1. Who is responsible (controller)
Anjuli Denise Hertle, Otto-Hahn-Str. 2, 72622 Nuertingen, Germany. Contact: breaking.life.patterns@gmail.com or the contact form on this site. There is no statutory requirement for a Data Protection Officer for a business of this size; if that changes we will name one here.
2. What this service is, in one line
A fully self-guided digital "Pattern Analysis". You answer questions over several sessions and an AI creates a personal written report and a Pattern Map. No human ever reads your answers or your report.
3. What data we process
- Your answers (free text and scales) about your life, feelings, relationships and wellbeing. These can reveal information about your mental health, which is special-category data under Art 9 GDPR.
- The report and Pattern Map the AI generates from your answers.
- Account and contact data: your email, login details, language preference, your age confirmation, and records of the consents you gave.
- Payment data: handled only by our payment provider (Stripe). We never see or store your card details.
- Technical and usage data with no answer content: how far through the analysis you are, session counts, timestamps, crisis-pause status, and usage counts we use to prevent abuse.
4. Why we process it, and the legal basis
- To deliver the analysis and your report: to perform our contract with you (Art 6(1)(b)) and, because your answers can be special-category data, your explicit consent (Art 9(2)(a)). We do not rely on any health-care exception, because we are not a health-care provider and this is not treatment.
- To run your account, save and resume your progress: to perform our contract (Art 6(1)(b)).
- To issue and keep invoices: legal obligation (Art 6(1)(c)) with German tax law (sec 147 AO, sec 257 HGB).
- To keep the service secure and prevent abuse, and to run the crisis-pause safety feature: our legitimate interest and duty of care (Art 6(1)(f)).
- To prevent abuse and fraud and keep the service secure, we keep a short record of when usage limits are hit: our legitimate interest (Art 6(1)(f), Recital 49). This uses technical usage metadata only (counts, timing, limit-hit events), with no answer content and no IP address or user-agent stored at launch.
- To send you launch or marketing emails (only if you separately opt in): your consent (Art 6(1)(a)), which you can withdraw any time.
5. The AI, and no human reading
Your report and Pattern Map are generated by an AI system. You are interacting with AI. No human reads your answers or your report in normal operation. The report is a reflective, non-clinical aid. It is not a medical diagnosis or treatment, and it is not an automated decision that has legal or similarly significant effects on you (Art 22 does not apply); we still tell you openly that AI produces it.
6. Who else processes your data (our processors)
- Supabase (servers in Frankfurt, EU): stores your answers and report, encrypted.
- Vercel (EU): runs and serves the app.
- Anthropic (AI provider): processes your answers to generate the questions and your report. The signed terms confirm Standard Contractual Clauses as the transfer mechanism, that your answers are not used to train any AI model, and that the provider retains them only briefly to process your request and then deletes them.
- Brevo (EU): sends the app's emails (purchase confirmation, withdrawal receipt, account and safety emails). No answer content is ever put in an email.
- Stripe: processes your payment as a separate controller for that payment data.
We have data processing agreements (Art 28) with our processors. Where data is transferred outside the EEA, it is protected by Standard Contractual Clauses or an adequacy framework; you can ask us for a copy of the safeguard.
7. How long we keep it
- Your answers and report: 12 months from purchase, then automatically deleted, unless you ask us to delete sooner. If your account is paused under the crisis-safety feature, your purchase stays usable free for 12 months (extendable once) and the data needed to resume is kept for that time.
- Invoices and tax records: 8 to 10 years, as German tax law requires, kept separately and containing only billing data, not your answers.
- Consent records: kept as long as needed to prove we had your consent.
- General security and usage logs: a short period (about 30 to 90 days); they never contain your answers.
- Abuse-evidence records (counts, timing, and limit-hit events only, never any content): kept up to 12 months and then deleted, or for as long as needed to pursue or defend a specific case.
8. Your rights
You have the right to access your data and get a copy (Art 15), to correct it (Art 16), to have it deleted (Art 17), to restrict processing (Art 18), to data portability (Art 20), and to object (Art 21). The copy and portability rights cover your own answers and your own report; they do not extend to our question bank, prompts, scoring logic or methodology, which are our protected materials (Art 15(4), Recital 63). You can withdraw any consent at any time with future effect (Art 7(3)); for the special-category consent, withdrawing it normally means we can no longer provide the analysis. You also have the right to complain to a data protection supervisory authority (Art 13(2)(d)); the competent one for us is Der Landesbeauftragte fuer den Datenschutz und die Informationsfreiheit Baden-Wuerttemberg (LfDI BW).
9. Is providing data required?
Yes, to use the service: without your answers and the explicit consent, the analysis cannot be created. You are never required to give more than the service needs.
10. When you write about other people
Sometimes you may write about other people in your answers, for example a partner, a parent or a friend. We only ever receive that information through what you choose to write, and we use it only to create your own private reflection. No human reads it, we never contact or build a profile of anyone you mention, we never share it, and it is deleted when your data is deleted. To help keep this to a minimum, the app reminds you at the start that you do not need to use other people's real names or details. If you believe someone has written about you here and you have a concern, contact us at hello@catchself.co and we will look into it.
11. Changes
We update this policy if the service or our processors change. The current version is shown with its date on this page.