Privacy Policy

Sealed

Last Updated: January 27, 2026

1. INTRODUCTION

Sealed ("Company," "we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and related services (collectively, the "Service"). This Privacy Policy applies to all users of the Service, regardless of location, and describes your data protection rights.

Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

This Privacy Policy is designed to comply with the General Data Protection Regulation (GDPR) for users in the European Union and European Economic Area, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) for California residents, the UK Data Protection Act 2018 for users in the United Kingdom, and other applicable data protection and privacy laws worldwide.

2. DATA CONTROLLER AND CONTACT INFORMATION

For the purposes of the GDPR and other applicable data protection laws, the data controller responsible for your personal data is:

Sealed
Contact Person: Luca Diaz Hilterscheid
Email: luca@orlyn.ai

You may contact us at any time with questions, concerns, or requests regarding your personal data or this Privacy Policy.

3. INFORMATION WE COLLECT

We collect several types of information from and about users of our Service. This section provides a comprehensive overview of the categories of personal data we collect.

3.1 Information You Provide Directly

Account Registration Information: When you create an account, we collect your name, email address, password (encrypted), profile picture (optional), date of birth, and any other information you choose to provide during registration.

Profile Information: Information you add to your profile, including biographical information, fitness goals, personal preferences, and any other details you choose to share.

Commitment and Goal Data: Information about the commitments and goals you create, including descriptions, target metrics, timeframes, stake amounts, and verification methods.

Payment Information: When you place stakes or make purchases, we collect payment card information (processed and stored by our payment processors), billing address, transaction history, and refund requests.

Communications: When you contact us for support or communicate through the Service, we collect the content of your messages, feedback, and any attachments.

User Content: Photos, videos, comments, progress updates, and other content you submit through the Service.

3.2 Information Collected Automatically

Device Information: Device type and model, operating system and version, unique device identifiers (including IDFA, IDFV, Android ID), mobile network information, browser type and version, and hardware settings.

Usage Information: Pages and features accessed, time spent on each page, click patterns and interactions, search queries within the app, error logs and crash reports, and session duration and frequency.

Screen Time Data: With your explicit consent, we may collect data about your device usage patterns, including time spent in specific applications, total screen time, and app usage frequency. This data is used solely to verify screen time-related commitments.

Location Data: With your explicit consent, we may collect precise geolocation data (GPS coordinates), approximate location based on IP address, and location history for commitment verification. Location data is collected only when you grant permission and is used for verifying location-based commitments (such as gym attendance), providing location-relevant features, and improving the accuracy of our services.

Log Data: IP address, access times and dates, app features used, referring URLs, and other standard log information.

3.3 Health and Fitness Data

With your explicit consent, we collect health and fitness data from integrated third-party services. This is sensitive personal data that we handle with the highest level of care and security.

Apple HealthKit Data: Step counts and walking/running distance, workout data (type, duration, calories), heart rate data, sleep analysis, active energy burned, exercise minutes, stand hours, and other health metrics you choose to share.

Apple Watch Data: Activity rings (Move, Exercise, Stand), workout metrics, heart rate during activities, and fitness achievements.

Strava Data: Activities (running, cycling, swimming, etc.), distance, pace, elevation, and workout timestamps.

Other Fitness Platforms: Similar data from Garmin Connect, Fitbit, Google Fit, Samsung Health, and other connected services.

IMPORTANT: In compliance with Apple's HealthKit requirements: We do not use health data for advertising or marketing purposes. We do not sell health data to third parties. We do not share health data with third parties except as necessary to provide the Service or as required by law. Health data is used solely to verify your commitment progress and provide the core functionality of the Service.

3.4 Information from Third Parties

Social Media Platforms: If you log in using social media credentials, we may receive your public profile information, email address, and friends list (if you grant permission).

Payment Processors: Our payment processors (including Stripe, Apple Pay, Google Pay) may provide us with transaction status, payment method type, and limited billing information.

Analytics Providers: We may receive aggregated analytics data about Service usage from our analytics partners.

