Privacy Policy
Initial Effective Date: Oct 16 2025
Latest Revised Date: Oct 16 2025
This Privacy Policy describes what data we collect and how we handle your information when you use our mobile apps for iOS and Android. Together with our Terms of Use, this Privacy Policy governs our legal relationship.
For a short Q&A section about this document, please visit our Frequently Asked Questions.
Note: The Q&A section helps explain this policy in simpler terms, but it does not replace the policy itself.
Key Points
Before we start, here are the key points about our Services and your data:
- You mainly interact with our Services by having conversations with our AI chatbot or using our app. Our chatbot is designed to support conversations on topics related to mental health and well-being.
- We may collect and process sensitive data such as information about your health, emotions, feelings, or well-being, but only as much as necessary for the Services to work and to deliver personalized content.
- We process your information solely for the purpose of delivering and improving our Services. If we ever intend to use your data for any other purpose, we will first request your explicit consent.
- We follow industry best practices for data protection. Our security infrastructure is designed to safeguard your data throughout its lifecycle.
- We do not share or sell your personal data to third parties for advertising purposes.
What Data Do We Collect?
First, let's break down the basics: what personal data (or personal information) means, what processing is, and how we handle it at Elomia.
What is Personal Data?
Personal data is any information that can be used to identify you, either on its own or when combined with other information.
This includes obvious identifiers like your name, home address, email address, and phone number. It also covers digital information that can be linked back to you, such as your IP address, device ID, location data, and browsing history.
Even pieces of information that seem anonymous can be considered personal data if they can be combined to identify you. For instance, your age, gender, and zip code, when combined, could identify you. The same is true for sensitive information like your medical records, financial details, biometric data (such as fingerprints), and employment history.
At Elomia, we collect only the data necessary for the Services to function, and you can find the full list below. We believe that the less data we collect, the better.
What is Processing?
Personal data processing means any operation performed on your data, including collection, storage, use, sharing, or deletion, and even turning it into anonymized data.
How Do We Process Your Personal Data?
You can find the data types, their justification, and how we process them below:
| Type of data | Processing reasons | Lawful Basis | Notes on Processing |
|---|---|---|---|
| Email address | To create and manage your account | Performance of the contract | Occurs during registration |
| User ID | To perform A/B testing | Legitimate interest | To reduce how often we store your email, we generate a unique identifier for your profile and use that instead. |
| Information related to your mood, general well-being, feelings, thoughts, and other details you share while using the app | To process inbound messages, analyze them, and deliver personalized content | Performance of the contract | This happens during conversations with the AI chatbot and when we generate content for your "For you" section. |
| Sensitive personal information, or personal health information, including information about mental health | To process inbound messages, analyze them, and deliver personalized content | Consent | This happens during conversations with the AI chatbot and when we generate content for your "For you" section. |
| Email address, full name or nickname, and email content | To process feedback or feature suggestions you send us via email | Performance of the contract | We process this data when you reach out to us via email with suggestions, complaints, or claims |
| Email address and interview results | To conduct in-depth interviews and questionnaires | Legitimate interest when we create a list of users to interview; Consent when we directly ask you to participate | We may use this data to improve our Services. If you agree to participate, we may offer you discounts or other benefits |
| Postal code, address, signature, full name, or nickname | To process refunds or inquiries received at our physical address | Performance of the contract | We may process this information for refund purposes or any Services-related mail if you decide to send it by post |
| Email address | To inform you about technical updates and new features | Legitimate interest | When we launch new features, significantly update our Services, or fix technical issues |
| Log data of your usage of the Services | To analyze how you interact with our Services | Legitimate interest | We may analyze how you tap, for how long and how often you interact with the content, and your usage frequency and preferences |
| Email address | To send you newsletters to promote our products and services | Consent | When you opt in to the newsletter in the Settings section of the Services |
| Only anonymized: conversational data along with language preferences and time of the conversation | To improve safety of our models and AI chatbot quality | No legal basis required for processing anonymized data | We run AI training after we delete all possible identifiers from your personal data. Once data is anonymized so it cannot be linked back to you, it is no longer considered "personal data" under privacy laws. |
Note on Legal Basis:
- "Performance of the contract" means we need this data to provide the Services you signed up for
- "Legitimate interest" means we have a valid business reason to process this data, balanced against your privacy rights
- "Consent" means we have your explicit permission. For example, you provide consent by agreeing to this Privacy Policy and our Terms of Use when you create an account, or by completing optional forms like questionnaires where we clearly explain that you're allowing us to process your data.
