AEGIN

// PROTOCOL · PRIVACY POLICY

The categories, the recipients.

LAST UPDATED · 14 MAY 2026
EFFECTIVE · 14 MAY 2026
JURISDICTION · INDIA · GLOBAL

This Privacy Policy explains the categories of personal data that Aegin processes, the purposes for which we process them, the categories of recipients we share them with, the retention applicable, and the rights you can exercise. It is written to satisfy our obligations under the General Data Protection Regulation, India's Digital Personal Data Protection Act 2023 and Rules 2025, the California Consumer Privacy Act, Quebec's Law 25, Brazil's Lei Geral de Proteção de Dados, and other applicable data-protection laws.

01.

Who processes your data

Aegin is operated from India. Aegin Labs (the operator) is the data controller for all personal data processed through the aegin.live website, the Aegin mobile applications, and any associated services (collectively, the "Services").

For questions, requests, or complaints relating to your personal data, contact support@aegin.live. We respond within thirty days, extendable to ninety days where the request is complex.

02.

Categories of personal data we process

We process the following categories of personal data. Each category is broad on purpose — the protocol is a behavioral system and requires substrate to function.

IDENTITY
Account identifiers including but not limited to email address, chosen username, and any OAuth provider identifier you elect to use.
BEHAVIORAL
Usage telemetry including but not limited to screen-time totals, per-app usage, plea submissions, verdict history, in-app interactions, session metadata, and device-level activity events.
BIOMETRIC
Where you elect to connect a wearable or health source: derived summaries including but not limited to sleep, movement, heart-rate variability, and other physiological signals provided by the source.
INFERRED
Derived signals including but not limited to discipline score, addiction-risk indicators, behavioral pattern vectors, dopamine-loop signals, identity-drift indicators, and any other model-generated assessments computed from the categories above.
TECHNICAL
Operational data including but not limited to IP address, device identifier, operating system, application version, language, timezone, and crash/diagnostic logs.
TRANSACTIONAL
Subscription tier, billing status, and processor-issued transaction identifiers. Card details and bank-account data are handled by Paddle (global) or Razorpay (India) and never reach our systems.

03.

Purposes and legal bases

We process the categories above for the following purposes. The legal basis varies by jurisdiction.

Service delivery — to provide the protocol, render verdicts, compute scores, and maintain your account. Legal basis: performance of contract.

Behavioral inference — to generate the discipline score, weekly diagnosis, addiction-risk signals, and other model outputs that the protocol relies on to operate. Legal basis: performance of contract and our legitimate interest in operating a behavioral enforcement system you have chosen to use.

Behavioral health inferences and biometric processing — where the protocol generates inferences that relate to your health (including addiction-risk indicators, dopamine-loop signals, identity-drift signals, and any inference derived from biometric inputs you elect to share from a connected wearable or health source), we process that data on the basis of your explicit consent under Article 9(2)(a) of the EU and UK General Data Protection Regulation and equivalent conditions under your applicable law. This consent is captured at onboarding by a separate affirmative action distinct from your acceptance of these Terms, and may be withdrawn at any time by writing to support@aegin.live. Withdrawal halts further processing of biometric inputs and behavioral health inferences; lawfulness of processing carried out prior to withdrawal is unaffected.

Security and fraud prevention — to detect, prevent, and respond to abuse, account takeovers, and payment fraud. Legal basis: legitimate interest and legal obligation.

Aggregate analytics — to understand product usage in aggregate and improve the Services. Legal basis: legitimate interest. Aggregate analytics use anonymized or pseudonymized data only.

Legal compliance — to meet tax, regulatory, and law-enforcement obligations applicable to us. Legal basis: legal obligation.

We do not sell your personal data. We do not engage in cross-context behavioral advertising. We do not share your personal data with data brokers.

04.

Categories of recipients

We share personal data with the following categories of service providers acting on our instructions under written data-processing agreements.

INFRASTRUCTURE
Cloud database and authentication providers that host your account and stored data on our behalf.
AI PROCESSORS
Third-party AI providers that process model inputs and outputs for verdict generation, analyst conversations, and weekly diagnosis. AI providers act as our processors under written terms that prohibit use of your data to train their foundation models and that limit retention to the minimum necessary to deliver the service. Raw account identifiers are not transmitted to AI providers; behavioral context is transmitted in pseudonymized form.
PAYMENTS
Paddle (global) and Razorpay (India) for transaction processing. They receive only what is required to bill you.
OAUTH PROVIDERS
If you sign in with Apple or Google, those providers receive sign-in identifiers as part of the authentication exchange.
LEGAL AND COMPLIANCE
Tax authorities, law enforcement, courts, and regulators where compelled by valid legal process or where disclosure is necessary to protect rights, safety, or the integrity of the Services.

