Privacy Policy

Last Updated: 12 May 2026
Effective Date: 12 May 2026
Version: 2.1.0

Contents
  1. Introduction & Data Controller
  2. Data We Collect
  3. Legal Basis for Processing
  4. How We Use Your Data
  5. Data Sharing and Disclosure
  6. Data Storage, Security & Retention
  7. Your Rights Under GDPR
  8. Tracking Technologies & Mobile Identifiers
  9. Children's Privacy & Age Verification
  10. International Data Transfers
  11. Personal-Data Breach Notification
  12. Changes to This Policy
  13. Contact Us
  14. Definitions

1. Introduction & Data Controller

Welcome to ProTilo ("we," "our," "us," "ProTilo"). We are committed to protecting your privacy and ensuring the security of your personal and health data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our mobile health-tracking application and related services (the "Service").

Data Controller for purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"):

Oleksandr Zayats
Empresário em Nome Individual (sole-proprietor business registered in Portugal)
NIF / Tax ID: 311513131
Place of business: Parede, Portugal
Email (general privacy enquiries): privacy@protilo.com
Email (data protection): dpo@protilo.com

Postal correspondence address is provided in §13 below. For all legal correspondence please use email; postal mail is monitored periodically.

Medical disclaimer. ProTilo is a wellness reflection tool. It is not a medical device under EU Regulation 2017/745 (Medical Devices Regulation), is not intended to diagnose, prevent, monitor, predict, treat or alleviate any disease, injury, or disability, and does not provide medical advice, diagnosis, or treatment. Always consult a qualified healthcare professional for any medical concern. In an emergency, call your local emergency number — 112 across the European Union.

2. Data We Collect

We organise the data we collect into the categories Apple recognises in its App Privacy framework, so you can correlate this section directly with the App Store privacy disclosure.

2.1 Contact Info

2.2 User Content

2.3 Health & Fitness

Health and self-reported metric data are treated as Special Category Data under GDPR Article 9 and processed only on the legal basis described in §3.

2.4 Sensitive Info

All data described in §2.3, and any free-text content in journal entries that may reveal health, mental-health, or wellbeing status, is classified as sensitive information.

2.5 Identifiers

We do not collect IDFA (Identifier for Advertisers) and we do not display the App Tracking Transparency (ATT) prompt.

2.6 Usage Data

2.7 Diagnostics

2.8 Payment Information

The current version of ProTilo is offered free of charge. We do not collect or process any payment information. If we introduce paid features in a future version, this Privacy Policy will be updated, and your explicit consent obtained where required by law.

2.9 What We Do Not Collect

To be unambiguous about the absence of common data-collection practices in this app:


3. Legal Basis for Processing

| Data category | Legal basis | Purpose |
| --- | --- | --- |
| Account & profile data (§2.1, §2.5) | Contract — GDPR Art. 6(1)(b) | To create and operate your account, authenticate you, and deliver the Service you signed up for |
| Health and special-category data (§2.3, §2.4) | Explicit consent — GDPR Art. 9(2)(a) | To provide wellness-tracking features that are the core function of the Service. Consent is captured at onboarding through a dedicated, granular consent screen and can be withdrawn at any time. |
| Diagnostic & crash data (§2.7) | Consent — GDPR Art. 6(1)(a) | To diagnose technical errors and improve stability. Captured at onboarding; can be withdrawn in Settings → Privacy & Data. |
| Security & abuse-prevention server logs | Legitimate interest — GDPR Art. 6(1)(f) | To protect the Service from misuse, fraud, brute-force attacks, and unauthorised access. We have conducted a balancing test and concluded that this minimal logging does not override your privacy rights. |
| Records required by tax & commercial law | Legal obligation — GDPR Art. 6(1)(c) | To comply with Portuguese tax, accounting, and commercial-records obligations |

4. How We Use Your Data

4.1 Primary Purposes

4.2 What We Do NOT Do

4.3 Automated Processing & Right to Explanation

The on-device insights ProTilo shows you (see §4.4 below) are produced by deterministic rules and do not produce legal effects or similarly significant effects within the meaning of GDPR Article 22(1). They are informational signals for your personal reflection.

