Introduction
TGLO Labs ("we," "us," or "our") operates the Gezana mobile application (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. Please read this policy carefully. If you do not agree with the terms of this Privacy Policy, please do not use the Service.
Data Controller
TGLO Labs is the data controller responsible for your personal data. For privacy-related inquiries, data access requests, or to exercise your rights, contact our Data Protection Officer at support@gezana.app.
Last updated: March 8, 2026
Data Inventory
Audit table of core data categories, purposes, storage, sharing, and retention.
| Type | Purpose | Stored | Shared | Retention |
|---|---|---|---|---|
| Auth account data (PII) | Sign in and protect accounts | Supabase Auth | Supabase | Until account deletion |
| Profile data (PII) | Preferences and personalization | Supabase profiles | Supabase | Until account deletion |
| Chats/prompts/responses (PII, user content) | Generate AI responses | Supabase chat tables | Cloud AI service (processed), Supabase | Until account deletion + legal exceptions |
| Usage telemetry (non-content analytics) | Feature analytics and product improvement | PostHog | PostHog | 30-day log baseline |
| Subscription and entitlement data (PII) | Billing and access control | RevenueCat + Supabase webhook records | RevenueCat, app stores | 7-day webhook logs + compliance retention for durable records |
| Crash/error diagnostics (device diagnostics) | Stability and incident response | Sentry | Sentry | 30-day log baseline |
Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:
| Data Type | Legal Basis |
|---|---|
| Account data (email, name) | Contract performance — necessary to provide the Service |
| Chat messages and prompts | Contract performance — necessary to generate AI responses |
| Subscription and billing data | Contract performance — necessary to process payments |
| Usage analytics | Legitimate interest — improving Service quality and user experience |
| Crash diagnostics | Legitimate interest — maintaining Service stability and security |
| Marketing communications | Consent — only with your explicit opt-in |
Where we rely on legitimate interest, we have conducted a balancing test to ensure your rights and freedoms are not overridden. You may object to processing based on legitimate interest by contacting support@gezana.app.
Third-Party Services
- Supabase (database and authentication)
- Cloud AI service (AI chats)
- RevenueCat (subscriptions)
- Sentry (errors)
- PostHog (analytics)
Retention
| Category | Rule |
|---|---|
| Operational logs | 30 days |
| Webhook traces | 7 days |
| Durable account records | Per compliance requirements |
User Rights
- Access
- Delete (in-app or by email to support@gezana.app)
- Correct
- Object
AI Processing
We use a third-party cloud AI service. Your prompts are sent to it to generate responses. Your data is not used for training. Responses are not medical or legal advice. Verify outputs. We accept no liability for errors.
Children
The Service is not for children under 12.
International Transfers
Your data may be transferred to and processed in the United States and European Union where our service providers operate. These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring your data receives equivalent protection.
Automated Decision-Making
Gezana uses artificial intelligence to generate conversational responses based on your inputs. This AI processing is essential to provide the core functionality of the Service.
What we do: AI generates text responses to your messages. Content moderation filters may automatically block certain inputs or outputs to prevent harmful content.
What we do NOT do: We do not use automated decision-making to make legal or similarly significant decisions about you. Account actions (suspension, termination) are reviewed by humans. Subscription eligibility is determined by your payment status, not AI profiling.
You have the right to request human review of any automated decision that significantly affects you. Contact support@gezana.app for such requests.
Your Privacy Rights (California - CCPA/CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
Categories of Personal Information Collected: Identifiers (email, name), commercial information (subscription status), internet activity (usage data), and inferences (chat context).
Do Not Sell or Share My Personal Information: TGLO Labs does not sell your personal information as defined by the CCPA. We do not share personal information for targeted advertising purposes. Third-party data sharing is limited to service providers necessary to operate the Service.
To exercise your California privacy rights, contact support@gezana.app. We will verify your identity before processing requests.
How We Protect Your Data
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
- Encryption at Rest: Sensitive data is encrypted at rest in our managed infrastructure using industry-standard encryption algorithms.
- Access Controls: Row-Level Security (RLS) policies ensure users can only access their own data. Administrative access is restricted and logged.
- Authentication: Secure authentication via email OTP, Apple Sign-In, and Google Sign-In. Session tokens are securely stored on your device.
- Third-Party Security: Our service providers (Supabase, cloud AI services, RevenueCat, Sentry, PostHog) maintain SOC 2 compliance and/or equivalent security certifications.
- Incident Response: We maintain incident response procedures to detect, investigate, and respond to potential data breaches. Affected users will be notified as required by applicable law.
While we implement strong security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your data to the best of our ability.
Data Breach Notification
In the event of a data breach that poses a high risk to your rights and freedoms, we will notify you without undue delay, and no later than 72 hours after becoming aware of the breach where feasible. Notification will include the nature of the breach, likely consequences, and measures taken to address it.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where appropriate, through in-app notifications or email.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: support@gezana.app
- Data Protection Officer: support@gezana.app
If you are in the EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority.