Privacy Policy

Last updated: February 21, 2026

This policy explains transparently what personal data we collect on GoalGuardian, why, who we share it with, how long we keep it, and what your rights are. If anything is unclear, write to contact@goal-guardian.app.

1. Data controller

DKA Digital Tech LLC, a company registered in Dubai (United Arab Emirates) under trade license number 2538289.01, with registered office at Meydan Grandstand — 6th Floor, Al Meydan Rd, Nad Al Sheba, Nadd Al Shiba First, Dubai, United Arab Emirates.

For any data-protection question, contact: contact@goal-guardian.app.

GoalGuardian is available worldwide. When you use the service from the European Union, GDPR (Regulation (EU) 2016/679) applies to the processing of your data.

1. Data collected

We limit collection to what is strictly necessary. Full inventory:

  • Create my account email address, password (Argon2-hashed, never stored in plaintext), display name, preferred language.
  • Invite by email (optional) first name, last name, short bio, date of birth, gender, timezone, preferred currency. None of these fields is mandatory after account creation.
  • 1. Data collected habits you create and their check-ins, Digital Self bubbles, weekly snapshots, badges, points, last login, daily mood if you enter it.
  • User-generated content: messages exchanged with Astra (our AI coach), Digital Self notes, community posts and messages.
  • 3. Subscriptions and payments only your Stripe customer ID and subscription status. No card number is stored on our side.
  • 1. Data collected IP address (for security and anti-fraud), browser user-agent, server logs kept for a limited time.

Some data (mood, wellness habits, content of your notes) may fall under special categories within the meaning of GDPR Article 9 (health, psychological well-being). You freely choose to enter this information and you can delete it at any time.

3. Purposes and legal bases

2. PurposesGDPR legal basis
Creating and managing your accountContract performance (Art. 6(1)(b))
Provision of the Digital Self / Astra / Brain Connect serviceContract performance (Art. 6(1)(b))
Billing and subscription managementContract performance + legal obligation (Art. 6(1)(b)(c))
Transactional emails (password reset, security, account activity)Contract performance (Art. 6(1)(b))
Marketing emails, tips, product updatesConsent (Art. 6(1)(a)) — explicit opt-in, unsubscribe at any time
Anonymized usage analytics (Plausible, no cookies)Legitimate interest (Art. 6(1)(f))
Security, fraud prevention, community moderationLegitimate interest (Art. 6(1)(f))
Sensitive data (mood, health habits) entered by youExplicit consent (Art. 9(2)(a))

4. Subprocessors and data sharing

We work with a limited number of carefully selected providers. None receives more data than is necessary for its mission.

RenterStaff roleAuthentication
OpenAIAstra response generation, analysis for Digital Self report, Brain Connect suggestionsUnited States
AnthropicOptional: only if you use your own API key in Studio. No data sent otherwise.United States
StripePayment processing and subscription managementIreland / United States
SendGrid (Twilio)Sending transactional and marketing emailsUnited States
Heroku (Salesforce)Application hosting, databaseUnited States / EU
Plausible AnalyticsAnonymous audience statistics, no cookies (only if enabled)Germany (EU)
SentryCollection of technical errors and execution traces. User PII is never transmitted (send_default_pii disabled).Germany (EU)
GitHub, Strava, Discord, GoogleOAuth sign-in if you choose these options. We only receive the minimal data needed (email, name, ID).United States

We never sell your data. We never share it with any third party for advertising purposes.

5. International transfers and EU representative

GoalGuardian is operated from the United Arab Emirates. Some subprocessors are based in the United States. For users located in the European Union, these non-EU transfers are governed by the European Commission's Standard Contractual Clauses (SCCs), in accordance with GDPR Article 46.

Regarding the obligation to designate a representative in the Union (Article 27 GDPR), we rely on the exemption provided in Article 27(2)(a): our processing is occasional, does not involve large-scale processing of special categories of data (Article 9), and presents a limited risk to the rights and freedoms of individuals. This assessment is documented in an internal self-assessment, updated annually and triggered by specific thresholds (EU user volume, share of the user base, sensitive processing).

The technical measures supporting this assessment include: systematic pseudonymization of logs and analytics (an internal UUID identifier replaces the email wherever user identity is not strictly necessary), granular opt-out of mood tracking (Article 9 data), explicit opt-in for marketing emails, encryption of passwords (Argon2) and third-party keys (Fernet/AES-128), and account export and deletion directly accessible from the interface.

A copy of the applicable Standard Contractual Clauses, or the Article 27(2)(a) self-assessment, can be obtained on request at contact@goal-guardian.app.

4. Retention period

  • Active account: as long as your account exists.
  • After account deletion: immediate erasure of all personal data (full cascade in DB + deletion of the associated Stripe customer).
  • Billing data: kept 7 years after the last transaction to comply with applicable accounting and tax obligations.
  • Technical logs: 30 days maximum, except in case of security incident.
  • Backups: progressive erasure within 30 days after account deletion.

5. Your rights

Under GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — obtain a copy of all data we hold about you.
  • Modèles de notification (Art. 16) — correct any inaccurate information. Most fields are editable directly from your settings.
  • Right of erasure (Art. 17) — You can reactivate emails any time from your settings.
  • Right of restriction (Art. 18) — request suspension of processing of your data in certain cases.
  • Right of portability (Art. 20) — download all your data in a structured JSON format via the "Export my data" button.
  • Right to object (Art. 21) — object to processing based on legitimate interest, including marketing communications.
  • Method not allowed. (Art. 22) — Astra and the Digital Self report generate suggestions, never decisions with legal effect. You can always contest a recommendation and request human review via support.

To exercise a right, write to contact@goal-guardian.app. We respond within 30 days maximum.

If you reside in the European Union and feel your rights are not being respected, you may file a complaint with a supervisory authority. In France, this is the CNIL (3 Place de Fontenoy, 75007 Paris — cnil.fr). For other EU countries, the list of authorities is available on the EDPB website.

8. Automated decision-making and AI

Astra (our AI coach), the Digital Self report and Brain Connect suggestions rely on language models (primarily OpenAI gpt-4o-mini). These features produce recommendations, not decisions with legal effect on you. The content of your exchanges with Astra is sent to OpenAI for the time needed to generate the reply.

To limit exposure, the Digital Self PDF report sends only aggregated counters to OpenAI (no first name, no date of birth, no entry labels). For other AI calls, only strictly necessary data is transmitted.

Ops & security

  • Passwords: Argon2 hashing (state-of-the-art, never stored in plaintext).
  • Third-party API keys you provide (Studio): encrypted in DB with Fernet (AES-128).
  • Transport: HTTPS / TLS exclusively, HSTS enabled.
  • Data access: restricted to strictly authorized personnel.

10. Minors

GoalGuardian is reserved for people 15 and older. This threshold matches the digital-consent age set by France. At signup, you confirm you have reached this age. If we discover an account has been opened by a minor under 15 without parental consent, we will delete it.

Cookies

See our cookie policy for the list of cookies used and how to manage your consent.

Notifications

This policy may change. For any significant change, we will notify you by email or via an in-app notification at least 30 days before it takes effect. The date of the last update is shown at the top of this page.

6. Contact

For any question about this policy or your data: contact@goal-guardian.app.