Privacy Policy

Last updated: March 10, 2026

MVAT Studio ("we", "us", "our") operates the MVAT Focus mobile application (the "App"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use the App. By using the App, you consent to the practices described in this policy.

1. Data Controller

The data controller responsible for your personal data is:

MVAT Studio
Email: privacy@mvat.ai

For any privacy-related inquiries or data subject requests, contact us at the email address above. We will respond within 30 days of receiving your request.

2. Information We Collect

Account Data

When you sign in with Google or Apple, we receive:

• Your email address
• Your display name (if provided by the identity provider)
• A unique user identifier from the identity provider

If you continue without an account, we create an anonymous Firebase Auth session. No personal information is collected in anonymous mode.

Timer & Usage Data

• Focus session durations and completion status
• Timer settings (focus, short break, long break durations)
• Session history (stored in Firestore for signed-in users, or locally on your device for anonymous users)

Purchase Data

• Purchase status (free tier or Pro tier)
• Purchase receipts from Apple App Store or Google Play (processed server-side for validation only)
• If using Stripe: a Stripe customer ID linked to your Firebase account. We never see or store full payment card details — all payment processing is handled by Stripe.

Device & Technical Data

• Device type, operating system, and version
• App version
• Crash reports and performance diagnostics (if applicable)

3. Legal Basis for Processing

We process your personal data under the following legal bases (as applicable under GDPR and similar laws):

• Contract performance: Processing necessary to provide the App and its features, manage your account, sync timer data, and fulfill purchases.
• Legitimate interest: Processing necessary for improving the App, preventing fraud, ensuring security, and maintaining service quality. We balance these interests against your rights and freedoms.
• Consent: Where required by law, we obtain your consent before processing (e.g., for optional analytics). You may withdraw consent at any time without affecting the lawfulness of prior processing.
• Legal obligation: Processing necessary to comply with applicable laws, regulations, or legal proceedings.

4. How We Use Your Information

• To provide, operate, and maintain the App
• To sync your timer data across devices (signed-in users)
• To process and validate purchases
• To manage your account and respond to data requests
• To detect, prevent, and address technical issues or security incidents
• To comply with legal obligations

We do not sell your personal information. We do not use your data for advertising or profiling.

5. Automated Processing

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you. Purchase validation is automated but serves only to confirm transaction legitimacy.

6. Data Processors & Third-Party Services

We share your data with the following third-party processors, each of which processes data according to their own privacy policies and our data processing agreements:

• Firebase Authentication (Google LLC) — user identity and session management. Privacy info
• Cloud Firestore (Google LLC) — timer data and user profile storage. Privacy info
• Google Sign-In (Google LLC) — authentication. Privacy policy
• Apple Sign-In (Apple Inc.) — iOS authentication. Privacy policy
• Stripe, Inc. — payment processing for web-based purchases. Privacy policy
• Apple App Store (Apple Inc.) — in-app purchase processing and distribution. Privacy policy
• Google Play (Google LLC) — in-app purchase processing and distribution. Privacy policy

We do not share your personal data with any other third parties except as required by law.

7. Cookies & Tracking Technologies

The App itself does not use cookies. As a native mobile application, it does not place cookies on your device. However:

• Firebase may use local storage or device identifiers for authentication session management.
• The App Store and Google Play platforms may collect their own analytics data per their respective policies.
• Our website (mvat.ai) may use minimal cookies for essential functionality only. No third-party advertising or tracking cookies are used.

We do not use any third-party advertising SDKs, analytics trackers, or behavioral tracking tools in the App.

8. International Data Transfers

Your data is stored on Google Cloud (Firebase) servers located in the United States. If you access the App from outside the United States, your data will be transferred to and processed in the United States.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland: these transfers are conducted in accordance with applicable data protection laws, relying on Google's and Stripe's standard contractual clauses (SCCs) and/or other approved transfer mechanisms to ensure adequate protection of your data.

9. Data Storage & Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• All data transmitted over HTTPS/TLS encryption
• Firebase Security Rules ensuring users can only access their own data
• Secure server-side purchase validation
• Regular review of data access controls

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

10. Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where required by law)
• Notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms
• Document the breach, its effects, and remedial actions taken

11. Data Retention

We retain your data for as long as your account is active or as needed to provide the App. Specifically:

• Account data is retained until you delete your account
• Timer history for free-tier users is limited to 7 days
• Purchase records are retained as required for financial and legal compliance

You can request deletion of your account and all associated data at any time (see Section 12).

12. Account Deletion

You can delete your account directly from the App: Settings → Delete Account. This permanently removes:

• Your Firebase Auth account
• All Firestore data (timer history, settings, profile)
• Any purchase records associated with your account

Deletion is irreversible. Processing completes within 30 days. Some data may be retained longer only where required by law (e.g., financial transaction records).

13. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights regarding your personal data:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete data.
• Right to erasure: Request deletion of your personal data (see Section 12).
• Right to restrict processing: Request that we limit how we use your data in certain circumstances.
• Right to data portability: Request your data in a structured, machine-readable format.
• Right to object: Object to processing based on legitimate interest.
• Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint: File a complaint with your local data protection supervisory authority if you believe your rights have been violated.

To exercise any of these rights, contact us at privacy@mvat.ai. We will respond within 30 days.

14. Your Rights Under CCPA

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
• Right to delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to opt out of sale: We do not sell your personal information. No opt-out is necessary.
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise your CCPA rights, contact us at privacy@mvat.ai. We will verify your identity and respond within 45 days.

15. Children's Privacy

The App is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will promptly delete that data. If you believe a child under 13 has provided us with personal information, please contact us at privacy@mvat.ai.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of changes by updating the "Last updated" date at the top of this page. For material changes, we may also provide notice within the App. Continued use of the App after changes constitutes acceptance of the revised policy.

17. Severability

If any provision of this Privacy Policy is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that the remaining provisions remain in full force and effect.

18. Contact

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:

MVAT Studio
Email: privacy@mvat.ai

We aim to respond to all inquiries within 30 days.