CandleWithin

Privacy Policy

Last updated: June 2026

Controller

Dr. Farzaneh Samsami
Biebricher Allee 161 b, 65203 Wiesbaden, Germany

hello@candlewithin.com

What data we collect and why

Account: When you create an account, we store your email address and display name (via Supabase Auth) to provide your private space and enable paid services.

Newsletter: If you subscribe, we store your email address to send occasional reflections. You may unsubscribe at any time by contacting us.

AI conversations: Conversations with the AI reflection tools are stored in our database. If you use the tools anonymously, you are identified by a temporary session key derived from a hash of your IP address and the current date; your raw IP address is never stored. If you are signed in, your conversations are linked to your account and can be deleted on request.

Purchases: Payment processing is handled directly by Stripe or PayPal. We do not store full payment card details.

Technical data: Your IP address and browser information are automatically processed by our hosting infrastructure (Vercel) for security and uptime purposes.

Cookies

We use two types of cookies:

  • Language preference (NEXT_LOCALE): stores your chosen language (en / fa / de). Duration: 1 year.
  • Authentication session: keeps you signed in when you have an account. Duration: up to 7 days, or until you sign out.

We do not use advertising, marketing, or cross-site tracking cookies.

Third-party services

  • Supabase: database and authentication
  • OpenAI: your conversation text is processed by OpenAI's API to generate responses; no additional personal data is shared
  • Stripe / PayPal: payment processing — their own privacy policies apply
  • Vercel: website hosting

Your rights (GDPR)

If you are located in the EU/EEA, you have the right to access, correct, erase, restrict processing of, and port your personal data.

To exercise any of these rights, contact us at hello@candlewithin.com.

Data retention

Account data is retained until you close your account. Anonymous AI session data is retained for 30 days. Newsletter subscriptions remain active until you unsubscribe.

Changes to this policy

We may update this policy from time to time. Significant changes will be published on this page.