A current and authoritative list of every named sub-processor that receives personal data on our behalf — including the categories of data each one receives, the data-processing agreement that governs the relationship, the jurisdiction in which they process, and the transfer mechanism we rely on — is maintained on the dedicated Recipients page below. The list is version-controlled and every change ships as a public commit so the historical record is verifiable. The page satisfies our obligation to identify specific recipients on request, including under the Court of Justice of the European Union's January 2023 ruling in Case C-154/21 (RW v. Österreichische Post) on the scope of Article 15 GDPR, and is consistent with the February 2025 ruling in Case C-203/22 (Dun & Bradstreet) on the explainability of automated decision-making.

View the recipients list

05.

International transfers

Aegin is operated from India and our infrastructure providers may be located in jurisdictions other than yours. Where personal data is transferred out of your jurisdiction, we rely on the safeguards available under your local law, including but not limited to Standard Contractual Clauses, adequacy decisions where applicable, and provider-level certifications.

If you are located in a jurisdiction that requires a specific transfer mechanism, contact us and we will identify the mechanism that applies to your transfer.

06.

Retention

We retain personal data for as long as your account is active and for as long thereafter as is necessary to meet our legal, accounting, tax, and dispute-resolution obligations. Inferred data and behavioral telemetry may be retained for the lifetime of your account because the protocol depends on longitudinal patterns to function.

Backup systems may retain copies of deleted data for up to ninety days as a function of disaster-recovery practice.

07.

Cookies and similar technologies

We use only strictly necessary cookies. Specifically, the Services set first-party authentication and session cookies (issued by our authentication provider with the `sb-` prefix) that are required to keep you signed in, maintain your session across pages, and protect against cross-site request forgery. Without these cookies the Services cannot function — you would not be able to sign in or stay signed in.

We do not use cookies or any similar tracking technology for analytics, advertising, retargeting, behavioral profiling for marketing, cross-site tracking, or audience measurement. We do not embed Google Analytics, Meta Pixel, TikTok Pixel, Mixpanel, Amplitude, PostHog, Hotjar, FullStory, Microsoft Clarity, or any equivalent third-party tag. We do not load session-replay technology.

Because we use only strictly necessary cookies, prior consent is not required under the EU ePrivacy Directive (2002/58/EC as amended), the UK Privacy and Electronic Communications Regulations 2003, or the consent provisions of equivalent laws in other jurisdictions that exempt strictly necessary cookies from prior-consent requirements. You may delete or block cookies at any time through your browser settings; doing so will sign you out of the Services and may prevent you from signing back in.

If we ever introduce non-essential cookies or third-party tracking technologies, we will update this section, present a consent interface that allows you to accept or refuse each non-essential category before any such technology is loaded, and update the effective date of this policy.

08.

Your rights

The rights available to you depend on your jurisdiction. We honor the rights below in accordance with your applicable law.

ACCESS
You may request confirmation of whether we process your personal data and obtain a summary of the categories of data we hold, the purposes of processing, the categories of recipients, and the retention applicable to each category. Request via support@aegin.live.
CORRECTION
You may request correction of inaccurate identity fields. Behavioral telemetry is system-recorded and cannot be edited; you may annotate a specific record you contest.
DELETION
You may delete your account at any time from in-app settings. Deletion is irrevocable and triggers the retention timelines in §06.
PORTABILITY
Where your applicable law grants a statutory right to data portability — including the European Union, the United Kingdom, the European Economic Area, Quebec, Brazil, China, California, and other jurisdictions that have enacted equivalent rights — we will provide a structured, machine-readable export of the raw and observed personal data you provided to us. Inferred and derived data is outside the scope of statutory portability rights and is not included in the export. Request via support@aegin.live.
OBJECTION AND RESTRICTION
Where your applicable law grants rights to object to or restrict processing, you may exercise them by writing to support@aegin.live. We will assess the request against the lawful basis for the processing in question.
WITHDRAW CONSENT
Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
COMPLAIN
You may lodge a complaint with your local data protection authority. For users in India, the Data Protection Board of India. For users in the European Union and European Economic Area, your national supervisory authority. For users elsewhere, the regulator with jurisdiction over your data.

