Privacy Policy

Last updated: May 5, 2026

1. Who We Are

Smirk ("we," "us," "our") is operated from the Netherlands. If you have questions about this policy, contact us at [email protected].

2. Data We Collect

We collect the minimum data needed to provide and improve Smirk:

Category | Examples
Account | Email address, hashed password, date of birth
Profile | Practice preferences, skill goals, experience level
Conversations | Messages you send and AI responses during practice sessions
Performance | Quality scores, streaks, XP, levels, achievements
Usage Analytics | App opens, feature usage, session duration (via PostHog)
Purchase Data | Subscription status, transaction IDs (via RevenueCat; we never see your payment card)
Device | Push notification token, timezone, platform (iOS/Android)

We do not collect location data, contacts, photos, or health data.

3. How We Use Your Data

  • Generate AI responses and score your messages during practice conversations
  • Track your progress (XP, streaks, levels, performance analytics)
  • Send push notifications you've opted into (streak reminders, daily practice)
  • Process subscriptions and gem purchases
  • Improve the app through anonymized, aggregated usage analytics
  • Respond to support requests

4. AI Processing

AI Processing Disclosure

Smirk uses artificial intelligence to power conversations, coaching, and scoring. This section explains what happens to your data when you interact with AI features.

What data is sent to AI

When you practice a conversation, the messages you type are sent to an AI language model to generate character responses and evaluate your message quality. The AI also receives the conversation context (scenario type, character personality, mood state) to produce relevant responses.

AI providers

We use Google Gemini models accessed through OpenRouter (an API routing service). Your messages are processed in real time and are not stored by these providers beyond what is necessary to complete the API request. Per Google's API Terms of Service, data sent through the Gemini API is not used to train Google's models.

What AI does not do

  • AI does not access your email, contacts, or any data outside the active conversation
  • AI does not make decisions about your account, billing, or access
  • AI-generated scores are informational and do not affect your account standing
  • AI does not create profiles about you that persist across sessions

5. Sub-Processors

We share data with the following service providers, each under their own data processing agreements:

Provider | Purpose | Data Shared
Supabase | Authentication, database | Account data, conversations, progress
OpenRouter | AI model routing | Conversation messages (in transit)
Google (Gemini) | AI language model | Conversation messages (in transit)
RevenueCat | Subscription management | User ID, purchase events
PostHog | Product analytics | Anonymized usage events
Railway | Backend hosting | All server-side data (encrypted at rest)
Expo / Firebase | Push notifications | Device push token

6. Data Retention

  • Conversations: Stored while your account is active. Deleted when you delete your account.
  • Performance data: Stored while your account is active. Anonymized aggregates may be retained for analytics.
  • Analytics events: Retained for 12 months, then deleted.
  • Account data: Deleted within 30 days of account deletion request.

7. Your Rights (GDPR)

If you are in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Ask us to correct inaccurate data.
  • Erasure: Request deletion of your data. You can delete your account in the app (Profile → Delete Account) or email us.
  • Portability: Request your data in a machine-readable format.
  • Restriction: Ask us to limit processing in certain circumstances.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: You can withdraw AI processing consent at any time by deleting your account.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

Legal basis for processing: consent (AI processing, marketing), contract performance (account, conversations), legitimate interest (analytics, security).

8. EU AI Act Transparency

In compliance with the EU AI Act (Regulation 2024/1689):

  • Smirk is classified as a limited-risk AI system (conversational AI).
  • All conversations are with AI-generated characters, not real people. This is made clear throughout the app.
  • AI models used: Google Gemini (via OpenRouter). No proprietary training data from users.
  • Content moderation is handled through prompt-level safety rules and category-based filtering.

9. Age Requirement

Smirk is intended for users aged 18 and older. We verify age during registration and enforce age restrictions at the App Store level. We do not knowingly collect data from anyone under 18. If we learn we have collected data from a minor, we will delete it promptly.

10. Security

We protect your data with:

  • Encryption in transit (TLS) and at rest
  • Row-level security on all database tables
  • Hashed passwords (never stored in plain text)
  • Rate limiting and request validation
  • Access controls and audit logging

11. International Data Transfers

Your data may be processed by sub-processors located in the European Union and the United States. Where data is transferred outside the EEA, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements (DPAs) with each sub-processor
  • EU-US Data Privacy Framework where applicable

Hosting locations: Supabase (EU), Railway (EU), Google Gemini (US, via OpenRouter), PostHog (EU), RevenueCat (US), Firebase/FCM (US).

12. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33
  • Notify affected users without undue delay if the breach is likely to result in a high risk to your rights, as required by GDPR Article 34
  • Document the breach, its effects, and remedial actions taken

13. Cookies

Smirk is a mobile app and does not use browser cookies. This website uses no tracking cookies. Analytics on the website (if any) use privacy-friendly, cookieless methods.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the app. Continued use of Smirk after changes constitutes acceptance.

15. Contact

For privacy-related questions, data requests, or complaints:

Email: [email protected]
Operator: Smirk, Netherlands

If you are unsatisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority.