LovinFreqLOVINFREQ
Hazte Premium
Legal

Privacy Policy

Last updated: July 7, 2026

This Privacy Policy explains how Zion Enterprises Ltd., a company organized under the laws of the Federative Republic of Brazil ("Zion Enterprises," "we," "us"), collects, uses, shares, and protects personal data in connection with the LovinFreq application and lovinfreq.com (the "Service"). Zion Enterprises is the data controller for this processing. This Policy is designed to satisfy, among others, Brazil's LGPD (Lei nº 13.709/2018), the EU/UK GDPR, the California Consumer Privacy Act as amended by the CPRA, other U.S. state privacy laws (including Virginia, Colorado, Connecticut, Texas, and Utah), Canada's PIPEDA, and Australia's Privacy Act 1988. Where local law grants you more protection than this Policy, local law prevails.

1. Data We Collect

  • Account data (provided by you): name, email address, phone number, city, and state, plus a hashed password. We never store passwords in plain text.
  • Usage and journal data (generated by your use): custom presets, favorites, and Frequency Journal entries — play/stop timestamps, optional before/after mood ratings on a 5-point scale, and optional free-text notes. Mood entries are self-reported wellness impressions you choose to record; they are not medical records, and we recommend not entering health information in free-text notes. Where local law treats such data as sensitive, we process it only with your consent, expressed by your voluntary act of recording it, and you can delete it at any time.
  • Transaction data: plan type, subscription status, and payment events, processed by Stripe. We receive limited metadata (e.g., last four card digits, card brand); full card numbers never touch our servers.
  • Technical data (collected automatically): IP address, device type, app version, language preference, authentication tokens, and server logs used for security, debugging, and abuse prevention.

We do not collect precise geolocation, we do not use third-party advertising trackers, and we do not perform profiling that produces legal or similarly significant effects.

2. Purposes and Legal Bases

Under LGPD Article 7 and GDPR Article 6, we process personal data to:

  • Provide the Service — create and secure your account, sync presets and journal data across devices, deliver Premium entitlement (performance of a contract);
  • Process payments and maintain purchase records (performance of a contract; compliance with legal obligations, including tax law);
  • Personalize journal insights — compute your own "moods lifted" and "most replayed" lists from your data, visible only to you (performance of a contract; consent for any sensitive-classified data);
  • Secure and improve the Service — logging, fraud and abuse prevention, debugging, aggregate analytics (legitimate interest, balanced against your rights);
  • Communicate with you — transactional emails (contract), and optional marketing only with your consent, which you may withdraw at any time;
  • Comply with law — respond to lawful requests and enforce our Terms (legal obligation; legitimate interest).

3. Cookies and Local Storage

The website uses only strictly necessary storage: authentication tokens, your language preference, and session integrity cookies. We do not use advertising or cross-site tracking cookies, and therefore the site does not "sell" or "share" personal information as defined by the CCPA/CPRA.

4. Sharing and Processors

We do not sell personal data and never have. We share data only with processors necessary to run the Service, bound by data-processing agreements: payment processing (Stripe, Inc.), cloud hosting and databases (Railway Corp.), and transactional email delivery. We may also disclose data if required by law, to protect rights and safety, or as part of a merger or acquisition (in which case this Policy continues to apply and you will be notified of any material change).

5. International Transfers

Our infrastructure providers may store data in the United States or other countries. Where data of Brazilian, EEA, or UK residents is transferred internationally, we rely on recognized safeguards — including standard contractual clauses and, where available, adequacy decisions — as required by LGPD Chapter V and GDPR Chapter V.

6. Retention and Deletion

We keep personal data while your account is active. When you request deletion via the account deletion page, your account is deactivated immediately and underlying data is permanently erased within 30 days, except for records we must retain to comply with legal obligations (e.g., tax and payment records, kept for the statutory period and then deleted) and time-limited encrypted backups that are cycled out automatically.

7. Security

We apply technical and organizational measures appropriate to the risk: encryption in transit (TLS) and at rest where applicable, hashed passwords, short-lived access tokens (15 minutes) with rotating refresh tokens, tenant isolation, access controls, and security headers. No system is perfectly secure; if a breach likely to create risk to you occurs, we will notify you and the competent authority (including the ANPD in Brazil) as required by law.

8. Your Rights — Everyone

Wherever you live, you can: access the data we hold about you; correct it; delete it; receive a portable copy; object to or restrict certain processing; and withdraw consent at any time without affecting prior lawful processing. Exercise any right by emailing support@enterpriseszion.com or using the in-Service tools (profile editing, account deletion). We respond within the period required by your local law (15 days under LGPD; one month under GDPR; 45 days under CCPA/CPRA and other U.S. state laws, extendable as permitted). We will verify your identity before acting and will not discriminate against you for exercising rights. You may use an authorized agent where local law allows.

9. Brazil (LGPD)

You have all rights in LGPD Article 18, including confirmation of processing, access, correction, anonymization, blocking or deletion of unnecessary or non-compliant data, portability, information about sharing, and information about the consequences of refusing consent. You may also petition the Autoridade Nacional de Proteção de Dados (ANPD). Our privacy contact (encarregado/DPO function) is reachable at support@enterpriseszion.com.

10. EEA / United Kingdom (GDPR / UK-GDPR)

In addition to Section 8, you have the right to lodge a complaint with your local supervisory authority (or the UK ICO). Where processing rests on legitimate interest, you may object on grounds relating to your particular situation. We do not make automated decisions producing legal or similarly significant effects.

11. United States — State Privacy Rights

California (CCPA/CPRA): you have the rights to know, access, correct, delete, and to opt out of "sale" or "sharing" of personal information — we do not sell or share personal information as defined, and we do not use or disclose sensitive personal information for purposes requiring a "Limit Use" right. We honor these rights without discrimination. In the last 12 months we collected the categories listed in Section 1 for the purposes in Section 2 and disclosed them only to the processors in Section 4. Because we do not sell/share data, no "Do Not Sell or Share" link is required; we also honor Global Privacy Control signals for any future scenario in which they would apply. Virginia, Colorado, Connecticut, Texas, Utah, and similar state laws: you have equivalent access/correction/deletion/portability rights and the right to appeal a refusal — appeal by replying to our decision email, and we will respond within the statutory appeal window; Colorado/Connecticut residents may then contact their Attorney General.

12. Canada and Australia

We comply with PIPEDA's ten fair information principles for Canadian users and with the Australian Privacy Principles for Australian users, including rights of access and correction and complaint routes to the OPC (Canada) and OAIC (Australia).

13. Children

The Service is not directed to children under 13, and we do not knowingly collect personal data from them (COPPA; LGPD Art. 14; GDPR Art. 8). The Baby Frequencies category is intended for use by a parent or guardian playing audio in the room — the account holder is always the adult. If you believe a child provided us data, contact us and we will delete it promptly.

14. Do Not Track

We do not track users across third-party sites, so there is nothing for a DNT signal to disable; we treat Global Privacy Control as stated in Section 11.

15. Changes and Contact

We may update this Policy; material changes will be announced by email or in-Service notice at least 15 days before taking effect, and the "Last updated" date will change. Continued use after the effective date means you acknowledge the update; where consent is legally required for a new processing purpose, we will ask for it. Questions, requests, or complaints: Zion Enterprises Ltd. — support@enterpriseszion.com (privacy/DPO contact).