Privacy Policy

Last updated: March 16, 2026

1. Who We Are

Burn2Earn is operated by Levelapp SRL, a company registered in Romania (collectively "we", "us", or "our"). If you have any questions about this Privacy Policy, please contact us at office@burn2earn.com.

2. Who This Policy Applies To

This Privacy Policy applies to all users of the Burn2Earn mobile application (iOS and Android). By using our app, you confirm that you are at least 18 years old. We do not knowingly collect personal data from individuals under 18. If you believe we have inadvertently collected data from a minor, please contact us and we will delete it promptly.

3. Data We Collect

3.1 Account Data

  • Full name and email address
  • Profile photo (optional, uploaded by you)
  • Password (stored as a BCrypt hash — we never store plain-text passwords)
  • OAuth identifiers when you sign in with Google, Facebook, or Apple

3.2 Fitness & Health Data

  • Step count, calories burned, active minutes — read from Apple HealthKit (iOS) or Google Fit / Health Connect (Android)
  • Challenge participation and completion records
  • Streak history

Important: Health data is used exclusively to calculate your points and display your progress. It is never sold, shared with advertisers, or used for any purpose other than operating the Burn2Earn service.

3.3 Financial Data

  • Points balance and transaction history
  • Subscription status (Basic / Premium)
  • Order history for redeemed rewards

We do not store your card details. All payment processing is handled by Stripe on its own PCI DSS-compliant infrastructure.

3.4 Technical Data

  • Device type, operating system version
  • App version, session duration
  • Push notification token (for sending you alerts)
  • IP address (used for rate limiting and fraud prevention)
  • Crash reports and error logs

4. How We Use Your Data

  Purpose                                     Legal basis (GDPR)
  Provide and operate the app service         Contract performance (Art. 6(1)(b))
  Calculate fitness points and challenges     Contract performance (Art. 6(1)(b))
  Process payments and subscriptions          Contract performance (Art. 6(1)(b))
  Send reward gift cards via Tremendous       Contract performance (Art. 6(1)(b))
  Send push notifications and emails          Consent / Legitimate interest (Art. 6(1)(a) / 6(1)(f))
  Fraud prevention and rate limiting          Legitimate interest (Art. 6(1)(f))
  Crash reporting and app stability           Legitimate interest (Art. 6(1)(f))
  Usage analytics to improve the app          Legitimate interest (Art. 6(1)(f))
  Comply with legal obligations               Legal obligation (Art. 6(1)(c))

5. Third Parties We Share Data With

We share your data only with the following third-party processors:

  Processor                       Purpose
  Stripe                          Payment processing and subscription billing
  Tremendous                      Gift card fulfillment for redeemed rewards
  Amazon Web Services (AWS S3)    Secure storage of user-uploaded images
  PostHog                         Anonymous usage analytics and feature usage tracking
  Sentry                          Crash reporting and error monitoring
  Google (OAuth)                  Social sign-in authentication
  Apple (Sign in with Apple)      Social sign-in authentication
  Meta (Facebook Login)           Social sign-in authentication

We do not sell your personal data to any third party.

6. Health Data — Special Category

Health and fitness data (steps, calories, activity) constitutes special category data under GDPR Article 9. We process this data solely on the basis of your explicit consent, granted when you first connect HealthKit or Google Fit within the app.

  • Health data is never used for advertising, profiling, or sold to any third party.
  • Health data is not shared with insurance companies or employers.
  • You can revoke HealthKit / Google Fit access at any time from your device settings.
  • Revoking access stops future data collection but does not delete previously processed data. To delete all your data, use the "Delete Account" option in the app.

7. Data Retention

  • Account data: retained while your account is active
  • Fitness data: retained while your account is active
  • Financial records: retained for 5 years after account closure (Romanian tax law obligation)
  • Crash logs / analytics: retained for 90 days
  • After account deletion, all personal data is permanently deleted within 30 days, except where legal retention obligations apply.

8. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the following rights:

  • Right of access — request a copy of the data we hold about you
  • Right to rectification — correct inaccurate data
  • Right to erasure — delete your account and all associated data via the "Delete Account" screen in the app, or by emailing us
  • Right to data portability — receive your data in a machine-readable format
  • Right to object — object to processing based on legitimate interest
  • Right to withdraw consent — withdraw consent for health data processing at any time
  • Right to lodge a complaint — with the Romanian Data Protection Authority (ANSPDCP) at www.dataprotection.ro

To exercise any of these rights, contact us at office@burn2earn.com. We will respond within 30 days.

9. Data Security

  • All data is transmitted over HTTPS/TLS
  • Passwords are hashed using BCrypt (cost factor ≥ 12)
  • JWT tokens are signed with a 512-bit secret
  • Access to production databases is restricted to authorised personnel only
  • AWS S3 buckets are not publicly accessible

10. International Data Transfers

Our servers are hosted within the EU. Some third-party processors (Stripe, AWS, PostHog, Sentry) may process data outside the EU. When this occurs, transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or the processor holds a valid adequacy decision.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via a push notification or email at least 14 days before the changes take effect. Continued use of the app after that date constitutes acceptance of the updated policy.

12. Contact

Levelapp SRL
Email: office@burn2earn.com