This is the privacy policy for Mr. Anxiety, an anxiety-management app. Because Mr. Anxiety processes information about your emotional state, breathing sessions, mood, and reflections, it handles what most privacy laws classify as mental-health data (GDPR Art. 9 special-category data; CCPA/CPRA sensitive personal information; Washington Consumer Health Data under MHMDA). Sensitive purposes that involve your mental-health data are subject to explicit, separately-collected consent before they are activated. The Terms of Use and EULA also apply.
Mr. Anxiety is not a medical device, not a substitute for professional mental-health care, and not for use in a crisis. If you are in crisis, contact your local emergency services or a mental-health helpline.
Who we are
Mr. Anxiety is operated by Chai Magal, sole proprietor, Shani 4, Modiin, Israel. We are the data controller. For privacy questions write to support@chaimagal.com.
What we may collect
| Category | Includes |
|---|---|
| Account | Email, hashed password, sign-in tokens, sign-up time |
| Sessions (mental-health data) | Breathing-session timing and patterns, mood deltas before/after, exercise selections, completion state |
| Reflections (mental-health data) | Notes, journal entries, prompts you respond to, tags you select |
| Communications | Support emails, in-app feedback, ratings |
| Usage | Feature interactions, session timing, errors, device/OS, language, time zone |
| Purchase status | Store receipt ID, product ID, subscription state |
| Inferred data | Patterns, segments, propensities derived from the above |
Mental-health data
Mood deltas, reflections you save, and the exercise patterns derived from your sessions are mental-health data. We process mental-health data only for the purposes you have explicitly consented to. Sensitive purposes — such as using mental-health data for AI training, advertising targeting, sharing with non-essential third parties, or selling — require separate, granular, affirmative opt-in and can be revoked at any time in Settings. The strictly-necessary purpose of operating the features you use does not require a separate opt-in beyond your use of the app.
Why we use it
We may process personal data for any of the following purposes (sensitive purposes applied to mental-health data require separate explicit consent, as described in section 3):
- Operating the app and the breathing/reflection/insight features you use; cross-device sync.
- Detecting and preventing abuse, fraud, scraping, and security incidents.
- Customer support and product feedback.
- Marketing communications where you opt in or where we have a legitimate interest balanced against your rights.
- Personalization, recommendations, and contextual content.
- Analytics, A/B testing, performance, error reporting, and user research.
- Building, training, fine-tuning, evaluating, and improving artificial-intelligence and machine-learning models — own and third-party — including via human review of representative samples (sensitive-purpose, requires explicit opt-in for mental-health data).
- Serving, measuring, and personalizing advertising and marketing, including for cross-context behavioral advertising (sensitive-purpose for mental-health data; requires explicit opt-in).
- Sharing with affiliates, present or future, and with successors in mergers, acquisitions, financing, asset sales, restructurings, or insolvency.
- Generating de-identified, aggregated, or anonymized data, which we may use, disclose, license, or sell for any purpose without further restriction.
- Compliance with law, including tax, accounting, regulator response, and breach notification.
- Any other purpose disclosed at the point of collection or to which you consent.
AI and machine learning
Today, the on-device summary and any in-app suggestion is produced by Gemma 3 270M-IT, a small language model by Google running on your phone. Nothing about the prompt or reply leaves the device for those features. The Gemma model is provided under Google's Gemma Terms of Use at ai.google.dev/gemma/terms.
We may add cloud-based AI features and may use the content you provide — prompts, outputs, reflections, mood data — to train, fine-tune, evaluate, and improve our and third-party AI/ML models, including via human review of representative samples by our personnel or contractors under confidentiality. Categories of AI providers we may engage are listed below; specific providers may change over time. Use of your mental-health data for AI training is a sensitive purpose and requires explicit, separately-collected opt-in consent that you can revoke at any time.
Where your data lives
Today, account, session, and reflection data live on Supabase (Ireland / EU) — Postgres database with row-level security keying every row to your user id. TLS in transit and encryption at rest. We may add or change cloud providers; categories of recipients are listed below.
Who we may share with
We may disclose personal data, in the categories above, to:
- Cloud, hosting, content-delivery, storage, backup, email, customer-support, and similar infrastructure providers (today: Supabase).
- Apple and Google — app distribution and in-app purchase processing.
- Analytics, error-reporting, observability, and product-research providers.
