Privacy Policy

Introduction

YOUR PRIVACY MATTERS TO US. This Privacy Policy explains how SHAYO OÜ ("we," "us," or "our") collects, uses, stores, and protects your personal data when you use the PUSHIN application and related services. We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR) and Estonian data protection laws.

1. Data Controller and Contact Information

1.1 Data Controller

The data controller responsible for your personal data is:

Company: SHAYO OÜ
Brand Name: SHAYO APPS
Registry Code: [PENDING COMPANY REGISTRATION via e-Residency Hub OÜ]
Address: [Registered via e-Residency Hub OÜ, Estonia]
Country: Estonia (European Union)
Email: info@shayoapps.com
Website: https://shayoapps.com

1.2 Supervisory Authority

If you have concerns about our data practices, you may contact:

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Väike-Ameerika 19
10129 Tallinn, Estonia
Email: info@aki.ee
Website: https://www.aki.ee

2. Scope of This Policy

This Privacy Policy applies to:

• The PUSHIN mobile application (iOS and Android)

• The website shayoapps.com

• All related features and services

This policy does not apply to:

• Third-party websites or services linked from our Services

• Third-party integrations (Apple Health, Stripe, etc.) which have their own privacy policies

3. Personal Data We Collect

3.1 Information You Provide Directly

Account Information:

• Authentication data: Email address, name, profile picture (when using Apple Sign-In or Google Sign-In)

• User ID: Unique identifier for your account

• Profile information: Optional profile picture, display name, preferences

Payment Information:

• Billing data: Processed through Stripe (we do not store complete payment card details)

• Transaction history: Subscription status, payment dates, amounts

• Email: For payment receipts and billing communication

Communication Data:

• Support requests: When you contact customer support

• Email correspondence: Messages between you and our team

• Feedback: Surveys, reviews, feature requests

3.2 Information Collected Automatically

Workout Data:

• Exercise logs: Workout type, repetition count, duration, timestamps

• Performance metrics: Progress over time, personal records

• Session history: Unlock sessions, earned screen time

• Important: Camera feeds during workouts are processed locally in real-time and are NOT recorded, stored, or transmitted

App Usage Data:

• Feature usage: Which features you use and how often

• Screen time logs: Unlock/lock status, blocked app lists

• App interactions: Buttons clicked, screens viewed

• Session duration: Time spent in the app

Device and Technical Information:

• Device information: Device type, OS version, device ID

• App information: App version, build number

• IP address: For security and analytics

• Error logs: Crash reports, diagnostic data

3.3 Health and Fitness Data

With your explicit permission, we access:

• Apple Health data: Step count, workout summaries, activity rings (read-only access)

• Important: Health data is accessed locally on your device and is not stored on our servers unless you explicitly save it within PUSHIN

3.4 Analytics Data

We use PostHog for analytics, which collects:

• User behavior patterns (anonymized where possible)

• Feature adoption metrics

• App performance data

• Session recordings (anonymized and only with your consent)

3.5 Information We Do NOT Collect

We explicitly do NOT collect or store:

• Camera footage: Workout videos are processed in real-time locally and never saved

• Complete payment card details: Handled securely by Stripe

• Precise location data: We do not track your GPS location

• Contacts or call logs: We never access your contacts or calls

• Messages or photos: We do not access your messages or photo library (except when you choose a profile picture)

4. Legal Basis for Processing (GDPR)

Under GDPR, we process your personal data based on the following legal grounds:

PurposeLegal BasisAccount creation and authenticationPerformance of contract (GDPR Art. 6(1)(b))Providing app features and servicesPerformance of contract (GDPR Art. 6(1)(b))Processing payments and subscriptionsPerformance of contract (GDPR Art. 6(1)(b))Customer support and communicationLegitimate interest (GDPR Art. 6(1)(f))Analytics and app improvementLegitimate interest (GDPR Art. 6(1)(f))Health data integration (Apple Health)Explicit consent (GDPR Art. 9(2)(a))Marketing communications (if applicable)Consent (GDPR Art. 6(1)(a))Legal compliance and fraud preventionLegal obligation (GDPR Art. 6(1)(c))

5. How We Use Your Personal Data

5.1 Primary Purposes

• Provide Services: Enable workout tracking, app blocking, unlock sessions, and all app features

• Account Management: Create and maintain your account, authenticate you, manage preferences

• Process Payments: Handle subscriptions, process payments, send receipts

• Customer Support: Respond to your questions, troubleshoot issues, provide assistance

• Improve Services: Analyze usage patterns, fix bugs, develop new features

• Security: Detect and prevent fraud, abuse, and security threats

• Legal Compliance: Comply with legal obligations, enforce our Terms of Service

5.2 Analytics and Performance

We use analytics to:

• Understand how users interact with the app

• Identify and fix technical issues

• Measure feature effectiveness

• Optimize user experience

5.3 Communication

We may contact you for:

• Transactional emails: Account notifications, payment receipts, security alerts (cannot opt out)

• Service updates: Important changes to our Services or policies

• Marketing: Optional promotional content about new features (you can opt out)

6. Data Sharing and Disclosure

6.1 We Do Not Sell Your Data

We never sell, rent, or trade your personal data to third parties for marketing purposes.

