Privacy Policy – Bester
How Bester (operated by Lungoo Digital) collects, uses, and protects your personal data.
Last updated: December 18, 2025
Delete your account or data
Need help deleting your account or data? These guides explain the in-app steps and the email option if you can’t access the app.
1. Who is responsible for your data?
Bester is operated by Lungoo Digital, a French micro-entreprise representing the Bester project and acting as the data controller for GDPR purposes.
Registered address: 4 Rue de Verdun, 78800 Houilles, France
Company / registration number: 994 556 900 R.C.S. Versailles
EU/UK representative and DPO: A Data Protection Officer is not required for our processing activities under GDPR Article 37. We will update this Policy if this changes.
Contact: contact@bester-app.com
2. What data we collect
We only collect data that is necessary to provide and improve the Service.
2.1 Account data
- Email address
- Username / display name
- Password (stored in hashed form via our authentication provider)
- Authentication identifiers (for example, “Sign in with Apple”)
2.2 Profile & social data
- Profile details you choose to add (bio, avatar, etc.)
- Followers / following, connections, and social relationships
- Public or shared posts, comments, reactions, and other user-generated content
2.3 Habit & well-being data
- Habits, routines, and goals
- Streaks and completion history
- Categories like productivity, movement, sleep, learning, etc.
- Reflections, notes, or self-reported moods linked to your habits
This information is self-reported for personal improvement and community interaction. It is not collected or used as medical or clinical health data, and Bester is not a medical or therapy service.
2.4 Usage & activity data
- Actions you take in the app (for example, creating habits, joining experiments/challenges, reacting, commenting)
- Timestamps of logins and major actions
- Basic interaction data (what screens are opened, feature usage)
2.5 Technical & device data
- IP address
- Device type, operating system, app version, browser
- Push notification tokens
- Device identifiers and advertising identifiers (if used)
- Log files and crash reports (for example, via Firebase Crashlytics)
2.6 Payments and purchases (if applicable)
- App Store / Play Store purchase receipts and transaction identifiers (handled by the store)
- Billing/plan metadata (for example, plan tier, renewal dates) if paid features are introduced later
- Payment processor data handled by Stripe, Inc. — we do not store full card details
2.7 Marketing and attribution data
- Campaign or referral source (for example, UTM parameters) where applicable
- Install/attribution data from analytics/attribution tools (where used, subject to consent/opt-out)
- Push notification engagement data when you have opted in
2.8 Cookies and similar technologies
On the web, we use:
- Essential cookies (for example, session, security)
- Preference cookies (for example, language)
- Analytics tools (which may set cookies or similar identifiers)
You can control cookies through your browser settings and, where required by law, via our cookie banner/preferences.
2.9 What we do NOT collect (unless you choose to share it)
- Precise GPS location
- Your contacts or address book
- Photos or media outside of what you choose to upload
- Health data from device sensors or medical devices
- Government IDs
3. Why we process your data
Under GDPR, we must have a legal basis for each type of processing. We use your data for:
3.1 Providing and operating the Service (performance of a contract – Art. 6(1)(b) GDPR)
- Creating and maintaining your account
- Authenticating you and securing access
- Tracking habits, goals, and progress
- Enabling social features (comments, reactions, followers, community experiments)
- Saving your settings and preferences
3.2 Improving the Service and user experience (legitimate interests – Art. 6(1)(f) GDPR)
- Understanding which features are used and how
- Fixing bugs and improving performance
- Developing new features that are useful to our community
- Balancing these interests against your rights and expectations, and minimizing/anonymizing data where needed
3.3 Safety, abuse prevention, and legal compliance (legal obligation – Art. 6(1)(c) and legitimate interests – Art. 6(1)(f))
- Detecting and preventing fraud, abuse, or violations of our Terms
- Enforcing our Terms of Service and community guidelines
- Responding to lawful requests from authorities where required
3.4 Public sharing and community interactions (performance of a contract and, where applicable, your consent)
- Some parts of your activity may be visible to others (for example, public posts, public experiments, or your public profile)
- We clearly indicate in the interface when something is public or shared
3.5 Consent-based processing (Art. 6(1)(a) GDPR)
- Where required (for example, certain cookies, certain types of analytics, or optional communications), we rely on your consent
- You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal
3.6 Communications and marketing (consent or opt-out, depending on your region)
- Transactional communications (for example, security, service updates)
- Optional marketing emails or push notifications, which you can opt out of in the app or via email links where applicable
4. Sensitive and well-being related data
You may choose to log information about your routines, moods, or well-being. We treat this carefully and use it only to provide the features you choose to use and to improve the Service in aggregated or pseudonymized form.
We do not:
- Provide medical diagnoses or treatment
- Market Bester as a medical or mental health service
- Sell this data to advertisers
- Use well-being entries for targeted advertising
Where applicable, we rely on your explicit action and explicit consent to process this type of data (for example, by choosing to log it and enabling related features). You can delete entries you have logged and withdraw consent at any time; withdrawing consent may disable related features.
5. Social and public content
Bester is a social platform. Depending on your settings and the features you use:
- Content you post publicly (for example, public experiments, comments, reactions) can be seen by other users
- Certain aspects of your profile (for example, username, avatar, joined experiments) may be visible to others
- We may present aggregated and anonymized stats (for example, “X users kept this habit for 30 days”)
We will always try to make it clear in the interface whether content is public, shared with certain people, or private to you. Please be careful not to post information publicly that you do not want others to see.
