Privacy Policy
This Privacy Policy explains how AdProfex Ltd ("we", "us"), a private limited liability company organised under the laws of Cyprus (registration number HE 435565, registered office Omonoias 13, SOHO EMBASSY, 3052 Limassol, Cyprus), collects, uses, shares, and protects your personal data when you use our mobile applications, the website at https://adprofex-ltd.com, and related services (the "Service").
Our wellness Service is intended for general wellness purposes only and is not a medical device. We process personal data, including data concerning health, with great care and only in accordance with applicable data-protection law.
Contents
- Data controller
- Categories of personal data we collect
- Sources
- Purposes & legal basis (GDPR)
- No sale of personal data
- Categories of recipients
- International transfers
- Retention
- Your rights (GDPR — EU/EEA residents)
- California privacy rights (CCPA / CPRA)
- Japan privacy rights (APPI)
- Children's privacy
- Security
- Automated decision-making
- Changes to this policy
- Contact
1. Data controller
The data controller is AdProfex Ltd, Omonoias 13, SOHO EMBASSY, 3052 Limassol, Cyprus.
You may contact us regarding privacy matters at lawyer@adprofex-ltd.com.
2. Categories of personal data we collect
2.1. Account data: name, email address, password (hashed), date of birth (to verify the 18+ age requirement), language, country.
2.2. Profile data: gender, height, weight, activity level (each provided voluntarily by you).
2.3. Health-related data (special category under GDPR Article 9; "Special Care-Required Personal Information" under APPI Article 2(3)): heart-rate readings derived from PPG camera measurements; self-reported blood pressure entries; self-reported blood glucose entries (manual journal entry only — no glucose monitoring hardware, no clinical measurement, no recommendation); self-reported sleep, mood, stress, hydration, activity logs; computed wellness scores.
2.4. Device & technical data: device model, OS version, app version, language, time zone, anonymised crash logs, IP address (used only for security and country-level localisation; not stored long-term in identifiable form).
2.5. Subscription & billing data: payment-processor reference (we do NOT store full card numbers — those are processed and tokenised by Stripe), subscription plan, renewal dates, invoices.
2.6. Communications: customer-support messages, feedback, survey responses.
2.7. Cookies & similar technologies on the website (see our separate Cookie Policy).
3. Sources
We collect data (i) directly from you, (ii) automatically when you use the Service, and (iii) from third-party services you integrate (e.g., Apple Health, Google Fit) only after your explicit in-app consent for each integration.
4. Purposes and legal basis (GDPR)
We process data for the following purposes, on the following legal bases:
(a) To provide the Service (account creation, calculating wellness metrics, syncing your data across devices, customer support).
Legal basis: performance of a contract (Art 6(1)(b)).
(b) To process special-category health data (PPG-derived heart rate, self-reported BP, glucose, etc.).
Legal basis: your explicit consent under Art 9(2)(a). You provide this consent at first launch through a separate health-data consent screen. You may withdraw consent at any time in Settings → Privacy → Withdraw Health-Data Consent. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
(c) To process payments and provide subscription billing.
Legal basis: performance of a contract (Art 6(1)(b)) and our legitimate interests in operating a paid service (Art 6(1)(f)).
(d) To send service-related communications (renewal notices, billing receipts, security alerts).
Legal basis: performance of a contract (Art 6(1)(b)) and legal obligation (Art 6(1)(c)).
(e) To send marketing communications.
Legal basis: your separate opt-in consent (Art 6(1)(a)). You may withdraw at any time via the unsubscribe link.
(f) To improve, secure, and analyse the Service (in aggregated, non-identifiable form wherever possible).
Legal basis: our legitimate interests (Art 6(1)(f)).
(g) To comply with legal obligations (tax, accounting, AML, responding to lawful requests).
Legal basis: legal obligation (Art 6(1)(c)).
5. No sale of personal data
We do not sell your data. We do not use your health data for advertising.
6. Categories of recipients
We share personal data only in the following cases:
- With service providers (data processors) acting under written processing agreements (Art 28 GDPR): cloud hosting provider, payment processor (Stripe Payments Europe, Limited, Ireland), email provider, analytics, customer-support tool.
- Where required by law or to protect rights, property, or safety.
- In connection with a merger, acquisition, or sale of assets (subject to confidentiality and continued protection).
We do not share your health data with advertisers, data brokers, or any third party for marketing purposes.
7. International transfers
The Service is operated from Cyprus (EU). Some of our processors are located outside the European Economic Area ("EEA"), including in the United States (e.g., Stripe Inc. for payment data fallback, certain customer-support providers). When we transfer personal data outside the EEA, we rely on appropriate safeguards:
- EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914);
- The EU–U.S. Data Privacy Framework where the recipient is certified;
- Additional supplementary measures (encryption in transit and at rest, contractual access restrictions) where appropriate following the Schrems II ruling.
