Last updated: April 10, 2026

1. Introduction

OnePersonHealth is operated by Zero Point Studio d.o.o. ("we," "our," or "us"), a company registered in Zagreb, Croatia. We are committed to protecting your privacy and ensuring the security of your personal information in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use OnePersonHealth — our personal health tracking and AI-powered wellness platform, including its web application and mobile applications (collectively, the "Service"). By using our Service, you agree to the collection and use of information in accordance with this policy.

Important: OnePersonHealth processes health-related data, which is classified as special category data under GDPR Article 9. We process this data based on your explicit consent, which you provide when creating your account and using health tracking features.

2. Data Controller Information

  • Company: Zero Point Studio d.o.o.
  • Address: Rudeška cesta 179, 10000 Zagreb, Croatia
  • Email: andrej@zeropointstudio.io
  • Phone: +385 91 722 8780
  • Director: Andrej Šimunaj
  • Registration Date: April 24, 2024

3. Information We Collect

3.1 Account Information

When you register for an account, we collect:

  • Username
  • Email address
  • Password (stored as a hash computed with scrypt)
  • Google account ID (if you sign in with Google)
  • Account preferences (AI assistant style, measurement units, time format)

3.2 Profile and Biometric Information

During onboarding and profile setup, we collect:

  • Date of birth and age
  • Gender
  • Height and weight
  • Location (city/region, with latitude and longitude via Google Places)
  • Timezone
  • Activity level (sedentary, lightly active, moderately active, highly active)
  • Health objectives and preferences
  • Genetic data (if you choose to provide it)

3.3 Health and Wellness Data

Through daily use of the Service, we collect:

  • Daily metrics: Weight, sleep duration, mood (1-10), stress level (1-10), energy level (1-10)
  • Vital signs: Heart rate (average and resting), heart rate variability (HRV)
  • Nutrition data: Food and drink items with full macronutrient breakdown (calories, protein, carbohydrates, fat, saturated fat, sugars), meal timestamps
  • Activity data: Workout type (60+ activity categories), duration, calories burned, steps, distance
  • Supplement data: Supplement names, dosages, frequency, time of day, intake records
  • Sleep data: Sleep sessions with stage breakdown (deep, light, REM, awake)
  • Health summaries: Daily aggregated health metrics

3.4 Device Health App Data

If you connect Apple Health (iOS) or Google Health Connect (Android), we import:

  • Steps and distance
  • Active and total calories burned
  • Heart rate and resting heart rate
  • Heart rate variability (HRV)
  • Sleep sessions and stages
  • Workout data
  • Weight measurements

This data syncing requires your explicit permission through your device's operating system and can be revoked at any time in your device settings.

3.5 AI Interaction Data

When you use AI-powered features, we collect:

  • Chat messages and conversation history with the AI assistant
  • Food descriptions and images submitted for nutrition analysis
  • Audio recordings submitted for transcription
  • Custom AI instructions and preferences you set
  • AI-generated responses and recommendations

3.6 Usage Information

We automatically collect certain information when you use our Service:

  • Session duration and activity timestamps
  • Feature interactions and navigation patterns
  • Device type and platform information
  • Notification interactions (received, clicked, dismissed)
  • Error reports and performance metrics

3.7 Payment Information

Payment processing is handled by Stripe, Inc. We store your Stripe customer ID, subscription ID, and payment transaction records. We also store the last four digits of your card number, card brand, and expiration date for display purposes. We do not store your full credit card number, CVV, or other sensitive payment credentials — these are collected and processed directly by Stripe. Please review Stripe's Privacy Policy for details on how they handle your payment data.

4. How We Use Your Information

We use your information for the following purposes:

  • Providing and maintaining the OnePersonHealth platform and all its features
  • Processing and analyzing your health data to generate insights and recommendations
  • Powering AI features including nutrition analysis, health coaching, and food recognition
  • Authenticating your identity and managing account access
  • Processing payments, managing subscriptions, and tracking billing
  • Sending important service communications (billing, security, health reminders, policy changes)
  • Monitoring usage to enforce plan limits, rate limits, and prevent abuse
  • Improving platform performance, reliability, and feature development
  • Ensuring security and detecting fraudulent activity
  • Complying with legal obligations

5. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

  • Explicit Consent (Article 9(2)(a)): Processing of health data (special category data) is based on your explicit consent, provided when you create your account and use health tracking features. You may withdraw consent at any time by deleting your account.
  • Contract Performance (Article 6(1)(b)): Processing necessary to provide the services you have subscribed to, including account management, billing, and core platform functionality.
  • Legitimate Interests (Article 6(1)(f)): Processing for service improvement, security, fraud prevention, and analytics.
  • Legal Obligation (Article 6(1)(c)): Processing required by applicable laws (tax records, regulatory compliance).