Notwithstanding the above, in keeping with the transparency principles of GDPR Articles 13–15 and the EU AI Act, you may always request a plain-language explanation of any specific insight — see §7.7.

4.4 AI-Generated Content — How AI Is Used in ProTilo Today

ProTilo surfaces information at three levels. Please read this section carefully. Only the third level involves any AI provider, and only with your manual action.

L1 — On-device deterministic rules. Simple comparisons against your own history: "You slept less than your 30-day average." These run entirely on your device using fixed, auditable rules. No AI is involved. No data leaves your device.

L2 — On-device pattern matching. Correlation-style observations computed locally: "Your mood has trended downward over the last 3 days." Still deterministic, still local, still zero external transmission.

L3 — AI Analysis Export (user-initiated manual paste). An optional feature in which ProTilo generates a text prompt summarising selected entries from your journal, copies it to your device clipboard, and offers a deep-link to open a third-party AI app of your choice — Google Gemini, Anthropic Claude, or OpenAI ChatGPT. You then decide whether to paste the prompt into that third-party app.

ProTilo never transmits your data to AI services automatically. Our application code contains no outbound API calls to Anthropic, OpenAI, Google AI, or any other large-language-model provider. Any transmission happens only if and when you manually paste the prompt into the third-party service yourself, at which point that service becomes the data controller for that interaction under its own privacy policy:

First-time consent. The first time you trigger AI Analysis Export, ProTilo shows a consent modal that summarises the facts above and records your explicit acceptance. You may decline at any time without losing access to other app features — rules-based insights remain fully available.

Disclaimer for AI output. Any response you receive from a third-party AI service is for personal reflection only and must not be interpreted as medical advice, diagnosis, or treatment. AI responses may be inaccurate, incomplete, or out of date.

For complete transparency about how AI is used in ProTilo, see our separate AI Transparency document.

4.5 Looking Ahead — Future Server-Side AI Processing

This section is forward-looking and describes a feature that is NOT active in the current version.

In a future release of ProTilo we may introduce server-side AI-generated insights. In that future model, ProTilo's backend would send a structured prompt derived from your data to a third-party AI provider (for example, Anthropic Claude or OpenAI), receive a response, and store the resulting insight in your account.

If and when we introduce this feature:

Server-side AI processing is not active in the current version. The current AI Analysis Export feature (§4.4) requires your manual action to copy and paste content into a third-party AI app.


5. Data Sharing and Disclosure

5.1 Processors — Service Providers Acting on Our Behalf

We engage the following providers to process personal data on our behalf, each under a written Data Processing Agreement satisfying GDPR Article 28:

| Provider | Role | Data shared | Hosting location |
| --- | --- | --- | --- |
| Google Cloud / Firebase (Google Ireland Ltd, with Google LLC and affiliates) | Hosting, database (Firestore), authentication, Cloud Functions, Cloud Messaging (FCM) | Account data, health data, technical data, push tokens | EU (europe-west1, Belgium) for primary storage |
| Sentry (Functional Software, Inc.) | Crash and error diagnostics | Stack traces, device model, anonymised user identifier, app version. No email, no name, no health data. | EU (Frankfurt ingest endpoint) |
| Expo (650 Industries, Inc.) | Push-notification delivery (Expo Push Service) | Device push token, notification payload metadata | United States — transfers under EU Standard Contractual Clauses |
| Google Workspace (Gmail SMTP) | Transactional email delivery (welcome, password reset, deletion confirmations, security alerts) | Recipient email address, email content | EU/US — Google operates under the EU-US Data Privacy Framework |

5.2 Independent Controllers — Parties That Process Your Data on Their Own Account

Certain parties involved in delivering the Service to you process personal data as independent controllers, under their own privacy policies and on their own legal basis. We do not have a processor relationship with them, and they are not bound by our Data Processing Agreements.

