Privacy Policy
This policy explains what personal data we process, why we process it, and your rights.
Last updated: March 17, 2026
1. Data controller
Anima Felix SRL ("Anima Felix", "we", "us") is the controller of personal data processed through the Anima Felix app and website.
Registered office: Bucharest, Ion Mihalache 166, Sector 1, Romania. Trade Register no. J2024027531000, fiscal code 50637957.
Data protection contact: [email protected]
2. Scope
This policy applies to personal data processed when you use the Anima Felix mobile app, website, and related support channels.
3. Personal data we process
- Account and contact data: email, account identifiers, and device identifiers.
- Wellbeing inputs (special category — Art. 9): mental health check-ins, anxiety-related selections, mood tracking, journal-like entries, psychological assessment responses (e.g., GAD-7, PHQ-9, PSS-10), and in-app interactions you choose to provide. This data is processed solely with your explicit consent.
- Voice data: if you use voice onboarding or voice features, audio recordings and transcripts may be processed via our voice service providers (Twilio and ElevenLabs). Recordings are used only to deliver the voice interaction and are not used for identification or biometric profiling.
- Photo data: if you upload a photo during a check-in, images are processed via OpenAI's Vision API for content interpretation and moderation. Photos that violate content policies are rejected.
- Technical and usage data: device/browser information, app version, IP address, timezone, operating system details, logs, and security events.
- Support data: messages you send to our support/privacy email.
- Consent data: cookie and tracking preferences saved in your browser, and in-app consent records (T&C, privacy policy, and sensitive data consent declarations with timestamps).
- Payment data: subscription status and billing identifiers processed through RevenueCat and Stripe. We do not store credit card numbers directly.
4. Why we process data and legal bases (GDPR)
- Provide the service: to operate app features and your account (Art. 6(1)(b), contract).
- Health-related wellbeing data (special category): your explicit consent before providing any anxiety, mental health, or wellbeing-related information in the app (Art. 9(2)(a), explicit consent for special category data). This includes check-ins, assessment responses, mood data, and journal entries. Consent is obtained separately in-app before any sensitive data is processed.
- Voice interactions: your explicit consent when initiating a voice session (Art. 6(1)(a), consent; Art. 9(2)(a) where voice content relates to health).
- Improve reliability and security: prevent abuse, debug issues, content moderation, maintain service integrity (Art. 6(1)(f), legitimate interests).
- Support and service communications: reply to your requests and account-related messages (Art. 6(1)(b) and 6(1)(f)).
- Analytics and marketing on website: measurement and campaign attribution only after consent where required (Art. 6(1)(a), consent).
- Legal obligations: where required by applicable law, including fiscal record-keeping (Art. 6(1)(c)).
5. Sharing and processors
We share personal data with the following service providers (processors) acting on our instructions under Data Processing Agreements:
| Processor | Role | Location |
|---|---|---|
| Hetzner GmbH | Server hosting (database, backend, frontend) | EU (Germany) |
| Google LLC (Firebase) | Authentication and app infrastructure | US (EU-US DPF) |
| OpenAI, Inc. | AI chat, content moderation, photo analysis | US (DPA + SCCs) |
| Cloudflare, Inc. | DNS, DDoS protection, CDN | US (EU-US DPF) |
| Twilio Inc. | Voice call infrastructure | US (EU-US DPF + SCCs) |
| ElevenLabs, Inc. | Voice AI synthesis | US (SCCs) |
| RevenueCat, Inc. | Subscription and payment management | US (SCCs) |
| Stripe Payments Europe Ltd | Payment processing | Ireland / US (EU-US DPF) |
| Expo (650 Industries) | Push notifications | US (SCCs) |
| Google LLC (Analytics) | Website analytics (consent-gated) | US (EU-US DPF) |
| Meta Platforms Ireland Ltd | Website marketing attribution (consent-gated) | Ireland / US (EU-US DPF) |
| TikTok (ByteDance) | Website marketing attribution (consent-gated) | Singapore / US (SCCs) |
We may also disclose data when required by law, court order, or to protect legal rights.
We do not sell your personal data.
6. International transfers
Our primary data storage is on servers located within the European Economic Area (Hetzner, Germany). Where data is transferred to processors outside the EEA (see processor table above), we rely on:
- EU-US Data Privacy Framework (DPF): for US-based processors certified under the DPF adequacy decision (Google, Cloudflare, Stripe, Twilio, Meta).
- Standard Contractual Clauses (SCCs): for processors not covered by an adequacy decision (OpenAI, ElevenLabs, RevenueCat, Expo, TikTok/ByteDance).
7. Data retention
We retain personal data only as long as needed for the purposes described above. Specific retention periods by data category:
| Data category | Retention period |
|---|---|
| Account data | Duration of account + 30 days after deletion request |
| Wellbeing inputs (check-ins, assessments, journal) | Duration of account; deleted within 30 days of account deletion |
| Voice recordings | Duration of the voice session; not retained after delivery |
| Photos uploaded in check-ins | Duration of account; deleted with account data |
| Chat messages and AI interactions | Duration of account; deleted within 30 days of account deletion |
| Support correspondence | Up to 5 years from last interaction |
| Technical and server logs | 90 days rolling |
| Consent records | 3 years (for compliance demonstration) |
| Financial/billing data | 10 years (Romanian fiscal law) |
| Server backups | 90 days rolling |
When data is no longer required, we delete or anonymize it. Data that must be kept for legal, security, or fraud-prevention obligations is retained for the required period only.
8. Your rights
Depending on your jurisdiction, you may have the right to:
- Access your personal data
- Rectify inaccurate personal data
- Erase personal data
- Restrict processing
- Data portability
- Object to processing based on legitimate interests
- Withdraw consent at any time (without affecting prior lawful processing)
- Lodge a complaint with a supervisory authority
To exercise your rights, email [email protected]. We normally respond within one month, with extension rights allowed by GDPR for complex requests.
Data portability: you may request a copy of your personal data in a structured, commonly used, machine-readable format (JSON or CSV). Contact us at [email protected] and we will provide your data export within one month.
If you believe your data has been handled unlawfully, you may lodge a complaint with your local data protection authority. In Romania, this is the Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP): B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest, Romania. Email: [email protected]. Website: www.dataprotection.ro.
9. Security
We use technical and organizational safeguards appropriate to the risk. No method of transmission or storage is completely risk-free, but we continuously work to protect personal data.
10. Automated decision-making
We do not use solely automated decision-making, including profiling, that produces legal or similarly significant effects on you. AI-generated outputs in the app (such as chat responses, exercise recommendations, and assessment interpretations) are informational and supportive in nature and do not constitute medical advice, diagnosis, or legal decisions.
11. Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (ANSPDCP) within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay, describing the nature of the breach, its likely consequences, and the measures taken or proposed to address it, as required by GDPR Article 34.
12. Children
Anima Felix requires users to be at least 16 years old, or to have reached the age of majority in their jurisdiction. Users under 16 must have consent from a parent or legal guardian. If you believe a child has provided personal data without appropriate consent, contact us and we will investigate and take appropriate action.
13. Cookies and tracking
For website tracking details and your cookie choices, please see our Cookie Policy.
14. Changes to this policy
We may update this policy to reflect product, legal, or operational changes. The latest version is always published on this page with the updated date.