Privacy policy
Last updated: April 22, 2026
This policy describes how Innoflow SAS processes the personal data of users of the horeb.app website and the Horeb application (iOS, Android, web), in accordance with Regulation (EU) 2016/679 (the “GDPR”) and the French Data Protection Act.
1. Data controller
Innoflow SAS, share capital €1,000, 75 allée du Talus, 13540 Aix-en-Provence, France — RCS Aix-en-Provence 913 632 808.
Contact: via the website's contact form, with “GDPR” in the subject line, or from the app via the menu “Profile → Help & Support”.
2. Data we process
We process the following data:
- Account: email address, password (stored hashed), language, registration date.
- Content entered in the app: goals, habits, priorities and graces of the day, reflections, sessions (prayer, breathing, cold, stretching, sport), favorites, custom routines and poses.
- Website contact form: name, email, subject and message — used only to handle your request.
- Premium subscription: Stripe customer identifiers (web) or RevenueCat (iOS/Android), subscription status and dates. No banking data is stored — payments are processed only via Stripe, Apple, or Google.
- Technical data: IP address, device type, event logs, push notification token (if enabled).
The site and application do not collect geolocation, contacts, or photos (except those you voluntarily add to a pose), or health data within the meaning of medical regulation. No accounts are allowed for users under 15.
Content you enter may reflect your religious beliefs (Article 9 GDPR). Processing relies on your explicit consent, indicated by voluntary entry; you may withdraw that consent at any time by deleting the data or your account.
3. Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Creating and managing the account; providing features | Performance of the contract (Art. 6(1)(b) GDPR) |
| Processing religious beliefs reflected by your content | Explicit consent (Art. 9(2)(a) GDPR) |
| Responding to requests via the contact form | Legitimate interest / consent |
| Premium subscription, payment, invoicing | Performance of the contract + legal obligation (accounting) |
| Transactional emails (welcome, password reset, receipts) | Performance of the contract |
| Website analytics (Matomo, with consent) | Consent (Art. 6(1)(a) GDPR) |
| Security; fraud prevention | Legitimate interest (Art. 6(1)(f) GDPR) |
| Accounting and legal obligations | Legal obligation (Art. 6(1)(c) GDPR) |
4. Processors and transfers
Your data are not sold or rented. They are disclosed only to processors necessary to provide the service, bound by contracts compliant with Article 28 GDPR:
| Processor | Role | Location |
|---|---|---|
| Supabase Inc. | Hosting, database, authentication | EU (Frankfurt) |
| Vercel Inc. | Hosting for the site and web app | EU / US |
| Matomo Cloud | Website analytics (with consent) | EU |
| Stripe Payments Europe Ltd | Web payments | Ireland / EU |
| RevenueCat Inc. | Mobile subscriptions | US |
| Apple / Google | Distribution and mobile payments | EU / Worldwide |
| Sendinblue SA (Brevo) | Transactional email and contact form | France |
Any transfers outside the European Union are governed by the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where applicable, the EU–US Data Privacy Framework.
5. Retention periods
- Active account and content: for the lifetime of the account.
- Inactive account: deletion or anonymization after 3 years and 6 months without login.
- Deleted account: immediate deletion of identifying data; technical backup retention for up to 30 days.
- Messages sent via the website contact form: 3 years from the last exchange.
- Invoices and accounting records: 10 years (French Commercial Code Art. L.123-22).
- Technical logs: 12 months maximum.
- Support messages: 3 years after the last contact.
6. Your rights
Under Articles 15 to 22 GDPR, you have the following rights: access, rectification, erasure, portability, restriction, objection, withdrawal of consent, and instructions for arrangements after death.
Exercise your rights in the app
- Edit your profile and password: “Profile” screen.
- Export your data in JSON: “Profile → Export my data”.
- Delete your account and all your data: “Profile → Delete my account”.
Contact us
Any other request may be sent via the website's contact form (subject: “GDPR”) or from the app via “Profile → Help & Support”. We will reply within one (1) month.
Complaint to the CNIL
If you consider that processing does not comply with applicable law, you may contact the French supervisory authority (CNIL) — 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France — cnil.fr.
7. Security
We implement appropriate technical and organizational measures: encryption in transit (HTTPS/TLS), encryption at rest, hashed passwords, strict Row Level Security on each table (auth.uid() = user_id), role-based access, regular backups.
In the event of a personal data breach likely to result in a high risk to your rights and freedoms, you will be informed without undue delay, in accordance with Article 34 GDPR.
8. Cookies and local storage
The mobile app does not use cookies: it stores a secure session token locally to keep you signed in.
The marketing site (horeb.app) and the web application (app.horeb.app) use:
- Strictly necessary cookies (session, language and theme preferences, CSRF protection), exempt from consent under Article 82 of the French Data Protection Act;
- a privacy-friendly audience measurement tool (Matomo Analytics, hosted in Europe), loaded only after your explicit consent via our banner. Data collected (pages viewed, visit duration, traffic source, device, country) are strictly limited to analytics. No data is shared for advertising, and no third-party marketing cookies are set.
You may accept, refuse, or change your choice at any time via the consent banner or the preferences below.
Manage preferences
Update your choice about Matomo analytics at any time.
9. Automated decision-making
We do not carry out solely automated decision-making that produces legal effects concerning you within the meaning of Article 22 GDPR.
10. Changes
This policy may be updated to reflect legal, technical, or functional changes. Any material change will be notified at least fifteen (15) days before it takes effect, by email or in-app notification.