Privacy Policy

2. Data Controller

The data controller (the entity responsible for determining how and why your personal data is processed) is:

Data Protection Officer (DPO)

We have appointed a Data Protection Officer in accordance with GDPR Article 37. For all privacy-related inquiries and data subject requests, please contact:

Email: dpo@holisticunity.app
Support: support@holisticunity.app
Website: holisticunity.app

3. Data We Collect

We collect and process various categories of personal data to provide our Service. The data you provide is collected in different ways:

3.1 Information You Provide Directly

• Account Registration: Full name, email address, phone number, password, date of birth, gender, address, and profile photograph.
• Payment Information: Credit/debit card details, billing address, and transaction history (processed securely via Stripe; we do not store full card numbers).
• Consultation Details: Therapy type requested, health/wellness concerns shared in session descriptions, consultation notes, and session recordings (with your explicit consent).
• Communications: Messages sent through our messaging system, support requests, feedback, and reviews.
• Survey and Preference Data: Information collected through optional surveys, polls, and preference questionnaires to improve our Service.

3.2 Information Collected Automatically

• Device Information: Device type, operating system, browser type, unique device identifiers, mobile network information, and IP address.
• Usage Data: Pages viewed, features accessed, time spent, links clicked, session duration, and clickstream data. This helps us understand how you interact with our Service and improve user experience.
• Geolocation Data: Approximate location based on IP address (not GPS-based unless explicitly enabled by you for location-based features).
• Cookies and Tracking Technologies: Persistent and session-based cookies, web beacons, and similar tracking technologies (see Section 8 for details).

3.3 Information from Third Parties

• Identity Verification: We may receive identity verification data from third-party verification providers to ensure platform safety and regulatory compliance.
• Referral Data: Information about users who refer you to our Service, if applicable.
• Third-Party Integrations: Data shared through authorized third-party integrations, if you choose to link your Holistic Unity account with other services.

4. Purposes of Processing

We process your personal data for the following purposes:

4.1 Service Delivery

• Creating and maintaining your account
• Matching you with suitable holistic therapists
• Facilitating and hosting online video consultation sessions
• Processing payments and managing invoices
• Sending appointment reminders and session follow-ups

4.2 Personalization and Improvement

• Personalizing your experience based on preferences and behavior
• Analytics to understand Service usage patterns and optimize features
• A/B testing to improve user interface and experience

4.3 Marketing and Communications

• Sending promotional emails, newsletters, and service updates
• Targeted advertising and product recommendations
• Conducting market research and surveys

4.4 Legal and Regulatory Compliance

• Complying with legal obligations and court orders
• Fraud detection, prevention, and security investigations
• Identity verification and AML/KYC compliance
• Ensuring compliance with Terms of Service

4.5 Safety and Security

• Monitoring for suspicious or unauthorized activities
• Protecting against fraud, abuse, and other harmful conduct
• System security and network reliability

5. Legal Basis for Processing

Under GDPR Article 6, we process your personal data based on one or more of the following legal bases:

5.1 Consent (Article 6(1)(a))

For marketing communications, targeted advertising, cookies (non-essential), and optional features, we rely on your explicit consent. You can withdraw consent anytime through your account settings or by contacting us.

5.2 Contractual Necessity (Article 6(1)(b))

We process personal data necessary to enter into and perform the contract with you, including account creation, session facilitation, payment processing, and service delivery.

5.3 Legal Obligation (Article 6(1)(c))

We may process data to comply with legal obligations, including tax laws, anti-money laundering regulations, and law enforcement requests.

5.4 Legitimate Interests (Article 6(1)(f))

We may rely on legitimate interests for:

• Fraud detection and platform security
• Service improvement and analytics
• Targeted advertising and product recommendations
• Network and system administration
• Marketing and business development

When relying on legitimate interests, we balance our interests against your rights and freedoms.