- Artificial-intelligence and machine-learning model providers, prompt-evaluation services, and human-review contractors (mental-health-data sharing requires explicit opt-in).
- Advertising networks, ad-measurement, attribution, retargeting, and marketing-automation providers, including for cross-context behavioral advertising (mental-health-data sharing requires explicit opt-in).
- Marketing-list providers, customer-data platforms, and email-delivery services.
- Push-notification gateways and consent-management platforms.
- Professional advisors — lawyers, accountants, auditors, insurers, consultants.
- Authorities, regulators, courts, and law enforcement, where we are legally compelled or where, in good faith, we believe disclosure is necessary to comply with legal process or to protect rights, property, or safety.
- Affiliates, present or future, and successors in mergers, acquisitions, financing, asset sales, restructurings, or insolvency proceedings.
- Other recipients to whom you direct us to share or to whom you consent.
Subscriptions and payments
Mr. Anxiety is free to install. Paid features may be offered as a one-time purchase or recurring subscription processed exclusively through the App Store or Google Play. We do not see or store card or bank details. Subscriptions auto-renew under the store's terms; you cancel in your Apple ID or Google account. Statutory withdrawal and cancellation rights (the EU 14-day right of withdrawal, the UK Consumer Contracts Regulations 2013, the Israeli Consumer Protection Law 5741-1981, California's Automatic Renewal Law, and Australian Consumer Law guarantees) are unaffected.
Advertising
Mr. Anxiety may, now or in the future, display advertising. Where ads are enabled we may work with third-party ad networks, ad-measurement, attribution, retargeting, and marketing partners, including for cross-context behavioral advertising as defined under California privacy law. We do not permit ad partners to target ads to you based on sensitive categories (mental-health, health, religion, political views, sexual orientation, precise geolocation) derivable from Mr. Anxiety. Use of mental-health data for advertising requires explicit opt-in. Users in the EU, EEA, UK, and Brazil will see an in-app consent prompt before non-essential ad tracking. Users in California and similar US states have a "Do Not Sell or Share My Personal Information" control in Settings; we honor Global Privacy Control (GPC) signals.
International transfers
Account, session, and reflection data are stored in the European Union. Transfers outside the EU/EEA and Israel are covered by an adequacy decision where one applies, or by the European Commission's 2021 Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent safeguards.
Retention and deletion
Sessions and reflections live until you delete them. Delete your account in Settings and every record is removed within 30 days. Backups containing your data roll off on their own lifecycle (up to 35 days). We may retain limited records as required for tax, accounting, fraud prevention, or defense of legal claims (typically up to seven years from last activity), and we may keep de-identified or aggregated data indefinitely.
Your rights
Subject to applicable law you have the right to access, rectify, delete, port, restrict, and object to processing of your personal data; to withdraw consent (without affecting processing already done); and to lodge a complaint with a supervisory authority. Most rights can be exercised in-app; for the rest, email support@chaimagal.com.
California rights and consumer health data
California residents have additional rights under CCPA/CPRA: access, deletion, correction, opt-out of "sale" or "sharing," limit use of sensitive personal information (including mental-health data), and non-discrimination. We honor Global Privacy Control (GPC) signals. To opt out by email, write to support@chaimagal.com with the subject "Do Not Sell or Share."
Washington residents (and others covered by My Health My Data Act) have rights to access, delete, withdraw consent for, and receive notice about our processing of consumer health data, including mental-health data. Sales of consumer health data require separate, signed valid authorization; we do not sell consumer health data.
Minors
Mr. Anxiety is intended for users 13 and older. Where the age of digital consent in your jurisdiction is higher (e.g. 16 in Germany, Ireland, the Netherlands, Poland, and several other EU member states), users below that age need parental consent. In California, users between 13 and 15 must opt in to "sale" or "sharing" rather than opt out. We do not knowingly collect personal data from children under 13.
What we will not do
We will not:
- Sell raw, identifiable personal data — including consumer health data and mental-health data — to data brokers (we may sell de-identified or aggregated data).
- Share personal data with insurers, employers, or law enforcement absent valid legal process or your consent.
- Use personal data for political-advertising targeting.
Security and changes
TLS in transit, short-lived rotating tokens, row-level security at the database, encryption at rest. If we become aware of a breach likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours where required and notify you without undue delay.
We may update this policy. The "Updated" date at the top reflects the latest revision. For material changes we will notify you in-app and, where we hold a verified email, by email, before the change takes effect.