Privacy Statement

Be Autogenic

Privacy Statement - Be Autogenic

Last Updated: January 2026
Version: 2.0

1. Data Controller

MED HUB IMPACT S.R.L.
Aleea Trestiana 3
040377 Bucharest, Romania

Contact:
Email: support@medhubimpact.com
Data Protection Officer: Sven Müller-Garofil

2. Introduction

At Be Autogenic, we are committed to protecting your privacy and ensuring transparency about how we collect, use, and protect your personal data. This Privacy Statement explains your rights under the General Data Protection Regulation (GDPR) and how we comply with data protection laws.

Important: Your session descriptions may contain health-related information. By using our service, you explicitly consent to our processing of this special category data to generate personalized autogenic training sessions (GDPR Art. 9(2)(a)). You can withdraw this consent at any time by deleting your sessions or account.

3. Data We Collect

3.1 Account Data

What we collect:
- Email address (required)
- Name (optional)
- Password (hashed and stored by Auth0 only, never by us)
- Gender preference (male/female/diverse) - used solely for voice selection
- Language preference (English/German/Romanian)
- Email verification status
- Account creation and last login timestamps
- Privacy policy and marketing consent records with timestamps

Legal basis: Contractual necessity (GDPR Art. 6(1)(b))

3.2 Session Content Data

What we collect:
- Your problem descriptions (max 500 characters per session)
- AI-generated session scripts (full text)
- Session audio files (MP3 format, 24kHz, 48kbps mono)
- Session metadata: duration, voice gender, language, AI-generated title
- Session sections and structure
- Session usage statistics: completion count, last played timestamp

Legal basis:
- Contractual necessity (GDPR Art. 6(1)(b)) for service delivery
- Explicit consent (GDPR Art. 9(2)(a)) for health-related content in your descriptions

3.3 Subscription Data

What we collect:
- Current subscription tier (Free Help / Help More / I am content)
- Google Play purchase tokens (for verification only)
- Subscription start and expiry dates
- Auto-renewal status
- Order IDs from Google Play
- Country code (provided by Google Play)
- Monthly session generation count
- Payment state and purchase type

Legal basis:
- Contractual necessity (GDPR Art. 6(1)(b))
- Legal obligation (GDPR Art. 6(1)(c)) for tax and accounting

3.4 Technical Data

What we collect:
- Firebase Cloud Messaging (FCM) tokens for push notifications
- API request logs (request IDs, timestamps, HTTP status codes)
- Error reports and stack traces (for debugging)
- Audio playback preferences (background music enabled/disabled, selected track)
- Session cache metadata (stored locally on your device in encrypted storage)

Legal basis:
- Consent (GDPR Art. 6(1)(a)) for FCM tokens and push notifications
- Legitimate interests (GDPR Art. 6(1)(f)) for error monitoring and service improvement

3.5 Usage Data

What we collect:
- Number of times each session was completed
- Last session completion timestamp
- Monthly session generation quota usage
- Account status (active, frozen, pending deletion)

Legal basis: Legitimate interests (GDPR Art. 6(1)(f)) for service improvement and quota enforcement

3.6 What We Do NOT Collect

We do not collect:
- ❌ Device fingerprints or advertising IDs
- ❌ Location data or GPS coordinates
- ❌ Contact lists or phonebook access
- ❌ Camera or microphone access
- ❌ Browsing history or web activity
- ❌ Third-party analytics or tracking data
- ❌ Biometric data
- ❌ Social media profile information (unless voluntarily shared via Auth0 social login)

4. How We Use Your Data

We process your personal data for the following purposes:

Service Delivery (Legal basis: Contractual necessity)

- Creating and managing your user account
- Authenticating your login sessions
- Generating personalized autogenic training sessions using AI
- Converting session scripts to audio using text-to-speech technology
- Storing your session history for offline access
- Managing your subscription tier and quota limits
- Processing audio playback and background music preferences

Communications (Legal basis: Contractual necessity and Legitimate interests)

- Sending welcome emails upon registration
- Notifying you when sessions are ready or have failed
- Informing you about subscription changes
- Responding to your support requests
- Account deletion confirmations

Marketing (Legal basis: Consent - optional)

- Sending service updates and new feature announcements
- Sharing tips for effective autogenic training
- Promotional offers and special discounts

You can withdraw marketing consent at any time via Profile settings or unsubscribe links in emails.