6. Third-Party Services

We do not sell, trade, or rent your personal information. We share data with the following categories of service providers only as necessary to operate the Service:

  • OpenAI — AI-powered health coaching, nutrition analysis, food image recognition, and audio transcription.
  • Google Gemini — Alternative AI model for health coaching conversations.
  • Groq — Audio transcription and alternative AI processing.
  • Stripe — Payment processing, subscription management, and billing.
  • Brevo — Transactional email delivery and contact list management.
  • Google Places — Location search during onboarding.
  • Sentry — Error monitoring and crash reporting (PII scrubbed).
  • Firebase Cloud Messaging (FCM) — Push notification delivery.
  • Cloudflare R2 — Cloud storage for uploaded content.
  • Apple Health / Google Health Connect — Device health data import (with your permission).

We may also disclose your information when required by law, to protect our rights, or in connection with a merger, acquisition, or sale of assets.

7. Third-Party Coach API Access

If you enable the Coach API feature and share your access code with a third party:

  • The third party will be able to access your health data through our API
  • We act as the data controller for data stored on our platform, but we are not responsible for how third parties process your data after accessing it via the API
  • You are the sole decision-maker in sharing your access code and are responsible for ensuring any third party you share with handles your data appropriately
  • You can revoke access at any time by disabling the API or regenerating your access code in your settings

8. Cookies and Tracking Technologies

We use the following types of storage:

  • Essential Cookies: Required for authentication and session management. Cannot be disabled without breaking core functionality.
  • Local Storage: UI preferences, notification prompt state, and app settings.
  • IndexedDB (Service Worker): Push subscription data, offline request queue, and notification tracking.

We do not use third-party analytics cookies (such as Google Analytics) in the application. For more details, see our Cookie Policy.

9. Your Rights Under GDPR

As a data subject, you have the following rights under GDPR:

  • Right of Access (Article 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Article 16): Request correction of inaccurate or incomplete data.
  • Right to Erasure (Article 17): Request deletion of your personal data and all associated health records.
  • Right to Restrict Processing (Article 18): Request that we limit how we use your data.
  • Right to Data Portability (Article 20): Receive your health data in a structured, machine-readable format.
  • Right to Object (Article 21): Object to processing based on legitimate interests.
  • Right to Withdraw Consent: You may withdraw your consent for health data processing at any time.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority.

To exercise any of these rights, please contact us at andrej@zeropointstudio.io. We will respond to your request within 30 days.

10. Data Retention

We retain your data according to the following schedule:

  • Active accounts: All data retained for the duration of your subscription.
  • Deleted accounts: Personal data and health records deleted or anonymized within 30 days.
  • AI conversation logs: Retained for the duration of your account.
  • LLM usage logs: Retained for up to 1 year for cost tracking and abuse prevention.
  • Usage and analytics logs: Retained for up to 1 year for service improvement.
  • Payment records: Retained for 7 years as required for tax and regulatory compliance.
  • Error logs (Sentry): Retained per Sentry's default retention policies (typically 90 days).

11. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

  • Encryption of data in transit (HTTPS/TLS)
  • Password storage as scrypt hashes
  • Session-based authentication with secure, same-site cookies
  • Role-based access controls and admin authentication
  • Webhook signature verification for payment events
  • PII scrubbing on error reports before transmission to monitoring services
  • Regular security updates and monitoring
  • Rate limiting on API endpoints and AI features

While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

12. International Data Transfers

Your information may be transferred to and processed in countries outside the European Economic Area (EEA), particularly when processed by our AI service providers (OpenAI, Google, Groq — primarily based in the United States). When we transfer data internationally, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions where applicable
  • Appropriate technical and organizational safeguards compliant with GDPR requirements

13. Children's Privacy

Our Service is not intended for users under 18 years of age. We do not knowingly collect personal information or health data from anyone under 18. If we become aware that we have collected personal data from a minor, we will take steps to delete that information promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

15. Contact Us

If you have any questions about this Privacy Policy, your data, or wish to exercise your GDPR rights, please contact us:

  • Company: Zero Point Studio d.o.o.
  • Email: andrej@zeropointstudio.io
  • Address: Rudeška cesta 179, 10000 Zagreb, Croatia
  • Phone: +385 91 722 8780