable regulatory authorities as required by law (e.g., state attorneys general under US state breach notification statutes).

If you believe your account may have been compromised, contact us immediately at hello@salwaspace.com.