Automated Decision-Making
Our Services use AI technology (large language models) to generate personalized responses during your conversations with our chatbot. Here's what you should know:
How It Works
When you send a message, our AI analyzes your input and automatically generates a response based on patterns learned from training data. The AI considers your conversation history, preferences, and onboarding information to personalize its responses.
What Decisions Are Automated
The AI automatically decides what content to show you, including conversation responses and content in the "For you" section. These decisions are based on your interactions, stated preferences, and usage patterns.
Your Control
You have full control over this process. You can:
- Choose what information to share with the chatbot
- Delete messages or your entire conversation history at any time
- Adjust your preferences in Settings
- Stop using the automated features by deleting your account
No High-Impact Decisions
Our AI does not make decisions that significantly affect your legal rights or other important matters. The chatbot provides information and support, but does not diagnose conditions, prescribe treatment, or make binding decisions on your behalf.
If you have questions about how automated decision-making works in our Services, please contact us at privacy@elomia.com.
Data Disclosure to Third Parties
We do not sell your personal data. We do not share your data with third parties for their own marketing or advertising purposes. We only share data with service providers who help us deliver our Services to you, and they are contractually prohibited from using your data for any other purpose.
We work with some third-party service providers who help us deliver and improve our Services under contract. We only share the minimum amount of data necessary for each service to function properly. Here's the breakdown:
| Service provider | Type of provider | Purpose of disclosure | Data shared |
|---|---|---|---|
| OpenAI (USA) | AI Services | AI content generation | Only the data necessary to generate the content in the least possible amount. Depending on the specific content type we generate, it may include your messages, information about your preferences, and your age group. |
| Anthropic (USA) | AI Services | AI content generation | Only the data necessary to generate the content in the least possible amount. Depending on the specific content type we generate, it may include your messages, information about your preferences, and your age group. |
| Google Cloud (USA) | Infrastructure | Server hosting and data storage | All data you provide to us, including messages and account information. (Google Cloud hosts our infrastructure, so all data stored on our servers is physically stored on their secure servers.) |
| Sentry (USA) | Technical | System stability monitoring and error reporting | Device information, language preferences, app version, error logs, timezone, time display format, and IP address. |
| RevenueCat (USA) | Payment | Subscription management (App Store/Google Play) | User ID, IP address, login history (last opened, first used), timezone, subscription status, and purchase history. |
| Mixpanel (USA) | Analytics | App usage analytics | User ID, IP address, answers to questions asked during onboarding, and usage patterns. |
| AppsFlyer (USA) | Analytics | Deep link generation | No personal data (link click information only). |
| Flagsmith (UK) | Optimization | Conducting A/B testing | User ID only. |
| SendGrid (USA) | Communication | Email notifications | Email address only. |
| Firebase (USA) | Communication | Push notifications and analytics | Device information, notification preferences, usage data, user ID, IP address, usage patterns, timezone, and time display format. |
Data Minimization Principle
We follow the principle of data minimization. This means we only share the absolute minimum data required for each service to work properly. For example:
- Our error reporting service provider only receives technical information needed for quality assurance; it does not receive the content of your conversations or your email address.
- Our analytics service providers receive aggregated, often anonymized usage data.
- AI service providers only receive the content necessary to generate your personalized responses. For instance, if we generate an article based on your latest conversation with the chatbot that included five messages, and we are using a fine-tuned model hosted on OpenAI servers, we will send only those five messages to OpenAI without sharing any other information about you.
Please note: If you contact us through third-party platforms, such as other messaging apps or our social media accounts, you are subject to their Terms of Use. We do not control how these providers process your data.
Our Security Framework
This section explains the measures we use to keep your information safe. If you have any suggestions or questions, please reach out to us at support@elomia.com.
PIN and Biometric Authentication
PIN Code
You can set up a PIN to protect your account from unauthorized access by anyone else who might use your device, such as family members or others with access to your device. For better security, we recommend avoiding easy-to-guess codes like your date of birth, sequential numbers (e.g., 1234), or other simple combinations.
Biometric Authentication
On supported devices, you can use Face ID or Touch ID instead of a PIN. Biometric authentication is more secure and means you do not have to enter your PIN each time you log in.
Please note that all biometric data (fingerprints, facial recognition data) is stored locally on your device. We do not collect, access, or store this sensitive information.
Session Management
We use a secure session system with refresh and access tokens to protect your account. If you do not log in for two weeks, you will be automatically logged out. This prevents inactive sessions from being misused.
Data Retention Periods
Active Accounts
While your account is active, we retain your data for as long as necessary to provide the Services to you. This includes:
- Account information (email address, user ID): Retained while your account is active
- Conversation history and messages: Retained while your account is active, unless you delete individual messages or conversations
- Usage logs and analytics data: Retained for up to 24 months from the date of collection
- Support correspondence: Retained for up to 3 years from the date of your last interaction with our support team
Inactive Accounts
If you do not log into your account or use the Services for 3 consecutive years, we may email you to confirm whether you want to keep your account active. If we do not hear back within 30 days, we may delete your account and associated data in accordance with our standard deletion procedures.
Deleted Accounts
If you decide to delete your account, we maintain a 30-day grace period for your convenience. This allows you to restore your account if you change your mind. After 30 days, we will permanently delete all associated data.
You have full control over your data. When you delete your account, all related messages and other information associated with your usage will also be permanently deleted.
Anonymized Data
Please keep in mind that we may still use anonymized data for AI training even after your account is deleted. The anonymization process makes it impossible for us to link that data back to your account. As a result, we cannot delete this data upon account deletion because we have no way to identify which data was yours.
Technical and Organizational Security Measures
In Simple Terms: We protect your data using encryption (scrambling data so only authorized people can read it), strict access controls (limiting who can see your data), regular security testing, and continuous monitoring for threats. We follow security standards including SOC 2 and HIPAA best practices.
Detailed Security Measures:
We implement a layered security approach to protect personal data and ensure the confidentiality, integrity, and availability of our systems. These technical safeguards are continuously reviewed and improved to maintain alignment with industry best practices, including those outlined in SOC 2 and HIPAA.
Data Encryption
- All communication between clients and servers is secured using HTTPS with TLS 1.2 or higher.
- All data stored in databases and cloud storage is encrypted using Google Cloud's native encryption mechanisms, with secure key management practices.
- Authentication data, such as PIN codes, is stored using one-way cryptographic hashing.
Identity and Access Management
- Access to production systems and data is restricted based on predefined security groups and job responsibilities.
- Privileged access is limited to authorized personnel and reviewed regularly.
- Regular audits are performed to verify access rights and remove outdated privileges.
- All access to sensitive systems and data is logged and monitored for anomalies.
Infrastructure and Application Security
- Infrastructure components follow secure baseline configurations managed via automation and configuration management tools.
- Network traffic is filtered through firewalls and access control layers, while backend systems are logically isolated by design.
- All infrastructure and application changes are tracked in a centralized issue management system with approval workflows.
- Web Application Firewalls and Intrusion Detection Systems monitor and filter inbound and outbound traffic for threats.
Threat and Vulnerability Management
- Automated scans are performed weekly to identify known threats, which are triaged and remediated based on severity.
- We use enterprise-grade tools to continuously monitor system performance, latency, and security events.
- We maintain a documented incident response plan, which includes detection, containment, remediation, communication, and post-incident reviews.
Compliance, Risk, and Governance
- Security operational risk assessments are conducted at least annually. Results are logged, prioritized, and tracked in a formal risk register.
- We perform continuous control monitoring and testing to ensure controls are operating effectively.
- Policies and procedures are reviewed, approved, and redistributed annually.
HR Security
- All new hires must pass a background screening prior to onboarding.
- All team members complete security awareness training during onboarding and annually thereafter, including incident reporting procedures and best practices.
Business Continuity
- Encrypted backups are performed regularly and tested to ensure data can be restored in the event of disruption.
- A formal Business Continuity Plan is in place and tested annually through tabletop exercises.
- System resource usage is continuously monitored to ensure scalability and availability.
Vulnerability Disclosure
We take security seriously and encourage responsible disclosure of any vulnerabilities found in our applications or infrastructure. If you believe you have discovered a security issue, please report it to us at security@elomia.com. We appreciate your contribution to keeping Elomia safe.
Your Data Processing Rights
You have several important rights regarding your data. Here's how you can exercise them:
| Scope of the Right | What This Means | How to Exercise This Right |
|---|---|---|
| Right to Be Informed | You have the right to know how we collect, use, and share your personal information before we do so. | You can review this Privacy Policy and our Terms of Use. If you still have questions or would like us to clarify anything, please email us at support@elomia.com. |
| Right to Access | You can request a copy of all the personal information we have about you. | You can contact us to request access to your data. We will provide you with information about what data we have collected, where it came from, and how we are using it. For example, you can request a file containing all your messages, account information, and usage data. |
| Right to Rectification | If any of your personal information is incorrect or incomplete, you can ask us to fix it. | You can update most information directly in the app. To correct your email address or other information you cannot change yourself, contact us at support@elomia.com and we will update it for you. |
| Right to Erasure | You can request that we delete your personal information. | You can go to Settings and select the option to delete your account and all associated data. Alternatively, you can contact us to request deletion of specific information when you no longer need it. |
| Right to Data Portability | You can get your personal data in a format that allows you to easily transfer it to another service. | You can contact us and request your data in a common, machine-readable format (such as CSV or JSON files). For example, you can request your conversation history to upload it to another mental health app. |
| Right to Opt-Out of Sale/Sharing of Personal Information | You can object to the sale of your data to other companies or to receiving personalized ads based on your personal information. | No action is needed. Elomia does not sell your data, does not use your data for targeted advertising, and does not share your data with advertisers. |
| Right to Object to Automated Decision-Making and Profiling | You can request to disable features that use automated decision-making. | You can contact us at support@elomia.com to request disabling specific features. For example, you can ask us to disable AI-generated content in your "For you" section. |
| Right to Limit Use of Sensitive Personal Information | You can ask us not to process your sensitive personal information. | You can control what sensitive information you share during your conversations with our AI chatbot. We will not push you toward sensitive topics unless you choose to raise them. For example, you can discuss general wellness topics without sharing specific health conditions or mental health details. |
| Right to Withdraw Consent | You can take back permission you previously gave us. | You can unsubscribe from newsletters using the link in any email or through Settings. To withdraw other consents, contact us at support@elomia.com at any time and we will process your request. |
How to Exercise Your Rights
You can manage many of your rights directly in the app's Settings. For all other requests, please contact us at privacy@elomia.com.
Fees for Requests
We do not charge a fee for most data requests, including requests for access, rectification, erasure, or portability. However, if your request is clearly unfounded, repetitive, or excessive, we may charge a reasonable administrative fee or refuse to act on the request. If we intend to charge a fee, we will inform you in advance.
Our Response Standard
We will acknowledge receipt of your request within 10 business days and will respond within 45 calendar days. We may extend the response time by an additional 15 calendar days and will notify you promptly if we do so.
Regardless of your location, if your request does not require additional information and is straightforward, we typically respond in less than 2 days.
To process your request efficiently, we may need additional information to verify your identity and the nature of your request. If needed, we will reach out to request further details.
When We Cannot Fulfill Your Request
In some cases, we may not be able to fulfill your request. This can happen if:
- The request is unclear or not directly related to your own data;
- We are restricted by legal requirements or specific case-by-case limitations;
- Your data has already been permanently deleted.
If we cannot process your request, we will inform you promptly and provide further details where applicable.
Contact Information
Elomia is operated by Elomia Health, Inc., registered at: 8 The Green Ste 6359, Dover, DE 19901.
If you have any privacy questions, please contact us at privacy@elomia.com.
For any other questions, comments, or feedback related to the Services, as well as any complaints or claims, please contact us at (302) 244-7193 or by email at support@elomia.com.
If you are a resident of the EEA, in addition to contacting us, you may also refer to the EDPB website, which lists all national data protection authorities.
If you are a resident of Switzerland, find your data protection authority at the EDÖB website.
If you are a resident of the UK, visit the page of your national supervisory authority at ICO.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will post the updated policy here, and you will see the revision date at the top. If the updates significantly impact your experience, we will notify you via push notification in the app or by email.
By continuing to use our Services after changes take effect, you accept the updated Privacy Policy. If the updated policy does not align with your privacy preferences, you may request a refund or cancel your subscription. Learn more about cancellation and refunds in our Terms of Use.