Empattie

Privacy Policy

Effective Date: 27.01.2026
Last Updated: 27.01.2026

This Privacy Policy describes how Neuvelia Spółka z ograniczoną odpowiedzialnością (KRS: 0001189908, NIP: 6762700408, REGON: 542505430) ("Neuvelia," "Empattie," "we," "us," or "our") collects, uses, processes, and protects your personal data when you access or use the Empattie mobile application and related services (the "Service").

We are committed to protecting your privacy and ensuring transparency in our data practices. This Privacy Policy has been prepared in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Polish data protection laws.

Our commitment: Empattie operates on a subscription-based model. You pay for our Service, which means we do not sell your personal data to third parties or use it for advertising purposes. Your emotional well-being is our product—your data is not.

1. Data Controller

The data controller responsible for your personal information is:

Neuvelia Spółka z ograniczoną odpowiedzialnością
KRS: 0001189908
NIP: 6762700408
REGON: 542505430
Registered Address: Szlak 77/222, 31-153 Kraków, Polska
Email: legal@empattie.com
Data Protection Officer: privacy@empattie.com

2. Information We Collect

2.1 Information You Provide Directly

We collect personal data that you voluntarily provide when using the Service:

Account Information: When you create an account, we collect your email address and password (stored in hashed form). You may optionally provide your name or display name to personalize your experience.

Conversation Data: To provide AI-powered emotional support, we collect and process the content of your conversations with Empattie, including text messages and voice inputs. This is the core data necessary to deliver the Service.

Mood and Journal Data: We collect mood tracking information, emotional state indicators, and any journal entries you create within the Service.

Payment Information: When you subscribe to a paid plan, we collect billing information necessary to process your subscription. Payment details (credit card numbers) are processed and stored by our third-party payment processor and are not directly accessible to us.

Support Communications: If you contact our customer support team, we collect the contents of your communications and any additional information you provide to assist with your inquiry.

2.2 Information Collected Automatically

Technical Data: We automatically collect certain technical information when you use the Service, including device type, operating system version, mobile network information, unique device identifiers, IP address, and approximate geographic location based on your IP address.

Usage Data: We collect information about how you interact with the Service, including features accessed, session duration, conversation frequency, timestamp data, and in-app navigation patterns.

Performance Data: We collect crash reports, error logs, and diagnostic information to identify and resolve technical issues affecting Service performance.

2.3 Information from Third Parties

If you choose to authenticate using third-party services (such as Sign in with Apple or Google), we receive limited information from those platforms, including your email address and profile information, in accordance with your privacy settings on those platforms.

3. How Your Data Is Processed

3.1 Cloud-Based Processing

Important: When you interact with Empattie, your conversation data and voice inputs are transmitted from your device to cloud-based servers for processing. This transmission is necessary because modern artificial intelligence models require substantial computational resources that cannot be provided by mobile devices alone.

Your data is sent to our secure servers and, in some cases, to servers operated by our trusted AI technology providers. These providers process your conversation content to generate contextually appropriate responses and deliver the core functionality of the Service.

This means your conversations are not processed exclusively on your device. Data is transmitted over the internet, processed in cloud infrastructure, and the AI-generated responses are returned to your application.

3.2 Data Security Measures

We implement industry-standard security measures to protect your personal data:

Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3 protocol, ensuring that your information cannot be intercepted during transmission.

Encryption at Rest: Personal data stored on our servers is encrypted using AES-256 encryption, a military-grade standard that protects your information while it resides in our infrastructure.

Access Controls: We employ strict access control mechanisms, ensuring that only authorized systems and personnel can access your data, and only when necessary to provide the Service, resolve technical issues, or comply with legal obligations.

Infrastructure Security: Our cloud infrastructure is hosted with providers that maintain SOC 2 Type II certification and ISO 27001 compliance. We conduct regular security audits, vulnerability assessments, and penetration testing to identify and remediate potential risks.

Data Segregation: Your data is logically segregated from other users' data within our database architecture, and we employ multiple layers of authentication to prevent unauthorized access.

3.3 Human Access to Your Data

We have designed our systems to minimize human access to your conversations. Automated AI systems process your conversation data without human review. However, in limited circumstances, authorized personnel may access your data:

• When you explicitly request customer support and provide written consent to data review (via email confirmation or in-app consent checkbox)

• To investigate suspected fraud, abuse, or violations of our Terms of Use (only after documented suspicion)

• When legally required by valid court order, subpoena, or regulatory authority

• To prevent imminent harm or address urgent safety concerns (e.g., credible suicide threat)

We maintain detailed access logs of all human access to user data, including timestamp, employee ID, and justification. These logs are audited quarterly.

