PRIVACY POLICY

Last updated: April 20, 2026

This Privacy Policy explains how Augmy s.r.o. ("Augmy," "we," "us," or "our") collects, uses, processes, and protects personal data in connection with the Augmy mobile application, website, and related services (collectively, the "Service").

Augmy is built with a privacy-first approach. Wherever possible, data is processed locally on your device, encrypted, and minimized. When data must be transmitted or processed remotely, we limit it to what is strictly necessary, protect it in transit, encrypt it, and retain it only for as long as needed to provide the Service.

Augmy, with its registered office in the Czech Republic, acts as the data controller for the personal data processed under this Privacy Policy.

This Privacy Policy applies to all users of the Service and describes:

• What data we collect
• How and why we use it
• The legal bases for processing
• How we share and protect data
• Your rights and choices

We are committed to protecting your privacy and processing your personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR").

By using the Service, you acknowledge that your personal data may be processed as described in this Privacy Policy. If you do not agree with this Privacy Policy, you should not use the Service.

This Privacy Policy should be read together with the Augmy Terms of Use, which govern your use of the Service.

TABLE OF CONTENTS

• 1. OUR PRIVACY PRINCIPLES
• 2. DATA WE COLLECT
• 3. LEGAL BASIS FOR PROCESSING
• 4. HOW WE USE DATA
• 5. DATA SHARING AND THIRD PARTIES
• 6. DATA RETENTION
• 7. YOUR RIGHTS
• 8. DATA SECURITY
• 9. INTERNATIONAL DATA TRANSFERS
• 10. CHILDREN'S PRIVACY
• 11. CHANGES TO THIS PRIVACY POLICY
• 12. CONTACT INFORMATION
• 13. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

1. OUR PRIVACY PRINCIPLES

We design the Service around a set of core privacy principles that guide how personal data is handled across all features.

Local-first processing

Wherever possible, data is stored and processed locally on your device. This reduces the need to transmit personal data to our servers.

End-to-end protection of private content and communications

Where supported, private content and communications are protected using end-to-end encryption (E2EE), meaning that only you or the intended recipients can access the content.

Data minimization

We collect and process only the data necessary to provide each feature. Optional features require your explicit action and can be disabled at any time.

Ephemeral processing

Many types of data (such as text inputs, voice recordings, and biometric signals) are processed transiently to generate insights and are not stored after processing is completed.

Aggregation and de-identification

Where data is stored, it is typically transformed into aggregated or derived forms designed to reduce or remove direct identification of users.

Encryption in transit

All data transmitted between your device and our systems is protected using secure communication protocols.

Limited retention

Personal data is retained only for as long as necessary to provide the Service, after which it is deleted or made non-identifiable.

2. DATA WE COLLECT

We collect and process different types of personal data depending on how you use the Service. This includes information you provide directly, data generated through your use of the Service, and data derived from analysis of your interactions with the Service.

2.1 Account and Identity Information

When you create an account, we may collect:

• email address
• authentication identifiers from third-party login providers (such as Apple, when provided, or Google)
• optional phone number (which may be processed in hashed form for contact discovery)

2.2 User Content and Inputs

The Service allows you to create and interact with different types of content, including:

• messages
• journal entries
• mood updates
• voice recordings
• media (such as images, videos, and GIFs)

This content is processed to provide features of the Service and generate insights.

• Messages and shared content (such as mood updates shared with others) are protected using end-to-end encryption (E2EE) and are processed to generate insights and support features of the Service.
• Journal entries are stored in encrypted form and can only be decrypted on your device. We do not have access to the content of your journal entries.
• Voice recordings are processed to generate insights and are not stored after processing is completed.
• Media content is processed as needed to enable features of the Service. Storage and transmission depend on the specific functionality you use.

2.3 Sensor, Behavioural, and Contextual Data

If you choose to enable certain features, we may process additional data generated through your device and interactions with the Service. This may include:

• sensor data (such as motion or activity-related signals)
• behavioural data (such as usage patterns and interactions within the Service)
• contextual data (such as time-based or activity-related context)

This data is used to support specific features, improve insights, and enhance your experience of the Service.

These features are optional and can be enabled or disabled at any time.

2.4 Special Category Data (Health and Biometric Data)

Some features of the Service may involve the processing of data that may be considered special category data under applicable data protection laws, including:

• heart rate and resting heart rate
• activity levels (such as steps, exercise, and movement patterns)
• sleep patterns and duration
• mood-related inputs and wellness indicators

This data is provided directly by you or accessed through integrations with third-party platforms (such as HealthKit or Health Connect), where enabled.