You may obtain a copy of the safeguards by emailing lawyer@adprofex-ltd.com.
8. Retention
- Account data: while your account is active, plus 12 months thereafter for legitimate-interest purposes (security, fraud).
- Health data: while your account is active. On deletion request, deleted within 30 days from our production systems and from backups within 90 days.
- Billing & tax records: 7 years as required by Cypriot tax law.
- Marketing data: until you withdraw consent or after 24 months of inactivity.
9. Your rights (GDPR — EU/EEA residents, including Cyprus)
You have the right to:
- (a) Access your data (Art 15) — receive a copy.
- (b) Rectify inaccurate data (Art 16).
- (c) Erase your data ("right to be forgotten", Art 17) — subject to legal-retention obligations.
- (d) Restrict processing (Art 18).
- (e) Data portability (Art 20) — receive your data in a structured, machine-readable format (JSON).
- (f) Object (Art 21), including to direct marketing.
- (g) Withdraw consent at any time (Art 7(3)), without affecting prior lawful processing.
- (h) Lodge a complaint with a supervisory authority.
To exercise your rights, email lawyer@adprofex-ltd.com. We will respond within 30 days (extendable to 90 days for complex requests).
10. California privacy rights (CCPA / CPRA — for California residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to Know — what personal information we collect, use, disclose, and sell/share.
- Right to Delete — request deletion of personal information.
- Right to Correct — request correction of inaccurate information.
- Right to Limit Use of Sensitive Personal Information — limit our use of "sensitive personal information" (which includes health data) to that necessary to provide the Service.
- Right to Opt Out of Sale/Sharing — we do not sell or share personal information; nevertheless we provide a "Do Not Sell or Share My Personal Information" link in our website footer.
- Right to Non-Discrimination for exercising your rights.
To exercise California rights, email lawyer@adprofex-ltd.com or use the "Do Not Sell or Share" link in our footer. Authorised agents may submit requests on your behalf. Verification: we will verify your identity by matching to data we already hold (e.g., your email and a unique account identifier).
In the prior twelve months we have collected the categories of data listed in Section 2. We have not "sold" personal information as that term is defined by the CCPA. We have "shared" cookies/identifiers with analytics providers solely for service operation, not for cross-context behavioural advertising.
11. Japan privacy rights (APPI — for users in Japan)
For users in Japan: if you reside in Japan, the Act on the Protection of Personal Information (個人情報の保護に関する法律, "APPI") applies. We handle:
- "Personal Information" (個人情報) including your name, email, and account data;
- "Special Care-Required Personal Information" (要配慮個人情報) including your medical/health-related data — processed only with your prior opt-in consent under APPI Art 17(2);
- "Personal Related Information" (個人関連情報) including some cookies — handled in accordance with APPI Art 31.
Purpose of use (利用目的): operating the Service, providing wellness analytics, billing, security, and improvement of the Service.
Third-party and cross-border transfers: we transfer Personal Information outside Japan, including to the United States and the European Economic Area (Cyprus). We obtain your prior consent and provide information about (i) the recipient country, (ii) its data-protection laws, and (iii) measures taken by the recipient, as required by APPI Art 28.
Your rights: disclosure, correction, suspension of use, and deletion. Contact: lawyer@adprofex-ltd.com.
12. Children's privacy
The Service is not directed to and is not intended for children under 18. We do not knowingly collect personal data from children under 18. In particular, in the United States, we do not knowingly collect personal data from children under 13 (COPPA). If we learn we have collected such data, we will delete it. Parents and guardians may contact lawyer@adprofex-ltd.com to request deletion of any data inadvertently collected from a minor.
13. Security
We implement appropriate technical and organisational measures including TLS in transit, AES-256 at rest, role-based access controls, encryption of health data with per-user keys, and regular vulnerability scanning. No system is 100% secure. In the event of a personal-data breach affecting your rights, we will notify you and the competent supervisory authority within 72 hours as required by GDPR Art 33–34 (and within the timeframes set by APPI and CCPA where applicable).
14. Automated decision-making
We do not engage in automated decision-making that produces legal or similarly significant effects on you. Wellness recommendations within the Service are informational only and not the result of profiling intended to make legally binding decisions about you.
15. Changes to this policy
We may update this Policy from time to time. Material changes will be communicated by email or in-app notice at least 15 days in advance.
16. Contact
Data Controller: AdProfex Ltd, Omonoias 13, SOHO EMBASSY, 3052 Limassol, Cyprus, Reg. HE 435565
Privacy contact: lawyer@adprofex-ltd.com