Privacy Policy — Eureki
Version: 1.0 · Effective date: 2026-05-25
1. Data controller
The Eureki application is provided by:
- Eureki Unipessoal Lda.
- Registered address: Olhão, Portugal
- Contact: support@eureki.app
To exercise any right under this Policy or clarify questions about how your data is processed, contact us at the email above.
2. Scope
This Policy applies to the Eureki mobile application (Android package
app.eureki), the associated backend (eureki-ai-backend.fly.dev) and
all content, features, and services provided by Eureki Unipessoal Lda.
It does not apply to third-party websites, external dashboards (Google Play Store, RevenueCat, Firebase Console) or sub-processor services with their own policies.
3. Personal data we collect
3.1 Data you provide directly
- Name (optional) — used to personalize the mentor's messages
- Learning goal (required) — basis for generating your plan
- Experience level (zero / beginner / experienced) — calibrates content
- Messages sent to Ask Eureki chat — to reply and keep context
- Notes you create inside the app — stored only on device
3.2 Data collected automatically
- Anonymous Firebase identifier (UID) — authentication without email
- App interactions — steps started, completed, time on screens, daily ritual completion
- Crash diagnostics — technical stack trace via Firebase Crashlytics, with prior sanitization removing any personal information
- Subscription purchase info — product, price, currency, country, dates, via RevenueCat + Google Play Billing
- App version, build number, system locale, IP address (temporarily logged on the backend for diagnostics and security)
3.3 Data we do NOT collect
- We do not collect GPS location nor access mobile/Wi-Fi network info for geolocation
- We do not access contacts, photos, videos, or other device files
- We do not use microphone, camera, or biometric sensors
- We do not share data with advertising intermediaries or data brokers
4. How we use your data
4.1 Primary purposes (contract performance)
- Deliver personalized mentorship through daily micro-steps
- Generate plans and daily drops adapted to your goal, language and level
- Process your Ask Eureki questions with context
- Process Pro subscriptions and trials via Google Play / RevenueCat
4.2 Legitimate interest
- Diagnose failures and crashes to improve stability
- Protect the service against abuse (per-user rate limiting)
- Aggregate usage analysis to prioritize improvements (no individualized decisions)
4.3 Legal obligations
- Retain purchase data for the period required by Portuguese tax law (7 years)
- Respond to requests from competent authorities when legally required
5. Legal basis (GDPR Art. 6)
- Art. 6(1)(b) (contract performance) — for all core features (mentorship, Ask, Pro)
- Art. 6(1)(f) (legitimate interest) — for Crashlytics, rate limiting, security, and aggregate analysis
- Art. 6(1)(c) (legal obligation) — for tax retention of purchases
- Art. 6(1)(a) (consent) — when applicable, e.g. optional push notifications (not currently implemented)
6. Automated decision-making and profiling (GDPR Art. 22)
Eureki uses large language models (LLMs) from sub-processors OpenAI (United States) and Mistral AI (France) to generate:
- Your learning plan map (3-phase structure)
- The detailed content of each daily drop (step, tips, examples)
- Replies to Ask Eureki
This processing produces no legal effects nor significantly affects your rights. It is pedagogical and suggestive, never binding.
You can always:
- Contact us to request human review of any plan or reply
- Change goal, level, or language to regenerate content
- Delete your account and stop all processing (see Section 10)
7. Sub-processors
We share the minimum necessary data with:
| Sub-processor | Country | Function | Data shared |
|---|---|---|---|
| Firebase / Google Cloud | United States (multi-region) | Anonymous auth, Firestore, Crashlytics | Firebase UID, crash reports without PII |
| Fly.io | European Union (Amsterdam) | Backend hosting | All backend traffic, IP |
| OpenAI | United States | AI generation of plans, drops, Ask replies | Goal, question, name (optional), short history |
| Mistral AI | European Union (France) | AI generation (Free tier, fallback) | Same fields as OpenAI |
| RevenueCat | United States | Subscription management | Anonymous identifier, purchase data |
| Google Play Billing | United States | Payment processing | Transaction, currency, country, payment method |
| SendGrid (or generic SMTP) | United States | Support emails (only when you send a bug report) | Bug description, technical metadata |
Each sub-processor has its own privacy policy, which binds you directly with them.
8. International data transfers
Some sub-processors (OpenAI, Firebase/Google, RevenueCat, Google Play Billing, SendGrid) process data outside the European Economic Area (EEA), specifically in the United States.
These transfers are governed by the Standard Contractual Clauses (SCCs) approved by the European Commission, which ensure an adequate level of protection.
You can contact us to obtain a copy of the applicable SCCs.
9. Data retention
- Local data on your device: kept until app uninstall or manual cleanup in Settings → Privacy and data.
- Remote data on Fly.io backend (goal, short conversation history, long-term memory files): deleted immediately when you use "Delete account" in the app. Data left inactive for more than 12 months is a candidate for proactive anonymization.
- Firestore (users/{uid} and subcollections): deleted immediately via "Delete account".
- Firebase Crashlytics: retained for 90 days (Firebase default policy); per-user deletion requires manual request via Firebase Support.
- RevenueCat and Google Play Billing: retained while the subscription is active + 7 years for Portuguese tax obligations.
- Backend logs: retained for 30 days for diagnostics, with IP addresses anonymized/aggregated after 7 days.
10. Your rights (GDPR Arts. 15 to 22)
You can exercise the following rights at any time:
- Right of access — obtain a copy of your data (email to support@eureki.app)
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten") — via Settings → Privacy and data → Delete account and data, or by email
- Right to data portability — receive your data in structured format (JSON) within 30 days (email to support@eureki.app)
- Right to object — oppose processing based on legitimate interest
- Right to restriction of processing — in specific circumstances
- Right not to be subject to automated decisions with legal effects (see Section 6 — currently not applicable because Eureki produces no such decisions)
You may also lodge a complaint with the CNPD (Portuguese data
protection authority, cnpd.pt) or with your local data protection
authority.
11. Minors
Eureki is not directed to children under 16. We do not knowingly collect
data from children. If you are a parent or guardian and believe your
child has provided us with data, contact us at support@eureki.app for
immediate deletion.
12. Security
- Communications: TLS 1.2 or higher on all network calls. Backend rejects cleartext in production.
- Remote storage: encryption at rest applied by Firebase and Fly.io.
- Local storage on device: sensitive fields (name, goal) encrypted via Android KeyStore / iOS Keychain before being written to disk.
- Backend logs: we do not log the content of questions or answers literally. Only lengths and technical metadata.
- Crashlytics: active sanitization removes any key that looks like PII (email, name, phone, personal user ID) before sending.
13. Cookies and identifiers
The Eureki mobile app does not use web cookies. It uses the following essential technical identifiers:
- Firebase UID — anonymous identifier to maintain your account
- RevenueCat appUserID — anonymous identifier to associate purchases
- Android device ID — automatically collected by Google Play Billing for purchase processing
None of these identifiers are shared with advertising networks.
14. Changes to this Policy
We may update this Policy to reflect changes to the service, new sub-processors, or legal requirements. We will notify you of material changes at the next app startup, with the effective date updated above.
If you continue to use Eureki after notification, we consider that you accept the new version. If you disagree, you can delete your account.
15. Contact
For any question, request, or complaint related to this Privacy Policy:
- Eureki Unipessoal Lda.
- Email: support@eureki.app
- Address: Olhão, Portugal
We respond to GDPR requests within a maximum of 30 days. This period may be extended by up to 2 months in complex cases.
Last updated: 2026-05-25.