6.2 Third-Party Service Providers

We share data with trusted service providers who help us operate our Services:

Service ProviderPurposeData SharedLocationStripePayment processingBilling information, email, transaction dataUSA (GDPR-compliant using Standard Contractual Clauses)PostHogAnalytics and product insightsUsage data, device info (anonymized)USA (GDPR-compliant)Apple / GoogleAuthentication, push notifications, app distributionAuthentication tokens, device tokensGlobal infrastructureCloud Hosting ProviderServer infrastructure and data storage (Railway, PostgreSQL)All app dataUSA / EU (Railway servers)

All service providers are contractually obligated to protect your data and use it only for specified purposes. We have Data Processing Agreements (DPAs) in place with all our active third-party data processors as required by the GDPR.

6.3 Legal Requirements

We may disclose your data if required to:

• Comply with legal obligations (court orders, subpoenas)

• Enforce our Terms of Service

• Protect our rights, property, or safety

• Prevent fraud or security threats

• Respond to government or law enforcement requests

6.4 Business Transfers

If SHAYO OÜ is acquired, merged, or sells assets, your data may be transferred to the new entity. You will be notified of any such change.

6.5 Aggregated Data

We may share aggregated, anonymized data (e.g., "50% of users complete workouts in the morning") that cannot identify you personally.

7. International Data Transfers

7.1 Data Storage Location

Your data is primarily stored on servers located in the European Union. However, some service providers may process data outside the EU.

7.2 Safeguards for International Transfers

When data is transferred outside the EU, we ensure adequate protection through:

• Standard Contractual Clauses (SCCs): EU-approved data transfer agreements

• Adequacy Decisions: Transfers to countries deemed adequate by the EU Commission

• Standard Contractual Clauses (SCCs): For US-based service providers, we use the standard contractual clauses approved by the European Commission.

• GDPR-compliant Data Processing Agreements: With all service providers

7.3 Your Rights Regarding International Transfers

You have the right to object to international data transfers. Please contact us for more information.

8. Data Retention

8.1 How Long We Keep Your Data

Data TypeRetention PeriodReasonAccount dataWhile account is active + 30 days after deletionProvide services, allow account recoveryWorkout logsWhile account is active + 30 days after deletionProvide historical data, analyticsPayment records7 years after transactionTax and legal compliance (EU/Estonian law)Support communications3 years after last contactQuality assurance, legal protectionAnalytics data26 months (anonymized after 12 months)Product improvement, trend analysisError logs and diagnostics90 daysBug fixing, performance optimization

8.2 Deletion After Retention Period

After retention periods expire, we securely delete or anonymize your data so it can no longer identify you.

8.3 Immediate Deletion Requests

You may request immediate deletion of your data at any time (subject to legal retention requirements). See Section 10 for your rights.

9. Data Security

9.1 Security Measures

We implement industry-standard security measures to protect your data:

• Encryption: Data in transit (TLS/SSL) and at rest (AES-256)

• Access Controls: Role-based access, minimum necessary principle

• Authentication: Secure authentication mechanisms (OAuth 2.0)

• Secure Storage: Sensitive data stored using Flutter Secure Storage

• Regular Audits: Security assessments and vulnerability testing

• Monitoring: Real-time threat detection and logging

• Employee Training: Staff trained on data protection and privacy

9.2 Local Data Processing

Sensitive operations are processed locally on your device:

• Workout videos: Processed in real-time, never uploaded

• Health data: Accessed locally through Apple Health API

• App blocking: Managed through device APIs (Screen Time, Digital Wellbeing)

9.3 Data Breach Notification

In the unlikely event of a data breach affecting your personal data, we will:

• Notify supervisory authorities within 72 hours (GDPR requirement)

• Notify affected users without undue delay

• Provide information about the breach and steps being taken

9.4 Your Responsibility

Please help protect your data by:

• Using strong, unique passwords

• Not sharing your account credentials

• Keeping your device secure (PIN, biometrics)

• Logging out on shared devices

10. Your Privacy Rights (GDPR)

As a user in the EU, you have the following rights regarding your personal data:

10.1 Right of Access (Art. 15 GDPR)

You can request a copy of all personal data we hold about you. We will provide this information in a commonly used electronic format within 30 days.

