PRIVACY POLICY — CRYSTAL AI

Last Updated: February 20, 2026

Crystal AI ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our mobile application Crystal AI (the "App"). By using the App, you agree to the collection and use of information in accordance with this policy.

1. WHO WE ARE

Crystal AI is operated by [Your Full Legal Name or Business Name], based in Hannover, Germany. For any privacy-related inquiries, please contact us at:

Email: [your email address]
Address: [your address]

Under the EU General Data Protection Regulation (GDPR), we are the data controller for the personal data we process through the App.

2. INFORMATION WE COLLECT

2.1 Account Information

When you create an account, we collect:
- Email address (if you sign up with email)
- Display name (if provided)
- Apple ID or Google account identifier (if you use Sign in with Apple or Google)

This data is processed through Firebase Authentication (provided by Google LLC) to create and manage your account.

2.2 Subscription and Purchase Data

When you subscribe to Crystal AI Premium, your purchase is processed by Apple through the App Store. We use RevenueCat, Inc. as our subscription management platform. RevenueCat receives:
- An anonymous user identifier linked to your account
- Subscription status (active, expired, or canceled)
- Purchase receipts from Apple

We do not receive or store your payment method details (credit card number, bank information). All payment processing is handled by Apple.

2.3 Crystal Identification Photos

When you use the crystal identification feature, photos you take or upload are sent to our AI service provider (Google Gemini via OpenRouter) for analysis.
These photos are:
- Sent securely over encrypted connections
- Used solely to generate your crystal identification result
- Not stored permanently on our servers or by our AI providers after processing
- Not used to train AI models

We do not save, share, or sell your photos.

2.4 AI Chat Messages

When you use the AI chat feature, your messages are sent to our AI service provider (Google Gemini via OpenRouter) for processing. Your messages are:
- Used solely to generate a response to your query
- Not stored permanently by us or our AI providers after processing
- Not used to train AI models
- Not reviewed by any human

2.5 Usage Data

We may collect anonymous usage data to improve the App, including:
- Features used and frequency of use
- App crashes and error reports
- Device type and operating system version
- General geographic region (country level)

This data is collected in aggregate and cannot be used to identify you personally.

2.6 Local Device Data

The App stores certain data locally on your device, including:
- Your crystal collection and notes
- Free message usage counter
- App preferences and settings

This data remains on your device and is not transmitted to us unless you choose to sync it.

3. HOW WE USE YOUR INFORMATION

We use the information we collect to:
- Provide, maintain, and improve the App
- Process your account registration and authentication
- Manage your Premium subscription status
- Process crystal identification requests
- Respond to your AI chat queries
- Send important service-related notifications
- Analyze anonymous usage trends to improve the App
- Comply with legal obligations

We do not use your personal data for advertising purposes. We do not sell your data to third parties.

4. LEGAL BASIS FOR PROCESSING (GDPR)

Under the GDPR, we process your personal data based on the following legal grounds:
- Contract Performance (Article 6(1)(b)): Processing your account data and subscription information is necessary to provide you with the App's services.
- Legitimate Interests (Article 6(1)(f)): We process anonymous usage data to improve our App and ensure its stability and security.
- Consent (Article 6(1)(a)): Where required, we obtain your consent before processing (for example, for optional analytics). You may withdraw consent at any time.
- Legal Obligation (Article 6(1)(c)): We may process data where required by law.

5. THIRD-PARTY SERVICES

We use the following third-party services to operate the App:

5.1 Firebase Authentication (Google LLC)
Purpose: User account creation and sign-in
Data shared: Email address, authentication tokens
Privacy Policy: https://firebase.google.com/support/privacy

5.2 RevenueCat, Inc.
Purpose: Subscription management and purchase validation
Data shared: Anonymous user ID, subscription status, purchase receipts
Privacy Policy: https://www.revenuecat.com/privacy

5.3 OpenRouter / Google Gemini
Purpose: AI crystal identification and chat responses
Data shared: Chat messages, crystal photos (temporarily, for processing only)
Privacy Policy: https://openrouter.ai/privacy, https://ai.google.dev/terms

These providers are contractually obligated to process your data only as instructed by us and in accordance with applicable data protection laws.

6. INTERNATIONAL DATA TRANSFERS

Some of our third-party service providers are based in the United States.
When your data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs)
- Adequacy decisions by the European Commission where applicable
- Provider certifications under recognized frameworks

You may contact us for more information about the specific safeguards applied to international data transfers.

7. DATA RETENTION

- Account data: Retained for as long as your account is active. Deleted within 30 days of account deletion.
- Subscription data: Retained for as long as required by tax and accounting regulations (typically up to 10 years for financial records in Germany).
- Crystal photos: Not stored after identification processing is complete.
- Chat messages: Not stored after response processing is complete.
- Usage data: Retained in anonymous, aggregated form indefinitely.

8. YOUR RIGHTS (GDPR)

As a resident of the European Economic Area, you have the following rights:
- Right of Access: You may request a copy of the personal data we hold about you.
- Right to Rectification: You may request that we correct inaccurate or incomplete personal data.
- Right to Erasure: You may request that we delete your personal data, subject to legal retention requirements.
- Right to Restriction: You may request that we restrict the processing of your personal data under certain circumstances.
- Right to Data Portability: You may request to receive your personal data in a structured, commonly used, machine-readable format.
- Right to Object: You may object to the processing of your personal data based on legitimate interests.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing performed before withdrawal.

To exercise any of these rights, contact us at [your email address]. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection authority. For Germany:

Die Landesbeauftragte für den Datenschutz Niedersachsen
https://www.lfd.niedersachsen.de

9. DATA SECURITY

We implement appropriate technical and organizational measures to protect your personal data, including:
- Encrypted data transmission (TLS/SSL) for all network communications
- Secure authentication through Firebase Auth
- No permanent storage of photos or chat messages on our servers
- Regular review of our data processing practices

While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

10. CHILDREN'S PRIVACY

The App is not intended for children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have collected data from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal data, please contact us at [your email address].

11. HEALTH AND WELLNESS DISCLAIMER

Crystal AI provides information about crystals and their traditionally attributed properties for educational and entertainment purposes only. The App does not provide medical advice, diagnoses, or treatment recommendations. Crystal healing is a complementary practice and should not replace professional medical care. Always consult a qualified healthcare provider for medical concerns.

12. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy in the App with a new "Last Updated" date. Your continued use of the App after changes are posted constitutes your acceptance of the revised policy. We encourage you to review this Privacy Policy periodically.

13. CONTACT US

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Email: [your email address]
Address: [your full address]

For GDPR-specific inquiries, you may also contact our data protection point of contact at the email address above.