Privacy Policy

Last updated — 2026-04-19 · Version 1.0

Who we are

Anthony Eli Rasch, a sole proprietor registered in the Slovak Republic, is the controller ("Controller," "we," "us") of personal data processed through Today. The product is published under the brand name Sapplify.

Postal address:
Anthony Eli Rasch – sapplify
PO Box 004
91501 Nové Mesto nad Váhom
Slovakia

General contact: hello@sapplify.com
Privacy inquiries: privacy@sapplify.com

What this covers

This Policy explains what personal data we collect when you use the Today mobile application or this website, why we process it, how long we keep it, and the rights you have over it.

What we collect

To operate Today, we collect the following categories of personal data:

• Account data — name (optional), email address, authentication credentials.
• Health-related data you enter — body weight, menstrual cycle events, mood entries, free-text journal notes, food notes. This is considered special category data under GDPR Article 9.
• Conversation data — messages you send to the in-app partner and the responses generated.
• Technical data — device type, operating system, app version, crash reports, anonymised usage events (e.g. "log event recorded"). No precise location is collected.
• Website analytics (first-party) — when you visit this website, we record each page view with path, referrer hostname, a coarse device class (mobile / tablet / desktop), and a coarse user-agent class. No cookies, no sessionStorage, no visitor identifier, no IP address is stored in our row, no full user-agent string, no query strings. We cannot tell whether two page views came from the same person. Events are stored in our own Supabase database — no third-party analytics provider is involved.

Lawful basis for processing

We process your data on the following legal bases under GDPR Article 6 and, for health data, Article 9:

• Your explicit consent (Article 6(1)(a) and Article 9(2)(a)) — given during onboarding and revocable at any time — for processing health-related data.
• Performance of a contract (Article 6(1)(b)) — to provide the service you requested.
• Legitimate interests (Article 6(1)(f)) — limited to operating and securing the service (e.g. crash diagnostics).

How your data is used

We use your data only to:

• Deliver the Today experience — store your entries, generate the daily summary line, respond when you open chat.
• Improve the product based on aggregated, pseudonymous usage metrics (event counts per user, token costs per call — never the content of your entries or chats).
• Send operational emails related to the beta programme. We do not send marketing unless you separately opt in.

We do not sell your data. We do not use your personal data to train third-party AI models. We do not share it with advertisers.

Who we share your data with (sub-processors)

We use a small number of carefully-chosen service providers to run Today. These are our data processors:

• Supabase, Inc. — database, authentication, Edge Functions, and file storage infrastructure. Data is hosted in the EU West (Ireland) region.
• Anthropic, PBC. — AI model provider (Claude API). Your messages and relevant context are sent to Anthropic solely for the purpose of generating a response. Anthropic processes this data under its commercial terms and, per its current policy, does not train its models on API customer data. See Anthropic's legal page.
• Resend, Inc. — transactional email delivery (beta welcome, invite, feedback notifications). Your email address and the message body are processed by Resend only for the purpose of delivering these emails.
• Apple Inc. / Google LLC — app distribution via App Store / Google Play and, if applicable, in-app purchase processing.

About the AI partner

When you ask the AI a question, your message plus a short context block (recent weight, cycle day, mood entries, recent food notes, age, and the name you gave us if any) is sent to Anthropic over a server-to-server connection. Anthropic returns the response, and we pass it back to you. Per Anthropic's current API terms, customer messages are not used to train their models.

A few things to know:

• The AI's responses are generated text — probabilistic, not looked-up. They can be wrong, out-of-date, or entirely hallucinated. Treat them as a second opinion, not a medical source. See the Health Disclaimer and the AI section of our Terms.
• We log a small record of each AI call (user id, model, token counts, timestamp) for cost modelling and rate-limiting. We do not log the content of messages or responses for analytics.
• You can delete your chat history at any time from within the app.

International transfers

Some sub-processors are located outside the European Economic Area (Anthropic, Resend, Supabase, Apple, and Google are US-incorporated). Where transfers occur, we rely on Standard Contractual Clauses approved by the European Commission and, where available, additional safeguards recommended by the EDPB. These sub-processors have each published their SCCs / Data Processing Addenda publicly.

How long we keep your data

• Account and health data — kept for as long as your account is active. Deleted within 30 days of you deleting your account.
• Conversation data — every message you send the AI and every reply it returns are stored in your account so the partner can remember context across sessions. You can wipe the entire conversation history at any time via Settings → Reset memory (your weight, cycle, mood, and food data are kept separately and stay intact). Deleting your account wipes everything.
• Technical logs (analytics events, error traces, AI-usage records) — retained for a limited period, generally no more than 90 days.
• Backups — encrypted, retained for a maximum of 30 days after deletion from production.

Your rights

Under GDPR and comparable regimes, you have the right to:

• Access the data we hold about you.
• Correct inaccuracies.
• Delete your data ("right to erasure").
• Export your data in a portable format.
• Restrict or object to processing.
• Withdraw consent at any time (does not affect prior lawful processing).
• Lodge a complaint with your local supervisory authority. In Slovakia, this is the Úrad na ochranu osobných údajov Slovenskej republiky (Office for Personal Data Protection of the Slovak Republic) — dataprotection.gov.sk.

To exercise any of these rights, email privacy@sapplify.com. We respond within 30 days.

Children

Today is not intended for anyone under 16. We do not knowingly collect data from children under 16. Under Slovak implementation of GDPR, 16 is the age of digital consent; users under that age require a parent or legal guardian's consent, which we cannot currently verify — so we ask those users not to sign up.

Security

We use encryption in transit (TLS 1.2+) and at rest, restrict access to personal data to the people who need it, and maintain audit logs. No system is perfectly secure, and we will notify you without undue delay of any breach that materially affects your rights.

Changes

When we change this Policy materially, we'll tell you in-app and by email before the change takes effect. The current version lives at this URL.

Contact

Privacy questions, concerns, or rights requests: privacy@sapplify.com.
Anything else: hello@sapplify.com.

This policy has been drafted to align with the General Data Protection Regulation (EU 2016/679) and the Slovak Act No. 18/2018 on the Protection of Personal Data. It is not a substitute for independent legal advice — users with specific concerns are welcome to reach out at the addresses above.