Privacy Policy

Effective Date: April 28, 2026

1. Introduction

Welcome to MoodFire, a mobile app designed to support mental wellness through mood tracking, guided breathing exercises, cognitive reframing, grounding exercises, gratitude journaling, and calming audio experiences. This Privacy Policy explains how we collect, use, store, and protect your personal information, and outlines your rights and choices.

MoodFire is operated by a UK company and this Privacy Policy is governed by the laws of England and Wales. Where you reside in the United States, Canada, or another jurisdiction with its own data protection regime, the supplementary notices in Sections 21 to 24 describe additional rights you may have under your local law. Those supplementary notices add to (they do not replace) the rest of this Privacy Policy.

2. Who We Are

MoodFire is owned and operated by MOODFIRE LTD, a company incorporated in England and Wales. We are committed to protecting your privacy and complying with applicable data protection laws.

MoodFire Ltd is registered with the Information Commissioner's Office (ICO) under registration number ZC123286. The ICO is our lead supervisory authority for data protection matters.

3. Information We Collect

We collect the minimum necessary personal information to provide our services. This includes:

• Name and email address
• Optional profile information such as date of birth, gender, and country
• Mood entries, reframe journal entries, gratitude entries, breathing session data, grounding session data, and calming audio usage
• App usage data such as login timestamps, subscription status, streak data, and feature usage patterns
• Device information, IP address, and user agent (collected when you accept our terms)
• Timezone and language preferences
• Push notification tokens (for delivering notifications you have opted into)
• Wellbeing check-in responses, where you have chosen to complete them. This constitutes special category health data and is processed only on the basis of your explicit consent.

We do not collect GPS location data or health records beyond the mood and wellness entries you choose to create within the app.

4. How We Use Your Information

We use your information to:

• Provide access to the MoodFire app and its features
• Manage your subscription and account status
• Sync your data securely across your devices
• Send push notifications you have opted into
• Track your usage streaks
• Support basic personalisation of your experience
• Respond to support requests or inquiries
• Improve app functionality and user experience

We do not use your data for advertising or sell it to third parties.

5. Legal Basis for Processing

We process your personal data on the following legal bases:

• For the provision of the MoodFire service and your account: performance of a contract (Article 6(1)(b) of UK GDPR).
• For analytics and service improvement: our legitimate interests in understanding how the app is used and improving the service (Article 6(1)(f) of UK GDPR).
• For wellbeing check-in data: your explicit consent under Article 9(2)(a) of UK GDPR, which you may withdraw at any time.
• For push notifications: your consent, which you may withdraw at any time through the app or your device settings.

6. Data Storage and Sync

Your wellness entries (mood, reframe, breathing, grounding, gratitude, and calming audio data) are stored locally on your device using AES-256 encryption. This data is also synced to our secure cloud infrastructure (Google Firebase Cloud Firestore) so that you can restore your data if you switch devices. All data in transit is protected using secure transmission protocols.

7. Analytics

We use Firebase Analytics (provided by Google) to collect anonymised, aggregated usage data such as which features are used and how often. This helps us understand how the app is used and where we can improve. This analytics data does not include the content of your mood entries, journal entries, or any free-text you enter. We do not log sensitive safety-related interactions to analytics. Google processes analytics data on our behalf under strict data processing agreements.

8. Push Notifications

If you opt in to push notifications, we store a device token provided by Firebase Cloud Messaging to deliver notifications to your device. You can disable notifications at any time through your device settings or within the app. We do not share your notification tokens with third parties.

9. Data Retention and Deletion

You have the right to be forgotten. If you unsubscribe or request deletion of your data, we will:

• Remove your account information, including name and email
• Delete all associated wellness entries, usage history, and cloud-synced data
• Remove all locally stored encrypted data
• Ensure no backups or residual data are retained

You can request account deletion directly within the app from your account settings.

Wellbeing check-in data is retained on your device for as long as you have the app installed and you have not deleted your check-in history. Anonymised aggregate data held on our servers is retained indefinitely for research purposes unless you request its deletion.

10. Children's Privacy

MoodFire is intended for use by individuals 18 years of age or older. We do not knowingly collect personal information from anyone under the age of 18. If we discover that a minor has provided us with personal information, we will delete it immediately.

