Privacy Policy
Last updated: April 6, 2026
This Privacy Policy explains how Balance Breathing ("Balance Breathing," "we," "us") collects, uses, discloses, and safeguards information when organizations, their authorized users, and individual users ("you") use our breathwork reminder application and related services (the "Service").
1. Data controller and processor roles
Business (B2B) deployments
When an organization subscribes to the Service (the "Customer"), the Customer is the data controller and determines the purposes and means of processing personal data of its end users. Balance Breathing acts as the data processor, processing personal data solely on the Customer's behalf and in accordance with the Customer's instructions to provide the Service.
We offer a Data Processing Agreement (DPA) to all Customers on request. To obtain a copy, contact info@balance-breathing.nl.
Individual accounts
When you sign up directly for a personal or free account that is not associated with an organization, Balance Breathing is the data controller for your personal data and processes it to provide the Service to you.
Individual-to-organization transition
If your individual account is later associated with an organization (for example, when your employer subscribes to the Service), the organization becomes the data controller for your account data from that point forward. Your historical usage data (such as session completions and stress ratings) will become accessible to the organization's administrators as part of the B2B deployment. If an organization verifies ownership of your email domain as part of onboarding, accounts associated with that domain may be migrated automatically into the organization's workspace so the Service can be administered on the organization's behalf.
2. Information we collect
We collect the following categories of information, depending on how the Service is configured:
A. Account and organization information
- Organization name, workspace identifiers (e.g., Slack workspace ID, Microsoft Teams tenant ID), admin contact details, and/or individual account registration details such as name and email address
- Billing and subscription information (processed by Stripe; we do not store full payment card numbers)
B. Google Calendar data (if connected)
We request the following Google OAuth scopes:
| Scope | Purpose |
|---|---|
openid | Authenticate your identity via Google |
email | Retrieve your email address for account matching |
profile | Retrieve your display name |
calendar.readonly | Read calendar event times and attendee information to schedule breathing reminders before meetings and for specified contacts |
We access event start times, end times, calendar identifiers, and attendee information
(name and email address) to deliver breathing reminders before external meetings and for
meetings involving contacts specified by the user or organization administrator. We do not
read event descriptions, attachments, or other event content. Attendee data is used solely
for reminder delivery and is not retained beyond what is necessary for scheduling.
The calendar.readonly scope provides read-only access; we cannot create,
modify, or delete events on your calendar.
C. Microsoft Calendar data (if connected)
We request the following Microsoft OAuth scopes:
| Scope | Purpose |
|---|---|
openid | Authenticate your identity via Microsoft |
profile | Retrieve your display name |
email | Retrieve your email address for account matching |
offline_access | Maintain calendar sync when you are not actively using the Service |
User.Read | Read your basic Microsoft profile |
Calendars.Read | Read calendar event times and attendee information to schedule breathing reminders before meetings and for specified contacts |
As with Google Calendar, we access event timing metadata and attendee information (name
and email address) to deliver breathing reminders before external meetings and for meetings
involving specified contacts. We do not read event bodies, attachments, or other event
content. Attendee data is used solely for reminder delivery.
The Calendars.Read scope provides read-only access; we cannot create, modify,
or delete events on your calendar.
D. Slack data (if connected)
We request the following Slack scopes:
| Scope | Purpose |
|---|---|
channels:read | Identify workspace channels for configuration |
chat:write | Send breathing reminder messages to users |
files:write | Share breathing exercise media in messages |
groups:read | Identify private channels for configuration |
im:write | Send direct messages to users |
users:read | Look up user display names for personalized messages |
For user authentication via Slack, we additionally request openid,
profile, and email via Slack's OpenID Connect flow.
E. Microsoft Teams data (if connected)
The Balance Breathing Teams bot authenticates via the Microsoft Bot Framework using application-level credentials. It does not request additional user-level OAuth scopes beyond those listed in section 2C above. The bot sends breathing reminder messages via Teams conversations and receives user responses (such as stress ratings and session confirmations) through Teams interactive cards.
F. Usage and device data
- Server log data (IP address, timestamps, pages viewed, feature usage)
- Approximate location inferred from IP address (not precise geolocation)
3. How we use information and legal bases
Under the GDPR, we must have a lawful basis for each type of processing we carry out. The table below sets out how we use your information and the legal basis we rely on in each case:
| Purpose | Legal basis (GDPR) |
|---|---|
| Provide, maintain, and secure the Service (including sending reminders and notifications) | Performance of a contract (Article 6(1)(b)) |
| Administer accounts, provide support, and communicate about the Service | Performance of a contract (Article 6(1)(b)) |
| Improve features, debug issues, and analyze usage trends | Legitimate interest (Article 6(1)(f)) — maintaining and improving the quality and reliability of the Service |
| Prevent fraud, abuse, or security incidents | Legitimate interest (Article 6(1)(f)) — protecting the security of the Service and its users |
| Process meeting attendee information to deliver configured breathing reminders before external meetings and for specified contacts | Legitimate interest of the controller (Article 6(1)(f)) — supporting employee wellbeing in the context of scheduled meetings |
| Comply with legal obligations (e.g., tax records, lawful requests) | Legal obligation (Article 6(1)(c)) |
Where we rely on legitimate interest, we have assessed that our interests do not override your fundamental rights and freedoms, taking into account the nature and scope of the processing, the expectations of users, and the safeguards we have in place. You may object to processing based on legitimate interest at any time (see Section 9).
We do not use personal data for profiling, automated decision-making, or purposes unrelated to the Service. If this changes in the future, we will update this policy and, where required, obtain consent before processing.