Where you enable relevant features, such data may be processed for the following purposes:

• Heart rate and resting heart rate: used to identify physiological patterns and variations over time, contributing to general wellbeing insights.
• Activity levels and exercise data: used to understand physical activity patterns, intensity, and consistency, and to support analysis of routines and behavioural trends.
• Step count and movement-related data: used to assess daily activity levels, movement consistency, and general lifestyle patterns.
• Sleep data: used to identify sleep patterns and analyze relationships between sleep, mood, and daily behaviour.
• Mood-related inputs and wellness indicators: used as primary signals to generate insights and correlate with behavioural and physiological patterns.

This data supports features designed to help you understand and improve your general wellbeing, including:

Fitness, wellness, and coaching features

• tracking daily activity and movement patterns
• analyzing sleep health, duration, and routines
• monitoring changes in mood and behavioural patterns over time
• identifying trends and correlations between activity, sleep, mood, and lifestyle factors
• detecting patterns that may indicate changes in your general wellbeing (for example, variations in activity or sleep over time), without providing medical conclusions
• supporting tracking of lifestyle and personal habits for self-reflection and awareness

Gamified and activity-based features

• features where in-app progress, achievements, or interactive elements are influenced by your real-world activity or wellness data (for example, visual indicators such as a personal “garden” reflecting mood or wellbeing)
• experiences that use aggregated activity or usage signals to unlock or enhance functionality (for example, accessing specific features or rewards based on engagement with the Service)
• interactive systems designed to encourage engagement with wellbeing-related activities (for example, sharing, tracking progress, or participating in group-based features such as collaborative elements)

The Service is designed for wellness, self-reflection, and lifestyle insights. It does not provide medical, clinical, or treatment functionality.

2.5 Analytical and Derived Data

We may generate and process data derived from your interactions with the Service, including insights related to mood, behaviour, activity patterns, and usage of features.

This data is used to support the functionality of the Service, improve features, and enhance overall performance.

Where such data is stored, it is typically processed in non-identifiable forms that do not directly link to you.

2.6 Contact Data (Contact Discovery)

If you choose to use contact discovery features, your contact list may be processed on your device to identify other users of the Service.

Phone numbers are transformed using a one-way (irreversible) hashing process before any matching is performed. This means the original phone numbers cannot be reconstructed from the hashed values.

Hashed identifiers may be used solely for the purpose of matching contacts with existing users of the Service. We do not store raw contact lists.

2.7 Subscription and Payment Information

If you subscribe to paid features of the Service, payments are processed by third-party platforms (such as the Apple App Store or Google Play).

We use RevenueCat to manage subscriptions and entitlements.

We do not receive or store full payment details. We may only process limited information related to your subscription status and entitlements to provide access to paid features.

2.8 Data Stored on Your Device

Some data generated through your use of the Service may be stored locally on your device and not be transmitted to our servers.

Such data may include user content, activity data, and other information required to support features of the Service.

Locally stored data may be protected using encryption technologies (such as SQLCipher for SQLite databases), ensuring that it remains accessible only on your device.

We do not access or process locally stored data unless it is necessary to provide a specific feature of the Service and such processing is performed in accordance with this Privacy Policy.

3. LEGAL BASIS FOR PROCESSING

We process personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR").

3.1 Performance of a Contract (Article 6(1)(b) GDPR)

We process personal data where necessary to provide and operate the Service, including account creation and management, core features, communication between users, and customer support.

3.2 Legitimate Interests (Article 6(1)(f) GDPR)

We may process personal data where necessary for our legitimate interests, such as improving the Service, ensuring performance and reliability, and maintaining security.

Where we rely on this basis, we take steps to ensure that your rights and freedoms are protected and not overridden.

3.3 Consent (Article 6(1)(a) GDPR)

We rely on your consent where you choose to enable optional features or provide data that is not required for the core operation of the Service.

You may withdraw your consent at any time by disabling the relevant features or adjusting your settings.

3.4 Processing of Special Category Data (Article 9(2)(a) GDPR)

Where features involve the processing of health or biometric data, we rely on your explicit consent in accordance with Article 9(2)(a) GDPR.

You may withdraw this consent at any time by disabling the relevant features or permissions within the Service or your device settings.

3.5 Legal Obligations (Article 6(1)(c) GDPR)

We may process personal data where necessary to comply with legal obligations, including responding to lawful requests from public authorities and complying with applicable laws and regulations.

4. HOW WE USE DATA

Personal data supports the operation of the Service, its features and functionalities, and ongoing improvements.

4.1 Providing and Operating the Service

We use personal data to:

• create and manage user accounts
• enable core features such as messaging, journaling, and mood tracking
• facilitate communication and interaction between users
• support contact discovery and user connections
• provide customer support

4.2 Generating Insights and Analysis

Data is processed to generate insights related to:

• mood and emotional patterns
• activity levels and routines
• behavioural trends over time

Where enabled, this includes analysis of wellness and biometric data (such as activity, sleep, and physiological signals), as described in Special Category Data (Health and Biometric Data).

This analysis may include:

• identifying patterns and variations over time
• analyzing relationships between activity, sleep, mood, and user behaviour
• detecting trends and changes across multiple data points
• generating insights based on correlations between different types of data

Data is analyzed in combination and is not interpreted in isolation.

Processing may involve automated systems, including artificial intelligence or machine learning technologies, and is designed to support general wellbeing and self-reflection.

Raw inputs (such as text, voice, or biometric signals) are not retained after processing. Outputs are typically stored as derived or aggregated data designed to reduce direct identification of users.

The Service is not intended to provide medical, psychological, or clinical advice, diagnosis, or treatment. Automated analysis supports user understanding and does not replace human judgment.

4.3 Optional Features

Certain features of the Service are optional and require your active choice to enable. When these features are enabled, additional data may be processed, including sensor, behavioural, contextual, or wellness-related data, as described in Data We Collect.

This data is used to:

• enhance the accuracy and relevance of insights
• reduce the need for manual input
• support more context-aware and adaptive functionality
• enable features that rely on real-time or continuous data inputs

Optional features are designed to provide additional value and can be enabled or disabled at any time through the Service or your device settings.

4.4 Improving and Developing the Service

Data about how the Service is used, including interaction patterns, feature usage, and aggregated activity signals, is analyzed to:

• identify which features are used and how they perform
• improve the accuracy and relevance of insights and recommendations
• detect issues and optimize performance and reliability
• refine analytics, models, and system behaviour over time

This processing is based on aggregated or non-identifiable data and is designed to improve the overall quality and functionality of the Service.

4.5 Security and Integrity

Personal data may be processed to maintain the security of the Service and protect users. This includes:

• detecting and preventing unauthorized access, misuse, or abuse
• identifying and responding to security incidents
• ensuring the integrity and proper functioning of the Service
• enforcing applicable terms and policies

Security-related processing may involve monitoring system activity, detecting anomalies, and applying safeguards designed to prevent unauthorized or harmful behaviour.

4.6 Automated Processing and Decision-Making

Some features of the Service involve automated processing, including systems based on artificial intelligence or machine learning systems.

This processing is used solely to generate insights, support functionality, and improve the Service. Automated analysis is designed to assist users and does not replace human judgment.

It isn't used to make decisions that produce legal or similarly significant effects on users.

4.7 Wellness Disclaimer

The Service provides general wellness, lifestyle, and self-reflection insights together with gamified features as explained in Section 2.

It is not intended to provide medical or healthcare advice, diagnosis, or treatment, and should not be used for medical purposes.

Any insights or outputs generated by the Service are provided for informational and personal use only and should not be relied upon as a substitute for professional advice from qualified healthcare providers.

5. DATA SHARING AND THIRD PARTIES

We do not and will never sell your personal data.

Personal data may be shared only where necessary to provide and operate the Service, including with service providers that support core functionality such as infrastructure, communication, analytics, and payments.

Any such sharing is limited to what is required for the specific purpose and is subject to appropriate safeguards.

You control the information you choose to share through the Service, including through optional features and interactions with other users.

5.1 Service Providers (Processors)

We use trusted third-party service providers (“processors”) to support the operation of the Service. These providers process personal data on our behalf and only as necessary to perform their respective functions.

These providers may support functions such as:

• hosting and infrastructure
• data storage and database management
• analytics and system performance
• security and fraud prevention
• communication and messaging functionality
• customer support services

This may include services and technologies such as:

• Firebase
  Used for backend services, analytics, and performance monitoring. Firebase may process usage data and technical information to support the operation and improvement of the Service.
• Matrix protocol (messaging infrastructure)
  Used to enable communication features within the Service. Messaging is designed to support end-to-end encryption, ensuring that only you and intended recipients can access the content.
• Cloud infrastructure providers (such as Amazon Web Services or OVHcloud)
  Used to host and operate the Service and its data storage systems.

All such providers are contractually bound to process personal data only in accordance with our instructions, implement appropriate security measures, and comply with applicable data protection laws, including Article 28 of the GDPR.

5.2 Payment Processing

If you subscribe to paid features, those payments are processed by third-party platforms such as the Apple App Store or Google Play. We use RevenueCat to manage subscriptions and user entitlements.

These providers process payment and subscription-related data in order to enable purchases and manage access to paid features.

5.3 Third-Party Integrations

The Service may allow you to connect or interact with third-party services. These integrations are optional and are enabled only if you choose to use them.

Such integrations may include platforms or services that provide additional data or functionality, such as health, activity, or device-related information (for example, Apple HealthKit or Google Health Connect).

When you enable a third-party integration:

• data may be shared between the Service and the third-party service in accordance with your settings and permissions
• the processing of data by the third-party service is subject to its own terms and privacy policy
• we do not control how third-party services use or process your data once it has been shared with them

You can enable or disable these integrations at any time through the Service or your device settings.

5.4 Providers Supporting Automated Processing

Automated processing within the Service may be performed using a combination of internal systems and specialized third-party providers.

This includes:

• Internal systems and models
  Models developed by Augmy and used to analyze data and generate insights as part of the Service’s functionality.
• audEERING (voice processing technology)
  Used to process voice inputs for the purpose of generating insights. Voice data is processed transiently and is not stored after processing.

Where third-party providers are used, they process data only to the extent necessary to:

• generate insights
• support specific features of the Service

We do not permit such providers to use your personal data for their own independent purposes.

5.5 Legal Requirements

We may disclose personal data where required to do so by law or in response to valid legal requests, including:

• compliance with legal obligations
• responding to lawful requests from public authorities
• protecting the rights, safety, or integrity of the Service, our users, or others

5.6 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of assets, personal data may be transferred as part of that transaction.

Such transfers will be carried out only where necessary for the continuation of the Service and in accordance with applicable data protection laws.

Personal data will not be transferred or used independently of the Service for unrelated purposes.

Where such a transfer occurs, we will ensure that appropriate safeguards are in place to protect your data.

5.7 Aggregated and Non-identifiable Data

We may share aggregated or non-identifiable data that does not directly identify you for purposes such as:

• research and analysis
• improving the Service
• developing new features

6. DATA RETENTION

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including providing the Service, complying with legal obligations, resolving disputes, and enforcing our agreements.

Retention periods may vary depending on the type of data and how it is used.

6.1 Data not retained

Certain types of data are processed only temporarily and are not retained after processing. This includes:

• voice recordings used for analysis
• raw biometric or physiological data processed for insights

Such data is processed solely to generate outputs or insights and is discarded after processing is completed.

6.2 Data We Retain

We retain certain types of data where necessary to provide and improve the Service, including:

• account and identity information (such as email address and authentication identifiers)
• subscription and entitlement information
• sensor, behavioural, and contextual data (where features are enabled)
• derived or analytical data (such as mood insights or activity patterns)

Where possible, such data is stored in aggregated or non-identifiable form.

6.3 Retention Criteria

We determine retention periods based on factors including:

• the purpose for which the data was collected
• whether the data is necessary to provide the Service
• legal, regulatory, or contractual requirements
• security and fraud prevention needs

Account-related data is generally retained for as long as your account remains active.

6.4 Data Stored on Your Device

Certain data remain stored locally on your device and is not controlled by us unless it is transmitted to our systems through specific features.

6.5 Account Information and Deletion

If you would at any time like to review or change the information in your account or terminate your account, you can:

• log in to your account settings and update your user account
• manage information associated with you at https://augmy.org/delete-me

Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms and/or comply with applicable legal requirements.

If you have questions or comments about your privacy rights, you may email us at info@augmy.org.

If you choose to delete your account:

• personal data associated with your account will be deleted or non-identifiable without undue delay
• we may retain certain data for 30 days after account deletion before starting to clear the data for purposes such as:
  • detecting and preventing fraud or abuse
  • resolving disputes
  • enforcing our Terms of Use
  • complying with legal obligations

After this period, the data will be deleted or non-identifiable, unless further retention is required by law. Residual data may be retained in aggregated or non-identifiable form where it no longer identifies you.

7. YOUR RIGHTS

If you are in the European Economic Area (EEA) or a jurisdiction with similar data protection laws, you have certain rights regarding your personal data.

• Right of Access – to confirm whether we process your personal data and to obtain a copy of that data, along with information about how it is used
• Right to Rectification – to correct inaccurate or incomplete personal data
• Right to Erasure – to request deletion of your personal data in certain circumstances, such as where the data is no longer necessary for the purposes for which it was collected
• Right to Restrict Processing – to limit the processing of your personal data in certain situations, such as where you contest its accuracy or object to processing
• Right to Object – to object to certain types of processing, including processing based on legitimate interests
• Right to Data Portability – to request a copy of your personal data in a structured, commonly used, and machine-readable format, and to have that data transmitted to another service provider where technically feasible.
• Right to Withdraw Consent – Where we rely on your consent to process personal data, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
• Right to Lodge a Complaint – to lodge a complaint with a competent data protection authority if you believe that your personal data has been processed in violation of applicable data protection laws. You may contact the supervisory authority in your country of residence, place of work, or place of the alleged infringement.

