Privacy Policy

Grapla ("we", "us", "our") is operated from Dublin, Ireland. This policy explains what personal data we collect when you use the Grapla iOS app and this website, how we use it, and your rights under the General Data Protection Regulation (GDPR).

We collect the minimum data necessary to operate the service. We do not sell your personal data to third parties.

Depending on how you use Grapla, we may process the following:

• —Anonymous usage analytics — a randomly generated distinct ID and a small set of structured event names (session start, tab switches, position views, technique creation, training logs, feedback taps), processed by PostHog. See section 08 — Analytics for the full list. Opt-in by default; can be turned off in Settings.
• —Usage data — which positions, techniques, and transitions you view, to power the Pathfinder feature and personalise your experience.
• —Subscription status — your active tier (Explorer, Competitor, Black Belt), managed entirely by Apple In-App Purchase. We do not store payment card details.
• —Device information — iOS version and device model, collected by Apple and shared with us in aggregate for crash reporting.
• —Crash logs — anonymous stack traces sent via Apple's built-in crash reporting to help us fix bugs.

Under GDPR, we rely on the following legal bases:

• —Contract performance — processing your account and subscription data is necessary to deliver the service you signed up for.
• —Legitimate interests — analysing usage patterns (in aggregate) to improve app features and content.
• —Legal obligation — retaining billing records as required by Irish tax law.

• —Authenticate you and maintain your account session.
• —Restore your subscription tier across devices.
• —Personalise drill paths and Pathfinder suggestions based on your usage history.
• —Send transactional emails (account creation, password reset) — no marketing emails without explicit consent.
• —Diagnose crashes and improve app stability.

We do not sell or rent your personal data. We share data only with:

• —Apple Inc. — for In-App Purchase billing and App Store analytics. Apple's privacy policy governs their handling of this data.
• —PostHog, Inc. — processes anonymous product analytics events from the iOS app on our behalf under a Data Processing Addendum. See section 08 — Analytics.
• —Vercel Inc. — this website is hosted on Vercel. Server logs may include your IP address for a limited period.
• —Law enforcement — only where required by a valid legal obligation under Irish or EU law.

We retain your account data for as long as your account is active. If you delete your account, we delete your personal data within 30 days, except where retention is required by law (e.g. billing records, which we keep for 7 years under Irish Revenue requirements).

If you are in the European Economic Area, you have the right to:

• —Access — request a copy of the personal data we hold about you.
• —Rectification — ask us to correct inaccurate data.
• —Erasure — ask us to delete your data ("right to be forgotten").
• —Portability — receive your data in a machine-readable format.
• —Restriction — ask us to restrict processing while a dispute is resolved.
• —Object — object to processing based on legitimate interests.
• —Withdraw consent — where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email us at privacy@grapla.app. We will respond within 30 days. You also have the right to lodge a complaint with the Data Protection Commission (Ireland) at dataprotection.ie.

To improve Grapla, the iOS app collects anonymous usage analytics through PostHog (PostHog, Inc.), a third-party analytics processor acting on our behalf under a Data Processing Addendum: posthog.com/dpa.

What we collect. Each analytics event consists of:

• —An anonymous distinct ID — a randomly generated identifier created on first launch. It is not linked to your Apple ID, email address, or any other personal information, and we never call PostHog's identify() API with personal data.
• —session_started — recorded on each cold launch.
• —tab_switched — records the tab navigated from and to (e.g. from: "Atlas", to: "FlowLab").
• —position_viewed — records the position identifier and perspective type (e.g. position_id: "mount", perspective: "controlling").
• —technique_created — recorded when a technique is saved in FlowLab.
• —training_logged — recorded when a training session is saved.
• —feedback_button_tapped — recorded when the in-app feedback action is triggered.

What we do not collect.

• —No name, email address, or any personally identifiable information (PII).
• —No Apple Identifier for Advertisers (IDFA) — we do not request advertising tracking permission.
• —No data shared with third-party advertisers or ad networks.
• —No sensitive data categories (health, financial, biometric, etc.).

Opt-out. Analytics collection is on by default and can be toggled off at any time in Settings → Privacy → Share anonymous usage data. The onboarding tour includes a Privacy card that surfaces this option on first launch. When the toggle is off, no events are sent to PostHog. Your choice is stored locally and respected immediately — no restart required.

Data retention. PostHog's default retention period is 7 years. We intend to keep a conservative retention window (12 months) and will update this policy once that configuration is confirmed in our PostHog project settings.

Data location. PostHog processes data on infrastructure located in the United States and/or the European Union. See PostHog's privacy policy at posthog.com/privacy for details.

This website uses no advertising or analytics cookies. Vercel may set a strictly necessary session cookie for performance and security. The Grapla iOS app uses PostHog anonymous analytics (see section 08) and no third-party advertising SDKs.

Grapla is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

We may update this policy as the app evolves. Material changes will be communicated via an in-app notice. Continued use after the effective date constitutes acceptance of the updated policy.

Data controller: Grapla, Dublin, Ireland.
Email: privacy@grapla.app