We respond to rights requests within thirty days where required by applicable law, and within ninety days otherwise (matching the response window under India's Digital Personal Data Protection Rules, 2025). Identity verification is required before a request will be processed.

We do not provide a self-service data export tool. All rights are exercised by written request to support@aegin.live. Where you do not have a statutory right to a specific outcome, the right will be honored where we are able and declined where we are not.

09.

Automated decision-making

The protocol uses automated processing to render verdicts on unlock requests, compute the discipline score, generate weekly diagnoses, and produce other model outputs. These decisions are automated. The logic involves your behavioral history, the context of each request, and inferred signals derived from prior activity.

Where your applicable law grants a right to human review of an automated decision that produces legal or similarly significant effects on you, you may request review by writing to support@aegin.live.

10.

Children

Aegin is not intended for individuals under the age of eighteen. We do not knowingly collect personal data from individuals under eighteen. Where we discover that such data has been collected, we delete it. This age floor is set to satisfy the highest applicable threshold across the jurisdictions we serve, including the requirement under India's Digital Personal Data Protection Act 2023 for verifiable parental consent before processing the personal data of any individual under eighteen.

If you are a parent or guardian and believe a minor in your care has created an account, contact support@aegin.live and we will close the account and purge the data.

11.

Additional disclosures for California residents

This section supplements the Privacy Policy for residents of California and applies where the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is applicable to our processing of your personal information.

Categories of personal information collected map to the categories enumerated in §02 (Identity, Behavioral, Biometric, Inferred, Technical, Transactional). Sources of personal information are you directly, your device, your connected wearable (if any), and our payment processors. Business and commercial purposes are set out in §03 (Purposes and legal bases). Categories of third parties with whom personal information is disclosed are set out in §04 (Categories of recipients).

We do not sell personal information for monetary consideration. We do not share personal information for cross-context behavioral advertising. We do not use or disclose sensitive personal information for purposes beyond those permitted under the CCPA without your consent.

Categories of sensitive personal information collected map to the following. (i) Biometric information from a wearable or health source you elect to connect (the "BIOMETRIC" category in §02), processed only to compute derived behavioral signals and never used to identify you as a consumer. (ii) Information concerning health, in the form of inferred behavioral-health signals — including addiction-risk, dopamine-loop, and identity-drift indicators — generated by the protocol from the behavioral telemetry you have chosen to provide. We use and disclose sensitive personal information solely for the purposes enumerated in California Code of Regulations, title 11, section 7027(m): to perform the services you have requested, to detect, prevent, and respond to security incidents and malicious or illegal activity, and to verify or maintain the quality of the Services. Because our use of sensitive personal information is restricted to these permitted purposes, the right to limit the use of sensitive personal information under California Civil Code §1798.121 does not apply to our processing, and a "Limit the Use of My Sensitive Personal Information" link is not provided. We will provide such a link if our practices change.

California residents may exercise the right to know, the right to delete, the right to correct, the right to data portability, the right to opt out of sale or sharing (which we honor as a default — no opt-out request is required because we do not sell or share), and the right to limit the use of sensitive personal information. Submit requests to support@aegin.live. Authorized agents may submit requests on your behalf with proof of authorization.

We do not discriminate against California residents who exercise their rights under the CCPA.

12.

Security

We apply commercially reasonable technical and organizational measures to protect personal data, including encryption in transit and at rest, access controls, and monitoring.

No system is perfectly secure. In the event of a security incident affecting personal data, we will notify the relevant authorities and you in accordance with applicable law.

13.

Android Accessibility permission

On Android, the lock-enforcement layer of the Aegin mobile application requires you to grant the Accessibility permission. We use this permission for the sole and narrow purpose of detecting when an application you have placed under enforcement is launched, so that the unlock-plea interface can be presented to you. The permission is requested only after you have read a prominent disclosure of its purpose and have affirmatively consented to grant it, in accordance with the Google Play Developer Program Policy on Accessibility API use.

No data collected via the Accessibility permission is transmitted off-device beyond the application names and timestamps required to render verdicts and compute screen-time totals, as described under "BEHAVIORAL" in §02. We do not capture screen contents, keystrokes, or the contents of any other application. You may revoke the permission at any time from Android system settings; doing so disables the lock-enforcement layer but does not otherwise affect your account.

14.

Changes

We may update this policy from time to time. Material changes will be communicated to active subscribers by email and posted at the top of this page with the updated effective date. Continued use of the Services following an update constitutes acceptance of the updated policy.