Privacy Policy
Last updated: 2026-05-03
In short
The UnSit app contains zero third-party tracking SDKs. Your session data (squat counts, sit-stand minutes, exercise history) stays on your device and only syncs through Apple's encrypted iCloud — we never see it. The website uses Plausible Analytics: cookieless, no IP storage, GDPR-compliant by design. We do not sell, rent, or share your data with anyone.
1. Who we are (Data Controller)
UnSit is built by PileaNova SAS, a French Société par Actions Simplifiée headquartered in France. PileaNova is the data controller for any personal data processed in connection with UnSit.
Contact: support@unsit.me
For data protection inquiries (access, deletion, rectification, objection): the same address. We do not have a designated Data Protection Officer (DPO) — DPO designation is not mandatory for our scale of processing per Article 37 GDPR — but we treat data requests with the same seriousness.
2. What the app collects
The UnSit app collects the minimum data needed to function:
- Session records: squat counts per break, exercise type chosen, completion timestamps, sit-stand transitions, accumulated standing minutes per cycle, optional notes you type yourself. Stored locally on your device. If iCloud is enabled and you sign in to the same Apple ID across devices, this data syncs via Apple's iCloud, encrypted by Apple. We do not have access to it.
- Preferences: reminder interval, daily goal, sit-stand quota, snooze delay, exercise type weights. Stored locally and synced via iCloud as above.
- Purchase receipts: handled entirely by Apple's StoreKit. We see only your subscription status (free / monthly / yearly / lifetime) for entitlement validation — never your name, email, payment method, or transaction details.
- HealthKit integration (optional, future): if you grant permission, the Apple Watch app may write Stand Hours and Exercise Minutes to Apple Health. The data is owned by Apple Health, not by us — we only write, we do not read it back.
The app contains zero third-party SDKs: no Google Analytics, no Firebase, no Meta pixel, no Sentry, no Mixpanel, no Branch, no advertising IDs, no fingerprinting libraries. Your behavior inside the app is yours alone.
3. Health and well-being data — Special category (Article 9 GDPR)
UnSit's session records (squat counts, exercise breaks, sit-stand patterns) and any HealthKit data we write qualify as "data concerning health" under Article 9 GDPR, which is a special category requiring enhanced protection.
Our approach to handling this special category:
- By design, this data does not leave your devices. We do not transmit your health data to our servers (we have no servers handling user data) or to any third party other than Apple's iCloud at your explicit choice.
- Legal basis: processing is based on your explicit consent (Article 9(2)(a) GDPR) — granted by your installation and use of the app — combined with contractual necessity. Article 9(2)(h) is not invoked: we are not a healthcare provider.
- You can withdraw consent at any time by deleting the app, which removes all locally stored health data. iCloud-synced copies persist on Apple's infrastructure under Apple's privacy controls — you can wipe these via Settings → Apple ID → iCloud → UnSit → Delete Data.
- HealthKit data written to Apple Health is governed by Apple's HealthKit policies, which require user consent per data type and are subject to Apple's strict review.
We do not perform any profiling, scoring, or automated decision-making based on your health data. The "heart mascot level" feature is computed locally on your device for personal motivation — it is not a medical assessment.
4. Legal basis for processing (Article 6 GDPR)
For each category of data, the legal basis under Article 6 GDPR is:
- Session records and preferences (in app + iCloud): contractual necessity (Article 6(1)(b)) — required to deliver the timer, reminders, statistics, and habit-tracking that the app exists to provide.
- Health data specifically: explicit consent (Article 9(2)(a)) — see Section 3 above.
- Purchase receipts (Apple-handled): contractual necessity and legitimate interest (Article 6(1)(b) and 6(1)(f)) — required to validate your subscription entitlement.
- Website analytics (Vercel Web Analytics): legitimate interest (Article 6(1)(f)) — operating and improving the website. Vercel Analytics uses anonymized session hashing rather than persistent cookies. Per CNIL's guidance, anonymized analytics with proper aggregation may be exempt from prior consent; we operate within those constraints.
- Support emails: consent and legitimate interest — replying to inquiries you initiate.
5. What this website collects
The unsit.me website uses Vercel Web Analytics for aggregated, privacy-friendly traffic statistics. Vercel Analytics is designed for GDPR/CCPA compliance:
- Uses anonymized session hashing rather than persistent cookies — no cross-session tracking of individuals
- Hashes IP addresses on receipt; raw IPs are not stored
- Does not build cross-site behavioral profiles or apply fingerprinting
- Does not share data with advertisers, social networks, or other third parties
- Vercel is operated by Vercel Inc. Data may be processed on Vercel's global infrastructure (primarily United States) under Standard Contractual Clauses for any transfers from the EEA
- Full Vercel Analytics privacy details: vercel.com/docs/analytics/privacy-policy
If you contact us via support@unsit.me, we keep your email and message only as long as needed to reply and to maintain a conversation history — see Section 9 (Data retention). We do not add you to any marketing list.
6. What we do not collect
- Your real name or postal address
- Your location (GPS, geofencing, beacon, IP-derived)
- Your contacts, photos, microphone, camera, calendar
- Your payment details (Apple handles all billing)
- Your behavior or content from any other app or website
- Your social profiles or social graph
- Any data subject to Article 9 GDPR beyond the health data described in Section 3 (no racial origin, political opinions, religious beliefs, biometric data for ID, sex life, sexual orientation)
- Your session data, beyond what you choose to sync via iCloud (which we cannot read)
7. Subprocessors and third-party processors
To operate UnSit, we rely on the following processors. Each acts strictly on our behalf and under contractual obligations consistent with GDPR Articles 28-29:
| Processor | Role | Data location |
|---|---|---|
| Apple Inc. | App distribution (App Store), payment processing (StoreKit), encrypted sync (iCloud), HealthKit data store | Global (primarily United States, with EU mirrors). Apple uses Standard Contractual Clauses for transfers. |
| Vercel Inc. | Static hosting, edge CDN, DNS, DDoS protection, and Vercel Web Analytics (anonymized session hashing) | Primarily United States, with global edge points (Vercel Edge Network). Vercel uses Standard Contractual Clauses for EEA transfers. |
| Fontshare (ITF Inc.) | Web font CDN delivery (Satoshi, Cabinet Grotesk) | Global CDN. No personal data is collected for font delivery. |
None of these subprocessors have access to your in-app session data. Apple's iCloud holds your synced data in encrypted form that only your devices can decrypt.
8. International data transfers
Some of our processors operate globally and may transfer data outside the European Economic Area (EEA), notably to the United States:
- Apple's iCloud may store data on servers located in the United States or other regions, depending on your Apple ID's region. Apple has self-certified to the EU-US Data Privacy Framework and uses Standard Contractual Clauses (SCCs) approved by the European Commission for any transfers.
- Vercel serves the website from its global Edge Network, with US headquarters. Vercel uses Standard Contractual Clauses for any cross-border transfers from the EEA.
- Plausible processes all data on EU servers (Estonia). No transfer outside the EEA.
- Fontshare serves font files via CDN; no personal data is transferred.
By using UnSit and syncing your data via iCloud, you accept that some data processing may occur in third countries under the safeguards above.
9. Data retention
We retain data only as long as necessary for the stated purpose:
- Session records on your device: indefinitely, until you delete them or uninstall the app. The app maintains a rolling 90-day window for active stats but keeps older records archived locally.
- iCloud-synced data: retained as long as you use UnSit on at least one device with iCloud enabled. Apple retains data per its own policies; you control deletion via your Apple ID settings.
- Support emails: retained for 3 years from the last interaction, a period chosen to allow follow-up on a known issue or refund request, then deleted unless retention is required by legal obligation.
- Vercel Web Analytics: aggregated event counters retained per Vercel's standard retention (typically up to 12 months of detailed events, with longer retention for summary statistics). Individual session hashes are short-lived and not linked across sessions.
- Vercel server logs: retained for the minimum operational period (typically a few days) for security, debugging, and abuse prevention, then automatically purged per Vercel's standard retention.
10. Data security
Security measures we apply:
- End-to-end encryption of synced data via Apple's iCloud (AES-256 at rest, TLS 1.3 in transit) — neither Apple nor we can read your synced data without your Apple ID credentials.
- HTTPS only on the website (TLS 1.3, HSTS enabled, HTTP/2). No mixed content.
- No backend with user data — by architecture, there is no database of users we operate. The attack surface is reduced to zero on our side.
- Source code minimization — the app contains no third-party SDKs that could become attack vectors.
- Apple's app review performs security checks on every app version before App Store distribution.
