Privacy Policy

NineWays ("we", "us", "our") is committed to protecting your privacy. This policy explains what data we collect through our website at nineways.app and through the NineWays mobile application, why we collect it, who we share it with, and your rights regarding that data.

This policy covers both the website and the mobile app. Where a section applies only to one or the other, we say so explicitly.

1. Who We Are

NineWays is a relationship app for couples built on the Enneagram personality system. The data controller is ETL Consult, a sole proprietorship (jednoosobowa działalność gospodarcza) registered in Poland under tax identification number (NIP) 7221428289. Full registration details are publicly available in the Polish Central Registration and Information on Business (CEIDG) at prod.ceidg.gov.pl.

For any privacy-related questions, contact us at …. We respond within 30 days.

2. What Data We Collect

Through the website (nineways.app)

• Email address. Collected when you voluntarily sign up for our waitlist through the form on our landing page.
• Basic analytics data. Page views, approximate location (country/region level), browser type, and device type. Aggregated, not personally identifying.
• Cookies. See Section 6.

Through the mobile app

When you create an account or use the app, we collect the following:

• Account data. Email address and password (stored hashed, never in plaintext); display name.
• Demographic data. Gender and date of birth, which you provide during onboarding. Used to personalize content and confirm you meet our minimum age requirement.
• Personality data. Your Enneagram type (1 through 9), wing, assessment kind (quick or full), confidence band, and timestamps of when these were determined. This includes any answers you give in our Enneagram assessment quiz.
• Partnership data. If you connect with a partner, we store the relationship link between your two accounts and the invite code used. Both partners can see each other's name, type, and certain shared content (check-ins, joint challenges, etc.).
• Profile photo. If you choose to upload a photo, it is stored as a 512×512 JPEG on our servers and made visible to your partner.
• In-app activity. Daily check-ins, completed challenges, journey progress, repair-mode sessions, and notification preferences.
• Repair Mode conversation data. When you use the AI-assisted repair feature, the trigger you describe, your relationship context (your name, partner's name, both Enneagram types), and the situation details you enter are sent to Anthropic's Claude API to generate a personalized response. See Section 4 for details.
• Push notification token. An Apple-issued device token (APNs) used to deliver notifications you've opted into. This token does not identify you personally to Apple but does allow us to send notifications to your specific device.
• Subscription data. If you purchase NineWays Premium, the purchase is processed entirely by Apple. We receive a subscription status (active / inactive / expired) and the original transaction ID from Apple's servers, but we never see your payment method or billing information.
• Crash and diagnostic data. When the app crashes or encounters an unhandled error, we collect the stack trace, device model, OS version, and your account ID (so we can correlate crashes across sessions). We do not collect your name, email, IP address, or screen contents in crash reports. See Section 4 (Sentry).
• Server logs. When the app talks to our backend, we log the request type, timestamp, response status, and a hashed version of your IP address (we do not store the raw IP). These logs are retained for 30 days for security and debugging purposes, then deleted.

What we do NOT collect

• We do not access your contacts, photos library (other than the one photo you explicitly select for your avatar), camera, microphone, or location.
• We do not track you across other apps or websites.
• We do not collect advertising identifiers (IDFA).
• We do not perform any kind of advertising or behavioral profiling.

3. Why We Collect It

• To provide the app's core functionality. Accounts, partnerships, content personalization, check-ins, challenges, journeys, and repair mode all require the data described above.
• To send you push notifications you've opted into (daily insight, daily challenge, check-in reminder, partner activity).
• To send you transactional emails related to your account (password reset, email verification, partnership invites).
• To diagnose and fix crashes and bugs through anonymized stack traces.
• To process your subscription (handled by Apple; we only receive status flags).
• To respond to support requests when you email us.
• To comply with legal obligations (GDPR data requests, lawful subpoenas, etc.).

We do not use your data for advertising. We do not sell, rent, or share your personal data with third parties for marketing purposes. Full stop.

4. Third-Party Services

We use the following third-party services that may process your data. Each service operates under its own privacy policy, which we link below.

Service infrastructure

• Render. Cloud hosting provider where our backend runs. Stores all the database content described in Section 2 (account, partnership, in-app activity). Privacy policy.
• Cloudflare. Content delivery and security in front of our website. Privacy policy.
• Hostinger. Web hosting provider for nineways.app landing page. Privacy policy.