11. Wellbeing Check-Ins and Health Data

MoodFire offers optional wellbeing check-ins based on two validated self-report instruments: the Patient Health Questionnaire-4 (PHQ-4) and the Generalised Anxiety Disorder-7 scale (GAD-7). These are widely-used, non-proprietary instruments developed for measuring general wellbeing.

Your responses to these check-ins are classified as 'data concerning health' under Article 9 of the UK General Data Protection Regulation. We process this data on the basis of your explicit consent, which you provide by choosing to complete a check-in. You can withdraw that consent at any time by disabling wellbeing check-ins in your account settings, or by deleting your check-in history entirely.

Your individual check-in responses are stored locally on your device in encrypted form using AES-256. We may sync an anonymised subset of your data (your total score, the scale used, and the date of completion, but NOT your individual item responses) to our secure servers for the purposes of tracking your wellbeing trends over time and, in aggregated form, for research into the effectiveness of MoodFire.

We will never:

• Sell or license your wellbeing data to third parties.
• Share your individual wellbeing data with your employer, university, or any other organisation, even if you accessed MoodFire through an organisational account.
• Use your wellbeing data to personalise advertising or subscription pricing.
• Share identifiable wellbeing data with insurers, healthcare providers, or any third party without your separate, explicit consent.

You have the right to access, export, correct, or delete your wellbeing check-in data at any time from your account settings. Deletion is permanent and cannot be undone.

The PHQ-4 and GAD-7 are public-domain instruments. Attribution: Kroenke, Spitzer, Williams and Löwe (PHQ-4, 2009); Spitzer, Kroenke, Williams and Löwe (GAD-7, 2006).

12. Data Sharing and Third Parties

We do not sell or share your personal data with third-party advertisers. We use Google Firebase as our infrastructure provider for authentication, data storage, cloud sync, push notifications, and anonymised analytics. Google processes this data on our behalf under strict data processing agreements and does not use it for advertising purposes.

Subscription payments are handled securely through:

• Apple App Store
• Google Play Store

These platforms may collect data under their own privacy policies. We do not have access to your payment card details.

13. Cookies and Local Storage

Our website uses cookies and local storage to support essential functionality and, with your consent, to improve your experience.

• Essential cookies: We use local storage to remember your cookie consent preferences. This is strictly necessary for the site to respect your choices and does not track you.
• Analytics cookies: With your explicit consent, we may use analytics cookies to understand how visitors use the site. All data collected is anonymous and is not shared with third parties.

When you first visit our site, a consent banner will ask for your preferences. You can change your cookie settings at any time via the "Cookie Settings" link in the site menu. No non-essential cookies are set until you provide consent.

14. Data Security

We use industry-standard security practices to protect your data, including:

• AES-256 encrypted local storage on your device
• Secure transmission protocols for all data in transit
• Authentication safeguards including optional biometric authentication (Face ID / fingerprint)
• App integrity verification (Firebase App Check)
• Limited access by authorised personnel only
• Server-side security rules restricting data access to account owners

Although no system can guarantee complete security, we take appropriate steps to minimise risk.

Where we engage third-party processors (such as Google Firebase), we ensure appropriate data processing agreements (DPAs) are in place that meet the requirements of applicable data protection legislation.

15. Your Rights

You have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Withdraw consent for data processing at any time
• Export your data
• Withdraw consent for wellbeing data processing at any time, without affecting the lawfulness of processing carried out prior to withdrawal
• Lodge a complaint with the Information Commissioner's Office (ICO), the United Kingdom's supervisory authority for data protection (see Section 16 for how to do this)

If you reside in the United States or Canada, additional rights may apply under your local law (see Sections 21 to 24).

16. How to Make a Complaint

If you have a concern about how we handle your personal data, please contact us first using the details in Section 26. We will acknowledge your complaint within five working days and provide a substantive response within 30 days. Where a complaint is complex we may extend this period and will tell you why.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the United Kingdom's supervisory authority for data protection matters. You do not need to contact us before raising a complaint with the ICO, but we would welcome the opportunity to address your concerns first. You can contact the ICO at:

• Website: ico.org.uk
• Telephone: 0303 123 1113
• Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom

If you reside outside the United Kingdom, you may also have the right to lodge a complaint with the supervisory authority in your country, state, or province. See Sections 21 to 24 for the authorities applicable to residents of California, other US states, Canada, and US state consumer health data laws.

