Privacy Policy Zurück

As of: March 2026

1. Data Controller

Christoph Stern
Bruckergasse 21
6060 Hall in Tirol, Austria
Email: datenschutz@meinsomaviva.com

2. Data We Process

SomaViva processes the following personal data:

2.1 Account Data

  • Email address: Stored only as a cryptographic hash (SHA-256). We cannot read your email address in plain text.
  • Display name: Optional, set by you.
  • Registration date, last login

2.2 Health Data (special categories, Art. 9 GDPR)

SomaViva processes health data that you voluntarily enter:

  • Sleep quality and duration
  • Mood, energy, stress level
  • Nutrition data (meals, hunger, satisfaction)
  • Body sensations and discomfort
  • Fluid intake
  • Exercise and physical activity (type, duration, intensity)
  • Supplements and medications (names are stored encrypted)
  • Menstrual cycle data (flow intensity, cycle phase, cycle-related symptoms)
  • Journal entries (free text, fully encrypted at rest, AES-256-GCM)
  • Wellbeing check-in (PHQ-2, GAD-2, PSS-4 — self-assessed scales)

Encryption: Free-text fields (notes, symptom details, journal entries) are stored encrypted (AES-256-GCM). Numeric values (scales 1-10, times, amounts) remain unencrypted for analysis purposes.

2.4 AI-Powered Analysis (optional)

SomaViva offers optional AI-powered features that you can enable or disable individually:

  • Personal Wellness Analysis: Aggregated statistics from your entries (averages, trends — no raw data) are sent to Mistral AI (Mistral AI SAS, Paris, France) to generate personalized wellness insights. A Data Processing Agreement (DPA) per Art. 28 GDPR is in place with Mistral AI.
  • Journal in AI Analysis: If you enable this option, short excerpts of your journal entries (maximum 200 characters per entry) are sent to Mistral AI. You can disable this at any time in the settings.
  • Voice Input: When you use the voice feature, audio data is sent to Mistral AI for transcription. Audio data is not stored after processing.
  • Automatic Detection: Structured data is automatically detected from journal entries (e.g., activities, symptoms, meals). This detection is performed via Mistral AI.

Important: For all AI features, no personal data (name, email address, account ID) is transmitted to Mistral AI. Processing is based on your explicit consent (Art. 9(2)(a) GDPR), which you can grant and revoke individually for each feature.

2.5 Social Login (optional)

You can optionally sign in via external providers. The following data is transmitted by the respective provider:

  • Email address, name and provider account ID

Available providers: Google (Google LLC, USA), Amazon (Amazon.com Inc., USA), Microsoft (Microsoft Corp., USA). Data transfer is based on Standard Contractual Clauses (SCC) per Art. 46 GDPR.

This data is used exclusively for authentication and account linking. Providers have no access to your health data.

You can unlink any provider at any time in the settings. Your account remains accessible via Magic Link.

2.5 Technical Data

  • IP address (during login and practitioner access)
  • Browser/User-Agent (during session creation)
  • Session tokens

4. Practitioner Sharing (Practitioner Connection)

You can selectively share your data with registered practitioners:

  • You decide which modules and which time period practitioners can see.
  • You can revoke the connection at any time.
  • Every access by practitioners is logged (audit log).
  • You can view the access log at any time in the settings.
  • Free-text notes are not shown to practitioners (encrypted).

5. Storage and Security

  • Hosting: IONOS (1&1 Ionos SE, Germany). A data processing agreement (Art. 28 GDPR) exists with IONOS, ensuring instruction-bound processing of your data.
  • Backup: Encrypted database backups are stored at Backblaze Inc. (B2 Cloud Storage, EU data center in the Netherlands). Backups contain exclusively encrypted data — Backblaze has no access to plain text data. A Data Processing Addendum (DPA) per Art. 28 GDPR is in place.
  • AI Analysis: Mistral AI SAS (Paris, France) processes aggregated wellness data, journal excerpts and audio data on our behalf. A Data Processing Agreement (DPA) per Art. 28 GDPR is in place. Mistral AI does not store data beyond the processing duration.
  • Encryption: TLS/HTTPS for all connections, field-level encryption for sensitive data
  • Passwordless: We use Magic Links instead of passwords — your access is tied to your email address.
  • Sessions: HttpOnly Cookies, not visible in URLs
  • Retention period: Your data is stored as long as your account exists. On the free plan, entries are automatically deleted after 90 days. When you delete your account, all data is immediately and irreversibly deleted. Consent records (Art. 7 GDPR) are retained in anonymized form. Encrypted backups are overwritten after 30 days at the latest.

6. Your Rights

You have the following rights under the GDPR:

6.1 Right of Access (Art. 15)

You can view and export all your data at any time (Settings → Export data).

6.2 Right to Data Portability (Art. 20)

You can export your data at any time as JSON or CSV.

6.3 Right to Erasure (Art. 17)

You can permanently delete your account and all associated data at any time (Settings → Delete account).

6.4 Right to Withdraw Consent

You can withdraw your consent to the processing of your health data at any time by deleting your account.

6.5 Right to Lodge a Complaint

You have the right to lodge a complaint with the competent supervisory authority:
Austrian Data Protection Authority
Barichgasse 40-42, 1030 Vienna
dsb@dsb.gv.at

7. Cookies

SomaViva uses only technically necessary cookies:

  • somaviva_session: Session cookie for authentication (HttpOnly, Secure, SameSite=Lax)

We do not use tracking cookies, analytics tools, or advertising services.

8. Contact

For questions about data protection, contact: datenschutz@meinsomaviva.com