Privacy Policy

1. Who We Are

Mochi is operated by 140G Labs LLC, a company registered in the State of Wyoming, United States.

• Address: 30 N Gould St Ste R, Sheridan, WY 82801, United States
• Privacy Contact: privacy@stretchwithmochi.com

When this policy refers to “we,” “us,” or “our,” it means 140G Labs LLC. For the purposes of the EU/UK General Data Protection Regulation (“GDPR”), 140G Labs LLC is the data controller of your personal information.

2. Scope

This Privacy Policy applies to the Mochi mobile application (available on iOS and Android), our companion website at stretchwithmochi.com, and all related services (collectively, the “Service”). By using the Service you acknowledge that you have read and understood this policy.

3. Data We Collect

3.1 Account Data

• Email address: required to create an account. Used as your login and for essential service emails (account recovery, security notices, subscription receipts).
• Password: if you sign up with email and password, it is cryptographically hashed before storage. We never store or see your plaintext password. If you use Sign in with Apple, no password is set.
• Apple ID identifier: only if you choose Sign in with Apple (we receive a unique, app-scoped identifier and, optionally, your name and a private relay email if you permit it).
• Authentication tokens: session tokens issued by our authentication layer (Better Auth) so you do not have to log in on every launch. Tokens are stored on-device in iOS Keychain / Android Keystore via expo-secure-store.

3.2 Profile Data

• Timezone
• Preferred week start day (optional)
• Biological sex (optional)
• Fitness goal (optional)

3.3 Activity Data

• Stretching session completions (which routine, exercises performed, duration of each exercise, total session duration, and timestamp).
• Streak data (current streak, longest streak, last completion date).

3.4 Gamification Data

• Points balance and transaction history (items purchased or used within the app).
• Inventory of cosmetic and consumable items.

3.5 User-Created Content

• Custom stretching routines you create (name, description, exercise sequence).

3.6 Subscription Data

If you subscribe to Mochi, your purchase is processed by Apple (App Store) or Google (Play Store). We receive a confirmation of your subscription status (active, expired, or cancelled), the product identifier of the plan, and an anonymized original transaction identifier that lets us link your entitlement to your account. We never receive or store your payment card details, billing address, or financial account information.

3.7 Device and Technical Data

Automatically collected so the Service runs reliably on your device:

• Device model, operating system and version, app version, language, region, timezone.
• A pseudonymous install identifier generated by the app. This is not Apple’s IDFA or Google’s GAID.
• IP address and coarse network information when your device talks to our backend. We use IP addresses for security, fraud prevention, and country-level region inference; we do not use them to derive precise location.
• Crash logs and performance diagnostics, which may include stack traces and the state of the app at the moment of a crash.

3.8 Product Analytics

To understand how the app is used and to fix bugs, we collect product analytics through PostHog. This includes:

• Events describing your interactions with the app: screens viewed, buttons tapped, sessions started and completed, onboarding steps finished, features used.
• A pseudonymous distinct_id that we link to your Mochi account ID once you are signed in, so we can measure behaviour per user (not per device) and debug issues you report.
• Feature flag exposures and A/B test assignments, so we can measure whether changes we are testing improve the experience.
• Basic context such as app version, OS, device type, and language attached to each event.

We do not share analytics data with advertising networks, data brokers, or social media companies. You can turn off analytics at any time in Settings → Privacy → Analytics.

3.9 Session Recordings

To identify bugs that are hard to reproduce and improve the app’s usability, we record a sample of user sessions through PostHog’s session replay feature. A session recording is a reconstruction of the screens you interact with. It is not a video of your device and it is not a recording of your screen.

Session recordings capture:

• The screens you view, the order you view them in, and how long you stay on each.
• Your taps, scrolls, and other gestures within the app.
• Non-sensitive UI text visible on screen (e.g. button labels, workout names).
• Technical context: app version, OS, device type, performance metrics.

Session recordings do not capture:

• Text you type into any input field: all text inputs are masked by default and appear as asterisks in the recording.
• Passwords, authentication tokens, or payment information.
• Content flagged as sensitive in our code (e.g. email addresses, personal notes).
• The content of other apps, notifications, or anything outside the Mochi app.

You can disable session recordings at any time in Settings → Privacy → Analytics. Session recordings are retained for a maximum of 30 days (see Section 7).

3.10 Data We Do NOT Collect

Mochi does not collect or access:

• Precise GPS location
• Contacts, calendar, or photos
• HealthKit, Google Fit, or any other health-platform data
• Camera or microphone
• Device advertising identifier (IDFA/GAID)
• Browsing history or cross-app tracking data
• Biometric identifiers

4. How We Use Your Data

We process your personal data for the following purposes:

We do not use your data for advertising, profiling for third parties, or automated decision-making that produces legal effects.

5. Third-Party Service Providers

We use a limited number of third-party processors to operate the Service. Each one acts as a processor under the GDPR, meaning they only process your data on our behalf, under our instructions, and under a data processing agreement.

We do not sell, rent, or share your personal data with advertisers, data brokers, or any other third parties for their own marketing purposes. We may update this list as our infrastructure evolves; material changes will be reflected here and, where significant, notified in the app (see Section 14).

6. International Data Transfers

Our backend infrastructure (Convex) is hosted in the United States, and PostHog and Superwall also process data in the United States. If you are located outside the United States, including in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States.

