AscentStateASCENTSTATE

LEGAL

Privacy Policy

How we collect, use, and protect your personal data.

Last updated: May 6, 2026

1. Introduction

Welcome to AscentState. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our services.

AscentState is a commercial digital platform offering personal development tools, including learning paths, focus sessions, AI coaching, accountability features, and progress analytics. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), Swiss Federal Act on Data Protection (revDSG), Liechtenstein Data Protection Act (DSG), and other applicable international privacy laws.

By using AscentState, you agree to the data practices described in this policy. If you do not agree, please do not use our services.

2. Data Controller

The data controller responsible for your personal data is:

AscentState (operated by Ignaz Hoch)

9495 Triesen

Liechtenstein

Email: support@ascentstate.com

AscentState is currently operated as a sole proprietorship by Ignaz Hoch, a private individual residing in Liechtenstein. Operations will be transferred to AscentState AG, a Liechtenstein-registered company, once incorporated. This policy will be updated upon transfer.

Liechtenstein is a member of the European Economic Area (EEA), so GDPR applies fully. Through our future Liechtenstein establishment, we will satisfy the requirement of having an EEA presence under Article 3 GDPR.

3. Personal Data We Collect

We collect the following categories of personal data:

3.1 Account Data

  • Email address (required for authentication)
  • Username (chosen by you, publicly visible on the platform)
  • Password (stored encrypted, hashed via bcrypt)
  • Profile information you choose to add (avatar, tagline, bio)
  • Account creation date and last login timestamps

3.2 Usage Data

  • Lessons watched, actions completed, daily reflections submitted
  • Focus sessions: duration, mode, distractions logged
  • Streak data, XP earned, ranks achieved
  • Personal records (PRs) you log (e.g., training metrics, weights)
  • Notes and journal entries you create
  • Calendar events you schedule
  • Path progress and completion data

3.3 AI Coach Conversations

  • Messages you send to and receive from our AI Coach
  • Session metadata (mode, timestamps, message count)
  • Token usage (input/output tokens for billing and rate limiting)

AI Coach messages are processed by Anthropic (see Section 6 — Third Parties). Your conversations are stored on our servers and used to provide context for follow-up sessions. We do not use your AI conversations to train our or third-party models.

3.4 Social & Accountability Data

  • Followers / following relationships
  • Accountability partner connections and commitments
  • Public profile information visible to other users
  • Bug reports you submit (including optional screenshots)

3.5 Payment Data

  • Subscription tier (Free / Pro / Premium) and billing status
  • Stripe customer ID and subscription ID (for invoicing & access control)

We do not store full credit card numbers, CVCs, or banking details. All payment processing is handled by Stripe (see Section 6).

3.6 Technical Data

  • IP address (for security, fraud prevention, rate limiting)
  • Browser type, operating system, device type
  • Timezone (for accurate streak calculations)
  • Session cookies (essential for authentication)

4. Why We Process Your Data (Legal Basis)

We process your personal data on the following legal bases:

4.1 Performance of Contract (Art. 6(1)(b) GDPR)

  • Providing the AscentState service you signed up for
  • Processing payments and managing subscriptions
  • Tracking your progress and personal records
  • Delivering AI Coach responses

4.2 Legitimate Interests (Art. 6(1)(f) GDPR)

  • Securing our platform against abuse and fraud
  • Improving our service through aggregated, anonymized analysis
  • Communicating service updates and critical security notices

4.3 Legal Obligation (Art. 6(1)(c) GDPR)

  • Tax, accounting, and bookkeeping requirements
  • Responding to lawful requests from authorities

4.4 Consent (Art. 6(1)(a) GDPR)

Where we process data based on your consent (e.g., optional marketing communications), you can withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal.

5. Cookies & Tracking

AscentState uses only strictly necessary (essential) cookies. These do not require your consent under GDPR/ePrivacy because they are necessary for the service to function.

5.1 Essential Cookies We Use

  • Authentication cookies (Supabase): Keep you logged in. These are HTTP-only, secure, and SameSite-protected.
  • Currency preference cookie: Remembers your chosen currency for billing display.

5.2 What We Do Not Use

  • No Google Analytics
  • No Facebook Pixel or Meta tracking
  • No advertising or marketing cookies
  • No third-party tracking pixels
  • No cross-site tracking

If we add analytics in the future, we will update this policy and present a clear consent banner before any non-essential tracking.

