GDPR Information

This page explains how GentleStep processes personal data for users in the European Economic Area (EEA), the United Kingdom, and Switzerland under the General Data Protection Regulation (GDPR) and related laws. It complements our Privacy Policy.

GentleStep is the controller for the personal data we process to provide the GentleStep service.

You can export your data, delete your account, and manage consents in the app settings. For GDPR/privacy questions, contact [email protected].

Depending on how you use GentleStep, we may process:

• Account and identity data: name, email, and login identifiers from sign-in providers (e.g. app-scoped IDs).
• App data you provide: taper plans, schedules, notes, reminders, and related progress/history you store in the app.
• Purchase/subscription data: transaction identifiers and subscription status from payment platforms.
• Support communications: messages you send to support and our replies.
• Technical data: basic device/browser information and IP address for security, fraud prevention, and service reliability.

Health-related data: information you enter about medications, doses, or tapering can be considered health data (a special category of personal data under GDPR).

We process personal data for the following purposes and legal bases:

• Provide the service (account access, sync, core features): contract (GDPR Art. 6(1)(b)).
• Customer support: contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)).
• Security and abuse prevention: legitimate interests (Art. 6(1)(f)).
• Billing, accounting, and compliance (where applicable): legal obligation (Art. 6(1)(c)).
• Optional notifications and reminders you configure: contract (Art. 6(1)(b)) and/or consent where required (Art. 6(1)(a)).

For health-related data you enter, we process it to provide taper planning features based on your explicit consent (GDPR Art. 9(2)(a)). You can withdraw consent in the app settings; withdrawing consent blocks health features until you re-grant consent.

We do not sell personal data. We share data only with service providers (processors) needed to run GentleStep, such as:

• Authentication providers (Apple, Google, Facebook) to support sign-in
• Payment processing (Stripe) for web subscriptions
• Email delivery (SendGrid) for account and notification emails
• Hosting and infrastructure (DigitalOcean App Platform; managed Postgres)
• Push notification delivery (Apple APNs, Google FCM)
• Optional AI providers (OpenAI) only when you opt in

Contact us if you need a copy of our processor agreements or the latest subprocessor list.

Our service providers may process data outside the EEA/UK/Switzerland. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and other lawful transfer mechanisms with providers like Stripe (payments), SendGrid/Twilio (email), OpenAI (optional AI features, opt-in), and infrastructure/hosting vendors (e.g., DigitalOcean). Authentication providers (Apple/Google/Facebook) also process data under their standard transfer mechanisms and SCCs where applicable.

GentleStep uses only essential cookies to maintain secure sessions (e.g., refresh tokens for sign-in). We do not use analytics, advertising, or cross-site tracking cookies.

You may block cookies in your browser, but this can prevent login/session persistence.

We keep your account data while your account is active. If you request deletion, we delete or anonymize your personal data unless we must retain certain records to meet legal obligations (e.g. accounting).

Data deletion instructions for connected sign-in providers are available at gentlestep.app/data-deletion.html.

Backups are retained 30–90 days for disaster recovery and are not used to restore deleted accounts. If a backup must be restored, previously completed deletions will be re-applied.

Commerce/gifting: invite emails and claim codes are stored only as needed (claim codes are hashed and encrypted); Stripe subscription/payment references are kept for billing. Commerce records are retained for up to 12 months for accounting/support and then redacted (invite email, claim codes, Stripe IDs).

Subject to applicable law, you can request:

• Access to your personal data
• Rectification of inaccurate data
• Erasure (deletion) of your data
• Restriction of processing
• Portability (export) of your data
• Objection to processing based on legitimate interests
• Withdraw consent at any time (where processing is based on consent)

Many requests can be initiated from the app settings (export, deletion, consent management). If you need assistance, email [email protected]. We may need to verify your identity.

If you are in the EEA/UK/Switzerland, you may lodge a complaint with your local data protection authority. We encourage you to contact us first so we can try to resolve your concern quickly.

GentleStep does not use automated decision-making or profiling that produces legal or similarly significant effects about you within the meaning of GDPR Art. 22.

While we strive for accuracy, GentleStep cannot guarantee that the content on this page is free from errors, omissions, or typographical mistakes. We reserve the right to update or modify this information at any time without prior notice.