Privacy Policy

Last updated: January 2026

This Privacy Policy explains how Lonya ("Lonya", "we", "us", or "our") collects, uses, and protects your personal data when you use our website and services (the "Service").

1. Data Controller

The data controller responsible for your personal data is:

Tomáš Svojanovský
IÇO: 10835148
Czech Republic
Email: tomas.svojanovsky33@gmail.com

2. What Personal Data We Collect

Account Information

  • Email address
  • Username
  • Profile information (if provided)

Challenge Data

  • Goals and challenge descriptions
  • Daily reflections
  • Progress tracking
  • User-generated content

Technical Data

  • IP address
  • Device and browser information
  • Log data
  • Session identifiers

Subscription Data

Payments are processed by Lemon Squeezy. We do not store full payment card details.

We may receive limited billing-related information such as:

  • Subscription status
  • Payment confirmations
  • Billing email
  • Transaction identifiers

3. Legal Basis for Processing (Article 6 GDPR)

We process personal data based on:

  • Contract performance — to provide and operate the Service
  • Legal obligation — for accounting and tax compliance
  • Legitimate interests — to ensure security, prevent abuse, and improve the Service
  • Consent — where required (e.g., optional communications or non-essential cookies)

4. How We Use Your Data

We use personal data to:

  • Create and manage user accounts
  • Provide challenge tracking functionality
  • Process subscriptions
  • Improve product performance
  • Ensure platform security
  • Provide customer support
  • Comply with legal obligations

We do not sell personal data.

5. Data Storage and Infrastructure

Your data is stored and processed using the following service providers:

Hosting Provider

Hetzner Online GmbH — infrastructure hosting and server environment.

Database Provider

Neon — serverless PostgreSQL database provider.

Payment Processor

Lemon Squeezy — handles payment processing and subscription management.

These providers process personal data on our behalf under contractual agreements.

6. International Data Transfers

Some of our service providers may process data outside the European Union.

Where personal data is transferred outside the EU, we ensure appropriate safeguards are in place in accordance with GDPR, such as:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions
  • Contractual data protection agreements

7. Data Retention

We retain personal data:

  • For as long as your account remains active
  • As required by accounting and tax laws
  • Until deletion is requested

Upon account deletion, personal data will be deleted unless retention is required by law.

8. Security

We implement reasonable technical and organizational measures to protect personal data, including:

  • Secure server infrastructure
  • Access controls
  • Encrypted connections (HTTPS)

However, no system can guarantee absolute security.

9. Your Rights Under GDPR

If you are located in the European Union, you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion
  • Restrict processing
  • Object to processing
  • Request data portability
  • Withdraw consent at any time

To exercise these rights, contact:

tomas.svojanovsky33@gmail.com

You also have the right to lodge a complaint with your local supervisory authority.

In the Czech Republic, this is the Office for Personal Data Protection (ÚOOÚ).

10. Children's Privacy

The Service is not intended for individuals under 18 years of age.

We do not knowingly collect personal data from minors.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time.

The latest version will always be published on this page with the updated "Last updated" date.

12. Contact

For questions regarding this Privacy Policy, contact:

tomas.svojanovsky33@gmail.com