KOMPAS Privacy Policy
1. Data Controller
The controller of your personal data in KOMPAS is:
Lidia Brózda, an individual residing in Poland, operating under the brand AI Bridge, website: aibridgeco.com.
Privacy contact: contact@aibridgeco.com
Legal form: individual (no registered business, no tax ID). Postal address is not published — GDPR Article 13 is satisfied through identification by name, brand, and contact email; the postal address will be disclosed to a supervisory authority on request.
2. Purposes and Legal Basis
We process your data for the following purposes under the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"):
| Purpose | Data categories | Legal basis |
|---|---|---|
| Detect and fix application errors (crash reporting) | Anonymous crash report (stack trace, device model, OS version) | Article 6(1)(f) GDPR — legitimate interest (maintaining application stability) |
| Generate personalized AI analysis ("Look deeper") | Your archetype, top 10 values, clusters, interface language, device identifier | Article 6(1)(a) GDPR — your informed, voluntary consent expressed by tapping the "Look deeper" button |
| Backup and historical snapshot comparison (Time Capsule) | Device identifier, value list over time, archetype, timestamp | Article 6(1)(a) GDPR — your consent expressed by activating the Time Capsule feature |
| Rate limiting of API calls | Device identifier, timestamp | Article 6(1)(f) GDPR — legitimate interest (protecting infrastructure against abuse) |
| Product event counting (analytics) | Device identifier, event name, event context | Article 6(1)(f) GDPR — legitimate interest (understanding how people use the app, no advertising profiling) |
We do not collect: email address, name, surname, phone number, contacts, GPS location, payment data, advertising identifiers (AAID/IDFA), biometric data. The app does not require an account.
3. Categories of Data Processed
Specifically, KOMPAS may process:
- Device identifier (device_id) — a random UUID v4 generated locally on your device and stored in the operating system's secure storage (expo-secure-store). It is NOT an advertising identifier or a hardware identifier. It does not allow us to identify you as a person.
- Crash reports (Sentry) — in case of application error, we send the stack trace, device model, OS version (Android or iOS) and app version. The sendDefaultPii: false configuration disables collection of IP addresses and user identifiers.
- Time Capsule snapshots (if enabled) — your list of 10 values after calibration, the assigned archetype, language, timestamp. Linked to device_id.
- AI prompts and responses — when you tap "Look deeper", the names of your top 10 values, archetype, and language are sent to the AI model. The model's response is not stored in our database — it is displayed in the app.
- Analytics events — e.g. "phase 7 completed", "BuyMeACoffee tapped", without the content of your values.
- BuyMeACoffee redirect — tapping the BMC icon opens the external page buymeacoffee.com/aibridgeco. From that point on, BuyMeACoffee's privacy policy applies.
4. Subprocessors
We use the following infrastructure providers:
| Provider | Role | Location | Privacy policy |
|---|---|---|---|
| Sentry GmbH | Crash reporting | Germany (EU) | sentry.io/privacy/ |
| Cloudflare, Inc. | Workers + D1 database (snapshots, rate limit, analytics), Workers AI (GLM-4.7-Flash model) | USA (with optional EU regions) | cloudflare.com/privacypolicy/ |
| Google LLC (Google Play) | App distribution, optional Play services (Play Protect, Integrity) | USA | support.google.com/googleplay |
| Apple Inc. | App distribution (iOS), optional App Store services (e.g. integrity check) | USA | apple.com/legal/privacy |
| BuyMeACoffee (Hithard Inc.) | Optional tipping (external redirect) | United Kingdom | buymeacoffee.com/privacy |
5. International Data Transfers (outside EEA)
Some providers are based outside the European Economic Area (EEA):
- Cloudflare, Inc. (USA) — transfer takes place under the EU-US Data Privacy Framework (DPF), in which Cloudflare is certified. Additionally, Cloudflare offers Standard Contractual Clauses (SCC) under European Commission Decision 2021/914.
- Sentry GmbH (Germany) — based in the EU, no transfer outside the EEA for our plan.
- Google LLC (USA) — transfer based on the EU-US Data Privacy Framework + SCC.
- Apple Inc. (USA) — transfer based on the EU-US Data Privacy Framework + Standard Contractual Clauses (SCC).