We never access your data for marketing purposes, and we never sell or share your conversations with advertisers or data brokers.

4. Purpose and Legal Basis for Processing

We process your personal data for specific purposes, each grounded in a lawful basis under GDPR:

Service Delivery (Contract Performance, Article 6(1)(b) GDPR): We process your account information, conversation data, mood tracking data, and usage information to provide the AI-powered emotional wellness support you have subscribed to. This processing is necessary to fulfill our contractual obligations to you.

Payment Processing (Contract Performance, Article 6(1)(b) GDPR): We process billing information to manage your subscription, process payments, and handle billing inquiries.

Free Trial Administration (Contract Performance, Article 6(1)(b) GDPR): We process account data and device identifiers to verify free trial eligibility and prevent abuse of trial periods.

Service Improvement and Development (Legitimate Interest, Article 6(1)(f) GDPR): We analyze aggregated and anonymized usage data to understand how users interact with the Service, identify areas for improvement, develop new features, and enhance overall user experience. We have determined that our legitimate interest in improving the Service does not override your privacy rights.

Security and Fraud Prevention (Legitimate Interest, Article 6(1)(f) GDPR): We process technical data, IP addresses, and device information to detect and prevent fraudulent activity, unauthorized access, abuse of free trials, and abuse of the Service.

Legal Compliance (Legal Obligation, Article 6(1)(c) GDPR): We retain certain records, such as payment information, to comply with tax, accounting, and regulatory requirements.

Personalization (Consent, Article 6(1)(a) GDPR): Where you have provided consent, we use your name and preferences to personalize your experience. You may withdraw this consent at any time.

5. Data Sharing and Third-Party Processors

We do not sell your personal data. However, to provide the Service, we share your data with carefully selected third-party service providers who process data on our behalf under strict contractual obligations.

5.1 AI Technology Providers

To generate intelligent responses to your conversations, we share conversation content with trusted AI technology providers. These providers operate advanced machine learning models that power Empattie's conversational capabilities.

Critical commitment: All AI providers we engage with:

• Are bound by Data Processing Agreements (DPAs) that comply with GDPR Article 28 requirements

• Implement appropriate technical and organizational security measures

• Process data solely for the purpose of providing AI services to Empattie

• Are contractually PROHIBITED from using your conversation data to train, improve, or develop AI models under ANY circumstances

• Do NOT retain copies of your conversations after generating responses

• Are prohibited from sharing your data with third parties

• Must delete conversation data in accordance with our retention policies

We use one or more of the following AI technology providers: OpenAI, Anthropic, Google Cloud AI. The specific provider(s) may vary based on feature and availability.

5.2 Cloud Infrastructure Providers

We utilize cloud hosting services to store and process your data. Our infrastructure providers include Amazon Web Services (AWS), Google Cloud Platform, or Microsoft Azure. These providers maintain SOC 2 Type II certification and ISO 27001 compliance and process data in accordance with GDPR requirements. All infrastructure providers either operate in GDPR-compliant regions (EU data centers) or are subject to Standard Contractual Clauses.

5.3 Payment Processors

Subscription payments are processed through third-party payment processors such as Stripe, PayPal, or similar PCI-DSS compliant providers. These processors handle your payment card information in accordance with PCI-DSS standards. We do not store complete credit card numbers on our servers—only the last 4 digits for reference purposes.

5.4 Analytics and Performance Monitoring

We use analytics services such as Google Analytics for Firebase, Mixpanel, or similar tools to understand usage patterns and application performance. We configure these services to:

• Anonymize IP addresses before transmission

• Disable advertising features and remarketing

• Limit data collection to the minimum necessary for analytics purposes

• Exclude sensitive conversation content from analytics data

You may opt out of analytics tracking through your account settings (Settings → Privacy → Analytics).

5.5 Voice Processing Services

If you use voice input features, we engage speech-to-text service providers (such as Google Cloud Speech-to-Text or similar services) to transcribe your voice recordings into text for processing by our AI systems.

Voice data handling:

• Voice recordings are transmitted securely using TLS 1.3 encryption

• Recordings are processed only for transcription purposes

• Voice recordings are automatically and permanently deleted within 24 hours after transcription is complete. In case of transcription failure, recordings are deleted within 48 hours regardless of outcome.

• Transcribed text is treated as conversation data and subject to standard retention policies

[POPRAWKA 5: Konkretny okres retencji dla voice - 24h zamiast vague "not permanently stored"]

5.6 Customer Support Tools

We may use customer support platforms such as Zendesk, Intercom, or similar services to manage support inquiries. These platforms only receive data you voluntarily provide when contacting support, plus basic account metadata (email, subscription status) necessary to assist you.

5.7 International Data Transfers

Some of our service providers operate servers located outside the European Economic Area, including in the United States. When we transfer your personal data internationally, we ensure adequate protection through:

Standard Contractual Clauses (SCCs): We use Standard Contractual Clauses approved by the European Commission pursuant to GDPR Article 46(2)(c) with all international data processors.

Adequacy Decisions: Where the European Commission has determined that the destination country provides an adequate level of data protection, we rely on that adequacy decision.

Supplementary Measures: We implement additional safeguards including:

• Server-side encryption (AES-256)

• Strict access controls with multi-factor authentication

• Contractual commitments to data minimization

• Regular third-party security audits

• Prohibition on government data access without legal process

You have the right to request information about international transfers affecting your data and to obtain copies of the safeguards we have implemented. Contact our Data Protection Officer at privacy@empattie.com for more information.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law.

Active Account Data: Your account information, conversation history, and mood tracking data are retained for the duration of your active subscription or free trial.

Inactive Accounts: If your account remains inactive (no login activity) for more than 12 months, we will send you an email notification warning that your account will be deleted in 30 days unless you log in. After the 30-day grace period, we permanently delete your account and all associated data.

[POPRAWKA 6: Dodana polityka dla inactive accounts - 12 months + 30 day warning]

Deleted Conversations: When you manually delete individual conversations through the app:

• Conversations are removed from our active systems within 48 hours

• Conversations are purged from backup systems within 30 days

• After 30 days, deleted conversations cannot be recovered by us or by you

Account Deletion: When you delete your account:

• We initiate a permanent deletion process

• All personally identifiable data (conversations, mood data, account information) are irreversibly deleted within 30 days

• Deletion includes all active systems, backup systems, and cache

• After 30 days, your data cannot be recovered by us or by you

Anonymized Analytics: We may retain aggregated and anonymized data derived from your usage for up to three years for research and service improvement purposes. This data:

• Cannot be used to identify you personally

• Is stripped of all identifying information (email, device ID, IP address)

• Is aggregated with data from thousands of other users

• May include insights like "users who track mood daily have higher engagement"

Legal and Financial Records: We retain payment records, invoices, and transaction history for seven years to comply with Polish tax, accounting, and financial regulatory requirements. This includes:

• Subscription purchase dates and amounts

• Refund records (if applicable)

• Billing disputes

• Tax documentation

Security and Access Logs: Technical logs used for security monitoring are retained for 90 days, after which they are automatically and permanently deleted.

Voice Recordings: As stated in Section 5.5, voice recordings are automatically deleted within 24 hours after transcription is complete.

[POPRAWKA 7: Wszystkie okresy retencji są teraz KONKRETNE - 24h, 48h, 30d, 90d, 3yr, 7yr]

7. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights regarding your personal data:

7.1 Right of Access (Article 15 GDPR)

You have the right to obtain confirmation as to whether we process your personal data and, if so, to access that data along with information about how it is processed. You may request a copy of your personal data in a commonly used electronic format (JSON or CSV).

To exercise this right:

• Go to Settings → Privacy → Download My Data within the app

• OR email privacy@empattie.com with "Data Access Request" in the subject line

• We will verify your identity and provide your data within 30 days

7.2 Right to Rectification (Article 16 GDPR)

You have the right to correct inaccurate or incomplete personal data we hold about you.

To exercise this right:

• Update your account information directly through Settings → Profile

• For conversation data corrections, contact privacy@empattie.com

7.3 Right to Erasure / "Right to be Forgotten" (Article 17 GDPR)

You have the right to request deletion of your personal data where:

• The data is no longer necessary for the purposes for which it was collected

• You withdraw consent upon which processing is based

• You object to processing based on legitimate interests and there are no overriding legitimate grounds

• The data has been unlawfully processed

• Deletion is required to comply with a legal obligation

To delete specific conversations:

1. Open the conversation in the app

2. Tap the menu icon (⋯)

3. Select "Delete Conversation"

4. Confirm deletion

5. The conversation will be permanently removed from our servers within 48 hours

To delete your entire account:

1. Go to Settings → Account → Delete Account

2. Confirm your password

3. Review the warning that this action is irreversible

4. Tap "Permanently Delete My Account"

5. All your data will be permanently deleted within 30 days

Note: We cannot delete data if we are legally required to retain it (e.g., financial records for tax purposes).