App-specific processors

• Anthropic (Claude). Used by Repair Mode. When you describe a relationship trigger and ask for guidance, we send the trigger description, your situation details, both partners' first names, and both Enneagram types to Anthropic's Claude API, which returns a personalized response. Anthropic processes this data only to generate the response and, per their commercial terms, does not use it to train their models. We do not send your email, password, full name, exact birth date, or any other identifying information beyond first names. Anthropic privacy policy.
• Apple Push Notification service (APNs). Delivers push notifications to your device. Apple processes the device token and notification payload. We do not include personally identifying content in the notification body itself. Apple privacy policy.
• Apple App Store / In-App Purchases. Processes all NineWays Premium subscriptions. Apple is the merchant of record. We never see your payment method. Apple privacy policy.
• Sentry. Collects anonymized crash reports and unhandled errors from the app. We have configured Sentry to NOT send default personally identifying information; we attach only your account ID so we can correlate crashes for the same user across sessions. Sentry privacy policy.

Website-only

• EmailOctopus. Email marketing platform that stores and processes your email address when you join our waitlist. Privacy policy.
• Google Fonts. Web fonts loaded from Google servers when you visit nineways.app. Privacy policy.

All third parties listed above are bound by data processing agreements (or equivalent commercial terms) requiring them to handle your data in accordance with this policy and applicable law.

5. Where Your Data Is Stored

Most data is stored on servers in the European Union (Frankfurt, Germany) operated by Render. Some third parties (Anthropic, Apple, Sentry, Cloudflare) may process data in the United States or other regions; in those cases, transfers are protected by Standard Contractual Clauses or equivalent safeguards as required by GDPR.

6. Cookies

Our website uses the following cookies:

• Essential cookies. Set by Cloudflare for security and performance. These are necessary for the website to function and cannot be disabled.
• Preference cookies. We store your cookie consent choice locally on your device so we don't ask you again.

The mobile app does not use cookies. It uses local device storage (UserDefaults, Application Support directory) to cache your authentication tokens, Enneagram type, and avatar image, so the app works smoothly between launches and during brief offline periods.

You can manage cookies through your browser settings at any time.

7. Your Rights (GDPR / EEA Users)

If you are located in the European Economic Area, you have the following rights under GDPR:

• Access. Request a copy of the data we hold about you.
• Rectification. Request correction of inaccurate data.
• Erasure. Request deletion of your data ("right to be forgotten"). Note: you can also delete your account directly in the app under Profile → Delete Account, which removes all your data within 30 days.
• Restriction. Request that we limit how we process your data.
• Portability. Request your data in a machine-readable format.
• Objection. Object to processing of your data for specific purposes.
• Withdraw consent. You can unsubscribe from emails using the link in every email; you can disable push notifications under Profile → Notifications.

To exercise any of these rights, email us at …. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority. In Poland, this is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), uodo.gov.pl.

8. Data Retention

• Account data. Retained for as long as your account is active. When you delete your account, all your data is removed within 30 days.
• Partnership data. When you disconnect from a partner, the partnership record is deleted but the data each of you generated remains tied to your individual accounts.
• In-app activity. Retained for as long as your account is active.
• Server logs. 30 days, then automatically deleted.
• Crash reports. Retained by Sentry for 90 days.
• Backups. Encrypted database backups are retained for 30 days for disaster recovery, then deleted.
• Waitlist email. Retained as long as you remain subscribed; removed from active mailing list when you unsubscribe.

After deletion, some data may persist in encrypted backups for up to 30 additional days before being permanently overwritten.

9. Data Security

We take reasonable measures to protect your data:

• All data transmission uses HTTPS encryption (TLS 1.2 or higher).
• Passwords are hashed using bcrypt; we never store or transmit them in plaintext.
• Database access is restricted to authorized backend processes only.
• Authentication tokens expire after a defined period and can be revoked by logging out.
• Crash reports do not include personally identifying information.

That said, no method of electronic transmission or storage is 100% secure. We will notify affected users and the relevant authorities within 72 hours if we become aware of a personal data breach that poses a risk to your rights, as required by GDPR.

10. Children's Privacy

NineWays is intended for adults aged 18 and older. We do not knowingly collect personal data from anyone under 18. We confirm age during onboarding by collecting your date of birth.

If we discover we have collected data from a person under 18, we will delete it promptly. If you believe we have inadvertently collected such data, please contact us at ….

11. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated through the app (in-app notice) or via email if you have an account. Minor changes (clarifications, formatting) will be posted on this page with an updated "Last updated" date. We encourage you to review this page periodically.

12. Contact

For any questions or concerns about this privacy policy or your data, contact us at:

…

← Back to NineWays