3.5 Cookies and Similar Technologies

We use cookies, mobile identifiers, and similar tracking technologies to collect information about your browsing activities. These include essential cookies required for the Service to function, performance cookies to understand how users interact with our Service, functionality cookies to remember your preferences, and analytics cookies to measure and improve our Service. You can control cookies through your browser or device settings. However, disabling certain cookies may affect the functionality of the Service.

4. HOW WE USE YOUR INFORMATION

We use the information we collect for various purposes, all of which are designed to provide, improve, and protect our Service.

4.1 To Provide and Maintain the Service

This includes creating and managing your account; processing and verifying your commitments and goals; handling payments, stakes, and refunds; syncing data from connected fitness platforms; providing customer support and responding to inquiries; and sending transactional communications (confirmations, receipts, alerts).

4.2 To Improve and Personalize the Service

We use your information to understand how users interact with our Service; develop new features and functionality; personalize your experience based on your preferences; conduct research and analysis to improve our algorithms; and test new features and optimize user experience.

4.3 To Communicate with You

This includes sending service-related notifications (commitment reminders, progress updates); marketing communications (with your consent, where required); responding to your comments, questions, and requests; and providing information about updates, security alerts, and policy changes.

4.4 To Ensure Safety and Security

We use your information to detect, prevent, and address fraud; verify user identity and prevent unauthorized access; monitor for violations of our Terms of Service; protect the rights, property, and safety of our users and the public; and comply with legal obligations and law enforcement requests.

4.5 For Analytics and Research

We analyze usage patterns to understand user behavior; measure the effectiveness of our features; conduct surveys and collect feedback; and generate aggregated, anonymized statistics about our Service.

5. LEGAL BASES FOR PROCESSING (GDPR)

For users in the European Union, European Economic Area, and United Kingdom, we process your personal data based on the following legal grounds:

Contract Performance (Article 6(1)(b) GDPR): Processing necessary to perform our contract with you, including account creation, commitment processing, payment handling, and service delivery.

Consent (Article 6(1)(a) GDPR): Where you have given explicit consent, such as for processing health and fitness data, location data, marketing communications, and optional data collection. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

Legitimate Interests (Article 6(1)(f) GDPR): Processing necessary for our legitimate interests, provided these are not overridden by your rights, including service improvement and development, fraud prevention and security, analytics and research, and direct marketing to existing customers (with opt-out option).

Legal Obligation (Article 6(1)(c) GDPR): Processing necessary to comply with legal obligations, including tax and accounting requirements, responding to legal requests, and regulatory compliance.

Special Categories of Data (Article 9 GDPR): Health data is processed only with your explicit consent (Article 9(2)(a) GDPR) and is limited to what is necessary to provide the requested Service functionality.

6. HOW WE SHARE YOUR INFORMATION

We do not sell your personal information. We may share your information in the following circumstances:

6.1 Service Providers

We share data with trusted third-party service providers who perform services on our behalf, including payment processors (Stripe, Apple Pay, Google Pay) for transaction processing, cloud hosting providers (AWS, Google Cloud) for data storage, analytics providers for usage analysis, customer support platforms for inquiry management, and email service providers for communications. All service providers are contractually obligated to protect your data and use it only for the purposes for which it was disclosed.

6.2 Accountability Partners

If you choose to designate accountability partners, we will share your commitment progress and relevant data with those individuals as specified by you.

6.3 Charitable Organizations

If you forfeit a stake designated for charity, we will process the donation to the selected charitable organization. We share only the minimum information necessary to process the donation.

6.4 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency). This includes responding to subpoenas, court orders, or legal process; protecting our rights, property, or safety, or those of our users or the public; detecting, preventing, or addressing fraud, security, or technical issues; and enforcing our Terms of Service.

6.5 Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or uses of your personal information.

6.6 Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you for research, analysis, or other purposes.

7. INTERNATIONAL DATA TRANSFERS

Your information may be transferred to, and processed in, countries other than the country in which you reside. These countries may have data protection laws that are different from the laws of your country.