| Party | Role | Their privacy policy |
| --- | --- | --- |
| Apple Inc. | App distribution (App Store, TestFlight), Sign in with Apple, HealthKit consent management, Push Notification Service (APNs) | apple.com/legal/privacy |
| Google LLC (only if you choose to sign in with Google) | Federated identity provider | policies.google.com/privacy |
| Anthropic, OpenAI, Google AI (only if you choose to paste an AI Analysis Export prompt — see §4.4) | Third-party AI processing of content you choose to share with them | Linked from §4.4 above |

5.3 Adding New Providers

If we add a new processor or independent controller, we will update this list and notify you by in-app notice and email at least 30 days before the change takes effect.

5.4 Legal Requirements

We may disclose your data only if strictly required by a binding court order from a competent EU authority, or to:

We resist over-broad requests and notify affected users where lawfully permitted to do so.

5.5 Business Transfers

If ProTilo's business is acquired by, merged with, or transferred to another organisation, your data may be transferred to the new operator. In such an event we will:


6. Data Storage, Security & Retention

6.1 Where We Store Your Data

All personal data is stored on Google Cloud / Firebase servers in the European Union region europe-west1 (Saint-Ghislain, Belgium). Cloud Functions execute in the same region. Firebase has been explicitly configured so that primary data storage does not replicate to non-EU regions.

6.2 Security Measures

6.3 Data Retention

| Data category | Retention period |
| --- | --- |
| Active account — profile, check-ins, health data | For the lifetime of your account, subject to the inactivity rule below |
| Inactive accounts | If you do not sign in for 24 consecutive months, we send a notice to your registered email address. If you do not sign in within 30 days of that notice, we automatically delete your account and all associated data. |
| Account in user-initiated deletion grace period | Up to 7 days, then irreversibly deleted (see §7.3) |
| Daily backups | 30 days, rolling |
| Security & audit logs | 24 months |
| Aggregated, fully-anonymised statistics (no person identifiable) | Indefinite (not personal data under GDPR) |
| Tax & accounting records (Portuguese legal obligation, Código do IRC) | 10 years from end of fiscal year |

7. Your Rights Under GDPR

7.1 Right of Access (Art. 15)

You can request a copy of all personal data we hold about you.
How: Settings → Safety → Request Data Export, or email privacy@protilo.com.

7.2 Right to Rectification (Art. 16)

You can correct inaccurate or incomplete data directly in the app (Profile screen; journal entries), or by writing to privacy@protilo.com.

7.3 Right to Erasure / "Right to Be Forgotten" (Art. 17)

You can request deletion of your account and all associated personal data at any time.
How: Settings → Safety → Delete Account. You will be asked to type DELETE and re-enter your password. The account is queued for deletion and irreversibly removed within 7 days; you can sign in during that 7-day window to cancel.
What is removed: all profile data, all health data, all check-ins, all derived insights, push tokens, Sentry pseudonymous identifier.
What is retained: server-side audit logs (24 months) and minimum tax records, as required by legal obligation.

7.4 Right to Restrict Processing (Art. 18)

You can ask us to suspend processing while a dispute about accuracy or lawful basis is resolved. Email privacy@protilo.com.

7.5 Right to Data Portability (Art. 20)

You can receive your data in a structured, commonly-used, machine-readable format (JSON).
How: Settings → Safety → Request Data Export. We acknowledge the request immediately and deliver a downloadable archive within 30 days, normally faster.

7.6 Right to Withdraw Consent (Art. 7(3))

You can withdraw consent for the processing of health data, AI Analysis Export, and diagnostic data at any time in Settings → Privacy & Data → Manage Consents. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal. Withdrawing health-data consent will require us to delete the associated health data and will substantially limit Service functionality, because health data is the core of the Service.

