Privacy Policy – ObsessLess

Last updated: 13 May 2025

Hi there 👋

We’re ObsessLess, a small Dutch team building a mental-wellness app that helps you manage your OCD, practise healthier habits and feel more in control.

Registered address: Maanlander 47, Amersfoort, Netherlands
E-mail: support@obsessless.com

In GDPR terms, we are the data controller for anything described below.

1. Introduction

1.1 Scope

This policy applies to the ObsessLess iOS and Android apps, obsessless.com, our help-centre, support e-mails and social-media channels. Third-party sites we simply link to are outside our control; check their policies.

1.2 What ObsessLess is, and is not

ObsessLess is not medical treatment or therapy. It is a self-help tool that gives daily nudges, short exercises and reflections. You stay in charge of your mental-health journey; we simply provide guidance.


2. Data We Collect and Why

2.1 Data you give us directly

We collect your e-mail address (and, optionally, your name) so you can sign in with Apple, Google or e-mail and keep your data safe.

We also store any journal entries, mood logs or intrusive-thought notes you create. These entries may reveal mental-health information and are treated as special-category data under GDPR Article 9. We process them only after you tap “I give explicit consent”, and you can withdraw that consent at any time in Settings → Delete Account or by deleting the entries. (Note that by doing this you may experience loss of functionality while using the app.)

Legal bases: contract (to deliver the service) and explicit consent (for special-category data).

2.2 Data collected automatically

We receive anonymised usage events (which screens you open, how long sessions last) to improve features, plus device information and crash logs to keep the app stable and secure.

Legal bases: legitimate interest (security, improvement).
Where national law or app-store rules require it, we obtain consent for analytics first.

2.3 Payments

Subscriptions are handled by RevenueCat. They receive Apple/Google receipt IDs and country codes; we never see your card number.

Legal bases: contract (to give you paid features) and legal obligation (tax compliance).


3. Tools We Trust

We only work with providers that meet GDPR standards and have signed Standard Contractual Clauses (SCCs) if they are outside the EEA.

  • Firebase (Google Cloud): authentication, database, encrypted storage, push notifications. Primary storage is in Belgium (europe-west4); US support access is covered by SCCs.
    Privacy Policy

  • OpenAI, LLC: generates AI chat replies. Prompts and responses stay at OpenAI ≤ 30 days, never train public models, and are protected by SCCs.
    Privacy Policy

  • RevenueCat: subscription validation; US servers under SCCs.
    Privacy Policy

  • Google Analytics: website metrics, active only after you accept the cookie banner; IP-anonymisation enabled.
    Privacy Policy

  • Mixpanel: product-usage analytics.
    Privacy Policy

  • ManyChat: Instagram Messaging; covered by SCCs.
    Privacy Policy

  • Kit.com: e-mail campaigns from us; covered by SCCs.
    Privacy Policy

We keep the list up-to-date and will add any new providers to the list above.

4. International Transfers

Data is stored primarily in the EU. When it travels to the United States (for the vendors above) we rely on SCCs plus strong encryption in transit and at rest. These measures give your data essentially the same protection it enjoys in Europe.

5. How Long We Keep Your Information

Active-account data stays until you delete your account. Inactive accounts receive a reminder after 12 months of no use; 30 days later we erase journals and profile data. Back-ups roll off after 30 days. Tax-relevant purchase records are kept for seven fiscal years. Crash logs and anonymised analytics are removed after 24 months.

6. Security

All network traffic is protected by TLS 1.2+. Databases are encrypted at rest with AES-256. Internal access is strictly role-based and logged. We run regular penetration tests and vulnerability scans. If a personal-data breach poses a risk to you, we will notify you and the Dutch Data Protection Authority within 72 hours, as GDPR Articles 33-34 require.

7. Your Rights

You may access, correct, delete, export or restrict your data; withdraw consent; or object to certain uses. Exercise these rights in-app (Settings → Privacy) or by e-mailing support@obsessless.com. We reply within 30 days. You can also complain to the Autoriteit Persoonsgegevens at autoriteitpersoonsgegevens.nl.

8. Marketing and Cookies

We send newsletters only if you explicitly opt in. Every message includes an unsubscribe link.

Our website loads essential cookies automatically; analytics cookies load only after you click “Accept”. Full details are in our Cookie Policy at obsessless.com/cookies.

9. Children

ObsessLess is not for children under 13. Users aged 13-17 must have parental or professional supervision. We delete any under-13 account immediately on discovery.

10. Notice-and-Action (Digital Services Act)

Think something in the app is illegal? E-mail support@obsessless.com with a screenshot/URL, why it is unlawful and your contact details. We will investigate and send a reasoned decision, typically within 72 hours, in line with Article 16 DSA.

11. Changes

If we materially change this policy we’ll announce it in-app or by e-mail at least 15 days before it takes effect. An archive of previous versions is kept at obsessless.com/privacy-archive.

12. Contact

Questions? E-mail support@obsessless.com

By creating an account or continuing to use ObsessLess you confirm that you have read and understood this Privacy Policy.