For transfers from the European Union, European Economic Area, or United Kingdom to countries not deemed to provide an adequate level of data protection, we implement appropriate safeguards, including Standard Contractual Clauses approved by the European Commission (Commission Decision 2021/914), supplementary measures where necessary to ensure the effectiveness of the transfer mechanism, and data processing agreements with all recipients.

For transfers from the United States, we comply with applicable state privacy laws and implement appropriate security measures. You may request a copy of the safeguards we use for international transfers by contacting us at luca@orlyn.ai.

8. DATA RETENTION

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements.

Account Data: Retained while your account is active and for six (6) years after account deletion for legal and compliance purposes.

Commitment Data: Retained for the duration of the commitment plus three (3) years for dispute resolution and compliance.

Transaction Records: Retained for seven (7) years as required by tax and financial regulations.

Health and Fitness Data: Retained only for the duration of the relevant commitment plus thirty (30) days, unless you request earlier deletion.

Location Data: Retained only for the duration of the relevant commitment plus thirty (30) days.

Marketing Consent Records: Retained for three (3) years from the date consent was given or withdrawn.

Log Data: Retained for up to twelve (12) months for security and operational purposes.

When your personal data is no longer required, we will securely delete or anonymize it in accordance with our data retention procedures.

9. YOUR PRIVACY RIGHTS

Depending on your location, you may have certain rights regarding your personal data. We are committed to honoring all applicable privacy rights.

9.1 Rights for EU/EEA/UK Residents (GDPR)

If you are located in the European Union, European Economic Area, or United Kingdom, you have the following rights:

Right of Access (Article 15): You have the right to obtain confirmation as to whether we are processing your personal data and, if so, to access that data and receive information about how it is processed.

Right to Rectification (Article 16): You have the right to have inaccurate personal data corrected and incomplete personal data completed.

Right to Erasure (Article 17): You have the right to have your personal data deleted in certain circumstances, such as when the data is no longer necessary for its original purpose.

Right to Restriction (Article 18): You have the right to restrict processing of your personal data in certain circumstances.

Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

Right to Object (Article 21): You have the right to object to processing based on legitimate interests, including profiling, and to processing for direct marketing purposes.

Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects.

Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence.

9.2 Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected personal information, our business or commercial purpose for collecting or selling personal information, the categories of third parties with whom we share personal information, and the categories of personal information we have sold or disclosed for a business purpose.

Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.

Right to Correct: You have the right to request that we correct inaccurate personal information.

Right to Opt-Out of Sale/Sharing: You have the right to opt out of the sale or sharing of your personal information. Note: We do not sell personal information in the traditional sense. However, some data sharing for targeted advertising may constitute a "sale" under CCPA.

Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of your sensitive personal information to what is necessary to perform the services you request.

Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your privacy rights.

Categories of Personal Information Collected: In the preceding twelve (12) months, we have collected the following categories of personal information: identifiers; customer records; protected classification characteristics; commercial information; internet or network activity; geolocation data; sensory data; professional or employment-related information; inferences; and sensitive personal information (precise geolocation, health data).

9.3 How to Exercise Your Rights

To exercise any of your privacy rights, please contact us at luca@orlyn.ai with your specific request. Please include sufficient information to verify your identity (such as your account email address and any other information we may reasonably request). We will respond to your request within the timeframe required by applicable law: for GDPR requests, within one (1) month, extendable by two (2) additional months for complex requests; and for CCPA requests, within forty-five (45) days, extendable by an additional forty-five (45) days. We do not charge a fee for processing requests unless they are manifestly unfounded or excessive.

10. DATA SECURITY

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

Technical Measures: Encryption of data in transit using TLS 1.3; encryption of data at rest using AES-256; secure password hashing using bcrypt or similar algorithms; regular security assessments and penetration testing; firewalls, intrusion detection, and prevention systems; and secure development practices.

Organizational Measures: Access controls limiting data access to authorized personnel; employee training on data protection and security; confidentiality agreements with all staff and contractors; incident response procedures; regular review and update of security policies; and data minimization practices.

