Privacy Policy
Who We Are
Stimly (“we”, “us”, “our”) is an intelligent caffeine tracking application available on iOS, Android, and Web. Stimly is operated as an independent product. For all privacy-related matters, the data controller is reachable at privacy@stimly.me.
This Privacy Policy describes how Stimly collects, uses, stores, and protects your personal data when you use the Stimly application and services. It applies to all platforms: iOS app, Android app, and the web application at stimly.me.
If you are located in the European Economic Area (EEA) — including Poland — your data is processed in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR). This policy is written to satisfy both GDPR requirements and Apple App Store privacy disclosure requirements.
What Data We Collect
We collect only the data necessary to provide Stimly’s core features. Below is a complete inventory.
2.1 Account Data
When you create a Stimly account, we collect your email address, used solely for authentication and account recovery. If you sign in with Apple or Google, we receive the identifier and basic profile information (such as email, and a name only if you choose to share it) from that provider. We do not require your real name.
2.2 Caffeine Intake History
Every drink you log in Stimly is stored, including: drink name, category, caffeine amount (mg), number of servings, timestamp of consumption, metabolic mode (e.g. lipid delayed, organic buffered), and any sipping duration. This data is the core of the Stimly service — without it, the pharmacokinetic simulation cannot function.
2.3 Biometric & Health Data
GDPR Article 9 — Special Category Data. The following fields constitute health data under GDPR. They are collected only with your explicit, informed consent and are processed solely to power Stimly’s personalised metabolism engine. You may use Stimly without providing this data; doing so reduces the precision of caffeine curve predictions.
| Field | Purpose | Required for PRO |
|---|---|---|
| Age | CYP1A2 clearance decline — hepatic caffeine metabolism slows ~0.6%/year after age 30 | Yes |
| Weight | Volume of Distribution (Vd) calculation — determines how caffeine distributes through lean body mass | Yes |
| Biological sex | Vd coefficient (male: 0.60 L/kg, female: 0.55 L/kg) and hormonal modifier logic | Yes |
| Pregnancy status & trimester | Caffeine half-life triples in third trimester; safety thresholds adjusted accordingly | Free |
| Smoking status | CYP1A2 induction — smokers metabolise caffeine ~30% faster (×0.7 half-life) | Free |
| Hormonal contraception | CYP1A2 inhibition — increases caffeine half-life by up to 75% (×1.75) | Free |
| Metabolic profile (ADORA2A quiz) | Genetic proxy for adenosine receptor sensitivity and CYP1A2 clearance — calibrates fast/standard/slow profile | Yes |
2.4 App Settings & Preferences
We store your in-app preferences including: daily caffeine limit, target sleep time, metabolism base profile, notification preferences (Focus Exit Warning, Sleep Readiness Alert), preferred unit system (metric/imperial), and language preference (EN/PL).
2.5 Subscription Data
If you purchase Stimly PRO, we store your subscription tier, subscription status (active/cancelled/expired), and subscription expiry date. Payment and billing data (card details, billing address) is handled exclusively by our payment providers — Stripe for web purchases, and Apple (managed via Adapty) for in-app purchases on iOS. This data is never transmitted to or stored by Stimly servers. See Section 5 for details.
2.6 Product Analytics
With your consent, we collect pseudonymous usage events to understand how Stimly is used and where improvements are needed. These events include: app installation, first drink logged, PRO upgrade modal views, and checkout initiation. Events are keyed to a pseudonymous identifier rather than your name, and never include your health or biometric data. See Section 8 for full detail on analytics and your opt-out rights.
2.7 Technical & Diagnostic Data
We may collect device type (iOS/Android/Web), operating system version, and app version for the purpose of diagnosing crashes and ensuring compatibility. This data is not linked to your identity.