10.2 Right to Rectification (Art. 16 GDPR)

You can update or correct inaccurate personal data through the app settings or by contacting us.

10.3 Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

You can request deletion of your personal data by:

• Deleting your account in app settings

• Contacting us directly

Note: Some data may be retained for legal compliance (e.g., payment records for tax purposes).

10.4 Right to Restriction of Processing (Art. 18 GDPR)

You can request that we limit how we process your data in certain circumstances (e.g., while verifying accuracy or contesting processing).

10.5 Right to Data Portability (Art. 20 GDPR)

You can request your data in a structured, machine-readable format (JSON, CSV) to transfer to another service. Available through app settings or by request.

10.6 Right to Object (Art. 21 GDPR)

You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds.

10.7 Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on consent (e.g., health data, marketing), you can withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.

10.8 Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with the Estonian Data Protection Inspectorate or your local data protection authority if you believe we have violated your privacy rights.

10.9 How to Exercise Your Rights

To exercise any of these rights, please:

• Email us: info@shayoapps.com

• Use in-app settings: Account > Privacy > Data Rights

• Include: Your name, email, and specific request

We will respond within 30 days (may be extended to 60 days for complex requests).

11. Children's Privacy

11.1 Age Restrictions

PUSHIN is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16 without parental consent.

11.2 Parental Consent

Users aged 16-18 must have parental or guardian consent to use our Services.

11.3 If We Discover Child Data

If we become aware that we have collected data from a child under 16 without parental consent, we will take steps to delete that information immediately.

11.4 Parents' Rights

Parents/guardians can:

• Review their child's personal data

• Request deletion of their child's data

• Refuse further collection of their child's data

12. Cookies and Tracking Technologies

12.1 Mobile App

The PUSHIN mobile app does not use traditional web cookies. However, we use:

• Local Storage: To save your preferences and session data on your device

• Analytics SDKs: PostHog for usage analytics (anonymized where possible)

• Authentication Tokens: To keep you logged in securely

12.2 Website (shayoapps.com)

Our website may use cookies for:

• Essential cookies: Required for website functionality (cannot be disabled)

• Analytics cookies: To understand website traffic (can be disabled)

• Preference cookies: To remember your settings

12.3 Cookie Management

You can control cookies through:

• Your browser settings (for website cookies)

• App settings (for mobile analytics)

• Cookie consent banner (on website)

12.4 Third-Party Trackers

We minimize third-party tracking. Analytics providers (PostHog) may use identifiers to track usage patterns. You can opt out of analytics in app settings.

13. Push Notifications

13.1 Types of Notifications

We may send push notifications for:

• Transactional: Unlock session expiring, workout reminders you set

• Promotional: New features, tips (optional)

• Security: Unusual account activity

13.2 Managing Notifications

You can control notifications through:

• App settings > Notifications

• Device settings (iOS Settings > Notifications > PUSHIN)

13.3 Data Collected

For push notifications, we collect device tokens (managed by Apple/Google). We do not access notification content sent by other apps.

14. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to Know: What personal data we collect and how it's used

• Right to Delete: Request deletion of your personal data

• Right to Opt-Out: Opt-out of "sale" of personal data (we do not sell data)

• Right to Non-Discrimination: We will not discriminate against you for exercising your rights

To exercise CCPA rights, contact us at info@shayoapps.com. We will verify your identity and respond within 45 days.

15. Changes to This Privacy Policy

15.1 Policy Updates

We may update this Privacy Policy from time to time to reflect:

• Changes in our data practices

• New features or services

• Legal or regulatory requirements

• User feedback

15.2 Notification of Changes

We will notify you of material changes by:

• In-app notification

• Email to your registered address

• Prominent notice on our website

15.3 Your Acceptance

Continued use of our Services after changes constitutes acceptance of the updated Privacy Policy. If you do not agree, please stop using our Services and delete your account.

15.4 Version History

Previous versions of this Privacy Policy are available upon request.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

SHAYO OÜ (SHAYO APPS)
Privacy Contact / Data Protection Officer:
Email: info@shayoapps.com
Website: https://shayoapps.com
Address: [Registered via e-Residency Hub OÜ, Estonia]
Registry Code: [PENDING COMPANY REGISTRATION via e-Residency Hub OÜ]

Response Time

We aim to respond to all privacy inquiries within:

• General questions: 5 business days

• GDPR rights requests: 30 days (may extend to 60 days for complex requests)

• Urgent security issues: 24-48 hours

17. Consent and Acknowledgment

By using PUSHIN and our Services, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your personal data as described herein.

For processing that requires explicit consent (e.g., health data, marketing), we will obtain your separate opt-in consent through the app interface.