Katharsis Software Ltd
Last updated: 12th June 2026
Katharsis Software Ltd (“we”, “us”, “our”) is the data controller for personal data processed through EDGR (“the Service”). We are a company registered in England and Wales.
Contact: support@edgr.app [REGISTERED ADDRESS — to be added on incorporation]
If you have any questions about how we handle your data, or wish to exercise any of your rights, please contact us at support@edgr.app or, for data subject rights requests, at dsar@edgr.app.
“Activity data” means any intimate events, sessions, journal entries, notes, and associated metadata (such as timestamps, duration, and intensity) that you log using the Service.
“Data controller” means the entity that determines the purposes and means of processing personal data. For the Service, the data controller is Katharsis Software Ltd.
“Data processor” means a third party that processes personal data on behalf of the data controller, under a data processing agreement.
“Data subject rights request” or “DSAR” means a formal request by a user to exercise one or more of their rights under UK GDPR, such as a right of access, erasure, or portability.
“Explicit consent” means a clear, affirmative, and specific agreement to the processing of special category personal data, as required under Article 9(2)(a) UK GDPR.
“Linked accounts” means the feature of the Service that allows a subject to grant a viewer read and write access to their activity data.
“Lawful basis” means the legal ground under UK GDPR that permits the processing of personal data.
“Personal data” means any information relating to an identified or identifiable living individual.
“Processing” means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
“Public profile” means the publicly accessible page associated with a user’s account, displaying information and dashboard content that the user has chosen to make public.
“Special category data” means personal data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person’s sex life or sexual orientation. Activity data logged in EDGR falls within this category.
“Subject” means a user who sends a link request to another user, thereby initiating the process of granting that user read and write access to their activity data.
“The Service” means the EDGR web application and progressive web app operated by Katharsis Software Ltd, accessible at edgr.app.
“Viewer” means a user who has accepted a link request from a subject and thereby received read and write access to that subject’s activity data, within the limits described in the Terms of Service.
“UK GDPR” means the UK General Data Protection Regulation, as retained in UK law by the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
What: Email address, username, and password (stored as a hashed value — we never store your password in plain text).
Why: To create and manage your account, authenticate you, and communicate with you about the Service.
Lawful basis: Performance of a contract (Article 6(1)(b) UK GDPR).
What: Display name, time zone, and any other optional profile information you provide.
Why: To personalise your experience and display your activity data in your local time zone.
Lawful basis: Performance of a contract (Article 6(1)(b) UK GDPR).
What: Logged events (including event type, timestamp, duration, intensity, and any notes you attach), session records, and journal entries.
Why: To provide the core functionality of the Service — tracking, dashboards, and reflective journalling.
Special category data: Activity data logged in EDGR constitutes data concerning sexual behaviour and orientation, which is a special category of personal data under Article 9 UK GDPR. We process this data only on the basis of your explicit consent, given when you create your account and confirmed by your active, ongoing use of the Service to log this data. You may withdraw consent at any time by deleting your data or your account.
What: The identities of accounts you have linked (as a subject or viewer), and the consent records associated with those links.
Why: To enable the linked accounts feature, whereby a subject may grant a viewer read and write access to their activity data, or a viewer may receive such access from a subject.
Special category data: Where a subject sends a link request to a viewer and the viewer accepts it, that viewer will be able to read, add, edit, and delete the subject’s special category data as described in Section 3.3. This access does not extend to the subject’s account settings or profile settings. This access is granted only on the basis of the subject’s explicit consent, given at the time of sending the link request and confirmed when the viewer accepts. The subject may revoke this consent at any time.
Lawful basis: Explicit consent (Article 9(2)(a) UK GDPR); and, for the account linkage records themselves, performance of a contract (Article 6(1)(b) UK GDPR).
What: Your username, and any profile information you have chosen to make publicly visible (which may include a display name, bio, age, gender, and location). Additionally, activity data displayed on any dashboard cards you have enabled for your public profile.
Why: To enable the public profile feature, which allows you to share a view of your activity data with others.