If you delete your account, we will delete or anonymize your public/shared content where technically feasible. Content that others have reshared or that appears in aggregated/anonymized statistics may persist.
6. Who we share your data with
We do not sell or rent your personal data, and we do not “sell” or “share” personal information for cross-context behavioral advertising under California/US state privacy laws. We may share your data with trusted third-party service providers who help us operate and improve Bester. These providers act as data processors and only process data on our instructions.
These include in particular:
- Supabase – database, authentication, file storage, and backend services
- Google Cloud Platform (GCP) – hosting, infrastructure, and storage
- Firebase (by Google) – analytics, crash reporting, and related services
- Railway – hosting and infrastructure for backend services
- Apple – when you use “Sign in with Apple” or install the app via the Apple App Store
- Developer and collaboration tools such as GitHub – limited data (for example, error logs or sample data) strictly for development and maintenance
We require all such providers to:
- Only process data as instructed by us
- Implement appropriate security measures
- Comply with applicable data protection laws
We may also share data where required:
- With authorities, regulators, or courts where we are legally obliged to do so
- In connection with a merger, acquisition, or other corporate transaction (we will inform you if this happens where required by law)
7. International data transfers
Some of our service providers may be located outside the European Economic Area (EEA), the United Kingdom, or Switzerland, or may store data there (for example, parts of Supabase, Google, Firebase, Railway, or Apple infrastructure).
When we transfer personal data outside these regions, we ensure that one of the following safeguards is in place:
- An adequacy decision by the European Commission or the UK/Swiss authorities
- Standard Contractual Clauses (SCCs) approved by the European Commission and, where needed, the UK IDTA/Addendum
- Other appropriate safeguards allowed under GDPR/UK GDPR/Swiss law
You can contact us if you would like more information about these safeguards.
8. How long we keep your data
We keep your personal data only for as long as necessary to provide the Service, to comply with legal obligations, and to resolve disputes and enforce our agreements.
Practical timelines
- Account, profile, and settings: as long as your account is active; accounts inactive for 24 months may be deleted after prior notice
- Backups: typically overwritten within ~30 days
- Security and access logs: up to 12 months unless needed longer for security/legal reasons
- Analytics events: up to 12 months, then aggregated or anonymized
- Support requests: up to 24 months after closure
- Public/shared content: retained while visible; removed or anonymized if you delete your account where technically feasible
- Aggregated or anonymized data (not linkable to you) may be retained for analytics and product improvement
If you delete your account, we will:
- Delete or anonymize personal data that can reasonably be deleted, subject to legal retention requirements
- Retain some limited information where we are legally obliged to do so (for example, records needed for security or legal claims)
9. Your rights under GDPR
If you are in the EU/EEA or other regions with similar rights, you have the following rights regarding your personal data:
- Right of access – to obtain a copy of your personal data we hold
- Right to rectification – to correct inaccurate or incomplete data
- Right to erasure (“right to be forgotten”) – in certain circumstances
- Right to restriction of processing – in certain circumstances
- Right to data portability – to receive your data in a structured, commonly used format and transmit it to another controller
- Right to object – to certain processing based on legitimate interests or direct marketing
- Right to withdraw consent – where we rely on consent
To exercise any of these rights, please contact: contact@bester-app.com or use in-app privacy settings where available. We may request information to verify your identity. We aim to respond within one month (or the applicable legal timeframe) and will inform you if we cannot comply for legal or security reasons.
US (including California/CPRA) privacy rights
- We do not sell or share personal information for cross-context behavioral advertising.
- You can exercise rights to access, delete, correct, and opt out of sale/share/targeted advertising. Use the in-app privacy settings or contact us at contact@bester-app.com.
- We confirm that Bester does not sell or share your personal information. No opt-out is required as we do not engage in these practices.
- You can appeal a denied request by replying to our response; we will review and respond within applicable timelines.
- We will not discriminate against you for exercising your privacy rights under California law.
You also have the right to lodge a complaint with your local data protection authority. In France, this is the CNIL (Commission Nationale de l’Informatique et des Libertés).
10. Children’s data
Bester is not intended for children under 16 in the European Union, or under 13 in other regions (including the United States, per COPPA). We do not knowingly collect personal data from individuals under these ages.
If you believe a child has provided us with personal data, please contact us at contact@bester-app.com and we will take appropriate steps to delete it.
11. Security
We use technical and organizational measures to protect your data, including:
- Encryption in transit (HTTPS) and at rest (via our infrastructure providers)
- Access controls and least-privilege access for staff
- Security measures provided by our infrastructure and database providers (Supabase, GCP, Firebase, Railway, etc.)
- Ongoing monitoring and vulnerability management
However, no online service can be 100% secure. You are responsible for using a strong, unique password, keeping your login credentials confidential, and letting us know if you suspect unauthorized access to your account. We will notify users and regulators of data breaches where required by law.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our Service, legal or regulatory developments, or improvements in how we explain things.
We will update the “Last updated” date at the top and, where changes are significant, we will notify you via the app, email, or other appropriate means. If we change purposes or legal bases that require new consent, we will seek that consent before applying the change.
13. Contact us
If you have any questions about this Privacy Policy or how we process your data, or if you want to exercise your rights, please contact us at: contact@bester-app.com
We will do our best to respond within a reasonable time and in accordance with applicable law.