Legal Basis for Processing (GDPR)
For users in the EEA, each category of data we process has a documented legal basis under GDPR Article 6 or Article 9.
| Data Category | Legal Basis | GDPR Article |
|---|---|---|
| Email address (authentication) | Performance of a contract — necessary to provide the Stimly service | Art. 6(1)(b) |
| Caffeine intake history | Performance of a contract — the core service cannot function without it | Art. 6(1)(b) |
| Biometric & health data (age, weight, sex, pregnancy, smoking, contraception, genetics) | Explicit consent — special category data under GDPR Article 9; you are asked for consent before this data is collected | Art. 9(2)(a) |
| App settings & preferences | Performance of a contract — necessary to personalise the service | Art. 6(1)(b) |
| Subscription data | Performance of a contract — necessary to manage your PRO subscription | Art. 6(1)(b) |
| Product analytics | Consent — you are asked separately for analytics consent and may decline without losing app functionality | Art. 6(1)(a) |
| Technical & diagnostic data | Legitimate interest — necessary to maintain the security and stability of the service | Art. 6(1)(f) |
You may withdraw any consent given at any time. Withdrawal of consent does not affect the lawfulness of processing that occurred before withdrawal. See Section 7 for how to exercise your rights.
How We Use Your Data
Core service operation
Your caffeine log, biometric profile, and settings are used exclusively to run Stimly’s pharmacokinetic simulation — modelling caffeine absorption, peak concentration, and elimination in real time across 8 metabolic archetypes. This calculation happens on our servers (Supabase, EU region) and the results are returned to your device.
Personalised metabolism modelling
If you provide biometric data, it is used to calculate your personalised caffeine half-life, Volume of Distribution, and metabolic modifiers. This data is never used for advertising, profiling for third-party purposes, or sold in any form.
Smart notifications
If you enable Smart Alerts, Stimly uses your caffeine curve data and target sleep time to schedule local device notifications — a Focus Exit Warning when active caffeine drops below 50 mg, and a Sleep Readiness Alert when it reaches approximately 35 mg. Notification scheduling happens on your device; no additional data is transmitted to our servers for this purpose.
Subscription management
We use your subscription data to determine which features you can access (Free vs. PRO tier) and to verify subscription status. This is enforced server-side via Supabase Row Level Security policies.
Service improvement
With your consent, pseudonymous analytics events are used to identify which features are most used, where users encounter friction, and what improvements to prioritise. These events do not include your health or biometric data and are not used to build a marketing profile of you.
We do not use your data for: targeted advertising, selling to data brokers, training external AI models, or any purpose not listed in this policy.
Data Processors & Third Parties
We use the following third-party data processors to operate Stimly. All processors are bound by data processing agreements and are prohibited from using your data for their own purposes.
| Processor | Role | Data Shared | Region |
|---|---|---|---|
| Supabase (supabase.com) | Database & authentication infrastructure | All user data stored in Stimly (caffeine log, biometrics, settings, subscription status) | EU — Frankfurt, Germany |
| PostHog (posthog.com) | Privacy-friendly product analytics | Pseudonymous usage events only (no health data, no biometrics). Only collected with your explicit consent. | EU — Frankfurt, Germany |
| Stripe (stripe.com) | Payment processing for web purchases | Email address, subscription tier, and the payment & billing details you enter at checkout. Stripe handles all card data; Stimly never receives or stores card numbers. | EU — Stripe Payments Europe (Ireland); some processing may occur in the US under Standard Contractual Clauses |
| Adapty (adapty.io) | Mobile subscription management (iOS in-app purchases) | A pseudonymous app user ID, subscription receipts, and entitlement status. No card data (handled by Apple). | United States (Standard Contractual Clauses) |
| Apple (apple.com) | App Store distribution & In-App Purchase billing (iOS) | Payment and billing data for in-app purchases, handled entirely by Apple under your Apple ID. Stimly receives only the resulting subscription status. | United States / global (Apple's own privacy terms apply) |
| Open Food Facts (openfoodfacts.org) | Barcode product lookup (when you scan a drink) | Only the scanned product barcode is sent to look up drink details. No account, health, or biometric data is shared. | EU — France (non-profit open database) |
| Hostinger (hostinger.com) | Web & landing site hosting | Standard server access logs (including IP address) generated when you visit stimly.me or stimly.app. | EU |
We do not sell your data to any third party. We do not share your data with advertising networks, data brokers, or social media platforms.
We may disclose your data if required to do so by law or by a valid order from a competent authority, but only to the minimum extent required.