We rely on the following safeguards for these transfers:

• Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable.
• Data Processing Agreements with each sub-processor.
• Supplementary technical measures (encryption in transit, at-rest encryption, access controls).

You may request a copy of the relevant safeguards by contacting privacy@stretchwithmochi.com.

7. Data Retention

• Account data: retained while your account is active.
• Activity and gamification data: retained while your account is active, to maintain your streaks, history, and progress.
• Session tokens: expire after 1 year of inactivity and are refreshed automatically during active use.
• After account deletion: personal data is removed from live production systems within 30 days. Encrypted backups are retained for up to 90 days on a rolling basis and are then overwritten.
• Subscription and billing records: retained for up to 7 years after the end of the relationship, as required by tax and accounting law.
• Crash logs and diagnostic data: retained for up to 90 days.
• Product analytics events: retained for up to 13 months in identifiable form, then aggregated or deleted.
• Session recordings: retained for a maximum of 30 days, after which they are automatically deleted by PostHog.
• Support communications: retained for up to 3 years after your last interaction.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

8.1 Rights Under the GDPR (EEA, UK, Switzerland)

• Access: request a copy of your personal data.
• Rectification: correct inaccurate or incomplete data.
• Erasure: request deletion of your data (“right to be forgotten”).
• Restriction: request that we limit processing of your data.
• Portability: receive your data in a structured, machine-readable format.
• Object: object to processing based on legitimate interest, including our analytics processing.
• Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.
• Lodge a complaint: with your local data protection supervisory authority.

8.2 Rights Under the CCPA/CPRA (California, USA)

• Right to Know: request disclosure of the categories and specific pieces of personal information we have collected.
• Right to Delete: request deletion of your personal information.
• Right to Correct: request correction of inaccurate personal information.
• Right to Non-Discrimination: we will not discriminate against you for exercising your rights.
• No Sale or Sharing: we do not sell your personal information and we do not share it for cross-context behavioural advertising, as those terms are defined under the CCPA/CPRA.

8.3 How to Exercise Your Rights

• Delete your account: use the in-app option (Settings → Delete Account). This permanently removes your profile, activity history, streaks, inventory, transactions, and custom routines, subject to the retention windows in Section 7.
• Export your data: in-app (Settings → Account → Export my data) or by email.
• Other requests: email us at privacy@stretchwithmochi.com. We will respond within 30 days (or sooner if required by applicable law). We may need to verify your identity before acting on a request.

8.4 Turn Off Analytics and Session Recordings

You can stop product analytics and session replay capture immediately from inside the app: Settings → Privacy → Analytics. Essential service functionality (login, sync, subscriptions) is not affected.

9. Data Security

We implement appropriate technical and organizational measures to protect your data:

• All data is transmitted over TLS 1.2+ encryption.
• Authentication tokens are stored in platform-native secure storage (iOS Keychain / Android Keystore) via expo-secure-store, never in plain files.
• Passwords, where applicable, are cryptographically hashed using a modern password-hashing function and are never stored in plaintext.
• Access to production systems is restricted to a limited number of authorized personnel on a need-to-know basis and is protected by multi-factor authentication.
• Regular review of our dependencies, configurations, and third parties.

No method of transmission or storage is 100% secure. If we become aware of a personal data breach that affects you, we will notify you and the relevant authorities as required by applicable law.

10. Children’s Privacy

Mochi is not directed at, and not intended for use by, children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal data from children under these ages. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@stretchwithmochi.com and we will promptly delete it.

11. Cookies and On-Device Storage

Inside the mobile app we do not use cookies or web beacons. We use platform-native secure storage (iOS Keychain / Android Keystore) for session tokens and on-device encrypted storage for preferences and cached content. PostHog uses a pseudonymous first-party distinct_id stored on-device; it is not an advertising identifier and is not shared across apps.

Our website may use essential first-party cookies strictly necessary for functionality (such as authentication and remembering your theme preference). We do not use advertising cookies, marketing pixels, or third-party tracking pixels. If this changes, we will update this Policy and, where required, present a cookie consent banner.

We do not participate in cross-app or cross-site behavioural advertising.

12. App Tracking Transparency (Apple)

Apple’s App Tracking Transparency (ATT) framework requires apps to obtain your permission before tracking you across apps and websites owned by other companies.

Mochi does not track you as defined by Apple. We do not link any of your Mochi data with third-party data for targeted advertising, and we do not share any identifier with data brokers or ad networks. Because of this, we do not present the ATT permission prompt. Our product analytics (Section 3.8) and session recordings (Section 3.9) are first-party and used solely to operate and improve the Service.

13. Third-Party Links

The Service may contain links to third-party websites or services (for example, the Apple App Store or Google Play Store). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any information.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the “Last Updated” date at the top of this page.
• Notify you through the app or by email if the changes materially affect how we process your data.

Continued use of the Service after a change constitutes acceptance of the updated policy. You can always return to this page at stretchwithmochi.com/privacy.

15. Contact Us

If you have any questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:

• Email: privacy@stretchwithmochi.com
• Mail: 140G Labs LLC, 30 N Gould St Ste R, Sheridan, WY 82801, United States

EU/UK users also have the right to contact their local data protection authority directly at any time.