4. How we share information
We may share information with:
- Sub-processors who help us operate the Service. We maintain a sub-processor list with the identity, location, and purpose of each sub-processor. We will notify Customers at least 30 days before engaging a new sub-processor.
- Integration partners you connect (Google, Microsoft, Slack) to the extent required for the integration to function, limited to the scopes described in Section 2
- Customer administrators (for B2B deployments) who may access certain account and usage information for users within their organization
- Legal and safety: if required by law, regulation, legal process, or governmental request, or to protect rights, safety, and security
- Business transfers: in connection with a merger, acquisition, or asset sale, in which case we will notify affected users
We do not sell personal information.
Where the Service processes meeting attendee data on behalf of a Customer, the Customer is responsible for ensuring it has an appropriate legal basis to instruct Balance Breathing to process that data.
5. Data retention
We retain different categories of data for different periods:
- Account and profile data: retained for as long as the account is active. After account closure or removal from an organization, account data is deleted within 30 days unless the Customer or user requests earlier deletion.
- Usage and session data (breathwork session records, stress ratings): retained for as long as the account is active to provide continuity of service. Deleted within 30 days of account closure.
- Server logs (IP addresses, access logs): retained for 12 months, then automatically purged.
- Billing records: retained as required by applicable tax and accounting law (typically 7 years).
- Calendar event cache: event timing metadata and attendee information is refreshed continuously and removed when the calendar integration is disconnected or the account is closed. Attendee data is used solely for reminder scheduling and is not retained beyond what is necessary for that purpose.
Customers and individual users may request deletion of their data at any time by contacting info@balance-breathing.nl. Deletion will be completed within 30 days, subject to any legal retention obligations.
6. Security
We implement technical and organizational measures to protect your data, including:
- Encryption in transit: all data transmitted between your browser or application and our servers is encrypted using TLS (HTTPS). API calls to third-party services (Google, Microsoft, Slack, Stripe) are also encrypted in transit.
- Encryption at rest: OAuth and integration tokens are stored server-side in encrypted form.
- Authentication: we use OAuth-based authentication exclusively (Google, Microsoft, Slack). We do not store user passwords.
- Access control: production infrastructure access is restricted to authorized personnel. Stored credentials are not exposed to end users.
- Infrastructure: the Service is hosted on dedicated servers at Hetzner in Nuremberg, Germany, and our primary application hosting and database remain in the EU. Some personal data is transferred to non-EEA sub-processors for payment processing and product integrations as described in Sections 4 and 8.
- Session security: session cookies are signed, marked
HttpOnly,SameSite=Lax, andSecurein production.
We are pursuing SOC 2 Type II certification. For details on our current security practices or to request security documentation, contact info@balance-breathing.nl.
Additional compliance materials, including our standard security overview, data processing documentation, and responses to reasonable customer security questionnaires, are available upon request.
No system is 100% secure. If you believe your account has been compromised, contact us immediately.
7. Breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:
- We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
- We will notify affected Customers without undue delay and no later than 72 hours after becoming aware of the breach, providing details of the nature of the breach, the data affected, and the measures taken or proposed.
- Where the breach is likely to result in a high risk to individuals, we will also notify affected end users directly.
8. International data transfers
Our primary application hosting and database are located in Germany (EU). When personal data is transferred to sub-processors outside the European Economic Area (EEA), including for payment processing or connected product integrations, we rely on the following legal mechanisms, as applicable:
- EU-US Data Privacy Framework: for transfers to US-based sub-processors that are certified under the framework
- Standard Contractual Clauses (SCCs): where the Data Privacy Framework does not apply, we enter into EU-approved Standard Contractual Clauses with the sub-processor
A list of our sub-processors and their locations is available on our sub-processor page.
9. Your rights
If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):
- Right of access (Article 15): request a copy of the personal data we hold about you
- Right to rectification (Article 16): request correction of inaccurate or incomplete personal data
- Right to erasure (Article 17): request deletion of your personal data, subject to legal retention obligations
- Right to restriction of processing (Article 18): request that we limit how we process your data in certain circumstances
- Right to data portability (Article 20): receive your personal data in a structured, commonly used, machine-readable format
- Right to object (Article 21): object to processing of your personal data in certain circumstances
- Rights related to automated decision-making (Article 22): we do not currently engage in automated decision-making or profiling that produces legal or similarly significant effects
For B2B users: because your organization is the data controller, please first contact your organization's administrator. If your administrator is unable to address your request, or if the request relates to Balance Breathing's own processing, contact us directly.
For individual users: contact us directly at info@balance-breathing.nl.
We will respond to verified requests within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.
10. Cookies and tracking
We use a minimal set of cookies that are strictly necessary to operate the Service:
- Session cookie: a signed, encrypted cookie that maintains your
authenticated session. It is marked
HttpOnly,SameSite=Lax, andSecure(in production). It does not contain personal data beyond a session identifier. - Theme preference: stored in your browser's local storage (not a cookie) to remember your light/dark mode preference.
We do not use third-party tracking cookies, advertising cookies, or analytics services that share data with third parties (such as Google Analytics, Meta Pixel, or similar). We do not participate in cross-site tracking or ad networks.
All usage analytics are first-party only, processed on our own infrastructure, and used solely to operate and improve the Service.
11. Children
The Service is intended for workplace use by adults and is not directed to children under 16.
12. Changes
We may update this Privacy Policy from time to time. The "Last updated" date will change when we do. For material changes, we will notify Customers via email or an in-app notice at least 30 days before the changes take effect.
13. Contact
Balance Breathing is registered in the Netherlands.
Email: info@balance-breathing.nl
Phone / WhatsApp: +31 6 82856075
For data protection inquiries, you may also contact our data protection point of contact at the email address above.