Data Retention
| Data Type | Retention Period |
|---|---|
| Account & authentication data | Until you delete your account |
| Caffeine intake history | Until you delete your account or manually clear history |
| Biometric & health data | Until you delete your account or revoke consent |
| App settings & preferences | Until you delete your account |
| Subscription records | 7 years from transaction date (tax and accounting legal requirement) |
| Anonymous analytics events | 12 months (PostHog default; not linked to your identity) |
| Backups | Deleted within 30 days of account deletion |
When you delete your account (see Section 7), all personal data is permanently deleted from our systems and from Supabase within 24 hours. Subscription transaction records are retained for the legally required period but contain no health or biometric data.
Your Rights
Under GDPR, you have the following rights regarding your personal data. These apply to all users, and we provide in-app tools to exercise them without needing to contact us.
Right of access
You have the right to know what personal data we hold about you. You can export a complete copy of your data at any time from Settings → Privacy & Data → Export my data. The export is delivered as a structured JSON file within seconds.
Right to erasure (“right to be forgotten”)
You have the right to request permanent deletion of all your personal data. You can do this at any time from Settings → Privacy & Data → Delete my account. This action is irreversible and immediately deletes all data from Stimly’s systems including your caffeine history, biometric profile, and account. You will be logged out and unable to recover the data.
Right to rectification
You can update any data Stimly holds about you directly within the app — your biometric profile, settings, and preferences are all editable in Settings.
Right to withdraw consent
You may withdraw consent for biometric data processing or anonymous analytics at any time from Settings → Privacy & Data. Withdrawal of consent for biometric data means Stimly will revert to a standard (non-personalised) metabolism model. It does not affect data already processed.
Right to data portability
Your data export (see Right of Access above) is provided in JSON format, which is machine-readable and can be imported into other services.
Right to object
You may object to processing based on legitimate interest (diagnostic/technical data) by contacting us at privacy@stimly.me.
Right to lodge a complaint
If you believe we have not handled your data correctly, you have the right to lodge a complaint with your national data protection authority. For users in Poland, this is the Urząd Ochrony Danych Osobowych (UODO) at uodo.gov.pl. For users in other EU member states, please contact your national supervisory authority.
Analytics & Tracking (ATT)
PostHog analytics
Stimly uses PostHog, a privacy-friendly analytics platform hosted in the EU, to collect pseudonymous usage data. Analytics are used solely to understand feature usage and improve the app. PostHog is configured with the following privacy settings: no cookie storage (localStorage only), no cross-site tracking, no session recording, and no sharing with advertising networks.
Apple App Tracking Transparency (ATT)
On iOS, Apple requires us to request permission before collecting any data that could be used for tracking across apps and websites. When you first open Stimly on iOS, you will be shown an explanation of what analytics data is collected and why, followed by Apple’s standard permission dialog.
If you allow tracking: pseudonymous usage events (feature interactions, screen views) are sent to PostHog. No health data or biometric data is included in these events.
If you deny tracking: no analytics events are collected. All app features, including PRO features, remain fully functional. Your decision has no effect on the quality of your Stimly experience.
What we do not do
Stimly does not use your data for targeted advertising. We do not share data with advertising networks, social media platforms, or data brokers. We do not use cross-app tracking. The analytics we collect are not used to identify you personally or to track you across other apps and websites.
Changing your preference
On iOS, you can change your ATT decision at any time in your device’s Settings → Privacy & Security → Tracking. Within the app, you can toggle anonymous analytics from Settings → Privacy & Data → Anonymous analytics.
Children’s Privacy
Stimly is not directed at children under the age of 13, or under the age of 16 in the European Economic Area. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data without parental consent, please contact us at privacy@stimly.me and we will delete the data promptly.
Note: Stimly’s pregnancy trimester modifier and other health modifiers are designed for adult use. Users under 18 should consult a parent or guardian before using the advanced biometric features.
Medical Disclaimer
Stimly is a personal tracking and information tool. It is not a medical device and does not provide medical advice, diagnosis, or treatment recommendations. The pharmacokinetic models used in Stimly are based on published scientific research and are intended for informational purposes only.
Caffeine affects individuals differently. The predictions generated by Stimly are estimates based on population-level research and your self-reported biometric profile. They are not a substitute for professional medical advice.
If you are pregnant, have a cardiovascular condition, are taking medication that may interact with caffeine, or have any other health concern, please consult a qualified healthcare professional before making decisions based on Stimly’s output.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes — such as collecting new categories of data, adding new data processors, or changing the legal basis for processing — we will notify you via an in-app consent prompt (which will require you to review and re-accept the updated terms), update the “Last updated” date at the top of this document, and increment the consent version stored against your account.
Changes that are purely cosmetic (rewording, formatting, corrections that do not affect data practices) will be reflected in the document without triggering a re-consent prompt.
We encourage you to review this policy periodically. Continued use of Stimly after notification of changes constitutes acceptance of the updated policy, except where re-consent is legally required.
Contact & Data Requests
For any privacy-related questions, data subject requests, or concerns, please contact us:
Email: privacy@stimly.me
Subject line for data requests: “Data Request — [your request type]” (e.g. “Data Request — Deletion”, “Data Request — Export”)
Response time: We aim to respond to all privacy-related requests within 72 hours, and to complete all GDPR data subject requests within 30 days as required by law.
In-app tools: For the fastest response, account deletion and data export are available directly in Settings → Privacy & Data and do not require contacting us.
United States Users
Applicability of US privacy laws
Stimly is available to users in the United States. This section supplements the rest of this Privacy Policy with information relevant to US-based users. In the event of a conflict between this section and the rest of the policy, the terms most protective of your privacy apply.
California residents — CCPA/CPRA
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants California residents specific rights regarding their personal information. At Stimly’s current scale, we do not meet the thresholds that trigger mandatory CCPA compliance (100,000+ consumers processed annually, or revenue derived from selling personal data). However, we voluntarily extend the following rights to all California residents:
Right to know: You have the right to know what personal information we collect, use, and share. This is documented in full in Section 2 of this policy.
Right to delete: You have the right to request deletion of your personal information. This is available directly in the app at Settings → Privacy & Data → Delete my account, with no need to contact us.
Right to correct: You have the right to correct inaccurate personal information. All your data is editable directly within the app.
Right to opt out of sale or sharing: Stimly does not sell your personal information, and does not share it with third parties for cross-context behavioural advertising. There is nothing to opt out of.
Right to non-discrimination: Stimly will not discriminate against you for exercising any of your privacy rights. Exercising these rights has no effect on the features or quality of service available to you.
To exercise any California privacy right not covered by in-app tools, contact us at privacy@stimly.me with the subject line “CCPA Request — [request type]”. We will respond within 45 days as required by law.
Other US state privacy laws
Several US states have enacted consumer privacy legislation, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Texas (TDPSA), among others. These laws share significant overlap with GDPR — covering rights of access, deletion, correction, and opt-out from data sales. As Stimly does not sell personal data and already provides in-app tools for access, deletion, and correction, we are aligned with the core requirements of these frameworks. If your state has enacted a privacy law that grants rights not addressed in this policy, please contact us at privacy@stimly.me and we will respond in good faith.
HIPAA — important clarification
Stimly is not a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA applies to healthcare providers, health plans, and their business associates — not to consumer wellness applications. The biometric and caffeine data you enter into Stimly is not protected health information (PHI) under HIPAA, and Stimly makes no representation that it provides HIPAA-compliant data handling.
This does not diminish the protections we provide. Your health and biometric data is protected under GDPR Article 9 (if you are an EEA resident) and under the terms of this policy regardless of your location. We simply want to be transparent that the specific HIPAA framework does not apply to consumer caffeine tracking applications, and any app claiming HIPAA compliance in this context should be viewed with scepticism.
Data transfers from the US
Stimly’s core infrastructure is hosted in the EU (Supabase and PostHog, both in Frankfurt, Germany), where your account and caffeine data are stored. Some payment and subscription processors operate in the United States — Adapty and Apple, and Stripe may process certain payment data in the US. Where data is transferred outside the EEA, it is protected by appropriate safeguards such as the European Commission’s Standard Contractual Clauses. As a US-based user, your core account data is stored in the European Union and benefits from GDPR infrastructure standards.