7.7 Right to an Explanation of Insights

Although our insights are not automated decisions within the meaning of GDPR Article 22, we voluntarily offer a right to explanation as a transparency commitment, in keeping with GDPR Articles 13–15 and the EU AI Act. You may request a plain-language explanation of:

Email privacy@protilo.com with the date and title of the insight. We respond within 30 days (GDPR Art. 12(3)).

7.8 Right to Lodge a Complaint (Art. 77)

If you believe we have processed your data in breach of GDPR, you may lodge a complaint with your national data-protection authority. ProTilo's lead supervisory authority is:

Comissão Nacional de Proteção de Dados (CNPD) — Portugal
Av. D. Carlos I, 134, 1.º, 1200-651 Lisboa, Portugal
www.cnpd.pt · geral@cnpd.pt

If you reside in another EU/EEA Member State, you may also complain to your local authority. A directory of European data-protection authorities is available at edpb.europa.eu/about-edpb/about-edpb/members.

7.9 No Fee, No Discrimination

Exercising any of these rights is free of charge and will not result in any degradation of the Service you receive (other than the natural consequences of the right itself — for example, deleting your account ends your access to it).


8. Tracking Technologies & Mobile Identifiers

ProTilo is a native iOS application and does not use web cookies, web beacons, pixel tags, or any browser-based tracking technology. We use a small number of mobile identifiers strictly necessary to operate the app (IDFV, Firebase Installation ID, push token).

We do not perform cross-app or cross-site tracking, we do not display the App Tracking Transparency (ATT) prompt, and we do not collect IDFA. Full detail is available in our separate Mobile Tracking Policy.


9. Children's Privacy & Age Verification

ProTilo is intended exclusively for users aged 18 or older.

We take active measures to prevent the creation of accounts by users under 18:

If you are a parent or guardian and believe a minor has provided us with personal data, please contact us immediately at privacy@protilo.com. We will treat your request as a priority.

We do not market the Service to persons under 18. Our 18+ policy is a more conservative threshold than the GDPR digital-service consent age (16, or lower as set by Member States), and reflects our commitment to keeping wellness-tracking with sensitive personal content out of the hands of minors.


10. International Data Transfers

The primary storage location for your personal data is the European Union (Belgium). Some processors and independent controllers we work with — namely Expo, Apple, and (if you choose to use them) Google, Anthropic, and OpenAI — are based in the United States or operate global infrastructure that may involve transfers outside the EU/EEA.

Where such transfers occur, they are governed by appropriate safeguards under GDPR Chapter V:

We maintain documentation of these safeguards and make a summary available on request to dpo@protilo.com.


11. Personal-Data Breach Notification

In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will:

To report a suspected security issue, email security@protilo.com. We treat coordinated disclosure of security issues with appreciation and will not pursue good-faith security researchers.


12. Changes to This Policy

We may update this Privacy Policy to reflect changes in the Service, in applicable law, or in our data-processing practices. When we make material changes we will:

Continued use of the Service after the effective date of an update constitutes acceptance of the updated Privacy Policy for processing not requiring consent. For processing that requires consent, your previous consent does not carry over — affirmative re-consent is required.

Historical versions of this Privacy Policy are available on request to privacy@protilo.com.


13. Contact Us

General privacy enquiries: privacy@protilo.com

Data protection & rights requests: dpo@protilo.com

Security & vulnerability reports: security@protilo.com

Legal & contractual matters: legal@protilo.com

General support: support@protilo.com

Postal correspondence:

Oleksandr Zayats — ENI
Parede, Portugal
NIF 311513131

For all legal and time-sensitive matters please use email; postal mail is monitored periodically.

Response time: We respond to all rights requests within 30 days, as required by GDPR Art. 12(3). Where a request is complex or where we receive a high volume of requests, we may extend the response period by up to an additional 60 days and will inform you of the extension and the reason for it within the initial 30-day period.


14. Definitions


This Privacy Policy is governed by Portuguese law and the GDPR. By using the ProTilo Service, you acknowledge that you have read and understood this Privacy Policy.