7.4 Right to Restriction of Processing (Article 18 GDPR)

You have the right to request that we limit how we process your data in certain circumstances, such as when:

• You contest the accuracy of the data (while we verify)

• Processing is unlawful but you oppose deletion

• You need the data for legal claims but we no longer need it

• You object to processing while we verify legitimate grounds

Contact privacy@empattie.com to request restriction.

7.5 Right to Data Portability (Article 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON or CSV) and to transmit that data to another controller.

What you can export:

• Account information

• Conversation history

• Mood tracking data

• Journal entries

To exercise this right:

• Go to Settings → Privacy → Download My Data

• Select format (JSON or CSV)

• Tap "Export Data"

• Receive download link via email within 24 hours

7.6 Right to Object (Article 21 GDPR)

You have the right to object to processing based on legitimate interests. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

You have an absolute right to object to direct marketing. We do not currently send marketing communications, but if we introduce them in the future, you will be able to opt out.

7.7 Right to Withdraw Consent

Where processing is based on your consent (e.g., personalization, analytics), you have the right to withdraw that consent at any time.

To manage consent:

• Go to Settings → Privacy

• Toggle individual consent options (Analytics, Personalization, etc.)

Withdrawal does not affect the lawfulness of processing conducted before withdrawal.

7.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, particularly in your country of residence, place of work, or place of alleged infringement.

Polish Supervisory Authority:
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warsaw, Poland
Website: uodo.gov.pl
Email: kancelaria@uodo.gov.pl
Phone: +48 22 531 03 00

For EU residents: You may also contact your local data protection authority.

Exercising Your Rights:

To exercise any of these rights, contact our Data Protection Officer at privacy@empattie.com with:

1. Subject line clearly stating your request (e.g., "Data Deletion Request")

2. Your registered email address

3. Description of your request

4. Proof of identity (if required)

We will respond to your request within 30 days in accordance with GDPR requirements. In complex cases, we may extend this by an additional 60 days and will inform you of the extension and reasons.

8. Automated Decision-Making

Empattie uses artificial intelligence to generate conversational responses based on the input you provide. However, these AI-generated responses are suggestions and supportive guidance—they do not constitute:

• Legally binding decisions about you

• Medical diagnoses or treatment decisions

• Determinations that significantly affect your legal rights or interests

You have the right to:

• Understand how AI processes your data (described in Section 3.1)

• Request human intervention for specific concerns (contact support@empattie.com)

• Express your point of view about AI-generated responses

• Contest any automated processing that produces legal effects

The AI does not make decisions about your subscription, account status, or access to the Service—these decisions are made by our systems based on objective criteria (payment status, Terms compliance) or by human staff.

9. Children's Privacy

Empattie is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from minors.

If we become aware that we have inadvertently collected data from a person under 18, we will:

1. Immediately suspend the account

2. Delete all associated data within 48 hours

3. Notify the account holder (if contact information is available)

If you believe a minor has created an account, please contact us immediately at privacy@empattie.com with "Minor Account Report" in the subject line.

10. Cookies and Similar Technologies

We use cookies and similar tracking technologies to enhance your experience and analyze Service usage.

Essential Cookies: These cookies are necessary for the Service to function properly and cannot be disabled without ceasing use of the Service. Essential cookies include:

• Session authentication tokens

• Security and fraud prevention identifiers

• App state and navigation preferences

Analytics Cookies: We use analytics cookies to understand Service usage and improve features. These cookies collect:

• Session duration and frequency

• Feature usage patterns

• Navigation paths within the app

• Error occurrences and performance metrics

Analytics cookies are enabled by default but you may disable them through Settings → Privacy → Analytics without affecting core functionality.

Preference Cookies: These cookies store your choices to enhance your experience:

• Language preference

• Theme selection (light/dark mode)

• Notification settings

• Display preferences

What We DO NOT Use:

• Third-party advertising cookies

• Cross-site tracking technologies

• Behavioral advertising tools

• Social media tracking pixels (Facebook Pixel, etc.)

• Cookie-based user profiling for ads

Managing Cookies:

• In-app: Go to Settings → Privacy → Cookie Preferences

• Mobile device: Adjust tracking settings in your device's Settings app

• Note: Disabling essential cookies will prevent you from using the Service

Cookie Lifespan:

• Session cookies: Deleted when you close the app

• Essential cookies: Up to 12 months

• Analytics cookies: Up to 2 years

• Preference cookies: Until you change settings or delete account

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

Report to Supervisory Authority: Notify the Polish supervisory authority (UODO) within 72 hours of becoming aware of the breach, as required by Article 33 GDPR.

Notify Affected Users: If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay via:

• Email to your registered email address

• In-app notification

• Public notice on our website (if email notification is not possible)

Information Provided:

• Nature of the personal data breach (what happened)

• Likely consequences of the breach

• Measures we have taken or propose to take to address the breach

• Contact information for our Data Protection Officer

• Recommendations for steps you can take to protect yourself (e.g., change password, monitor accounts)

Recent Breach History: We have not experienced any reportable data breaches since our launch. This section will be updated if circumstances change.

12. Mergers, Acquisitions, and Business Transfers

In the event that Neuvelia is involved in a merger, acquisition, asset sale, bankruptcy, or other business transaction:

Your Data May Be Transferred: Your personal data may be transferred to the acquiring entity or successor organization as part of the transaction.

Protections:

• The acquiring entity will be bound by the terms of this Privacy Policy

• If the acquiring entity intends to use your data in a manner materially different from this Policy, we will notify you at least 30 days in advance

• You will have the opportunity to delete your account before the transfer takes effect

• All GDPR rights continue to apply under the new controller

Notification: We will notify you of any such transfer via email and prominent in-app notification.

[POPRAWKA 8: Dodana kompletna sekcja M&A - co się dzieje z danymi przy przejęciu]

13. Why Subscription Matters for Privacy

You pay for Empattie. That's why your data stays yours.

Unlike free apps that monetize user data through advertising, our subscription model means:

No data sales: We never sell your conversations or emotional data to third parties, advertisers, or data brokers. Our business model does not depend on monetizing your personal information.

No ad targeting: Your data is not used to build advertising profiles, serve targeted ads, or participate in ad networks.

Aligned interests: Our business succeeds when you trust us and find value in the Service, not when we exploit your data. Your subscription fee funds ongoing security improvements, compliance initiatives, and privacy-enhancing technologies.

Sustainable privacy: Subscription revenue allows us to:

• Invest in better encryption and security

• Conduct regular third-party security audits

• Maintain GDPR compliance infrastructure

• Hire dedicated privacy and security staff

• Say "no" to third-party data sharing requests

Transparency as competitive advantage: We compete on trust, not data exploitation. If we wanted to monetize your data, we would have to change this Privacy Policy—and we would notify you 30 days in advance, giving you time to delete your account.

Your emotional well-being is our product. Your data is not.

14. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy to reflect changes in our data practices, legal requirements, or Service features. When we make material changes, we will:

Advance Notice:

• Update the "Last Updated" date at the beginning of this Policy

• Notify you via email at least 30 days before the changes take effect

• Display a prominent in-app notification when you next access the Service

• For significant changes affecting your rights (e.g., new data sharing practices), we may request your renewed consent

Your Options:

• Review the updated Policy before it takes effect

• Contact us with questions or concerns

• Delete your account if you do not agree with the changes (before the effective date)

Continued Use: Your continued use of the Service after the effective date constitutes your acceptance of the revised Privacy Policy.

Policy Archive: Previous versions of this Privacy Policy are available upon request by contacting privacy@empattie.com.

15. Contact Information

For questions, concerns, or requests related to this Privacy Policy or our data practices, please contact:

Data Protection Officer
Email: privacy@empattie.com
Postal Address: Neuvelia Sp. z o.o., Szlak 77/222, 31-153 Kraków, Polska
Phone: [PHONE NUMBER if available]

Privacy Inquiries
Email: privacy@empattie.com
Response Time: Within 5 business days for general inquiries, within 30 days for formal rights requests

General Support
Email: support@empattie.com

Legal Department
Email: legal@empattie.com

For Urgent Security or Privacy Concerns:
Email: privacy@empattie.com with "URGENT" in the subject line
We monitor this inbox 24/7 for critical issues

16. Governing Law and Jurisdiction

This Privacy Policy is governed by and construed in accordance with the laws of Poland and the General Data Protection Regulation (GDPR).

Disputes: Any disputes arising from this Privacy Policy shall be subject to the jurisdiction of the courts of Kraków, Poland, unless you are a consumer residing in another EU member state, in which case you may bring proceedings in your country of residence.

Supervisory Authority: The primary supervisory authority for Neuvelia is the Polish UODO (Urząd Ochrony Danych Osobowych).

By using Empattie, you acknowledge that you have read, understood, and agree to the collection, use, and processing of your personal data as described in this Privacy Policy.

© 2026 Neuvelia Sp. z o.o. All rights reserved.