Privacy Policy — Eureki
Version: 1.2 · Effective date: 2026-06-30
1. Data controller
The Eureki application is provided by:
- Eureki Unipessoal Lda.
- Registered address: Olhão, Portugal
- Contact: support@eureki.app
To exercise any right under this Policy or clarify questions about how your data is processed, contact us at the email above.
2. Scope
This Policy applies to the Eureki mobile application (Android package
app.eureki), the associated backend (api.eureki.app), the public
website (eureki.app) and all content, features, and services provided
by Eureki Unipessoal Lda.
It does not apply to third-party websites, external dashboards (Google Play Store, RevenueCat, Firebase Console) or sub-processor services with their own policies.
3. Personal data we collect
3.1 Data you provide directly
- Email (when you create an account with email/password or Google) — used for authentication and contact; stored in Firestore associated with your UID
- Name (optional) — used to personalize the mentor's messages
- Learning goal (required) — basis for generating your plan
- Experience level (zero / beginner / experienced) — calibrates content
- Messages sent to Ask Eureki chat — to reply and keep context
- Notes you create inside the app — stored only on device
3.2 Data collected automatically
- Firebase identifier (UID) — generated on first launch for authentication. May be anonymous (no email) or linked to email/Google when you create an account
- Usage progress — steps completed, streak, and current plan stage, stored locally on the device and replicated to Firestore for cross-device sync
- Crash diagnostics — technical stack trace via Firebase Crashlytics, with prior sanitization removing any personal information
- Operational telemetry — technical events sent to the backend (latencies, errors, aggregated counters) without literal content of questions or answers
- Subscription purchase info — product, price, currency, country, dates, via RevenueCat + Google Play Billing
- App version, build number, system locale, IP address (temporarily logged on the backend for diagnostics and security)
- App usage events (Firebase Analytics) — app opens, onboarding
completion, daily-drop starts and completions, and subscription —
collected in aggregate form and associated with an anonymous
identifier (
app_instance_id), with no link to your personal identity. Used to measure retention and improve the service.
3.3 Data we do NOT collect
- We do not collect GPS location nor access mobile/Wi-Fi network info for geolocation
- We do not access contacts, photos, videos, or other device files
- We do not use microphone, camera, or biometric sensors
- We do not share data with advertising intermediaries or data brokers
4. How we use your data
4.1 Primary purposes (contract performance)
- Deliver personalized mentorship through daily micro-steps
- Generate plans and daily drops adapted to your goal, language and level
- Process your Ask Eureki questions with context
- Process Pro subscriptions and trials via Google Play / RevenueCat
4.2 Legitimate interest
- Diagnose failures and crashes to improve stability
- Protect the service against abuse (per-user rate limiting)
- Aggregate usage analysis to prioritize improvements (no individualized decisions)
4.3 Legal obligations
- Retain purchase data for the period required by Portuguese tax law (7 years)
- Respond to requests from competent authorities when legally required
5. Legal basis (GDPR Art. 6)
- Art. 6(1)(b) (contract performance) — for all core features (mentorship, Ask, Pro)
- Art. 6(1)(f) (legitimate interest) — for Crashlytics, rate limiting, security, and aggregate analysis
- Art. 6(1)(c) (legal obligation) — for tax retention of purchases
- Art. 6(1)(a) (consent) — when applicable, e.g. optional push notifications (not currently implemented)
6. Automated decision-making and profiling (GDPR Art. 22)
Eureki uses large language models (LLMs) from sub-processors OpenAI (United States) and Mistral AI (France) to generate:
- Your learning plan map (3-phase structure)
- The detailed content of each daily drop (step, tips, examples)
- Replies to Ask Eureki
This processing produces no legal effects nor significantly affects your rights. It is pedagogical and suggestive, never binding.
You can always: - Contact us to request human review of any plan or reply - Change goal, level, or language to regenerate content - Delete your account and stop all processing (see Section 10)
7. Sub-processors
We share the minimum necessary data with:
| Sub-processor | Country | Function | Data shared |
|---|---|---|---|
| Firebase / Google Cloud | United States (multi-region) | Anonymous auth, Firestore, Crashlytics, Analytics (aggregated usage events) | Firebase UID, crash reports without PII, anonymous usage events (app_instance_id) |
| Fly.io | European Union (Amsterdam) | Backend hosting | All backend traffic, IP |
| OpenAI | United States | AI generation of plans, drops, Ask replies | Goal, question, name (optional), short history |
| Mistral AI | European Union (France) | AI generation (Free tier, fallback) | Same fields as OpenAI |
| RevenueCat | United States | Subscription management | Anonymous identifier, purchase data |
| Google Play Billing | United States | Payment processing | Transaction, currency, country, payment method |
| SendGrid (or generic SMTP) | United States | Support emails (only when you send a bug report) | Bug description, technical metadata |
| Cloudflare, Inc. | United States + global edge | Hosting of the public website (eureki.app, eureki-website.pages.dev) and CDN |
HTTP requests from website visitors: IP, user-agent, requested URL. Policy: cloudflare.com/privacypolicy |
Each sub-processor has its own privacy policy, which binds you directly with them.
