Effective from 2024-01-01
Privacy Policy
Den Krøllede Hjerne is a mental-health companion app. We collect and process personal data — including sensitive health-related content — to provide the service. This policy explains what data we collect, why we collect it, who we share it with, and your rights as a data subject under the General Data Protection Regulation (GDPR). By creating an account you give explicit consent to the processing described here, including the processing of special-category data under GDPR Article 9(2)(a).
What Data We Collect
We collect the following categories of personal data:
- Email address — used for authentication and transactional email
- Display name — shown inside the app
- User ID — a WorkOS-issued identifier that links your account across sessions
- Free-text content (journal entries, dreams, worry-box entries, gratitude items, exercise notes, evaluation answers, scheduled-item titles, habit names, sleep notes, mood notes, before-bed-activity notes) — stored ONLY on your device. We do not collect, store, or process this content on our servers.
- Structured health data — mood and sleep ratings, emotion tags, completion flags, streak counts, onboarding-declared therapy concerns, and breathing session durations. This structured data is stored on our servers and is described in the Special Category Data section below.
- Usage analytics — product interaction events (screens visited, features used); session replay is disabled
- Crash data — stack traces and device metadata collected when the app crashes
Special Category Data (GDPR Article 9)
Mood and sleep ratings, emotion tags, and onboarding-declared therapy concerns constitute data concerning health within the meaning of GDPR Article 9(1). Free-text journal and exercise content also constitutes Article 9 data, but we mitigate Article 9 risk by storing it ONLY on your device — we never receive it. Lawful basis for the structured data we do process: explicit consent under Article 9(2)(a).
You may withdraw consent at any time by deleting your account. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
We do not use health-category data for advertising, profiling, or sale to third parties.
How We Use Your Data
We use your personal data for the following purposes:
- App functionality — delivering the mental-health exercises, tracking your progress, and personalising the experience
- Crash debugging — identifying and fixing errors using anonymised crash reports
- Product improvement — understanding which features are used (via aggregated analytics) to guide development
We do not sell your data. We do not serve advertising. We do not profile you for third-party marketing. Health-category content is never shared with any party other than the subprocessors listed below, and only to the extent necessary to operate the service.
Data Retention
We retain personal data for the periods set out below:
- Account data (email, display name, user ID) and server-stored structured health data (mood and sleep ratings, completion flags, onboarding-declared therapy concerns) — retained for as long as your account exists, until you delete it
- Analytics events — 365 days from the date of collection, then automatically purged
- Crash reports — 90 days from the date of collection, then automatically purged
- Email OTP codes — 15 minutes from issuance; codes expire and are invalidated automatically
When you delete your account all health-category content and account data are removed within 30 days. Some anonymised, non-identifiable aggregate statistics may be retained indefinitely.
Subprocessors
We share personal data with the following subprocessors, each bound by a Data Processing Agreement (DPA) with us:
- Convex (database — stores identity, structured selections, audit logs, and schedule metadata; does NOT store your free-text content; hosted in [region — verify before ship])
- WorkOS (authentication — magic-link email delivery; receives your email address)
- Sentry (crash and error telemetry — receives masked screenshots, no plaintext content; hosted in US, SCCs in place)
- Expo (EAS) — mobile app build infrastructure and over-the-air update delivery; DPA: https://expo.dev/privacy
- Apple Push Notification service and Google Firebase Cloud Messaging (push delivery for system events only — never user content)
- PostHog (product analytics — receives usage events; session replay is disabled)
- Resend (transactional email delivery — sends authentication OTP codes)
Apple iCloud and Google Drive are NOT subprocessors: your free-text content is excluded from OS backup, so neither receives it.
Subprocessor Data Processing Agreements
Each subprocessor has published a Data Processing Agreement covering GDPR obligations. Links are provided for your review:
- Convex DPA: https://www.convex.dev/dpa
- WorkOS DPA: https://workos.com/dpa
- Sentry DPA: https://sentry.io/legal/dpa/
- PostHog DPA: https://posthog.com/dpa
- Resend DPA: https://resend.com/legal/dpa
- Expo (EAS) DPA: https://expo.dev/privacy
If you have questions about any subprocessor's data practices, contact us at kontakt@denkroelledehjerne.dk and we will assist.
Your Rights Under GDPR
As a data subject under the GDPR you have the following rights:
- Right of access (Article 15) — you may request a copy of the personal data we hold about you
- Right to erasure (Article 17) — you may request deletion of your personal data ("right to be forgotten"). See "Right to Erasure" below for how deletion works with our local-only architecture.
- Right to data portability (Article 20) — you may export your data in a structured, machine-readable format directly from the app. See "Data Export" below.
- Right to object (Article 21) — you may object to processing based on legitimate interests
- Right to rectification (Article 16) — you may request correction of inaccurate data
- Right to restrict processing (Article 18) — you may request that processing be limited in certain circumstances
To exercise any of these rights, contact us at kontakt@denkroelledehjerne.dk. We aim to respond within 30 days. Where we cannot fulfil a request we will explain why.
Danish users may also lodge a complaint with Datatilsynet, the Danish Data Protection Authority, at https://www.datatilsynet.dk.
Right to Erasure (GDPR Article 17)
You may delete your account at any time via Settings → Delete Account.
When you tap Delete Account, we clear your local content from this device FIRST, then delete your server-side identity and structured data. The local wipe is synchronous and completes before any network request is made. This order ensures there is no window in which your free-text content (journal entries, dreams, worry-box notes, etc.) survives on a deleted account.
If you signed in on another device, that device retains its local content until you delete the account there too or uninstall the app. Because your free-text content is stored only on each device and we never receive it, we cannot delete it from devices other than the one you use to request deletion. This is an inherent property of local-only storage.
Server-side structured data (mood ratings, completion flags, insight counters, audit logs) is deleted within 30 days of your request via a background cascade. Some anonymised, non-identifiable aggregate statistics may be retained indefinitely.
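The deletion order described in this section, modelled as an added TypeScript example that is not Den Krøllede Hjerne's own code. The `LocalContentStore` and `AccountApi` interfaces, the in-memory `MemoryStore`, and the `RecordingApi` stand-in are all assumptions made for the illustration; the point it shows is that the device-side wipe finishes before the first network call, and that a failed server call leaves no free-text content behind on the device.

```typescript
// Added example (not the app's own code): the local-wipe-first deletion
// order from the privacy policy, modelled with in-memory stand-ins.
// Assumed interfaces: LocalContentStore (device-side, synchronous) and
// AccountApi (server-side cascade over the network). Both are hypothetical.

export interface LocalContentStore {
  keys(): string[];
  set(key: string, value: string): void;
  clearAll(): void; // synchronous: no network, complete before returning
}

export interface AccountApi {
  deleteAccount(userId: string): Promise<void>;
}

export type DeleteOutcome =
  | { status: "deleted" }
  | { status: "local-wiped-server-pending"; error: string };

export async function deleteAccount(
  local: LocalContentStore,
  api: AccountApi,
  userId: string,
): Promise<DeleteOutcome> {
  // Step 1: wipe free-text content on this device BEFORE any request leaves it.
  local.clearAll();
  if (local.keys().length !== 0) {
    // Refuse to continue: deleting the account while local content survives
    // would open exactly the window the policy rules out.
    throw new Error("local wipe incomplete; aborting before network call");
  }

  // Step 2: ask the server to cascade-delete identity and structured data.
  try {
    await api.deleteAccount(userId);
    return { status: "deleted" };
  } catch (e) {
    // The device is already clean; only the server-side cascade needs a retry.
    return { status: "local-wiped-server-pending", error: String(e) };
  }
}

// Constructed in-memory stand-in for the encrypted on-device store.
export class MemoryStore implements LocalContentStore {
  private data = new Map<string, string>();
  keys(): string[] { return [...this.data.keys()]; }
  set(key: string, value: string): void { this.data.set(key, value); }
  clearAll(): void { this.data.clear(); }
}

// Constructed stand-in for the server API. It records how many local keys
// were still present at the moment the network call was made, so the
// ordering guarantee can be checked rather than assumed.
export class RecordingApi implements AccountApi {
  localKeysAtCall: number[] = [];
  constructor(private store: LocalContentStore, private failWith?: string) {}
  async deleteAccount(_userId: string): Promise<void> {
    this.localKeysAtCall.push(this.store.keys().length);
    if (this.failWith) throw new Error(this.failWith);
  }
}

// Runs both paths (server reachable, server unreachable) and returns evidence.
export async function demo(): Promise<{
  okOutcome: DeleteOutcome;
  okKeysAtCall: number[];
  failOutcome: DeleteOutcome;
  failKeysAtCall: number[];
  failRemainingKeys: number;
}> {
  const s1 = new MemoryStore();
  s1.set("journal:2024-01-05", "constructed sample entry"); // constructed data
  s1.set("worrybox:1", "constructed sample worry");         // constructed data
  const okApi = new RecordingApi(s1);
  const okOutcome = await deleteAccount(s1, okApi, "user_demo");

  const s2 = new MemoryStore();
  s2.set("dream:1", "constructed sample dream");            // constructed data
  const failApi = new RecordingApi(s2, "network unavailable");
  const failOutcome = await deleteAccount(s2, failApi, "user_demo");

  return {
    okOutcome,
    okKeysAtCall: okApi.localKeysAtCall,
    failOutcome,
    failKeysAtCall: failApi.localKeysAtCall,
    failRemainingKeys: s2.keys().length,
  };
}
```

The `RecordingApi` is the part worth copying into a real test suite: it observes the device store at the instant the server is contacted, which turns the policy's "local first" promise into an assertion instead of a code-review convention. The failure path returns a distinct status rather than throwing, so the app can schedule a retry of the server cascade without ever restoring the content it already wiped.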
Data Export (GDPR Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format.
Settings → Export my data produces a single JSON file containing:
- Your server-stored structured data: mood and sleep ratings, completion flags, emotion tags, breathing session durations, habit streaks, audit log entries, and account identity.
- Your on-device free-text content: journal entries, dreams, gratitude items, worry-box notes, exercise answers, check-in notes, scheduled-item titles, and habit names.
A sensitivity warning is shown before the file is produced: "This file contains sensitive personal information including health-related notes. Only share it with services you trust." You must confirm before the file is written and the share sheet opens.
Each export generates an audit log entry so you (and we) have a record of when your data was exported.
Data Security
We implement appropriate technical and organisational measures to protect your personal data:
- Encryption in transit — all data transmitted between the app and our servers is protected by TLS
- Encryption at rest (server-side) — data stored in Convex is encrypted at rest under Convex-managed keys
- Encryption at rest (device-side) — your free-text content lives in your device's app sandbox using MMKV with at-rest encryption (256-bit key generated on first launch, stored in your device's Keychain on iOS / Keystore on Android — never transmitted off-device). The MMKV file uses iOS NSFileProtectionComplete (data unreadable when the device is locked) and is excluded from iCloud Backup and Google Drive Backup. This means only your unlocked device can decrypt your content, and neither Apple nor Google ever receives a copy. The trade-off: if you lose your device or wipe it without using Settings → Export my data first, your free-text content cannot be recovered.
- Authentication security — WorkOS AuthKit supports multi-factor authentication; OTP codes expire within 15 minutes
- Access controls — service account access to production data is limited to the minimum necessary for operations
No security system is 100% secure. In the event of a data breach that affects your rights and freedoms we will notify you and the relevant supervisory authority as required by GDPR Articles 33 and 34.
Multi-Device and Data Loss
This app is designed for one device per user. Your free-text content does not sync across devices through our servers, and it is excluded from iCloud Backup and Google Drive Backup so that neither Apple nor Google ever receives it. To preserve your content across devices, use Settings → Export my data BEFORE switching devices. If you lose your device or uninstall the app without exporting, your free-text content is permanently lost — we cannot recover it because we never had it. Your server-side data (mood ratings, completion flags, etc.) survives on our servers and reappears when you sign in on a new device.
Children's Privacy
Den Krøllede Hjerne is not intended for users under 16 years of age. We apply the age of 16 because Denmark's age of digital consent (GDPR Recital 38, implemented via Databeskyttelsesloven §6) requires parental consent for processing children's data until age 16.
We do not knowingly collect personal data from anyone under 16. If we become aware that a user under 16 has created an account, we will delete the account and all associated data upon notice. If you believe a child under 16 has provided us with personal information, please contact us immediately at kontakt@denkroelledehjerne.dk.
Changes to This Policy
We may update this Privacy Policy from time to time. For material changes — changes that affect the legal basis for processing, the categories of data collected, or the subprocessors used — we will provide at least 30 days' notice before the change takes effect. Notice will be given via in-app notification or email.
The effective date at the top of this policy page reflects the date of the most recent revision. Continued use of the app after the effective date constitutes acceptance of the updated policy.
Contact
For all privacy-related questions, access and erasure requests, and complaints, contact us at:
kontakt@denkroelledehjerne.dk
Danish users may alternatively contact the Danish Data Protection Authority (Datatilsynet) directly at https://www.datatilsynet.dk if they believe their data protection rights have been violated.