17. Changes to This Policy

We may update this Privacy Policy from time to time. If material changes are made, we will notify you through the app or via email. Your continued use of MoodFire after changes have been made means you accept the revised policy.

18. Business Transfers

In the event that MoodFire or MOODFIRE LTD is involved in a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred to the successor entity as part of that transaction. We will notify you via the app or email before your data is subject to a different privacy policy. The successor entity will be required to honour the commitments made in this Privacy Policy.

19. Organisational Access

Where MoodFire is provided through your employer, university, or another organisation, we may share aggregated, anonymised usage data with that organisation (such as overall engagement rates). We will never share your individual mood entries, journal content, or personal wellness data with any organisation without your explicit consent. Your organisation may have access to administrative data such as whether your account is active and your subscription status.

Where MoodFire is provided through your employer, university, or another organisation, we will NEVER share your individual wellbeing check-in responses, scores, or trends with that organisation. Aggregate, de-identified wellbeing data may be shared with organisational partners only where the aggregation is large enough to prevent re-identification of individual users, and only with your informed consent via the app.

20. White-Label and Branded Versions

Where MoodFire is offered in a white-label or branded version through a partner organisation, this Privacy Policy continues to apply in full. Partner branding does not change how your data is collected, stored, or processed. The data controller remains MOODFIRE LTD regardless of the branded version you use.

21. Notice for California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the "CCPA"), gives you specific rights regarding your personal information. These rights are in addition to, and do not replace, the rights described elsewhere in this Privacy Policy.

Categories of personal information collected. In the twelve months preceding the effective date of this Privacy Policy we have collected the categories of personal information described in Section 3, which under the CCPA correspond to:

• Identifiers (name, email address, IP address, device identifiers, push notification tokens)
• Customer records (account information)
• Commercial information (subscription status and history)
• Internet or other electronic network activity (app usage data, feature interactions, login timestamps)
• Inferences drawn from the above (for example, your engagement streak)
• Sensitive personal information, namely your wellbeing check-in responses, which are health-related self-report data

Sources, purposes, and recipients. We collect this information directly from you and from your use of the app. We use it for the purposes set out in Section 4 and share it only with the service providers identified in Section 12 (principally Google Firebase) under written contracts that prohibit them from using your information for any other purpose.

No sale or sharing for cross-context behavioural advertising. MoodFire does not "sell" or "share" your personal information as those terms are defined in the CCPA, including your sensitive personal information. We have not done so in the twelve months preceding the effective date of this Privacy Policy. Because we do not engage in those practices, we do not provide a "Do Not Sell or Share My Personal Information" link. There is nothing to opt out of.

Use of sensitive personal information. We use your sensitive personal information only for the purposes you have explicitly consented to and as described in Section 11. We do not use it to infer characteristics about you. You therefore do not need to exercise the CCPA right to limit the use and disclosure of sensitive personal information, but you may do so at any time by disabling wellbeing check-ins or contacting us.

Your CCPA rights. As a California resident you have the right to:

• Know what categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of recipients
• Request deletion of your personal information
• Request correction of inaccurate personal information
• Limit the use and disclosure of sensitive personal information
• Opt out of the sale or sharing of personal information (we do not engage in either)
• Non-discrimination for exercising any of these rights

How to exercise your rights. You can exercise your rights by contacting us at the address in Section 26, or by using the in-app data export and deletion tools in your account settings. We will verify your request by matching the information you provide with the information we hold on your account. You may designate an authorised agent to act on your behalf; the agent must provide signed permission and we may still ask you to verify your identity directly. We will respond within the time limits set by the CCPA (generally 45 days, extendable by a further 45 days where reasonably necessary).

22. Notice for Other US State Residents

If you are a resident of a US state with a comprehensive consumer privacy law (including, without limitation, Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Delaware (DPDPA), Iowa (ICDPA), Tennessee (TIPA), New Hampshire (NHPA), New Jersey (NJDPA), Indiana (INCDPA), and any other state with a comparable law), you may have rights similar to those described in Section 20.