While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but will notify you promptly in the event of a data breach affecting your personal data as required by applicable law.

11. CHILDREN'S PRIVACY

Our Service is not directed to children under the age of 18. We do not knowingly collect personal information from children under 18 years of age. If you are a parent or guardian and you are aware that your child has provided us with personal data, please contact us at luca@orlyn.ai. If we become aware that we have collected personal data from children without verification of parental consent, we will take steps to remove that information from our servers promptly.

In the United States, we comply with the Children's Online Privacy Protection Act (COPPA). In the European Union, we comply with GDPR provisions regarding children's data. We encourage parents and guardians to monitor their children's Internet usage and to help enforce this Privacy Policy by instructing their children never to provide personal information through our Service.

12. DO NOT TRACK SIGNALS

Some browsers include a "Do Not Track" (DNT) feature that signals to websites you visit that you do not want to have your online activity tracked. We currently respond to DNT signals and do not track users who have enabled this feature in their browsers. Additionally, California law requires us to disclose how we respond to Global Privacy Control (GPC) signals. We honor GPC signals as opt-out requests for the sale/sharing of personal information under CCPA.

13. THIRD-PARTY LINKS AND SERVICES

Our Service may contain links to third-party websites, services, or applications that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the privacy policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

Our integrations with third-party fitness and health platforms (Apple HealthKit, Strava, Garmin, Fitbit, etc.) are governed by this Privacy Policy regarding how we handle data received from those services. However, your use of those third-party services is governed by their respective privacy policies and terms of service.

14. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top of this Privacy Policy; sending you an email notification (if you have provided us with your email address); and providing notice through the Application before the changes become effective.

For material changes that affect how we process your personal data, we will provide at least thirty (30) days' notice before the changes take effect. Your continued use of the Service after such modifications constitutes your acknowledgment of the modified Privacy Policy and agreement to abide and be bound by the updated Privacy Policy.

We encourage you to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

15. SENSITIVE PERSONAL INFORMATION

Sealed processes certain categories of sensitive personal information to provide our core Service functionality. Sensitive personal information we may collect includes precise geolocation data (with your consent, for location-based commitments) and health data (with your consent, from integrated fitness platforms for commitment verification).

We use sensitive personal information only for purposes necessary to provide the Service, specifically to verify your commitment progress and outcomes, and as otherwise permitted by law.

California residents have the right to limit the use and disclosure of sensitive personal information. To exercise this right, contact us at luca@orlyn.ai.

16. FINANCIAL INCENTIVES (CALIFORNIA)

We may offer financial incentives, such as discounts or loyalty programs, that require the collection of personal information. These incentives are reasonably related to the value of your data to us. You may opt into or out of any incentive program at any time. We will describe the material terms of each program when you sign up.

17. CONTACT US

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Sealed
Data Controller: Luca Diaz Hilterscheid
Email: luca@orlyn.ai

For GDPR-related inquiries, you may also contact your local data protection authority.

18. EU REPRESENTATIVE

If required by Article 27 of the GDPR, we will appoint a representative in the European Union. Information about our EU representative will be provided upon request to luca@orlyn.ai.

19. SUPERVISORY AUTHORITY

If you are located in the European Union or United Kingdom and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local supervisory authority. A list of EU supervisory authorities can be found at https://edpb.europa.eu/about-edpb/board/members_en. For the United Kingdom, you may contact the Information Commissioner's Office (ICO) at https://ico.org.uk/.

20. SUPPLEMENTAL PRIVACY NOTICES

We may provide additional privacy notices or supplemental terms for specific features, services, or jurisdictions. These supplemental notices will be provided at the point of data collection or through the Service and should be read together with this Privacy Policy.

21. ACKNOWLEDGMENT

BY USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND AGREE TO ITS TERMS. IF YOU DO NOT AGREE TO THIS PRIVACY POLICY, PLEASE DO NOT USE THE SERVICE.