Privacy Policy

Privacy Policy

Last updated: 16 June 2026

BreathFree2 BV (“we”, “us”, “our”), Test Street 2, 1010 TT Amsterdam, the Netherlands, is the data controller responsible for your personal data when you use the BreathFree2 “Quit Smoking in 21 Days” Service. This Privacy Policy explains what data we collect, why, how we protect it, and your rights under the General Data Protection Regulation (GDPR) and the Dutch Uitvoeringswet AVG.

1. Data We Collect

1.1 Data You Provide Directly

• Account information: name, email address, password (hashed).
• Profile & programme data: smoking history, quit date, daily check-in responses, goals, and progress notes you enter into the app.
• Payment information: billing name, address, and payment method details (processed directly by our payment processor; we do not store full card numbers).
• Communications: messages you send to our support team.

1.2 Data Collected Automatically

• Usage data: pages visited, features used, session duration, click-through events.
• Device & technical data: IP address, browser type, operating system, device identifiers.
• Cookies & similar technologies: see Section 7 below.

1.3 Special Category Data

Information about your smoking habits and health-related behaviours may constitute health-related personal data under GDPR Article 9. We process this data only on the basis of your explicit consent (Article 9(2)(a)), which you provide when you create your account and complete the programme intake. You may withdraw this consent at any time (see Section 9).

2. Why We Process Your Data (Legal Bases)

• Contract performance (Art. 6(1)(b) GDPR): To create and manage your account, deliver the programme, process payments, and provide customer support.
• Legitimate interests (Art. 6(1)(f) GDPR): To improve the Service, ensure security, prevent fraud, and send service-related communications. We have assessed that our legitimate interests do not override your rights.
• Legal obligation (Art. 6(1)(c) GDPR): To comply with Dutch tax, accounting, and consumer protection law.
• Consent (Art. 6(1)(a) / Art. 9(2)(a) GDPR): For marketing emails, cookies beyond strictly necessary, and the processing of health-related programme data.

3. How We Use Your Data

• Providing, personalising, and improving the 21-day quit-smoking programme.
• Processing payments and managing your subscription.
• Sending programme content, reminders, and transactional emails.
• Sending marketing emails and offers (only with your consent; you can unsubscribe at any time).
• Analysing aggregate, anonymised usage to improve the Service.
• Complying with legal obligations and responding to lawful requests from authorities.

4. Third-Party Processors

We share your data only with trusted processors who are contractually bound to protect it under GDPR-compliant data processing agreements:

• Payment processors (e.g. Stripe, Inc. or Mollie B.V.) – billing and fraud prevention. Stripe is certified under the EU–US Data Privacy Framework. Mollie is headquartered in the Netherlands.
• Email service providers (e.g. Brevo SAS or Mailchimp / Intuit) – delivering programme and marketing emails.
• AI / coaching technology providers – powering personalised in-app coaching features. We ensure appropriate safeguards (Standard Contractual Clauses where applicable) are in place for any transfers outside the EEA.
• Analytics providers (e.g. Google Analytics configured with IP anonymisation, or a privacy-first alternative such as Plausible) – understanding Service usage.
• Cloud hosting providers – storing application data within the European Economic Area.

We do not sell your personal data to third parties.

5. International Data Transfers

Where we transfer personal data outside the European Economic Area (EEA), we do so only where appropriate safeguards are in place, such as the European Commission's Standard Contractual Clauses, an adequacy decision, or the EU–US Data Privacy Framework. You can request details of these safeguards by contacting us.

6. Data Retention

• Account & programme data: retained for the duration of your subscription plus 2 years after account closure (to handle potential disputes or re-subscriptions), then securely deleted or anonymised.
• Payment records: retained for 7 years to comply with Dutch tax and accounting law (Belastingdienst requirements).
• Marketing consent records: retained until you withdraw consent, plus a reasonable period to demonstrate compliance.
• Support communications: retained for 2 years after the last interaction.

7. Cookies & Similar Technologies

We use cookies and similar tracking technologies on our website and app. Categories include:

• Strictly necessary cookies: required for the Service to function (no consent required).
• Analytics cookies: help us understand how users interact with the Service (requires your consent).
• Marketing/advertising cookies: used to show relevant ads and measure campaign effectiveness (requires your consent).

You can manage your cookie preferences via our cookie consent banner or your browser settings. Withdrawing cookie consent does not affect the lawfulness of prior processing.

8. Security

We implement appropriate technical and organisational measures to protect your personal data, including TLS encryption in transit, hashed passwords, access controls, and regular security reviews. No transmission over the internet is 100% secure; we encourage you to use a strong, unique password.

9. Your Rights Under GDPR

As a data subject in the EEA, you have the following rights, which you may exercise free of charge by contacting us at info@rolandb31.com:

• Right of access (Art. 15): Obtain a copy of the personal data we hold about you.
• Right to rectification (Art. 16): Correct inaccurate or incomplete data.
• Right to erasure (Art. 17): Request deletion of your data (“right to be forgotten”), subject to legal retention obligations.
• Right to restriction (Art. 18): Ask us to limit processing of your data in certain circumstances.
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
• Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
• Right to withdraw consent: Withdraw consent at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint: You have the right to complain to the Dutch data protection authority, the Autoriteit Persoonsgegevens (AP), at www.autoriteitpersoonsgegevens.nl.

We will respond to verifiable requests within 30 days (extendable by a further 60 days for complex requests, with notice).

10. Children

The Service is not directed at persons under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with data, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by email or in-app notification before they take effect. The “Last updated” date at the top will always reflect the current version.

12. Contact & Data Controller Details

BreathFree2 BV
Test Street 2, 1010 TT Amsterdam, the Netherlands
Email: info@rolandb31.com

Disclaimer: This Privacy Policy has been prepared to reflect the requirements of the GDPR and applicable Dutch law as of the date above. It is provided for informational purposes and does not constitute professional legal or compliance advice. BreathFree2 BV recommends seeking independent legal counsel to verify ongoing compliance with all applicable data protection laws.