Privacy Policy
Effective Date: March 28, 2026 | Last Updated: March 28, 2026
SoloLevel ("we," "us," or "our") operates the website located at sololevel.io and the SoloLevel mobile application (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service.
1. Information We Collect
1.1 Information You Provide Directly
- Email Address. We collect your email address when you create an account. Authentication is performed via a passwordless magic link (email one-time passcode). We do not store passwords.
- Display Name. You may optionally provide a display name for your profile.
- Task Data. Tasks you create, including task titles, scheduled dates, completion status, and project associations.
- Projects. Project names and associated color preferences you configure.
- User Preferences. Your timezone, day start hour, and sound preferences.
1.2 Information Collected Automatically
- Device Tokens (iOS). If you use the SoloLevel iOS application and opt in to push notifications, we collect your Apple Push Notification service (APNs) device token to deliver daily notifications.
- Session Data. We use secure, httpOnly session cookies issued by our authentication provider (Supabase) to maintain your logged-in state. These are strictly functional and are not used for tracking or advertising.
- Usage Metrics. We track certain in-app metrics such as XP earned, streak count, level, and achievement unlocks. This data is used solely to power in-app gamification features and is never shared with third parties for advertising purposes.
1.3 Information From Third-Party Services
- X (formerly Twitter) Integration. If you choose to connect your X account to share content from SoloLevel, we receive and store your X user ID and username. We also store encrypted OAuth access and refresh tokens to facilitate posting on your behalf. You may disconnect your X account at any time through the Service, which will delete these stored tokens.
1.4 Information We Do Not Collect
We do not collect or store: passwords, payment or financial information, precise geolocation data, biometric data, contacts or address book data, browsing history outside of the Service, or any data from third-party analytics or advertising platforms.
2. How We Use Your Information
We use the information we collect for the following purposes:
- To provide and maintain the Service, including user authentication, task management, gamification features, and daily review workflows.
- To generate AI-powered content. We use the Anthropic Claude API to generate personalized daily nudge messages and nightly reflection poems from "Nana," your in-app companion. To generate this content, we send limited task data (task titles, completion status, streak count, and level) to Anthropic. We do not send your email address or other personally identifiable information to Anthropic.
- To deliver push notifications. If you opt in, we send daily motivational nudges via Apple Push Notification service at your configured day start hour.
- To enable social sharing. If you connect your X account, we facilitate posting content you choose to share.
- To improve the Service, including debugging, performance optimization, and feature development.
3. Third-Party Service Providers
We engage the following third-party service providers to operate the Service:
- Supabase (Database & Authentication). Supabase provides our database infrastructure and authentication. Your data is stored in a PostgreSQL database hosted in the United States with row-level security policies ensuring that each user can only access their own data. For more information, see Supabase's Privacy Policy.
- Anthropic (AI Content Generation). Anthropic's Claude API generates personalized motivational content. Limited, non-identifying task data is transmitted to Anthropic for this purpose. Anthropic does not use data submitted via their API to train models. For more information, see Anthropic's Privacy Policy.
- Apple Push Notification service (APNs). Apple delivers push notifications to iOS devices. Device tokens are transmitted to Apple solely for notification delivery. See Apple's Privacy Policy.
- X Corp (Social Sharing). If you opt to connect your X account, data is shared with X Corp. per their Privacy Policy.
We do not sell, rent, or share your personal information with third parties for advertising or marketing purposes. We do not use any third-party analytics, tracking pixels, or behavioral advertising tools.
4. Cookies and Local Storage
We use a limited number of strictly functional cookies:
- Authentication session cookies (httpOnly, secure, sameSite=lax) to maintain your logged-in state. These are issued by Supabase and are essential for the Service to function.
- Temporary OAuth cookies (httpOnly, secure, sameSite=lax, 10-minute expiry) used during the X account connection flow for security (PKCE code verifier and CSRF state token). These are automatically deleted after use.
We also use browser localStorage to store non-sensitive session state for the daily review workflow (e.g., current review step). This data is stored locally on your device and is not transmitted to our servers.
We do not use advertising cookies, third-party tracking cookies, or any cookies for behavioral profiling.
5. Data Security
We implement industry-standard security measures to protect your information:
- All data is transmitted over HTTPS/TLS encrypted connections.
- Database access is controlled by row-level security (RLS) policies ensuring users can only access their own data.
- X OAuth tokens are encrypted at rest using AES-256-GCM encryption.
- Authentication uses secure, httpOnly cookies that are not accessible to client-side JavaScript.
- The X OAuth flow uses PKCE (Proof Key for Code Exchange) for maximum security.
- API keys and secrets are stored in environment variables and never exposed to the client.
While we take reasonable precautions to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your information.
6. Data Retention and Deletion
We retain your personal information for as long as your account is active or as needed to provide you the Service.
Account Deletion. You may request deletion of your account and all associated data at any time by contacting us at the email address listed below. Upon account deletion, all of your data is permanently and irrevocably deleted from our database, including: your profile, tasks, projects, achievements, poems, nudges, device tokens, and any connected third-party account tokens. This deletion is cascading and complete.
Individual Data Deletion. You may delete individual tasks, projects, and vault items through the Service at any time. You may also disconnect your X account, which immediately deletes stored OAuth tokens.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete personal information.
- Delete your personal information (see Section 6).
- Object to or restrict certain processing of your personal information.
- Data portability — receive your data in a structured, machine-readable format.
- Withdraw consent where processing is based on consent, without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at the email address listed below. We will respond to your request within 30 days.
California Residents (CCPA)
If you are a California resident, you have the right to know what personal information we collect, the purposes for which it is used, and whether it is sold or disclosed. We do not sell personal information. We do not share personal information for cross-context behavioral advertising. You may request access to or deletion of your personal information by contacting us at the email address listed below.
European Economic Area, United Kingdom, and Switzerland (GDPR)
If you are located in the EEA, UK, or Switzerland, our legal basis for processing your personal information is: (a) performance of our contract with you (providing the Service); (b) your consent (e.g., connecting your X account, opting into push notifications); and (c) our legitimate interests (improving and securing the Service). You may contact your local data protection authority if you believe we have not adequately addressed your concerns.
8. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us at the email address below.
9. International Data Transfers
Your information is stored and processed in the United States. If you are accessing the Service from outside the United States, you acknowledge that your information will be transferred to, stored in, and processed in the United States, where data protection laws may differ from those of your jurisdiction.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the "Last Updated" date above. Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.
11. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us at:
Email: privacy@sololevel.io