5.5 Special Categories of Data (GDPR Article 9)

Your health and wellness information (shared during session descriptions and consultations) may constitute special categories of data under GDPR Article 9. We process such data only:

• With your explicit written consent
• To fulfill our contractual obligations to you
• As permitted by law for occupational health purposes

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, or as required by law. Retention periods vary depending on the data category:

6.1 Account and Profile Data

Retained for the duration of your account plus 3 years after account deletion (to comply with tax and fraud prevention obligations).

6.2 Consultation and Health Data

Session recordings and detailed consultation notes are retained for 7 years (standard therapeutic record retention), unless you request deletion earlier. Summary billing records are retained for 10 years (tax obligations).

6.3 Payment Information

Transaction records are retained for 10 years for tax and regulatory compliance. Full card details are not stored by us (handled directly by Stripe).

6.4 Marketing and Browsing Data

Usage logs and analytics data are retained for 12 months. Marketing email lists are maintained until you unsubscribe, after which they are retained for legal archiving for 1 additional year.

6.5 Cookies and Tracking Data

Session cookies are deleted automatically when you log out or close your browser. Persistent cookies are retained according to their expiration date (typically 1-2 years), unless you clear cookies manually.

6.6 Legal Proceedings

Data relevant to ongoing or potential legal disputes will be retained until the matter is fully resolved plus applicable statute of limitations periods.

7. Third-Party Services and Data Sharing

We share your personal data with trusted third-party service providers only when necessary to deliver our Service or meet legal obligations. Third parties act as Data Processors and are bound by confidentiality and security agreements.

7.1 Payment Processing (Stripe)

We use Stripe (stripe.com) to process payments securely. We share your name, email, billing address, and transaction amounts with Stripe. Stripe does not share your full card number with us. We do not store or process raw card data.

7.2 Backend Infrastructure (Supabase)

Supabase (supabase.com) hosts our backend infrastructure and database. Your account data, consultation records, and session logs are stored within Supabase's secure cloud infrastructure (hosted in Europe).

7.3 Video Conferencing (LiveKit)

We use LiveKit Cloud (livekit.io) to deliver live audio and video consultation sessions. LiveKit acts as a Data Processor under our Data Processing Agreement. During a session, LiveKit processes:

• Audio and video streams (transmitted end-to-end between participants; LiveKit does not store the content of the streams)
• Session metadata (start time, duration, room identifier, participant identifiers)
• Your IP address and basic device/network information required to establish the WebRTC connection

Our current configuration does not record sessions. Session metadata logs are retained by LiveKit for approximately 24 hours for operational purposes and then deleted. Where cross-border transfers occur, we rely on Standard Contractual Clauses.

7.4 Transactional and Marketing Email (Brevo)

We use Brevo (brevo.com, formerly Sendinblue, headquartered in the European Union) to send appointment reminders, account notifications, and — only if you opt in — marketing communications. The personal data shared with Brevo is your email address, display name, and marketing-consent state. Marketing email may be disabled at any time from in-app Settings or via the unsubscribe link in every marketing message.

7.5 Identity Verification and Fraud Prevention

For regulatory compliance and fraud prevention, we may share limited identity data with specialized third-party verification services.

7.6 Website Analytics (Google Analytics)

Our public marketing website (holisticunity.app) uses Google Analytics 4 (measurement ID G-0WEMYZ5DZ0) to collect aggregated usage data. Data may be processed in the United States under the EU-US Data Privacy Framework. You can opt out via the cookie consent banner, browser extensions, or by rejecting non-essential cookies. Google Analytics is NOT used inside the iOS app or the authenticated therapist portal.

7.7 In-App Messaging (Stream Chat)

In-app messaging is powered by Stream Chat (Stream.io Inc., getstream.io, headquartered in the United States). Stream is a Data Processor under our DPA and relies on Standard Contractual Clauses for EU-US transfers. We share your user identifier, display name, avatar URL, message content, attachments, typing and read-state events, and channel membership metadata. Messages are retained until deleted by either party or until your account is deleted.

7.8 Error Monitoring (Sentry)

We use Sentry (sentry.io) to collect crash reports and application error telemetry. Data sent to Sentry is intentionally minimised: opaque user identifier (never email, phone, name, or user-typed content), stack traces, device model, OS version, and recent-actions breadcrumbs. Screenshots and session replays are disabled. Retention is 90 days.

7.9 Authentication Providers (Sign in with Apple, Google, Microsoft)

If you choose to sign in with Apple, Google, or (therapists only, Outlook calendar) Microsoft, we receive a minimal set of identity attributes from that provider (typically name and email). We do not receive your password. Each provider's privacy policy applies to the data held by them.

7.10 Application Hosting (Vercel)

The marketing website, therapist portal, and admin dashboard are hosted on Vercel (vercel.com). Vercel processes basic request metadata (IP, user agent, pages visited) for operational purposes and acts as a Data Processor under our DPA.

7.11 Push Notifications (Apple Push Notification Service)

When you enable push notifications, Apple issues an opaque device token which we store in order to deliver notifications via the Apple Push Notification service (APNs). Notification content is limited to what you would otherwise see inside the app. You can disable notifications at any time from iOS Settings.

7.12 No Unauthorized Sharing

We do NOT sell, rent, or share your personal data to third parties for marketing purposes without explicit consent.

7.13 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, your personal data may be transferred as part of that transaction.

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience, analyze how you use our Service, and deliver personalized content and advertising.

8.1 Types of Cookies

• Essential Cookies: Necessary for core functionality (authentication, security, session management). Set automatically without consent.
• Performance Cookies: Track usage patterns and page performance. Require consent but are important for improving our Service.
• Functional Cookies: Remember your preferences (language, theme, settings). Enhance personalization. Require consent.
• Marketing/Advertising Cookies: Enable targeted advertising and remarketing. Require explicit consent.

8.2 Consent and Opt-Out

When you first visit our website, you will be presented with a cookie consent banner. You can:

• Accept all cookies
• Accept only essential cookies
• Customize which categories you consent to
• Withdraw or modify your consent in account settings

You can also opt-out of marketing cookies by visiting the Network Advertising Initiative or the Digital Advertising Alliance.

8.3 Cookie Duration

• Session Cookies: Deleted when you close your browser
• Persistent Cookies: Remain on your device for 1-2 years, depending on cookie type

8.4 Third-Party Cookies

Third-party cookies may be placed on your device by our advertising partners (Google, Meta/Facebook, etc.) for remarketing and audience segmentation.

9. International Data Transfers

Our primary data storage is within the European Union (via Supabase Europe). Brevo is also EU-based. Some sub-processors are headquartered in the United States and may store or process data there: Stripe, Stream Chat, Sentry, Vercel, Google Analytics (marketing site only), and LiveKit infrastructure regions. Apple Push Notification Service is delivered globally. For each we rely on the legal mechanisms in Section 9.1.

9.1 Legal Mechanisms

When transferring data outside the EEA, we use appropriate legal safeguards:

• Standard Contractual Clauses (SCCs): For transfers to non-adequacy third countries, we implement EU-approved Standard Contractual Clauses.
• Supplementary Measures: We implement supplementary technical and organizational measures to protect your data.
• Adequacy Decisions: Where available, we rely on EU Commission Adequacy Decisions.

9.2 Your Rights Regarding Transfers

You have the right to request information about the mechanisms we use for international transfers. Contact our DPO for details about our transfer agreements and supplementary safeguards.

10. Your Data Rights Under GDPR

Under GDPR and Italian data protection law, you have the following rights regarding your personal data:

10.1 Right to Access (Article 15)

You have the right to request a copy of all personal data we hold about you in a structured, commonly used, machine-readable format. We will provide this within 30 days of your request.

10.2 Right to Rectification (Article 16)

You can request correction or update of inaccurate or incomplete personal data. You can also update most information directly in your account settings.

10.3 Right to Erasure ('Right to be Forgotten') (Article 17)

You may request deletion of your personal data under certain circumstances, such as:

• Data is no longer necessary for the purposes it was collected
• You withdraw consent for processing based on consent
• You object to processing for legitimate interests

Note: We may retain certain data for legal, tax, or fraud prevention purposes as described in Section 6 (Data Retention).

10.4 Right to Data Portability (Article 20)

You have the right to obtain a copy of your personal data in a structured, commonly used, machine-readable format (e.g., CSV, JSON) and to transmit it to another data controller without hindrance.

10.5 Right to Restrict Processing (Article 18)

You may request that we limit how we process your data (e.g., suspend processing while you contest its accuracy).

10.6 Right to Object (Article 21)

You have the right to object to processing of your data for:

• Marketing and promotional purposes (including targeted advertising)
• Profiling for direct marketing
• Processing based on legitimate interests (where it outweighs your rights)

We will cease processing immediately unless we can demonstrate compelling legitimate grounds for continuing.

10.7 Right to Lodge a Complaint

If you believe we have violated your data protection rights, you have the right to lodge a complaint with the relevant data protection authority in your country. In Italy, this is:

Garante per la Protezione dei Dati Personali
Piazza di Monte Citorio, 121
00186 Roma (RM), Italy
Phone: +39 06 696 77 777
Email: garante@gpdp.it
Website: www.gpdp.it

10.8 Exercising Your Rights

To exercise any of these rights, contact us at:

• Email: dpo@holisticunity.app
• Support: support@holisticunity.app
• Account Settings: You can exercise some rights directly in your account.

We will respond to all rights requests within 30 days (or up to 60 days for complex requests) as required by GDPR.

11. Security and Data Protection

We implement comprehensive technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

11.1 Technical Security Measures

• Encryption: All data in transit is encrypted using TLS 1.2+ (HTTPS). Sensitive data at rest is encrypted using AES-256.
• Authentication: Multi-factor authentication (MFA) available for accounts. Passwords are hashed using industry-standard algorithms.
• Access Control: Principle of least privilege. Employee access is limited to necessary data and logged.
• Intrusion Detection: Firewalls, DDoS protection, and continuous network monitoring.
• Vulnerability Management: Regular security audits, penetration testing, and patch management.

11.2 Organizational Security Measures

• Data Protection Training: All employees receive regular training on data protection and privacy.
• Confidentiality Agreements: All employees and contractors sign strict confidentiality agreements.
• Incident Response Plan: We have documented procedures for responding to data breaches.
• Data Processing Agreements: All third-party processors have signed Data Processing Agreements.

11.3 Notification of Data Breaches

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify you without undue delay (within 72 hours when feasible)
• Provide details about the breach, affected data, and measures being taken
• Notify the data protection authority as required by law

11.4 Limitations of Security

While we implement strong security measures, no method of transmission over the internet or electronic storage is completely secure.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:

Primary Contact

STORM X DIGITAL S.R.L.
Data Protection Officer: dpo@holisticunity.app
Customer Support: support@holisticunity.app
Website: holisticunity.app

Mailing Address

STORM X DIGITAL S.R.L.
Via Strada del Carro 24
76011 Bisceglie (BA)
Italy
VAT/P.Iva: 08789080721
PEC: stormxdigital@pec.it

Data Protection Authority

For complaints or inquiries to the Italian data protection authority:

Garante per la Protezione dei Dati Personali
Piazza di Monte Citorio, 121
00186 Roma (RM), Italy
Phone: +39 06 696 77 777
Email: garante@gpdp.it
Website: www.gpdp.it

Response Time

We will respond to all inquiries and data rights requests within 30 days (or up to 60 days for complex requests).