- BuyMeACoffee (UK) — transfer based on the European Commission's adequacy decision of 28 June 2021 confirming an adequate level of protection in the UK.
6. Data Retention
| Data | Retention period |
|---|---|
| Sentry crash reports | 90 days (Sentry plan default, automatic deletion) |
| Time Capsule snapshots in D1 | Until device account deletion (see section 8) or app uninstallation + manual deletion request |
| Rate limit | 10 minutes (sliding window, data continuously overwritten) |
| Analytics events | Until device account deletion or deletion request |
| Local data on device (AsyncStorage) | Until app uninstallation or "Reset everything" use |
| Google Play data (e.g. install count) | Managed by Google according to their policy |
| App Store data (e.g. install count) | Managed by Apple according to their policy |
7. Your Rights
Under the GDPR, you have the right to:
- (a) access your data (Article 15 GDPR),
- (b) rectification of incorrect data (Article 16 GDPR),
- (c) erasure ("right to be forgotten", Article 17 GDPR),
- (d) restriction of processing (Article 18 GDPR),
- (e) object to processing based on legitimate interest (Article 21 GDPR),
- (f) data portability (Article 20 GDPR),
- (g) withdraw consent at any time (Article 7(3) GDPR) — for AI insights and Time Capsule,
- (h) lodge a complaint with your local data protection authority. If you are in the EU, this is typically the supervisory authority of your country (e.g. CNIL in France, BfDI in Germany, ICO in the UK, Garante in Italy, UODO in Poland — edpb.europa.eu/about-edpb/about-edpb/members_en lists all EU DPAs).
Note: in the current app version, withdrawing Time Capsule consent is done by disabling notifications from KOMPAS in your device's system settings. A dedicated toggle in the app's settings is planned for a future release.
To exercise these rights, write to contact@aibridgeco.com. We respond within 30 days in line with Article 12(3) GDPR.
8. How to Delete Your Data
You have two paths:
1. Local data deletion (immediate):
- uninstalling the app — removes all local data, including device_id and snapshots. Reinstalling generates a new random identifier.
2. Server-side data deletion (Cloudflare D1 — snapshots, analytics):
Send an email to contact@aibridgeco.com with the subject "GDPR data deletion".
Your record is identified based on the email address you write from, and the approximate install date or first-use date you provide in your message.
We process the request within 30 days. After deletion you receive a confirmation email.
Technical note: Currently, deletion from the D1 database is manual (cf-worker does not yet have a public DELETE endpoint — see "Flags to verify"). For an indie-launch-scale app this is acceptable — no automated profiling or data sale takes place in the meantime.
3. Sentry crash report deletion: Reports are automatically deleted after 90 days. You may also request earlier deletion by email.
9. Cookies and Tracking
All data transmitted between the app and our servers is encrypted in transit using HTTPS/TLS 1.2 or higher.
The KOMPAS app does not use cookies, web view trackers or advertising SDKs. No Google Analytics, no Facebook Pixel, no AppsFlyer, no Adjust. No device fingerprinting.
The aibridgeco.com website (where this policy is hosted) may use minimal session cookies — see the aibridgeco.com cookie policy.
10. Children
KOMPAS is not intended for persons under 16 years of age. We do not knowingly collect children's data. If you are a parent/guardian and believe your child used the app, write to contact@aibridgeco.com — we will delete the related data immediately.
Enforcement is via age rating categorization in App Store and Google Play, in line with their classification policies.
11. GDPR Contact
Direct all privacy questions, requests, objections and complaints to:
- Email: contact@aibridgeco.com
- Website: aibridgeco.com/kompas
- Controller: Lidia Brózda (individual), operating under the brand AI Bridge.
We have not appointed a Data Protection Officer (DPO) because we do not meet the Article 37 GDPR thresholds (no large-scale profiling, no special-category data at a scale requiring a DPO). All requests go directly to the controller.
12. Version and Last Update Date
- Version: 1.0
- Last update: 2026-05-01
- Effective date: 2026-05-01
In case of significant changes to this policy, we will inform you on the aibridgeco.com/kompas/privacy page and, if the change is material, in the app itself.