Privacy Policy
Last updated: 16 May 2026
Exhale is built around a simple promise: the moments you reach for it are private, and we treat them that way. This policy explains, in plain language, what we collect, what we don't, who else sees it, and what rights you have.
The short version
- The press itself is never recorded. Not on your device, not on our server. We do not store a timestamp, a duration, a count, or any per-press telemetry.
- We provision a device-bound anonymous account on first launch so the app can talk to its backend at all. Nothing else is collected by default.
- We never sell your data. We never share it for advertising. We don't run third-party trackers, ad SDKs, or analytics SDKs inside the app or on this website.
- Exhale never sends engagement push notifications. The only reminder is one optional local notification you schedule yourself, fired from your device.
- Exhale is for adults. You must be 18 or older (or the age of majority where you live) to use it.
Who we are
Exhale is operated by a single independent developer. For all privacy questions, the controller of your personal data is reachable at hello@useexhale.com.
What gets sent to our server
When you open Exhale, the app talks to our backend on Fly.io. Each request includes:
- An anonymous device identifier the app generates the first time you open it. This lets the app authenticate to our backend without making you create an account.
- An authentication token derived from that identifier.
- Standard network metadata your device sends to any internet service (IP address, request timestamps, basic device/OS strings). We use this for transient operational purposes — abuse prevention, debugging, rate-limiting — and don't combine it with any other data.
What is not sent: the press itself. Tapping the button, the duration of the press, the time of day you pressed, your fallback choice, whether the optional reminder fired — none of that leaves your device. The button is not instrumented.
What gets stored
- On your device: your anonymous device id and authentication tokens, kept in iOS Secure Enclave via expo-secure-store. Your theme, language, and notification preferences also live only on the device.
- On our server: the anonymous user record (a row with an id, the device identifier hash, and timestamps) and refresh-token rows so we can rotate auth tokens. Nothing about your presses.
Future aggregate counts (opt-in, not in v1)
A future version may offer an explicit opt-in toggle to contribute an anonymous, per-day "the app was opened" counter to a global aggregate — off by default, with no per-user history shown back to you, and the toggle can be flipped off at any time. As of today's version, this does not exist.
How long we keep it
We keep your account record for as long as your anonymous account exists. When you delete your account from inside the app, we delete that record from our active systems within 30 days. Encrypted backups may persist for up to 90 days after that before they roll off. Transient network logs (IP, request metadata) are kept for at most 30 days for security and debugging, then deleted.
Third parties we share data with
We use a small number of service providers to run Exhale. They process data on our behalf, under contract, and only for the purposes described here:
- Fly.io, Inc. — hosts our backend servers. Servers are located in the United States.
- Supabase, Inc. — managed Postgres for the account record described above. Data is processed in the United States.
- Cloudflare, Inc. — DNS and hosting for this marketing website (no app traffic).
- Apple Inc. — distributes the app via the App Store. Apple's own privacy terms apply to your relationship with Apple.
We do not sell your personal information. We do not share it for advertising. We do not run third-party analytics SDKs, attribution SDKs, or ad SDKs inside the app or on this website.
Cookies and trackers
This website does not set cookies, run JavaScript, or use any analytics or tracking technology. The app does not include any third-party analytics, advertising, or attribution SDKs.
Data security
Traffic between the app and our backend is encrypted in transit (TLS). Tokens on the device are stored in the iOS keychain via expo-secure-store. No system is impervious — if we ever learn of a breach affecting your data, we will notify affected users without undue delay, as required by applicable law.
Children
Exhale is for adults. You must be at least 18 years old (or the age of majority in your jurisdiction, whichever is greater) to use the app. The app is not directed to children, and we do not knowingly collect personal information from anyone under 16 (or under 13 in the United States, per COPPA). If you believe a child has used the app, email hello@useexhale.com and we will delete the data.
Your rights
You can wipe everything Exhale knows about you from inside the app: "Settings → Delete account & data" wipes the local store and deletes your server-side record. You can also email hello@useexhale.com and we'll delete the server-side record within 30 days.
Depending on where you live, you may have additional rights described in the sections below. To exercise any of them, email us. We'll respond within 30 days. We won't discriminate against you for exercising any privacy right.
If you're in the EU, UK, or EEA
Under the GDPR (and UK GDPR), you have the right to: access your personal data; correct it; have it erased; restrict or object to its processing; data portability; and withdraw any consent you previously gave. You also have the right to lodge a complaint with your local data protection supervisory authority. Our legal basis for processing your data is (a) performance of a contract with you (running the app) and (b) our legitimate interests in operating, securing, and improving the service.
Your data is processed in the United States. Where applicable, transfers from the EU/UK to the US are made under the European Commission's Standard Contractual Clauses (and the UK Addendum) with our service providers, and we rely on supplementary measures (TLS in transit, access controls) to protect your data.
If you're a California resident
Under the California Consumer Privacy Act (as amended by the CPRA), you have the right to know what personal information we collect about you, the right to delete it, the right to correct it, the right to opt out of "sale" or "sharing" of personal information, and the right not to be discriminated against for exercising these rights. We do not sell or share personal information as those terms are defined under California law. To exercise any of these rights, email us at the address above.
Where data is processed
Our backend runs on Fly.io. Our database runs on Supabase. Both process data in the United States. If you are using Exhale from outside the US, your data is transferred to and processed in the US — by using the app, you understand and consent to that transfer.
Changes
If we change this policy in any meaningful way, we'll update the date at the top and, where it matters, surface the change inside the app. Continued use of the app after a change means you accept the updated policy. Trivial wording fixes won't be announced.