Emotrek Inc.("Emotrek," "we," "us," or "our") respects your privacy and is committed to protecting it through our compliance with this policy. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our platform.

1. Information We Collect

1.1 Information You Provide

Category	Examples	Lawful Basis (GDPR)
Account Data	Name, email, license type, practice name	Contract performance
Patient Data (PHI)	Mood scores, journal notes, voice recordings, PHQ-9 responses	Legitimate interest / Consent
Payment Data	Processed by Stripe; we do not store card numbers	Contract performance
Communications	Support tickets, feedback	Legitimate interest

1.2 Automatically Collected Information

Usage Analytics: Pages visited, features used, session duration (via Google Analytics)
Device Information: Browser type, operating system, device identifiers
Log Data: IP addresses, access timestamps, error logs
Cookies: Essential (authentication), functional (preferences), analytics (opt-in). See our cookie consent banner for controls.

2. How We Use Your Information

Service Delivery: Provide, maintain, and improve Emotrek features
Clinical Support: Generate mood trends, AI insights, and therapeutic recommendations
Security: Detect fraud, enforce Terms of Service, audit PHI access
Communication: Send service updates, alerts, and support responses
Legal Compliance: Comply with HIPAA, GDPR, and other applicable regulations

We do not sell your personal data. We do not use PHI for marketing, advertising, or any purpose other than providing the Service.

3. HIPAA & Protected Health Information

Emotrek processes Protected Health Information ("PHI") as a Business Associate under HIPAA. We implement:

Encryption: AES-256 at rest (Google Cloud / Firebase), TLS 1.3 in transit
Access Controls: Role-based access, Firestore security rules, Firebase Authentication
Audit Logging: All PHI reads are recorded with actor, timestamp, resource, IP, and user-agent
Automatic Session Timeout: 30-minute inactivity logout (HIPAA §164.312(a)(2)(iii))
Breach Notification: We will notify affected Covered Entities within 72 hours of discovering a breach

4. GDPR — Your Rights as an EU/EEA/UK Resident

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation ("GDPR"):

Right	Description	How to Exercise
Access (Art. 15)	Request a copy of all personal data we hold about you	Email privacy@Emotrek.app
Rectification (Art. 16)	Correct inaccurate or incomplete data	Settings page or email
Erasure (Art. 17)	Request deletion of personal data ("Right to be Forgotten")	Settings → Delete Account
Restriction (Art. 18)	Restrict processing of your data	Email privacy@Emotrek.app
Portability (Art. 20)	Receive your data in a structured, machine-readable format	Email privacy@Emotrek.app
Objection (Art. 21)	Object to processing based on legitimate interest	Email privacy@Emotrek.app
Withdraw Consent (Art. 7)	Withdraw consent at any time without affecting prior processing	Cookie settings or email

We will respond to all data subject requests within 30 days. In complex cases, we may extend this by an additional 60 days with notice.

Right to Lodge a Complaint: You have the right to lodge a complaint with your local Data Protection Authority. For EU residents, a list of DPAs is available at edpb.europa.eu.

5. Data Retention

Data Category	Retention Period	Basis
Account Data (PII)	Until account deletion	Contract
Clinical Records (PHI)	7 years from creation	HIPAA §164.530(j)
Audit Logs	7 years	HIPAA §164.312(b)
Analytics Data	26 months (Google Analytics default)	Legitimate interest
Payment Records	7 years	Tax/legal requirements

Upon account deletion, PII is immediately anonymized. Clinical records are de-identified (name → "[deleted]", email → anonymized) but retained for the mandatory period.

6. Data Sharing & Third Parties

6.1 Service Providers (Sub-processors)

Provider	Purpose	Location
Google Cloud / Firebase	Infrastructure, authentication, database	US (multi-region)
Google AI (Gemini)	AI-powered mood analysis	US
Stripe	Payment processing	US
Vercel	Web application hosting	US (edge)

6.2 Legal Disclosures

We may disclose information when required by law, subpoena, court order, or other legal process, or where necessary to protect the safety of any person.

7. International Data Transfers

Data processed by Emotrek may be transferred to, stored, and processed in the United States. For EU/EEA/UK users, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as a lawful transfer mechanism.

8. Cookies & Tracking Technologies

We use cookies and similar technologies as described below. You can manage your preferences via our cookie consent banner at the bottom of the page.

Category	Purpose	Can be Disabled?
Strictly Necessary	Authentication, security, session management	No
Functional	Theme preferences, language settings	Yes
Analytics	Usage statistics (Google Analytics)	Yes

9. Children's Privacy

Emotrek is not directed to children under 13 (or 16 in EEA/UK). We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal data, please contact us immediately.

10. Data Security

All data encrypted at rest (AES-256) and in transit (TLS 1.3)
Firebase Authentication with BCrypt password hashing
Server-side session cookies (HttpOnly, Secure, SameSite=Lax)
PHI access audit trail with immutable logging
Automatic session timeout (30 minutes / 8 hours with Remember Me)
Regular security reviews and penetration testing

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes by email and/or a prominent notice on the Service. The "Last Updated" date indicates the latest revision.

12. Contact Us

For privacy-related inquiries, data subject requests, or to report a concern:

Emotrek Inc.
Privacy Officer: privacy@Emotrek.app
DPO (EU): dpo@Emotrek.app
General: legal@Emotrek.app

Related documents: Terms of Service · Data Processing Agreement