Legal

Privacy Policy

Last updated: 31 May 2026 · Effective: 31 May 2026

We built Pauza so you'd spend less time on your phone. That includes less time worrying about what happens to your data. This policy explains, in plain English, what we collect, why, where it lives, and the rights you have over it.

TL;DR — your Screen Time data stays on your device. We sync aggregate numbers (tokens, streaks, challenge progress) to our servers so multiplayer works. We don't sell anything to anyone. You can delete your account and all data at any time.

1. Who we are

This app and website are operated by A24Z LTD ("Pauza", "we", "us", "our") — a company registered in England and Wales at 128 City Road, London, EC1V 2NX, United Kingdom.

For the purposes of the UK GDPR and the Data Protection Act 2018, A24Z LTD is the data controller for personal data processed through Pauza.

Contact for privacy matters: info@pauza.ai

2. What we collect

2.1 Information you give us

Account info — email, display name, and (optionally) profile picture when you sign in via Apple ID.
Payment info — if you subscribe to Pauza PRO. Payments are processed by Apple via in-app purchase. We never see or store your card details.
User content — challenge messages, mood-journal entries, profile settings.

2.2 Device & usage data processed on-device

The following is read from Apple frameworks directly on your iPhone. Raw data never leaves your device.

Screen Time / DeviceActivity — per-app usage duration, app opens, timestamps. Used locally to calculate tokens, streaks, and challenge scores.
HealthKit — steps, distance, and active energy, only if you grant permission. Used to calculate step-bonus tokens.
Bluetooth — short-range proximity signals, only when you start a "meetup" session. No continuous scanning.
Notifications — delivery/open state for challenge reminders.

2.3 Data synced to our servers

To run multiplayer challenges, leaderboards, referrals, and cloud backup, we sync aggregates and identifiers, not raw timelines:

A coarse daily activity bucket (e.g. "low", "medium", "high") for the category you chose to track. We never sync exact minutes or per-app timelines.
Token balance, streak length, current Aura level.
Challenge records (participants, token commitment, start/end time, outcome).
Referral code, device model, iOS version, app version.
Crash and diagnostic logs (anonymised).

We do not sync the names or bundle identifiers of individual apps you use, nor per-minute logs. Bucket calculations happen on-device; only the final bucket label leaves your phone.

3. Why we process it (legal basis)

Under UK GDPR we rely on the following lawful bases:

Contract (Art. 6(1)(b)) — to provide the app features you signed up for: challenges, tokens, Aura, PRO subscriptions.
Legitimate interests (Art. 6(1)(f)) — to prevent fraud, secure the service, improve product reliability. Balanced against your rights.
Consent (Art. 6(1)(a)) — for optional integrations (HealthKit, Bluetooth, notifications, marketing emails). You can withdraw consent any time in settings.
Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and lawful requests.

4. Who we share it with

We share only the minimum needed, and only with processors that meet UK/EU data-protection standards:

Google Firebase / Firestore (EU regions) — authentication, database, cloud functions, crash reporting, push notifications, and the in-house analytics pipeline (Cloud Function ingestAnalytics writing to our own Firestore collection — no third-party analytics SDK is embedded in the app).
Apple — in-app purchase receipts and Sign in with Apple.
Sentry — anonymised crash and performance reports. Personal identifiers and on-device app identifiers are stripped before submission.
OpenAI — only when you actively request an AI insight; we send a short anonymised summary, never raw Screen Time data or personal identifiers.
fal.ai — only when you generate a custom avatar; we send your prompt and any reference image you choose, plus a non-identifying generation ID. We never include account identifiers, Screen Time data, or analytics.
Ad networks (only with your ATT consent) — when you allow tracking, Apple may share your device's IDFA with the ad networks listed in our app's SKAdNetworkItems entry (e.g. Meta, TikTok, Google, AppLovin, Unity) so they can attribute your install to the campaign that brought you here. See section 4a for details and how to opt out.