6. Third-Party Service Providers

We use the following processors who handle data on our behalf under Data Processing Agreements (DPAs):

6.1 Supabase (Database & Authentication)

  • Provider: Supabase, Inc. — data hosted in Frankfurt, Germany (EU)
  • Purpose: User authentication, database storage, file storage
  • Data: All user-generated and account data
  • Privacy: supabase.com/privacy

6.2 Stripe (Payment Processing)

  • Provider: Stripe, Inc. (USA) — GDPR-compliant via SCCs
  • Purpose: Processing subscriptions and one-time payments
  • Data shared: Email, name, payment method (handled directly by Stripe — never touches our servers)
  • Privacy: stripe.com/privacy

6.3 Anthropic (AI Coach)

  • Provider: Anthropic, PBC (USA) — GDPR-compliant via DPA
  • Purpose: Powering the AI Coach feature
  • Data shared: Your messages to the AI Coach plus minimal context (current streak, recent activity) for personalization
  • Anthropic does not use API inputs to train models (per their API terms)
  • Privacy: anthropic.com/privacy

6.4 International Data Transfers

When data is transferred outside the EEA (e.g., to Stripe or Anthropic in the USA), we rely on the European Commission's Standard Contractual Clauses (SCCs) and additional safeguards as required by GDPR Articles 44-49.

7. Data Retention

We retain your personal data only as long as necessary:

  • Active accounts: Data is kept while your account is active.
  • Deleted accounts: Personal data is deleted within 30 days of account deletion. Some data may persist longer if required by law (e.g., invoices for tax purposes — typically 10 years under Liechtenstein law).
  • Backups: Encrypted backups are retained for 30 days, after which deleted data is purged.
  • Bug reports: Retained for 12 months after resolution to monitor recurring issues.
  • AI Coach messages: Stored as long as your account is active. Deleted with account deletion.

8. Your Rights

Under GDPR, Swiss revDSG, and Liechtenstein DSG, you have the following rights:

  • Right to Access — request a copy of your personal data
  • Right to Rectification — correct inaccurate data
  • Right to Erasure("Right to be Forgotten") — request deletion of your account and data
  • Right to Restriction — limit how we process your data
  • Right to Data Portability — receive your data in a structured, machine-readable format
  • Right to Object — object to processing based on legitimate interests
  • Right to Withdraw Consent — where processing is based on consent
  • Right to Lodge a Complaint with a supervisory authority (see Section 12)

To exercise any of these rights, contact us at support@ascentstate.com. We will respond within 30 days. Most account-related actions (delete account, export data) can also be performed directly in your account settings.

9. Security

We protect your data with industry-standard security measures:

  • HTTPS/TLS encryption for all data in transit
  • Encryption at rest for sensitive data (passwords, PII)
  • Row-level security (RLS) policies on our database — you can only access your own data
  • Regular security updates and vulnerability monitoring
  • Access controls and authentication for our team members
  • Encrypted backups with 30-day retention

No system is 100% secure. If we become aware of a personal data breach that poses a risk to your rights, we will notify you and the relevant supervisory authority within 72 hours, as required by Article 33 GDPR.

10. Children's Privacy

AscentState is not intended for children under 16. We do not knowingly collect personal data from anyone under 16. If you are under 16, please do not use our services or provide any personal information.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at support@ascentstate.com and we will delete the information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email and/or a prominent notice on our platform at least 30 days before they take effect. The "Last Updated" date at the top of this page reflects the most recent revision.

12. Contact & Supervisory Authorities

12.1 Contact Us

For any privacy-related questions, requests, or complaints, contact us at:

Email: support@ascentstate.com

Ignaz Hoch

9495 Triesen

Liechtenstein

12.2 Supervisory Authorities

If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with a supervisory authority:

  • Liechtenstein (primary): Datenschutzstelle Fürstentum Liechtenstein — datenschutzstelle.li
  • Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch
  • EU/EEA residents: Your local data protection authority — find yours at edpb.europa.eu
  • UK residents: Information Commissioner's Office (ICO) — ico.org.uk
  • California residents: California Attorney General (CCPA/CPRA) — oag.ca.gov/privacy