Special category data: If you choose to enable public dashboard cards, activity data — which constitutes special category data under Article 9 UK GDPR — will be disclosed to anyone who accesses your public profile URL, or to anyone with your token-protected link if you have enabled token protection. We process and disclose this data solely on the basis of your explicit consent, expressed through your active choice to enable public sharing. You may withdraw this consent at any time by disabling your public profile or removing public dashboard links from your account settings, which takes effect immediately.
What you control: You control which profile fields are visible on your public profile and which dashboard cards are publicly shared. Fields you have not enabled are not disclosed.
Lawful basis: Explicit consent (Article 9(2)(a) UK GDPR) for special category activity data; legitimate interests (Article 6(1)(f) UK GDPR) for the disclosure of non-sensitive profile fields you have chosen to make public.
What: Device push notification tokens, and your notification preferences.
Why: To send you in-app push notifications about activity relevant to your account (for example, notifications relating to linked account activity, where you have enabled these).
Lawful basis: Consent (Article 6(1)(a) UK GDPR). You may withdraw consent at any time by disabling notifications in your browser or device settings, or within the Service.
What: Log data including truncated IP address (the last octet is removed before storage), browser type, pages accessed, and timestamps of requests. This data is collected automatically when you use the Service.
Why: To maintain the security and performance of the Service, diagnose errors, and prevent abuse.
Lawful basis: Legitimate interests (Article 6(1)(f) UK GDPR). Our legitimate interest is the secure and reliable operation of the Service.
We use the following third-party services to operate the Service. Each acts as a data processor on our behalf under a data processing agreement:
| Processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database hosting, authentication, and file storage | EU (Frankfurt) |
| Cloudflare, Inc. | Bot and spam protection (Turnstile, used on authentication forms) | EU/US |
Supabase processes your data on servers located in the EU (Frankfurt region). No transfer of your personal data outside the UK or EEA occurs in the ordinary operation of the Service. Where any processor is located outside the UK or EEA, we ensure appropriate safeguards are in place in accordance with UK GDPR.
We do not sell your personal data to any third party. We do not use your data for advertising.
| Data type | Retention period |
|---|---|
| Account and profile data | Until you delete your account |
| Activity data (events, sessions, journals) | Until you delete the data or your account |
| Linked account consent records | Until the link is revoked by either party, or either account is deleted |
| Public profile settings and consent records | Until you disable public sharing or delete your account |
| Push notification tokens | Until you withdraw consent or your account is deleted |
| Server log data | Up to 90 days, then deleted |
When you delete your account, all personal data associated with it will be deleted from our systems within 30 days, except where we are required to retain it by law.
Under UK GDPR, you have the following rights:
Right of access — You may request a copy of the personal data we hold about you.
Right to rectification — You may ask us to correct inaccurate or incomplete data.
Right to erasure — You may ask us to delete your personal data. You can also delete your own data and account directly from within the Service.
Right to restriction — You may ask us to restrict processing of your data in certain circumstances.
Right to data portability — You may request your personal data in a structured, machine-readable format.
Right to object — You may object to processing based on legitimate interests.
Right to withdraw consent — Where processing is based on consent (including for special category data), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
To exercise any of these rights, contact us at dsar@edgr.app. We will respond within one calendar month. We may ask you to verify your identity before fulfilling a request.
If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
ico.org.uk | 0303 123 1113
We would ask that you contact us first at support@edgr.app so we have the opportunity to address your concern directly.
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction. These include encrypted connections (HTTPS), hashed password storage, and access controls on our database.
No method of transmission or storage is completely secure. We cannot guarantee absolute security, but we will notify you and the ICO without undue delay in the event of a data breach that poses a risk to your rights and freedoms.
The Service is not directed at anyone under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with their data, please contact us at support@edgr.app and we will delete it promptly.
We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email or by a notice within the Service before the change takes effect. The “Last updated” date at the top of this page reflects the most recent revision.
Continued use of the Service after the effective date of any change constitutes acceptance of the revised policy.
For any privacy-related queries or to exercise your rights:
Katharsis Software Ltd
support@edgr.app | dsar@edgr.app
124 City Road, London, United Kingdom, EC1V 2NX