Service Improvement (Legal basis: Legitimate interests)

- Monitoring errors and performance issues
- Analyzing usage patterns to improve user experience
- Testing new features with super user accounts
- Ensuring service security and preventing fraud

Legal Compliance (Legal basis: Legal obligation)

- Maintaining tax and accounting records for 7 years (Romanian law)
- Responding to lawful requests from authorities
- Enforcing our Terms of Service
- Protecting our legal rights

5. Third-Party Service Providers

To deliver our services, we share your personal data with the following third-party processors. All processors are bound by Data Processing Agreements ensuring GDPR compliance:

5.1 Authentication & User Management

Authentication service provider (USA)
- Purpose: Secure user authentication, password management, email verification
- Data shared: Email, name, password (hashed), email verification status
- Data location: United States
- Safeguards: EU-US Data Privacy Framework, EU Standard Contractual Clauses
- Data retention: Deleted when you delete your account
- Important: Your password is hashed (encrypted one-way) and never stored in plain text. We cannot access your password.

5.2 Cloud Infrastructure & Storage

Microsoft Azure (Microsoft Corporation, USA/EU)
- Services used:
- Azure Data Lake Storage (session audio files, metadata)
- Azure Cognitive Services Speech (text-to-speech conversion)
- Azure Functions (session processing)
- Azure EventGrid (automation triggers)
- Data shared: Session scripts, audio files, user prompts, metadata
- Data location: Azure West Europe (Ireland) - preferred region
- Safeguards: EU Standard Contractual Clauses, ISO 27001, SOC 2
- Data retention: Audio files stored until session deletion; processing data ephemeral
- Privacy policy: https://privacy.microsoft.com/

5.3 Database Services

Cloud database provider (USA/EU)
- Purpose: Secure storage of user accounts, session metadata, subscriptions
- Data shared: All account, session, and subscription data listed above
- Data location: European Union cloud regions (preferred)
- Safeguards: EU Standard Contractual Clauses, encryption at rest (AES-256), ISO 27001 certified
- Data retention: Retained until account deletion (30-day grace period applies)

5.4 AI Content Generation Services

Third-party AI service providers (USA/EU)
- Purpose: Generate personalized autogenic training session scripts using artificial intelligence
- Data shared: Your problem description (max 500 characters), session duration preference, language selection
- Data location: United States and/or European Union data centers
- Data retention: No long-term storage; ephemeral processing only (data is deleted immediately after processing)
- Safeguards: Data Processing Agreements, EU Standard Contractual Clauses, contractual commitment not to use your data for model training or other purposes
- Important: AI providers process your text solely to generate your session and do not retain or use your data afterward

5.5 Email Communications

Email service provider (EU-based)
- Purpose: Transactional and marketing email delivery
- Data shared: Email address, name, session titles, request IDs
- Data location: European Union
- Safeguards: GDPR-compliant EU service, ISO 27001 certified
- Data retention: Email logs retained for 3 years for support and compliance purposes

5.6 Push Notifications

Firebase Cloud Messaging (Google LLC, USA)
- Purpose: Send push notifications for session completion
- Data shared: FCM device tokens, notification delivery status
- Data location: United States (Google Cloud infrastructure)
- Safeguards: EU-US Data Privacy Framework, EU Standard Contractual Clauses
- Data retention: Tokens deleted when you log out or uninstall app
- User control: Manage via device notification settings
- Privacy policy: https://firebase.google.com/support/privacy

5.7 Payment Processing

Google Play Store (Google LLC, USA)
- Purpose: Subscription purchase verification and management
- Data shared: Purchase tokens (for verification only)
- Data received: Order IDs, subscription status, expiry dates, country code
- Important: We do NOT receive your credit card or payment details. Google processes all payment data.
- Safeguards: EU-US Data Privacy Framework, PCI DSS Level 1
- Privacy policy: https://policies.google.com/privacy

6. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), particularly the United States. We ensure adequate protection through:

Safeguards in Place:

- EU Standard Contractual Clauses (SCCs) with all non-EU processors
- EU-US Data Privacy Framework for certified US companies where applicable
- Technical safeguards:
- Encryption in transit: TLS 1.2+
- Encryption at rest: AES-256
- Access controls: Time-limited access tokens with automatic expiry
- ISO 27001 and SOC 2 certified service providers

Data Storage Locations:

- Primary storage: European Union (Ireland) - within EU
- Processing: United States (authentication, AI processing, cloud services)
- Email services: European Union (France) - within EU
- Database: European Union cloud regions (preferred)

You can obtain a copy of the safeguards in place by contacting support@medhubimpact.com.

7. Data Retention Periods

Active Accounts

- Account data: Retained while your account is active
- Session data: Retained indefinitely until you delete the session or account
- Subscription history: Retained for 7 years (Romanian tax law requirement)
- FCM tokens: Retained until you log out or uninstall the app

Deleted Accounts

- Grace period: 30 days - data inaccessible but recoverable if you change your mind
- Permanent deletion: Within 14 days after grace period expires
- Exception: Subscription payment records retained for 7 years (legal obligation)

Communications

- Transactional email logs: 3 years (for support and dispute resolution)
- Marketing communications: Until consent is withdrawn

Technical Data

- API request logs: 90 days
- Error reports: 1 year
- Session cache (local device): Until app uninstall or cache cleared

8. Local Data Storage on Your Device

Our app stores data locally on your device to enable offline functionality and improve performance:

What's Stored Locally:

- Encrypted Storage (FlutterSecureStorage):
- Authentication tokens (JWT)
- Cached session metadata
- Shared Preferences:
- App settings
- Language preference
- Background music preferences (track selection, enabled/disabled)
- Local Audio Cache:
- Downloaded session MP3 files for offline playback

Important:

- This data is stored only on your device
- We cannot access this local data remotely
- Local data is deleted when you uninstall the app or clear app data
- We do not use cookies or web tracking technologies

9. Data Security Measures

We implement industry-standard security measures to protect your personal data:

Technical Safeguards:

- Encryption in transit: All data transmitted via HTTPS/TLS 1.2+
- Encryption at rest: AES-256 encryption for stored data (MongoDB, Azure Storage)
- Authentication security:
- Passwords hashed using bcrypt (managed by Auth0)
- Multi-factor authentication available via Auth0
- JWT token-based authentication with expiry
- Secure token storage: Auth tokens stored in encrypted local storage (FlutterSecureStorage)
- Access controls:
- Time-limited SAS tokens (1-hour expiry) for audio file downloads
- Role-based access control on backend APIs
- Email verification required for account activation

Organizational Safeguards:

- Regular security updates and dependency scanning
- Data Processing Agreements with all third-party processors
- Limited employee access to personal data (need-to-know basis)
- Incident response procedures for data breaches

Important Notice:

Despite our best efforts, no method of transmission or storage is 100% secure. If you have security concerns or notice suspicious activity, contact us immediately at support@medhubimpact.com.

10. Your Rights Under GDPR

You have the following rights regarding your personal data:

Right to Access (Art. 15)

Request a copy of all personal data we hold about you.

How to exercise: Email support@medhubimpact.com with subject "Data Access Request"

Right to Rectification (Art. 16)

Correct inaccurate or incomplete data.

How to exercise: Update your profile information via the app's Profile screen, or email support@medhubimpact.com

Right to Erasure / "Right to be Forgotten" (Art. 17)

Request deletion of your personal data.

How to exercise:
- In-app: Profile → Delete Account
- Email: support@medhubimpact.com with subject "Account Deletion Request"
- Note: 30-day grace period applies; you can restore your account within this period

Right to Restrict Processing (Art. 18)

Temporarily suspend data processing while we investigate your concerns.

How to exercise: Email support@medhubimpact.com

Right to Data Portability (Art. 20)

Receive your data in a structured, machine-readable format (JSON or CSV).

How to exercise: Email support@medhubimpact.com with subject "Data Portability Request"

Right to Object (Art. 21)

Object to processing based on legitimate interests (e.g., error monitoring).

How to exercise: Email support@medhubimpact.com

Right to Withdraw Consent (Art. 7(3))

Withdraw consent for:
- Marketing emails (via Profile settings or unsubscribe links)
- Push notifications (via device settings)
- Health-related session data processing (by deleting sessions/account)

Important: Withdrawing consent for essential processing (e.g., account authentication) may prevent us from providing the service.

Right to Lodge a Complaint

If you believe we are not complying with GDPR, you have the right to lodge a complaint with a supervisory authority.

Romanian Data Protection Authority (ANSPDCP):
- Website: www.dataprotection.ro
- Email: anspdcp@dataprotection.ro
- Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania

EU Supervisory Authorities: https://edpb.europa.eu/about-edpb/board/members_en

11. Email Communications Policy

Transactional Emails (Cannot opt out - Contractual necessity)

- Welcome email upon registration
- Email verification requests
- Session completion notifications
- Session error/failure notifications
- Subscription change confirmations
- Password reset emails
- Account deletion confirmations

These emails are essential for service delivery and account security.

Marketing Communications (Consent-based - Can opt out)

- Service updates and new feature announcements
- Tips for effective autogenic training practice
- Promotional offers and special discounts
- Educational content about autogenic training

How to manage:
- Opt-in: During signup or via Profile settings
- Opt-out: Unsubscribe link in each marketing email or via Profile settings
- Email: support@medhubimpact.com

12. Automated Decision-Making and AI Usage

AI-Powered Content Generation

We use third-party artificial intelligence services to generate personalized autogenic training session scripts based on your problem description. This AI processing:
- Is NOT automated decision-making with legal or similarly significant effects
- Does not affect your access to the service or subscription
- Does not profile you for marketing or advertising purposes
- Can be bypassed by deleting and regenerating sessions if you're unsatisfied
- Your data is processed only for session generation and is not used to train AI models

No Profiling

We do not use profiling or automated decision-making to:
- Determine your subscription eligibility
- Restrict access to features
- Make decisions about your account status

13. Children's Privacy

Our service is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16.

If you are a parent or guardian and believe your child has provided us with personal data:
- Contact us immediately at support@medhubimpact.com
- We will delete such data within 14 days
- We may request proof of guardianship to process the request

14. Premium Features

Background Music (I am content subscription only)

If you enable background music during sessions:
- Your music preference (enabled/disabled) and selected track are stored locally on your device
- This preference is synchronized with our servers to persist across devices
- No audio playback data or listening statistics are transmitted to us
- Music files are bundled with the app; no streaming or external downloads occur

15. Data Breach Notification

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms:
- We will notify the Romanian Data Protection Authority (ANSPDCP) within 72 hours
- We will notify you via your registered email address without undue delay
- The notification will include:
- Nature of the breach
- Likely consequences
- Measures taken or proposed to address the breach
- Contact point for further information

If you suspect unauthorized access to your account:
- Change your password immediately via Auth0
- Contact us at support@medhubimpact.com
- Enable multi-factor authentication if available

16. Changes to This Privacy Statement

We may update this Privacy Statement from time to time to reflect:
- Changes in our data processing practices
- New features or services
- Legal or regulatory requirements
- Security enhancements

How we notify you:

- Material changes: We will obtain fresh consent if required by law (e.g., new processing purposes)
- Non-material changes: Notice via email or in-app notification
- Version history: Available upon request at support@medhubimpact.com

Last updated: January 2026
Version: 2.0
Previous version: 1.0 (date of previous version)

17. Contact Us

If you have questions about this Privacy Statement or wish to exercise your rights:

Email: support@medhubimpact.com
Subject line: "Privacy Inquiry - [Your Request]"

Data Protection Officer: Sven Müller-Garofil
Company: MED HUB IMPACT S.R.L.
Address: Aleea Trestiana 3, 040377 Bucharest, Romania

Response time: We will respond to all requests within 30 days as required by GDPR Article 12(3).

18. Legal Framework

This Privacy Statement is governed by:
- Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR)
- Romanian Law 190/2018 on measures to implement GDPR
- ePrivacy Directive 2002/58/EC

© 2026 MED HUB IMPACT S.R.L. All rights reserved.

This Privacy Statement was last reviewed and approved on [Date] and complies with GDPR requirements as of January 2026.