- Vercel platform protections on the website infrastructure (DDoS mitigation, automatic HTTPS, edge isolation).
11. Data breach notification
In the unlikely event of a data breach affecting your personal data, we will notify the French data protection authority (CNIL) within 72 hours of becoming aware of the breach, as required by Article 33 GDPR. If the breach poses a high risk to your rights and freedoms, we will also notify you directly without undue delay, per Article 34 GDPR.
Given our zero-server architecture, the most likely breach scenarios involve our subprocessors (Apple, Vercel). We monitor their public security disclosures and would forward relevant notifications.
12. Apple's role
UnSit is distributed through the Apple App Store. Apple processes payments via StoreKit, handles iCloud sync, and provides aggregated, anonymous app analytics to us through App Store Connect (download counts, retention, crashes — no individual user identification). Apple's privacy practices are described in Apple's Privacy Policy.
For data Apple processes about you on its own behalf (your Apple ID, your iCloud account, your purchase history), Apple is the data controller — not PileaNova. Direct your data requests for that scope to Apple.
13. Children's privacy
UnSit is rated 4+ on the App Store and is suitable for general audiences, but it is designed for adults in workplace contexts. We do not intentionally collect personal data from children under 13 (or under 16 in jurisdictions where the GDPR digital age of consent is set higher). If you are a parent or guardian and believe your child has used UnSit and provided personal data, please contact us at support@unsit.me and we will act promptly to delete it.
14. Cookies and similar technologies
The unsit.me website does not use advertising or cross-site tracking cookies. No Meta pixel, no Google Analytics, no third-party retargeting, no ad networks.
Vercel Web Analytics uses anonymized session hashing (a short-lived in-memory hash derived from the request, not a persistent identifier). It is not a tracking cookie in the meaningful sense — it cannot link a user across sessions and does not build a profile. Per CNIL guidance on cookieless or strictly aggregated analytics, this is generally exempt from prior consent.
The UnSit app does not use cookies, beacons, fingerprinting, or any equivalent tracking technology beyond what is strictly necessary for the app's local functionality (e.g., reading and writing to UserDefaults / iCloud Key-Value Store on your own device).
Because we do not use consent-requiring trackers, no consent banner is displayed. If our analytics setup ever changes in a way that requires consent, we will introduce a banner and notify users via the app and the "Last updated" date on this policy.
15. Your rights under GDPR
If you are in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights with respect to your personal data:
- Right of access (Art. 15) — request a copy of the personal data we hold about you
- Right to rectification (Art. 16) — request correction of inaccurate data
- Right to erasure / "right to be forgotten" (Art. 17) — request deletion of your data
- Right to restriction of processing (Art. 18) — limit how we use your data
- Right to data portability (Art. 20) — receive your data in a machine-readable format
- Right to object (Art. 21) — object to processing based on legitimate interest, including profiling
- Right not to be subject to automated decision-making (Art. 22) — UnSit does not perform automated decisions with legal effects on you
- Right to withdraw consent (Art. 7(3)) — at any time, without affecting the lawfulness of past processing
To exercise any of these rights, email support@unsit.me. We will respond within 30 days as required by Article 12 GDPR. We may extend the deadline by up to two further months for complex requests, with notification.
Right to lodge a complaint: if you consider that our processing of your personal data violates GDPR, you have the right to lodge a complaint with a supervisory authority. In France, this is the Commission Nationale de l'Informatique et des Libertés (CNIL):
- Postal address: 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France
- Phone: +33 1 53 73 22 22
- Website: cnil.fr
If you are in another EEA country, you may also lodge a complaint with your national supervisory authority. The list is available at edpb.europa.eu.
16. California residents (CCPA)
If you reside in California, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you the right to know what personal information we collect, the right to delete, the right to correct, and the right to opt out of "sale" or "sharing" of personal information. We do not sell or share your personal information as defined by CCPA/CPRA. To exercise your rights, contact support@unsit.me.
17. Changes to this policy
If we make material changes to this policy, we will:
- update the "Last updated" date at the top of this page
- display an in-app notice on next launch describing the change
- for material changes affecting how your data is processed, request renewed consent where legally required
For non-material updates (formatting, clarifications), we will only update the date.
18. Contact
For any privacy question, data request, complaint, or concern: support@unsit.me.
Postal address: PileaNova SAS, France. Full address available on request to support@unsit.me.