These rights typically include:

• The right to confirm whether we are processing your personal data and to access that data
• The right to correct inaccurate personal data
• The right to delete your personal data
• The right to obtain a portable copy of your personal data
• The right to opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects (none of which we engage in)
• The right to consent (or withdraw consent) to the processing of sensitive data, which we treat your wellbeing check-in responses as

Appeals. If we deny a request you have made under these laws, you may appeal by replying to our response. We will respond to appeals within the period required by the law of your state (typically 60 days). If your appeal is denied, you may submit a complaint to your state Attorney General.

How to exercise your rights. Use the in-app data tools or contact us at the address in Section 26.

23. Notice for Canadian Residents (PIPEDA and Provincial Laws)

If you reside in Canada, the Personal Information Protection and Electronic Documents Act ("PIPEDA") and applicable provincial privacy laws (including Quebec's Act to modernize legislative provisions as regards the protection of personal information (Law 25), British Columbia's Personal Information Protection Act, and Alberta's Personal Information Protection Act) give you rights regarding the personal information MoodFire holds about you.

We process your personal information for the purposes identified in Section 4. We rely on your consent (implied through your use of MoodFire and explicit for sensitive data such as wellbeing check-in responses) as the basis for processing. Where reasonably practicable, we will obtain your express consent at the point of collection for any new use that is not consistent with the purposes set out in this Privacy Policy.

Your rights under Canadian privacy law include:

• The right to know what personal information we hold about you and the purposes for which it is being used
• The right to access and obtain a copy of your personal information
• The right to challenge the accuracy and completeness of your personal information and to have it corrected
• The right to withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice
• The right to data portability where required by Quebec Law 25 or other applicable provincial law
• The right to lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or your provincial privacy regulator

Cross-border processing. Your personal information is stored on servers operated by Google Firebase and may be processed outside Canada, including in the United States, the United Kingdom, and the European Union. We use contractual and technical safeguards (including data processing agreements and encryption in transit and at rest) to protect your information when it is processed outside Canada.

How to exercise your rights. Contact us at the address in Section 26 or use the in-app data tools.

24. Consumer Health Data and HIPAA Notice (US)

MoodFire is not a "covered entity" or "business associate" under the United States Health Insurance Portability and Accountability Act ("HIPAA"). Information you provide to MoodFire is therefore not "protected health information" under HIPAA, and HIPAA's rights and restrictions do not apply.

However, your wellbeing check-in responses, mood entries, and related wellness inputs may constitute "consumer health data" under certain US state laws, including:

• Washington's My Health My Data Act
• Nevada's Consumer Health Data Privacy law (SB 370)
• Connecticut's amendments to the CTDPA covering consumer health data

Where any of these laws applies to you, we process your consumer health data only with your explicit consent (which you provide by choosing to complete a wellbeing check-in or otherwise enter wellness information into the app), and you have the following rights:

• To confirm whether we are collecting, sharing, or selling your consumer health data, and to access the data we hold
• To withdraw consent and to have your consumer health data deleted, including from any of our service providers
• To receive a list of all third parties with whom we have shared or sold your consumer health data (we do not sell consumer health data and we do not share it for any purpose other than the cloud infrastructure services described in Section 12)

We do not sell consumer health data and we do not use it for targeted advertising. To exercise any of these rights, contact us at the address in Section 26 or use the in-app data tools to delete your check-in history.

25. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of England and Wales. Any disputes arising from this Privacy Policy are subject to the exclusive jurisdiction of the courts of England and Wales.

Notice for users outside the United Kingdom. MoodFire is operated by MOODFIRE LTD, a company incorporated in England and Wales. By using MoodFire you acknowledge that your personal data is processed under United Kingdom data protection law (the UK GDPR and the Data Protection Act 2018) and that this Privacy Policy is governed by English law. The jurisdiction-specific notices in Sections 21 to 24 supplement, but do not displace, the rest of this Privacy Policy. Where any of those supplementary notices grant you rights, those rights apply in addition to (not instead of) the rights described elsewhere in this Privacy Policy. Mandatory consumer protections granted to you by the law of your country, state, or province of residence are not displaced by this clause and continue to apply where they cannot be lawfully waived.

26. Contact Us

If you have any questions, concerns, or requests related to this Privacy Policy or your personal data (including any request made under the supplementary notices in Sections 21 to 24), please contact us at: