Privacy Policy

Last Updated: January 8, 2026

Data Controller: LumeLabs OÜ

Registry Code: 17190754

Address: Koidu tn 101-26, Tallinn Harjumaa 10139, Estonia

Email: hello@painapp.health

1. Introduction

LumeLabs OÜ ("we," "us," or "our") operates PainApp, a pain tracking and neuroplasticity education application. This Privacy Policy explains how we collect, use, protect, and share your personal information, including sensitive health data.

Your privacy is important to us. We are committed to protecting your personal information and complying with the General Data Protection Regulation (GDPR) and other applicable privacy laws.

2. Information We Collect

2.1 Information You Provide Directly

Account Information:

  • Email address
  • Name (if provided)
  • Password (encrypted)
  • Profile information

Health Data (Special Category Data under GDPR):

  • Pain levels and descriptions
  • Symptom information
  • Body part tracking
  • Timestamps of pain episodes
  • Notes and observations
  • Medication tracking (if used)
  • Any other health-related information you choose to enter

AI Chatbot Conversation Data:

  • Questions you ask the AI chatbot
  • Responses generated by the AI
  • Health information you share with the chatbot
  • Conversation history and context
  • This data may be processed by third-party AI providers (see Section 5.1)

Health data, including health information you share with the chatbot, is "special category" personal data under GDPR and receives enhanced protection.

2.2 Information Collected Automatically

Technical Data:

  • IP address
  • Device type and operating system
  • Browser type and version
  • App version
  • Time zone settings
  • Language preferences
  • Mobile device identifiers (if using mobile app)
  • Device model and manufacturer
  • Operating system version
  • Screen resolution

Usage Data:

  • Features you use
  • Time spent in app
  • Interaction patterns
  • Error logs and crash reports
  • Button clicks and navigation paths (via Posthog)
  • Session duration and frequency
  • Feature adoption metrics

Note: Usage analytics help us improve the app but do NOT include your actual health data or pain tracking details.

2.3 Information From Third Parties

We may receive information if you:

  • Sign in through social media (if enabled)
  • Use third-party integrations (with your permission)

2.4 Mobile App Permissions

If you use the mobile app, we may request:

Required Permissions:

  • Internet access (to sync data and use chatbot)
  • Storage (to cache data locally)

Optional Permissions (only if you grant):

  • Notifications (for reminders and updates)
  • Camera (if you want to add photos to pain logs)

You can manage permissions in your device settings. Denying optional permissions may limit some features but won't prevent basic app functionality.

3. Legal Basis for Processing (GDPR)

We process your personal data only when we have a legal basis:

3.1 Consent (Primary Basis for Health Data)

  • You explicitly consent to us processing your health data
  • You can withdraw consent at any time
  • Withdrawal does not affect lawfulness of prior processing

3.2 Contract Performance

  • To provide the Service you signed up for
  • To manage your account
  • To process payments

3.3 Legitimate Interests

  • To improve the Service
  • To prevent fraud and abuse
  • To ensure security
  • To analyze usage patterns (anonymized)

3.4 Legal Obligations

  • To comply with laws and regulations
  • To respond to legal requests
  • To enforce our Terms of Service

4. How We Use Your Information

4.1 Primary Uses

To Provide the Service:

  • Display your health tracking data
  • Generate visualizations and reports
  • Sync data across your devices
  • Provide personalized features
  • Power the AI chatbot with your questions and context
  • Generate AI responses to your health information queries

To Improve the Service:

  • Analyze usage patterns (anonymized)
  • Identify bugs and fix errors
  • Develop new features
  • Conduct research (with anonymized data)

To Communicate With You:

  • Send service announcements
  • Respond to your inquiries
  • Send marketing communications (with consent)
  • Provide customer support

To Ensure Security:

  • Prevent fraud and abuse
  • Protect against security threats
  • Enforce our Terms of Service
  • Maintain system integrity

4.2 We Do NOT

  • Sell your personal data to third parties
  • Use your health data for advertising
  • Share identifiable health data without consent
  • Use your data for purposes incompatible with those described here

5. How We Share Your Information

5.1 We Share Your Data In Limited Circumstances:

Service Providers (Data Processors):

We share data with trusted third parties who help us operate:

Authentication & Data Storage:

  • Supabase - Provides authentication services and database infrastructure
  • Processes: Email, password (encrypted), user authentication tokens, session data
  • Location: Servers in EU/US (depending on configuration)
  • Privacy Policy: https://supabase.com/privacy

Analytics:

  • Posthog - Provides product analytics and usage tracking
  • Processes: Usage data, feature interactions, session recordings (if enabled), anonymized user behavior
  • Does NOT process: Raw health data or pain tracking details
  • Privacy Policy: https://posthog.com/privacy

Cloud Hosting:

  • Cloud hosting providers for data storage and application delivery

Payment Processing:

  • Payment processors for billing and subscription management

Email Communications:

  • Email service providers for transactional and marketing emails

Customer Support:

  • Support tools for handling user inquiries

AI/LLM Providers (Chatbot Functionality):

When you use the AI chatbot feature, your questions and health information may be processed by third-party AI providers including:

  • OpenAI (GPT models)
  • Anthropic (Claude models)
  • Google (Gemini/PaLM models)
  • Meta (Llama models)
  • Other LLM providers we may integrate

Important About AI Providers:

  • Your chatbot conversations are sent to these providers to generate responses
  • Each provider has their own privacy policy and data practices
  • We may switch providers without notice
  • AI providers may use conversations to improve their models (check their policies)
  • We select providers based on their security and privacy commitments

All Service Providers:

  • Are contractually bound to protect your data
  • Process data only on our instructions
  • Comply with GDPR requirements (or equivalent)
  • Are selected based on security standards

Legal Requirements:

We may disclose data if required by:

  • Court orders or subpoenas
  • Law enforcement requests
  • Legal proceedings
  • Protection of our rights
  • Public safety concerns

Business Transfers:

If we are acquired or merged, your data may be transferred to the new entity (you will be notified).

With Your Consent:

We may share data with third parties if you explicitly consent.

5.2 Mobile App Stores

Apple App Store:

If you download PainApp from the Apple App Store:

  • Apple collects data about your download and purchases
  • Apple processes payment information
  • Apple may collect device information and usage data
  • Apple's Privacy Policy applies: https://www.apple.com/legal/privacy/
  • We do not control Apple's data practices

Google Play Store:

If you download PainApp from Google Play Store:

  • Google collects data about your download and purchases
  • Google processes payment information
  • Google may collect device information and usage data
  • Google's Privacy Policy applies: https://policies.google.com/privacy
  • We do not control Google's data practices

App Store Data Collection:

  • App stores collect data independently of us
  • We receive limited information (aggregate downloads, crash reports)
  • Your relationship with app stores is governed by their terms
  • We are not responsible for app store data practices

5.3 We Never Share

  • Identifiable health data for marketing purposes
  • Personal data for sale to data brokers
  • Information to advertisers (except anonymized aggregate data)

6. Data Security

6.1 Security Measures

We implement appropriate technical and organizational measures:

Technical Measures:

  • Encryption in transit (TLS/SSL)
  • Encryption at rest for sensitive data
  • Secure password hashing
  • Regular security updates
  • Firewall protection
  • Intrusion detection systems

Organizational Measures:

  • Access controls (principle of least privilege)
  • Employee training on data protection
  • Regular security audits
  • Incident response procedures
  • Data protection impact assessments

6.2 Your Responsibility

You are responsible for:

  • Keeping your password secure
  • Not sharing account access
  • Using strong passwords
  • Logging out on shared devices
  • Updating security settings

6.3 No Absolute Security

Important: No internet transmission or electronic storage is 100% secure. While we implement strong security measures, we cannot guarantee absolute security. You use the Service at your own risk.

7. Data Retention

7.1 Retention Periods

Account Data:

  • Retained while your account is active
  • Deleted 90 days after account closure (unless legal requirements apply)

Health Data:

  • Retained while your account is active
  • Deleted 90 days after account closure
  • May be retained longer if you request (e.g., for health records)

Anonymized Data:

  • May be retained indefinitely for analytics
  • Cannot be linked back to you

Legal Requirements:

  • Some data may be retained longer if required by law
  • Financial records: 7 years (EU requirement)

7.2 Data Deletion

To delete your data:

  1. Contact us at hello@painapp.health
  2. We will delete your data within 30 days
  3. Some data may be retained in backups (90 days maximum)
  4. Anonymized data may remain

8. Your Rights Under GDPR

As an EU data subject, you have the following rights:

8.1 Right to Access

  • Request a copy of your personal data
  • Understand how we process your data
  • Receive data in a structured, commonly used format

How to exercise: Email hello@painapp.health with subject "Data Access Request"

8.2 Right to Rectification

  • Correct inaccurate personal data
  • Complete incomplete data

How to exercise: Update in app settings or email us

8.3 Right to Erasure ("Right to be Forgotten")

  • Request deletion of your personal data
  • Applies when data is no longer necessary
  • Subject to legal retention requirements

How to exercise: Email hello@painapp.health with subject "Data Deletion Request"

8.4 Right to Restrict Processing

  • Limit how we use your data
  • Applies in specific circumstances

How to exercise: Email hello@painapp.health with subject "Restrict Processing"

8.5 Right to Data Portability

  • Receive your data in machine-readable format
  • Transmit data to another service

How to exercise: Email hello@painapp.health with subject "Data Portability Request"

8.6 Right to Object

  • Object to processing based on legitimate interests
  • Object to direct marketing (anytime)

How to exercise: Use unsubscribe link in emails or email us

8.7 Right to Withdraw Consent

  • Withdraw consent for health data processing anytime
  • Does not affect lawfulness of prior processing
  • May limit Service functionality

How to exercise: Email hello@painapp.health with subject "Withdraw Consent"

8.8 Right to Lodge a Complaint

  • File complaint with supervisory authority
  • Estonian Data Protection Inspectorate: https://www.aki.ee/en
  • EU residents can complain to their local authority

8.9 Response Time

We will respond to your requests:

  • Within 30 days (GDPR requirement)
  • Free of charge (for first request)
  • May request identity verification
  • May charge fee for excessive requests

9. International Data Transfers

9.1 Data Location

Your data is primarily stored and processed in the European Economic Area (EEA).

9.2 Transfers Outside EEA

If we transfer data outside the EEA, we ensure adequate protection through:

  • EU Standard Contractual Clauses
  • Adequacy decisions by EU Commission
  • Other approved safeguards

Third-Party Service Transfers:

Some of our service providers may be based outside the EEA:

  • Supabase: May store data in EU or US data centers depending on configuration
  • Posthog: May process analytics data in US/EU servers
  • AI Providers: OpenAI (US), Anthropic (US), Google (US), Meta (US)
  • App Stores: Apple (US), Google (US)

All international transfers are protected by:

  • Standard Contractual Clauses (SCCs)
  • Adequate security measures
  • GDPR-compliant data processing agreements
  • Your explicit consent for AI chatbot data transfers

9.3 Your Rights

You have the right to:

  • Be informed of international transfers
  • Request information about safeguards
  • Object to transfers in certain circumstances

10. Cookies and Tracking

10.1 What We Use

Essential Cookies:

  • Authentication and session management (Supabase)
  • Security features
  • Basic functionality

Analytics Cookies (with consent):

  • Usage statistics (Posthog)
  • Performance monitoring
  • Feature improvement
  • Session recording (if enabled, with consent)

We do NOT use:

  • Advertising cookies
  • Third-party tracking for marketing

10.2 Your Control

You can:

  • Reject non-essential cookies
  • Delete cookies through browser settings
  • Opt out of analytics

Note: Rejecting essential cookies may limit functionality.

11. Children's Privacy

11.1 Age Restriction

PainApp is not intended for anyone under 18 years of age. We do not knowingly collect data from children under 18.

11.2 If We Discover

If we discover we have collected data from a child under 18:

  • We will delete it immediately
  • We will terminate the account
  • Parents/guardians should contact us if this occurs

12. Marketing Communications

12.1 What You Receive

With your consent, we may send:

  • Product updates
  • New features
  • Tips and best practices
  • Special offers

12.2 How to Opt Out

You can opt out by:

  • Clicking unsubscribe in any email
  • Updating preferences in account settings
  • Emailing hello@painapp.health

Note: You will still receive essential service communications (security alerts, account changes, etc.).

13. Automated Decision-Making

13.1 Our Practice

We do NOT use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

13.2 If We Do in Future

We will:

  • Notify you explicitly
  • Obtain your consent
  • Explain the logic involved
  • Give you the right to human intervention

14. Data Breach Notification

14.1 Our Commitment

If a data breach occurs that poses a risk to your rights:

  • We will notify you within 72 hours (GDPR requirement)
  • We will inform the supervisory authority
  • We will explain the breach and our response

14.2 What We Tell You

  • Nature of the breach
  • Data affected
  • Likely consequences
  • Measures taken to address breach
  • Steps you should take

15. Third-Party Services

15.1 Links to Other Sites

PainApp may contain links to third-party websites or services. We are not responsible for their privacy practices.

We recommend:

  • Reading their privacy policies
  • Understanding how they use your data
  • Making informed decisions

15.2 Third-Party Integrations

If you connect third-party services (e.g., health devices):

  • You authorize data sharing
  • Their privacy policies apply
  • We are not responsible for their practices

16. Changes to This Privacy Policy

16.1 Updates

We may update this Privacy Policy from time to time. We will:

  • Post updated policy on our website/app
  • Update "Last Updated" date
  • Notify you of material changes (email or in-app)

16.2 Your Responsibility

You should:

  • Review this policy periodically
  • Understand how we use your data
  • Contact us with questions

16.3 Continued Use

Continued use after changes constitutes acceptance. If you don't agree, stop using the Service and delete your account.

17. Contact Us

17.1 Privacy Questions

For questions about this Privacy Policy or our data practices:

Email: hello@painapp.health

Subject Line: Privacy Inquiry

Mail:

LumeLabs OÜ

Attn: Privacy Officer

Koidu tn 101-26

Tallinn Harjumaa 10139, Estonia

17.2 Data Protection Officer

For GDPR-related inquiries, you may contact our designated privacy contact:

Email: hello@painapp.health

17.3 Supervisory Authority

You have the right to contact the Estonian Data Protection Inspectorate:

Website: https://www.aki.ee/en

Email: info@aki.ee

Phone: +372 627 4135

18. Special Notices for Specific Regions

18.1 European Union / EEA

This Privacy Policy complies with GDPR. Your rights are outlined in Section 8.

18.2 California Residents (if applicable)

If you are a California resident, you may have additional rights under CCPA:

  • Right to know what personal information we collect
  • Right to delete personal information
  • Right to opt out of sale (we don't sell data)
  • Right to non-discrimination

18.3 Other Jurisdictions

We comply with applicable data protection laws in your jurisdiction. Contact us for specific rights in your region.

19. Data Protection Principles

We process your data in accordance with these principles:

  1. Lawfulness, Fairness, Transparency: We process data lawfully and transparently
  2. Purpose Limitation: We collect data for specific, explicit purposes
  3. Data Minimization: We collect only necessary data
  4. Accuracy: We keep data accurate and up to date
  5. Storage Limitation: We retain data only as long as necessary
  6. Integrity and Confidentiality: We protect data with appropriate security
  7. Accountability: We demonstrate compliance with these principles

20. Your Consent

20.1 Consent for Health Data

By using PainApp to track health information, you explicitly consent to:

  • Our collection of health data (special category data)
  • Processing of this data as described in this policy
  • Storage and use for the purposes stated

20.2 Withdrawal

You may withdraw consent at any time by:

  • Emailing hello@painapp.health
  • Deleting your account

Note: Withdrawal does not affect lawfulness of prior processing.

Summary: How We Protect Your Privacy

  • ✓ We encrypt your data
  • ✓ We don't sell your information
  • ✓ You control your health data
  • ✓ You can delete your account anytime
  • ✓ We comply with GDPR
  • ✓ We're transparent about our practices
  • ✓ You have full rights over your data

Questions? Contact us at hello@painapp.health

© 2026 LumeLabs OÜ. All rights reserved.