Cookies, briefly

Focarly uses essential cookies to keep you signed in. We don't use marketing trackers. Analytics help us make the product better — your call. Details.

Privacy Policy

Effective: April 24, 2026. Version:1.0. We'll update this page when we add or remove a processor, and annotate the change at the top with a dated note. Questions? Email privacy@focarly.com.

1. Who we are

MB Biomica, trading as Focarly (“Focarly,” “we,” “us”), is the data controller for your personal information.

Registered office: MB Biomica, Vilniaus g. 33, Vilnius, Lithuania
Company code: available on request
Contact: privacy@focarly.com
DPO: dpo@focarly.com

2. What we collect

Information you provide: email address, date of birth (for age verification; stored as a flag only after verification), display name (optional), timezone and locale preferences, onboarding responses about focus preferences, messages you send to the AI coach, and tasks you create.

Information collected automatically: IP address, device and browser information, usage patterns, cookie data.

Payment information: processed by Stripe. We do not store full payment card numbers. We receive and store only the last 4 digits, card brand, expiration, and Stripe customer ID.

3. Legal bases for processing (GDPR)

  • Contract performance:to provide the Service you've subscribed to
  • Legitimate interests: service improvement, fraud prevention, security
  • Consent: marketing communications, optional features, sensitive data
  • Legal obligation: tax, accounting, compliance

4. How we use your data

To provide and maintain the Service; process payments; send transactional communications (receipts, renewal reminders); analyze usage to improve the Service; detect fraud and abuse; comply with legal obligations; and — with explicit consent — send marketing communications.

We do NOT: sell your personal information, share it with advertisers for targeted advertising, or use your messages to train AI models (unless you explicitly opt in).

5. AI processing

Messages you send to the Focarly coach are processed by Anthropic PBC (Claude API) to generate responses. Anthropic receives message content but does not store it for training, per our Data Processing Agreement.

If you enable voice in chat, one additional vendor is involved: ElevenLabs — both speech-to-text (transcribing what you say) and text-to-speech (the coach's spoken replies). ElevenLabs may retain transmitted audio and text per their published terms. Focarly does not store audio on our servers. Before voice is activated for the first time you see the specific vendor disclosure on the chat toggle and explicitly consent — the consent record (with version) is logged so we can show exactly what you agreed to.

Voice input is temporarily unavailable in Illinois pending a finalized BIPA-compliant consent flow; voice output (replies) is available everywhere, and text chat works for everyone. You can disable voice at any time via the chat toggle, which revokes consent for future voice processing.

6. Who receives your data

We share data only with the processors listed below. Every one is bound by a Data Processing Agreement (DPA).

Core product processors

  • Anthropic PBC(AI coaching responses via Claude) — US, EU-US DPF + SCCs. Your messages are sent to Anthropic's API to generate replies. Anthropic does not use your data to train their models (see our AI Disclosure).
  • Stripe Inc. / Stripe Payments Europe (payment processing, subscription billing, invoice email) — US affiliate: EU-US DPF + SCCs; EU affiliate (Ireland) processes EU customer billing. Card data is handled entirely by Stripe; Focarly never touches PAN/CVV.
  • Supabase Inc. (primary database + auth + file hosting; EU Frankfurt region) — data stays inside the EU. US parent: EU-US DPF + SCCs cover any incidental US-side support access.
  • Resend (transactional email: magic-link, confirmation, pre-renewal, cancellation, newsletter) — US, EU-US DPF + SCCs.
  • Cloudflare (DNS + CDN edge) — global, EU-routed where possible. US parent: EU-US DPF + SCCs.
  • Vercel Inc.(compute hosting for Focarly's Next.js app; Frankfurt region pinned) — US parent, EU-region processing, EU-US DPF + SCCs.
  • Upstash Inc. (Redis for rate limiting — IP/user counters, no message content) — US, SCCs.

Analytics & observability processors

  • PostHog (product analytics — which pages and steps people use, so we can improve the product) — US region, EU-US DPF + SCCs for any incidental EU visitors. Loaded only if you accept analytics cookies, and served through our own domain (we proxy it). Product analytics only — no session recording, no surveys, no autocapture. We do not send your email or message content to PostHog. Bound by PostHog's Data Processing Agreement.
  • Functional Software, Inc. (Sentry)(error & performance monitoring so we can find and fix crashes) — US, EU-US DPF + SCCs. Receives technical error/diagnostic data, not your message content. Session Replay is not enabled.

