How Breviya handles your data

This Privacy Policy explains how Breviya handles information when you use the Breviya website, web application, account system, guided session player, breathwork tools, journaling features, admin tools, backups, and related APIs. It applies to information processed through the product experience itself, including account creation, consent, onboarding, subscriptions, content generation, and continuity tools such as exports or imports.

Breviya is designed as a premium meditation and visualization platform, not an ad-supported tracking business. The app uses data primarily to operate your account, personalize sessions and programs, preserve progress, support subscriptions, secure the service, and give you continuity across devices or restores.

• Account and identity data. Email address, hashed password, display name, timezone, email verification records, password reset records, session tokens, and role or tier information needed to keep your account working.
• Onboarding and preference data. Goal focus, experience level, preferred session length, sound and voice preferences, meditation frequency, baseline mood or stress values, theme choices, and similar settings that shape your defaults.
• Practice and progress data. Meditation history, completed session metadata, saved or generated sessions, favorites, recently played history, streaks, total minutes, program enrollment and progress, Silva-style method progress, achievements, and dashboard curation signals.
• Journal and reflection data. Reflection prompts, encrypted journal content, gratitude items, mood or stress ratings, and other reflective entries that you choose to store in the app.
• Breathwork and wellbeing interaction data. Chosen breathing pattern, duration, custom pacing configuration, and before or after state inputs when you log them.
• Subscription and billing data. Tier, subscription status, Stripe customer or subscription identifiers, checkout and portal events, and entitlement state. Breviya does not store full payment card numbers in its own database.
• Security and operational logs. Login success or failure events, export and admin actions, abuse-prevention metadata such as IP address or user agent when relevant, and rate-limit events used to protect the service.
• Device-side storage and continuity data. Browser local storage values used for dashboard layout, recent sessions, unfinished playback, chosen voice settings, recent wisdom stories, last mood check-in, and similar convenience features.
• Backup and restore payloads. Personal account backup files and admin-level user-base backup files. Personal backups focus on account continuity data. Admin organization backups can include identity fields, role and subscription state, and password hashes for restoration purposes.

Breviya uses information to operate and improve the product, including to:

• Create and secure your account, authenticate you, and prevent unauthorized access.
• Guide first-time onboarding, personalize the dashboard, recommend sessions, choose relevant programs, and preconfigure calmer defaults based on what you share.
• Save your progress, favorites, resume state, streaks, recent activity, and continuity between sessions.
• Generate original guided meditation plans, reflective prompts, and adaptive audio or voice playback settings based on your inputs and preferences.
• Provide journaling, export, import, backup, restore, subscription, billing, and admin functions.
• Detect misuse, enforce rate limits, investigate issues, monitor service health, and maintain logs necessary for reliability and safety.

Breviya includes generated and adaptive experiences, including generated meditation plans, configurable narration, locally generated ambient soundscapes, and optional AI-assisted flows. Some of that processing happens locally in the browser or on Breviya-managed infrastructure. Some processing can also depend on the provider configuration used by the deployment.

• Local processing. Parts of the audio and voice stack can run locally, including browser-side ambient generation, device-side continuity state, and locally hosted model paths such as Ollama or Kokoro where configured.
• Third-party model processing. If the deployment is configured to use a third-party provider such as OpenAI, prompts, generated text, or narration requests may be sent to that provider for processing under that provider's terms and privacy commitments.
• No clinical profiling promise. Generated outputs are meant to support reflection, relaxation, and guided practice. They are not intended to diagnose health conditions or replace a qualified professional.

Breviya does not describe itself as selling your personal information. Information may be shared in these limited contexts:

• Service providers and infrastructure. Hosting, database, storage, queueing, backup, and observability providers that help run the service.
• Payments. Stripe and related billing workflows, only to the extent needed to process subscriptions, customer portal actions, or webhook-based entitlement updates.
• Configured AI providers. When a deployment uses third-party model APIs for generation or narration.
• Admin and organization restore tools. Authorized admins can export and import full user-base backups for legitimate operational continuity, migration, or recovery use.
• Legal, security, or business events. To comply with law, protect users or the service, respond to lawful requests, or support a merger, financing, acquisition, or asset transfer.

Breviya stores data in a mix of application database records, storage volumes, browser local storage, and optional S3-compatible object storage depending on deployment configuration. Backup and restore features are part of the product, so some data may persist in backup archives until those archives are rotated or deleted.

• Account records, progress, subscriptions, and operational logs are retained as long as needed to run the service, keep your account active, preserve continuity, or satisfy security and legal obligations.
• Personal account exports are generated on request. Imported backups are merged into your account rather than replacing the entire system state.
• Admin organization backups can preserve a broader snapshot of user records for recovery and migration. Those files should be treated as highly sensitive.
• Device-level state such as recent sessions, dashboard arrangement, voice preferences, and certain reminders may remain in your browser until you clear site storage.

Breviya uses layered controls that are intended to reduce risk, including password hashing, token based authentication, rate limiting on sensitive endpoints, audit logging for key security and admin actions, and application-level encryption for journal content.

Journal entries are encrypted within the application using AES-256-GCM before storage. That said, no internet-connected service can guarantee absolute security, and you remain responsible for protecting your device, browser session, exported files, and account credentials.

Depending on where you live, you may have rights to access, correct, export, delete, or limit certain uses of your personal information. Breviya is designed with practical user controls inside the product wherever possible.

• In-app controls. You can review and adjust profile or preference data in Settings.
• Export and backup. You can export sessions, export journal data, and create a personal account backup from within the product.
• Deletion. You can request deletion of your account through in-app controls. Some records may remain in logs, backups, or security archives for a limited period where necessary.
• Browser storage controls. You can clear site storage in your browser to remove local-only conveniences such as recent stories, saved layout, or voice preferences.

Breviya is intended for personal wellbeing and reflective practice. It is not designed as a children's service and is not intended for use by children under 13. If you believe a child has provided personal information without appropriate authorization, the account should be removed.

Breviya is also not a hospital, clinic, insurer, or emergency service, and it is not offered as a HIPAA-regulated medical record system unless separately agreed in writing. Do not rely on the service for emergency help, diagnosis, treatment decisions, or crisis support.

Breviya may update this Privacy Policy as the product, infrastructure, or legal obligations evolve. The current version will be posted on this page with an updated effective date.

For account-level privacy actions, start with the in-app controls available in Settings and related export or deletion tools. If the service later publishes a dedicated support or legal contact, that channel may also be used for privacy questions or rights requests.