We do not sell, rent, or trade your personal data to any third party, ever.

4a. Advertising attribution (ATT, SKAdNetwork, Apple Search Ads)

If we run paid marketing campaigns, we need to know which ad brought you to Pauza — without that we can't justify the spend and we waste money on channels that don't work. We do this in the most privacy-preserving way Apple offers, and only for attribution. None of the data described in this section reveals your screen-time activity, app usage, or the contents of anything you do inside Pauza.

App Tracking Transparency (ATT) — on day 2 after install, your in-app companion mentions that Apple is about to ask about tracking and explains why. The actual choice is made on Apple's system prompt. If you tap Allow, Pauza can read your device's IDFA (Identifier for Advertisers); if you tap Ask App Not to Track, we do not access it. You can change your choice at any time in iOS Settings → Privacy & Security → Tracking.
What we do with the IDFA — when granted, the IDFA is shared with the ad networks listed in our SKAdNetworkItems so they can attribute your install to a specific campaign. It is never used to build a profile of your behaviour inside Pauza, and never combined with your Screen Time data.
SKAdNetwork — regardless of your ATT choice, Apple's SKAdNetwork framework sends a privacy-preserving "postback" to the ad network that delivered the ad (e.g. install / signup / trial / paid). The postback is aggregated and time-randomised by Apple before delivery; ad networks receive coarse conversion data, not your identity.
Apple Search Ads (AdServices) — if you arrived via an Apple Search Ads campaign, on first launch we ask Apple's AdServices API for an attribution token, exchange it with Apple for campaign metadata (campaign ID, ad group, keyword, click date), and store that metadata under your account on our backend so we can measure campaign performance.

You can opt out of the IDFA component at any time via iOS Settings. SKAdNetwork postbacks and Apple Search Ads attribution are managed by Apple and cannot be individually opted out of, but neither contains directly identifying information about you.

5. International transfers

Our primary infrastructure runs in EU and UK regions. Some processors (Apple, Sentry, OpenAI, fal.ai) may transfer data outside the UK/EEA. In those cases we rely on the UK International Data Transfer Agreement or Standard Contractual Clauses, plus supplementary safeguards.

6. How long we keep it

Account data — until you delete your account.
Challenge records — 2 years after challenge end, then anonymised.
Payment records — 6 years (required for UK tax law).
Analytics — maximum 26 months, anonymised.
Device-local data — for as long as the app is installed. Uninstalling the app deletes it.

7. Your rights

Under UK GDPR you have the right to:

Access — request a copy of your data.
Rectification — ask us to fix inaccurate data.
Erasure ("right to be forgotten") — delete your account and all associated data.
Restriction — limit how we process your data.
Portability — receive your data in a machine-readable format.
Object — to processing based on legitimate interests.
Withdraw consent — for anything we rely on consent for.

Most of these are a single tap in the app: Settings → Account → Export / Delete. Or email info@pauza.ai. We respond within 30 days.

If you're not happy with our response, you can complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.

8. Children

Pauza is not directed at children under 13 (under 16 in some EEA countries). We do not knowingly collect data from them. If you're a parent and believe your child gave us data, email us and we'll delete it.

9. Security

All traffic is encrypted in transit (TLS 1.2+). Data at rest is encrypted by our infrastructure providers. Payment data never touches our servers. We do regular security reviews. No system is bulletproof — if a breach affecting your data ever occurs, we will notify you and the ICO within 72 hours, as required by law.

10. Cookies & website analytics

Our website pauza.ai uses minimal first-party analytics to understand which features land with visitors. We do not use advertising cookies. If we add any non-essential cookies in the future, we'll ask for your consent via a banner first.

11. Changes to this policy

We'll update this page when practices change. Material changes will be announced in-app or via email at least 14 days before they take effect. The "Last updated" date at the top always reflects the current version.

12. Contact

A24Z LTD
128 City Road, London, EC1V 2NX, United Kingdom
info@pauza.ai