Optional voice processors (only if you enable voice)

  • ElevenLabs Inc.(voice — both directions) — US, EU-US DPF + SCCs. When you speak, your audio is sent to ElevenLabs (Scribe) for transcription; for the coach's spoken replies your message text is sent to ElevenLabs to synthesize audio. ElevenLabs may retain transmitted audio and text per their click-through Data Processing Addendum. Focarly does not store audio.

Observability + analytics (consent-gated)

  • Sentry (Functional Software Inc.) — error tracking + performance monitoring. US, EU-US DPF + SCCs. PII scrubbed before send; we never send your message content.
  • PostHog — product analytics (page views, feature events). US-hosted instance. Only runs if you accept analytics cookies.
  • Langfuse — AI prompt/response observability (so we can debug when the coach misbehaves). EU-hosted. Only carries your coach interactions; gated by your AI consent.
  • Hotjar Ltd. — heatmaps + session recordings, marketing pages only (never on the authenticated app). EU. Only runs if you accept analytics cookies.

Compelled disclosures

  • Tax authority or law enforcement, when legally required (and only to the extent required).

7. International transfers

Some processors are in the United States. We rely on the EU-US Data Privacy Framework (where the processor is certified) supplemented by Standard Contractual Clauses, under Article 46 GDPR. The transfer mechanism for each processor is noted next to its entry in section 6.

8. Data retention

  • Active account data: retained while account is active
  • Deleted account data: hard-deleted within 30 days of deletion request
  • Financial/tax records: retained 5 years per Lithuanian law
  • Crisis event logs (anonymized): retained 3 years for safety
  • Marketing opt-ins: retained until you unsubscribe
  • Voice data: NOT retained (stream-only)

9. Your rights

Under GDPR (EU/EEA/UK): right to access, rectify inaccurate data, erasure, restrict processing, data portability, object to processing, withdraw consent, and lodge a complaint with your local data protection authority (in Lithuania: VDAI).

Under CCPA/CPRA (California): right to know, delete, correct, opt out of sale/sharing (we do not sell/share), limit use of sensitive personal information, non-discrimination.

Under other US state laws (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Tennessee, Indiana, New Hampshire, New Jersey, Florida, Maryland): substantially similar rights apply.

To exercise: visit Settings → Privacy → Data Rights, or email privacy@focarly.com. We respond within 30 days.

Global Privacy Control: we honor GPC browser signals as opt-out requests.

10. Security

We use industry-standard measures including encryption in transit (TLS) and at rest, multi-factor authentication for admin accounts, row-level security, and regular security audits. No system is 100% secure; we cannot guarantee absolute security.

11. Breach notification

In the event of a personal data breach likely to result in risk to your rights, we will notify affected users within 72 hours per GDPR Article 33/34 and applicable state laws.

12. Children's privacy

Focarly is an 18+ Service. We do not knowingly collect personal information from anyone under 18. If we discover such data, we delete it promptly.

13. Changes to this policy

Material changes will be notified 30 days in advance via email and posted on focarly.com.

14. Cookies

We use strictly necessary cookies by default. Analytics and marketing cookies only run after you grant consent via the cookie banner.

Strictly necessary (always on)

  • focarly_consent — your consent choices. 12 months. First-party.
  • sb-<project>-auth-token, sb-<project>-auth-token-code-verifier — Supabase authentication session. Up to 1 year. Set by Supabase (processor) on the focarly.com domain.
  • focarly_attrib_first, focarly_attrib_last — first/last-touch UTM, fbclid, gclid so we can measure which channels work. 90 days. First-party. Set after analytics or marketing consent.

Analytics (only if you consent)

  • ph_* — PostHog (Cloud US). Anonymised product analytics. Up to 1 year. Set on focarly.com.
  • _hjSessionUser_*, _hjSession_*, _hjIncludedInSessionSample_* — Hotjar (EU) heatmaps and session replays on public marketing pages only (never on the authed app). Session-scoped to ~1 year.

Marketing

Focarly does not currently set any marketing cookies. We do not run paid ads on Meta/Facebook/Instagram, Google, TikTok or other ad networks at this time. If that changes, we’ll update this list 30 days before any new tracker is enabled and re-prompt your consent.

Changed your mind?

15. Contact

Data controller: MB Biomica (trading as Focarly), Vilniaus g. 33, Vilnius, Lithuania
Privacy email: privacy@focarly.com
DPO: dpo@focarly.com
Lithuanian Data Protection Authority: vdai.lrv.lt