8. International data transfers
Some sub-processors (OpenAI, Firebase/Google, RevenueCat, Google Play Billing, SendGrid, Cloudflare) process data outside the European Economic Area (EEA), specifically in the United States.
These transfers are governed by the Standard Contractual Clauses (SCCs) approved by the European Commission, which ensure an adequate level of protection.
You can contact us to obtain a copy of the applicable SCCs.
9. Data retention
- Local data on your device: kept until app uninstall or manual cleanup in Settings → Privacy & Data.
- Remote data on Fly.io backend (goal, short conversation history, long-term memory files): deleted immediately when you use "Delete account" in the app. Inactivity greater than 12 months is a candidate for proactive anonymization.
- Firestore (
users/{uid}and subcollections): deleted immediately via "Delete account". - Firebase Crashlytics: retained for 90 days (Firebase default policy); per-user deletion requires manual request via Firebase Support.
- RevenueCat and Google Play Billing: retained while the subscription is active + 7 years for Portuguese tax obligations.
- Backend logs: retained for 30 days for diagnostics, with IP addresses anonymized/aggregated after 7 days.
10. Your rights (GDPR Arts. 15 to 22)
You can exercise the following rights at any time:
- Right of access — obtain a copy of your data (email to support@eureki.app)
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten") — via Settings → Privacy & Data → Delete account and data, or by email
- Right to data portability — receive your data in structured format (JSON) within 30 days (email to support@eureki.app)
- Right to object — oppose processing based on legitimate interest
- Right to restriction of processing — in specific circumstances
- Right not to be subject to automated decisions with legal effects (see Section 6 — currently not applicable because Eureki produces no such decisions)
You may also lodge a complaint with the CNPD (Portuguese data
protection authority, cnpd.pt), the supervisory authority in Portugal.
Users residing in other EU Member States may instead contact the data
protection authority of their country of residence.
Data Protection Officer (DPO): Eureki Unipessoal Lda. is not required to appoint a DPO under GDPR Art. 37, given the volume and nature of the processing. All data-protection requests are handled directly by company management through the email above.
11. Minors
Eureki is not directed to children under 16. We do not knowingly collect data from children. If you are a parent or guardian and believe your child has provided us with data, contact us at support@eureki.app for immediate deletion.
12. Security
- Communications: TLS 1.2 or higher on all network calls. Backend rejects cleartext in production.
- Remote storage: encryption at rest applied by Firebase and Fly.io.
- Local storage on device: sensitive fields (name, goal) encrypted via Android KeyStore / iOS Keychain before being written to disk.
- Backend logs: we do not log the content of questions or answers literally. Only lengths and technical metadata.
- Crashlytics: active sanitization removes any key that looks like PII (email, name, phone, personal user ID) before sending.
13. Cookies and identifiers
The Eureki mobile app does not use web cookies. It uses the following essential technical identifiers:
- Firebase UID — anonymous identifier to maintain your account
- RevenueCat appUserID — anonymous identifier to associate purchases
- Android device ID — automatically collected by Google Play Billing for purchase processing
- Firebase app_instance_id — anonymous app-instance identifier, used by Firebase Analytics to measure aggregate usage; not linked to your identity nor shared with advertising networks.
None of these identifiers are shared with advertising networks.
14. Changes to this Policy
We may update this Policy to reflect changes to the service, new sub-processors, or legal requirements. We will notify you of material changes at the next app startup, with the effective date updated above.
If you continue to use Eureki after notification, we consider that you accept the new version. If you disagree, you can delete your account.
15. Contact
For any question, request, or complaint related to this Privacy Policy:
Eureki Unipessoal Lda. Email: support@eureki.app Address: Olhão, Portugal
We respond to GDPR requests within a maximum of 30 days. This period may be extended by up to 2 months in complex cases.
Last updated: 2026-07-06.