Your data, your breath.
Last updated June 6, 2026
Short version: we collect only what's needed to run Chill Flows, we never sell your data, and you can download or delete everything any time. The long version lives below.
1. What we collect
Account data: email, display name, password hash, optional profile picture, bio, dosha, wellness goals, dark-mode preference. Content you post: posts, comments, journal entries, vision boards, direct messages, donations, and supporters-wall opt-ins. Technical data: IP address, device/browser type, and cookies needed to keep you logged in.
2. How we use it
To run the platform: authenticate you, render feeds, deliver notifications and direct messages, process donations, and send transactional email. To improve the product: aggregate and anonymized analytics. We do not sell your personal data. We do not run third-party advertising on Chill Flows.
3. Dhatu wellness companion
Dhatu is a rule-based Ayurvedic guidance surface (symptom wizard, knowledge base, decision-tree guide). Your selections never leave our servers and are not shared with any third party. Crisis-language search terms automatically surface vetted hotlines instead of search results.
3a. Sensitive wellness data
Some of what you share with Chill Flows could be considered health-adjacent: symptoms entered into Dhatu, dosha quiz results, meal logs, mood / journal entries, scheduled yoga or meditation practices, and vision-board reflections. Chill Flows is a consumer wellness app and is NOT a HIPAA-covered entity, but we treat this data with extra care: it lives only inside your account, is never sold, is never shared with insurers, employers, healthcare providers, advertisers, or data brokers, and is not used to train any AI model. You can export or delete any of it at any time from Settings.
3b. Voice features (yoga guide voice)
The voice-guided yoga timer and asana read-aloud use your device's built-in text-to-speech engine (Web Speech API); audio is generated locally and never leaves your device. We do not access your microphone, we do not record audio, and no audio is uploaded to our servers. Your saved voice preferences (which voice to use, pace, pitch, volume) are stored only in your browser (a SameSite=Strict cookie on web, on-device storage in the native app).
3c. Location
The Events and Practitioners pages can sort by distance. If you opt into location, your approximate coordinate stays in your browser and is used only to compute distances locally before rendering; it is not stored on our servers. You can revoke location at any time via your browser's site permissions.
4. Payment processors
Donations are handled off-platform as Venmo / Zelle manual claims; we only store the handle you sent to, a short reference, and the amount you claim. Paid event tickets and host tips are processed through Stripe Checkout (and Stripe Express for host payouts). When you buy a ticket or tip a host, Stripe collects the payment details (card / bank info, billing address, sometimes ID verification for hosts) under its own privacy policy at https://stripe.com/privacy. Chill Flows itself never sees or stores your card number, CVC, or bank credentials. We do store the resulting Stripe Customer ID, Connect Account ID (for hosts), session IDs, payment amounts, platform fees, payout amounts, and check-in timestamps so we can show your tickets, the host's earnings, and the event check-in list. Hosts who sell tickets pass identity-verification info (name, address, SSN/last 4, tax ID where required) directly to Stripe; Chill Flows receives back only capability flags (`charges_enabled`, `payouts_enabled`), never the underlying ID documents.
5. Email
Transactional email (donation confirmations, ticket receipts, account notices) is sent via Resend. We don't send marketing email without opt-in. You can unsubscribe from optional emails in Settings. If you reply to a transactional email we sent, Resend forwards your reply to our support inbox. We don't otherwise process inbound mail or scrape your inbox.
5a. Push notifications
If you opt into push notifications (Settings → Notifications), we store a device push token issued by your operating system (Apple Push, Firebase Cloud Messaging, or the Web Push protocol). The token lets us deliver alerts but doesn't reveal who you are to Apple / Google by itself. You can revoke push at any time: uninstall the PWA, deny notifications in your OS settings, or toggle them off in our Settings page.
5b. Offline cache (PWA service worker)
If you install Chill Flows as a Progressive Web App, our service worker caches a small set of read-only GETs (your feed, posts, profile, places, events) on your device so the app still opens when you're offline. The cache lives entirely on your device, never syncs to our servers, and is cleared when you uninstall the PWA or clear site data in your browser settings.
6. Cookies and local storage
We use a session cookie (for Google OAuth sign-in) and/or an auth token (for email/password login; stored as a SameSite=Strict cookie on web, or in on-device storage in the native app) to keep you signed in. We also store your theme preference locally. We don't use tracking or advertising cookies.
7. Sharing
We share data only (a) with the service providers listed above, strictly to deliver our service, (b) when legally required (subpoena, safety emergency), or (c) if we merge with or are acquired by another company, in which case we'll notify you in advance.
8. Your rights
You can view, edit, export, or delete your data at any time from Settings. If you delete your account, we remove your profile and posts; anonymized totals (e.g. the supporters wall total raised) may remain. Residents of the EU/UK have additional GDPR rights (access, rectification, erasure, portability, objection); residents of California have CCPA rights (know, delete, non-discrimination). Exercise them by emailing hello@chillflows.com.
9. Security
Passwords are hashed with bcrypt. Traffic is encrypted in transit via HTTPS. Direct messages are encrypted at rest. No system is perfectly secure, so please use a unique password and enable a strong device passcode.
10. Retention
We keep your account data while your account is active. Once you delete, we purge it within 30 days, except where legal or financial records (e.g. tax-relevant donation receipts) require longer retention.
11. International users
Chill Flows is operated from the United States. By using the service you consent to transferring and processing your data in the US (or wherever our processors operate).
12. Changes
Material changes to this policy will be announced in-app or by email. The "Last updated" date at the top of this page tells you when we last revised it.
13. Contact
Privacy questions? Email hello@chillflows.com.
