Privacy Policy
Short version: we collect interaction events keyed by a truncated SHA-256 hash of your email (a pseudonymous identifier, never a health value), session recording is off, and your account and data stay until you delete them.
1. Who processes your data
Controller: Nikita Nikitenok (natural person), Vilnius, Lithuania. Contact and GDPR requests: n.nikitenok@parta.io. Jurisdiction: Lithuania / EU. GDPR applies in full.
2. What we collect
2.1. Account data
When you sign in with Google OAuth we receive from Google:
- Email address
- Display name
- Avatar URL
- Google account ID
No passwords are stored — sign-in is SSO only.
2.2. Health data (Special Category under GDPR Art.9)
You add this yourself, directly or through integrations:
- Sleep, HRV, resting HR, activity metrics (Oura Ring API, RescueTime API, etc.)
- Cognitive test results (reaction time, Stroop, PVT)
- Self-reports (mood, energy, brain fog)
- Location history — only if you manually upload Google Timeline export
- Lab results — entered manually
- Workouts and body metrics — from integrations or manual entry
Health data qualifies as “special categories of personal data” (GDPR Art.9) and receives elevated protection.
2.3. Technical data (analytics)
- Pseudonymous interaction events (clicks, navigation, test start/finish, widget pin); no health metric values (see §3)
- Provider: PostHog EU (Frankfurt); data does not leave the EU
- Identification: SHA-256 hash of the email address, truncated to the first 16 hex characters. The hash cannot be reversed to the address, but anyone holding a candidate email can recompute and match it, so the identifier is pseudonymous (GDPR Art.4(5)) rather than anonymous
- Cookie-less persistence in the SPA — the identifier lives in memory only and is not written to cookies
- IP address is anonymized by PostHog; we do not retain raw IPs (see §3)
3. What we do NOT collect
- Health metric values in analytics. A cognitive_test_completed event carries only the fact that a test finished plus the subtest type, never the score.
- Plain-text email or name in analytics.
- Raw IP address (PostHog anonymizes; we do not retain IP long-term).
- Activity outside the health-os.app and os.health-os.app domains.
- Nothing is shared with advertising brokers or ad networks — we have none.
4. Lawful basis (GDPR)
- Account and core functionality — performance of contract (Art.6(1)(b)).
- Health data — explicit consent (Art.9(2)(a)), granted by uploading data and connecting integrations. You can withdraw consent at any time by requesting account deletion (see §8); disconnecting an integration stops future sync but leaves previously imported data — email us to delete it.
- Analytics — legitimate interest (Art.6(1)(f)), balanced by the cookie-less, hashed-identifier configuration, IP anonymization, and the opt-out in Settings (see §8).
- Browser Do Not Track — honored automatically: if enabled, analytics never initializes.
5. Sub-processors (third parties)
- Google — OAuth login, YouTube Data API (if you connect the integration), Google Drive (on Takeout upload)
- MongoDB Atlas (Ireland, EU region) — account and health data storage, experiment artifacts
- Google Cloud Platform (europe-west1) — compute + GCS for uploaded files
- Cloudflare — CDN for the public site, Pages hosting
- PostHog EU (Frankfurt) — interaction analytics, cookie-less
We do not transfer health data to third parties outside this list, do not sell data, and do not use it for advertising.
6. Transfers outside the EEA
All core services are hosted in the EU / EEA (MongoDB Atlas EU regions, GCS europe-west1, PostHog Frankfurt). Cloudflare, a global CDN, serves only the public static site and holds no account or health data; as the edge that terminates TLS it does see request metadata such as visitor IP addresses in transit.
7. Retention
- Health data and account data: kept until you delete the account. On deletion — cascade delete of all MongoDB records and GCS files within 30 days.
- Session cookie (connect.sid): 30 days, HttpOnly, Secure, SameSite=Lax.
- Analytics events: 90 days hot storage in PostHog EU (default retention).
- Backup snapshots: up to 7 days after deletion (MongoDB Atlas point-in-time).
8. Your rights (GDPR Art.15–22)
- Access — “Export all data” in Settings (JSON + CSV).
- Erasure — email n.nikitenok@parta.io from your account email to request account deletion; full cascade delete is performed within 30 days. (A self-service delete button in Settings is on the roadmap; until then the email route is the documented path.)
- Rectification — edit your profile in Settings.
- Portability — export in standard formats.
- Object to analytics — toggle in Settings → Privacy & Analytics. The preference is stored in localStorage per origin: setting it in the app (os.health-os.app) applies immediately there but does not propagate to the landing (health-os.app). On the landing, analytics additionally honors the browser Do Not Track signal for cross-site opt-out.
- Withdraw consent — disconnect an integration to stop future sync (previously imported data stays unless you also request deletion by email) or delete the account.
- Lodge a complaint — in Lithuania: Valstybinė duomenų apsaugos inspekcija (VDAI).
9. Analytics and session recording
- Session replay is fully disabled on both origins: disable_session_recording: true in the SPA (packages/web/src/lib/analytics.ts) and on the landing (packages/site/src/components/posthog.astro).
- If we ever enable recording for UX research, users will see an explicit banner and can opt out before the session starts.
- No autocapture of links or clicks: only the events we explicitly send are recorded (see the event catalog in docs/ANALYTICS.md).
10. Security
- TLS in transit (HTTPS everywhere).
- Encryption at rest provided by MongoDB Atlas and GCS.
- Integration secrets (OAuth tokens, API keys) are encrypted at the application layer (AES-GCM, key from ENCRYPTION_KEY).
- User isolation — every database query is scoped to the session owner's userId.
11. Children
The service is not intended for people under 18. We do not knowingly collect data about children.
12. Changes to this policy
For material changes — the “Last updated” date is refreshed and we notify via email if the profile email is verified. Minor edits (typos, wording clarifications) — no notification.
13. Contact
Questions, export requests, deletion, GDPR complaints — n.nikitenok@parta.io.