7.1 Exercising Your Rights

To exercise these rights, you can contact us by visiting https://augmy.org/delete-me, by emailing us at info@augmy.org, or by referring to the contact details at the bottom of this document.

Under certain US state data protection laws, you can designate an authorized agent to request on your behalf. We may deny a request from an authorized agent that does not submit proof that they have been validly authorized to act on your behalf in accordance with applicable laws.

Request Verification

Upon receiving your request, we will need to verify your identity to determine you are the same person about whom we have the information in our system. We will only use personal information provided in your request to verify your identity or authority to make the request. However, if we cannot verify your identity from the information already maintained by us, we may request that you provide additional information for the purposes of verifying your identity and for security or fraud-prevention purposes.

If you submit the request through an authorized agent, we may need to collect additional information to verify your identity before processing your request and the agent will need to provide a written and signed permission from you to submit such request on your behalf.

Appeals

Under certain US state data protection laws, if we decline to take action regarding your request, you may appeal our decision by emailing us at info@augmy.org. We will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If your appeal is denied, you may submit a complaint to your state attorney general.

California "Shine The Light" Law

California Civil Code Section 1798.83, also known as the "Shine The Light" law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us by using the contact details provided in the section "Contact Infromation".

8. DATA SECURITY

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, misuse, or alteration.

These measures include:

• storing and processing data locally on your device wherever possible
• protecting locally stored data using encryption mechanisms
• transmitting data using secure communication protocols
• applying end-to-end encryption for supported communications (including diary) and shared content
• minimizing the amount of data transmitted by using aggregated or derived data where appropriate

Where data is transmitted, it is protected in transit and, where possible, processed in a manner designed to reduce direct identification of users.

While we take reasonable steps to protect your data, no system can be completely secure. We encourage users to take appropriate measures to protect their own devices and account credentials.

9. INTERNATIONAL DATA TRANSFERS

Your personal data may be processed and stored in countries outside of your country of residence, including countries outside the European Economic Area (EEA), depending on the location of our service providers.

Where personal data is transferred outside of the EEA, we ensure that appropriate safeguards are in place to protect your data in accordance with applicable data protection laws.

These safeguards may include:

• the use of Standard Contractual Clauses (SCCs) approved by the European Commission
• reliance on adequacy decisions issued by the European Commission, where applicable
• other legally recognized transfer mechanisms under applicable data protection laws

Where required, we take additional steps to ensure that personal data remains protected, which may include conducting assessments of the level of data protection in the recipient country.

We take reasonable measures to ensure that any third-party providers processing personal data on our behalf provide an adequate level of data protection.

For more information about international data transfers or the safeguards we use, you may contact us using the contact details provided in this Privacy Policy.

10. CHILDREN'S PRIVACY

The Service is intended for users who are at least 16 years old.

If you are under 16 years of age, you may use the Service only where permitted by applicable law in your jurisdiction and with the consent and supervision of a parent or legal guardian. In some countries (including those in the European Economic Area under the GDPR), the minimum age for consent to the processing of personal data may be lower (but not below 13).

We do not knowingly collect or process personal data from users who do not meet these requirements.

If we become aware that personal data has been collected from a child without appropriate consent, we will take reasonable steps to:

• delete the data, or
• restrict access to the Service

If you are a parent or legal guardian and believe that a child has provided personal data without appropriate consent, please contact us using the contact details provided in this Privacy Policy.

11. CHANGES TO THIS PRIVACY POLICY

We may update or modify this Privacy Policy from time to time to reflect changes to the Service, legal requirements, or our data processing practices.

When we make material changes, we will provide notice through the Service, on our website, push-notifications or email.

The updated Privacy Policy will become effective on the date indicated at the top of this document. We encourage you to review this Privacy Policy periodically to stay informed about how your data is protected.

Your continued use of the Service after the updated Privacy Policy becomes effective constitutes your acknowledgment of the updated terms.

12. CONTACT INFORMATION

If you have questions or comments about this notice, you may email us at info@augmy.org or contact us by post at:

Augmy s.r.o.
Chrastavská 89/68
Prague 9, 190 00
Czechia

13. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

You have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law.

To request to review, update, or delete your personal information, please visit: https://augmy.org/delete-me.