Last Updated: 12 May 2026
Effective Date: 12 May 2026
Version: 2.1.0
Welcome to ProTilo ("we," "our," "us," "ProTilo"). We are committed to protecting your privacy and ensuring the security of your personal and health data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our mobile health-tracking application and related services (the "Service").
Data Controller for purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"):
Oleksandr Zayats — Empresário em Nome Individual (sole-proprietor business registered in Portugal)
NIF / Tax ID: 311513131
Place of business: Parede, Portugal
Email (general privacy enquiries): privacy@protilo.com
Email (data protection): dpo@protilo.com
Postal correspondence address is provided in §13 below. For all legal correspondence please use email; postal mail is monitored periodically.
We organise the data we collect into the categories Apple recognises in its App Privacy framework, so you can correlate this section directly with the App Store privacy disclosure.
Health and self-reported metric data are treated as Special Category Data under GDPR Article 9 and processed only on the legal basis described in §3.
All data described in §2.3, and any free-text content in journal entries that may reveal health, mental-health, or wellbeing status, is classified as sensitive information.
We do not collect IDFA (Identifier for Advertisers) and we do not display the App Tracking Transparency (ATT) prompt.
The current version of ProTilo is offered free of charge. We do not collect or process any payment information. If we introduce paid features in a future version, this Privacy Policy will be updated, and your explicit consent obtained where required by law.
To be unambiguous about the absence of common data-collection practices in this app:
| Data category | Legal basis | Purpose |
|---|---|---|
| Account & profile data (§2.1, §2.5) | Contract — GDPR Art. 6(1)(b) | To create and operate your account, authenticate you, and deliver the Service you signed up for |
| Health and special-category data (§2.3, §2.4) | Explicit consent — GDPR Art. 9(2)(a) | To provide wellness-tracking features that are the core function of the Service. Consent is captured at onboarding through a dedicated, granular consent screen and can be withdrawn at any time. |
| Diagnostic & crash data (§2.7) | Consent — GDPR Art. 6(1)(a) | To diagnose technical errors and improve stability. Captured at onboarding; can be withdrawn in Settings → Privacy & Data. |
| Security & abuse-prevention server logs | Legitimate interest — GDPR Art. 6(1)(f) | To protect the Service from misuse, fraud, brute-force attacks, and unauthorised access. We have conducted a balancing test and concluded that this minimal logging does not override your privacy rights. |
| Records required by tax & commercial law | Legal obligation — GDPR Art. 6(1)(c) | To comply with Portuguese tax, accounting, and commercial-records obligations |
The on-device insights ProTilo shows you (see §4.4 below) are produced by deterministic rules and do not produce legal effects or similarly significant effects within the meaning of GDPR Article 22(1). They are informational signals for your personal reflection.
Notwithstanding the above, in keeping with the transparency principles of GDPR Articles 13–15 and the EU AI Act, you may always request a plain-language explanation of any specific insight — see §7.7.
ProTilo surfaces information at three levels. Please read this section carefully. Only the third level involves any AI provider, and only with your manual action.
L1 — On-device deterministic rules. Simple comparisons against your own history: "You slept less than your 30-day average." These run entirely on your device using fixed, auditable rules. No AI is involved. No data leaves your device.
L2 — On-device pattern matching. Correlation-style observations computed locally: "Your mood has trended downward over the last 3 days." Still deterministic, still local, still zero external transmission.
L3 — AI Analysis Export (user-initiated manual paste). An optional feature in which ProTilo generates a text prompt summarising selected entries from your journal, copies it to your device clipboard, and offers a deep-link to open a third-party AI app of your choice — Google Gemini, Anthropic Claude, or OpenAI ChatGPT. You then decide whether to paste the prompt into that third-party app.
First-time consent. The first time you trigger AI Analysis Export, ProTilo shows a consent modal that summarises the facts above and records your explicit acceptance. You may decline at any time without losing access to other app features — rules-based insights remain fully available.
Disclaimer for AI output. Any response you receive from a third-party AI service is for personal reflection only and must not be interpreted as medical advice, diagnosis, or treatment. AI responses may be inaccurate, incomplete, or out of date.
For complete transparency about how AI is used in ProTilo, see our separate AI Transparency document.
In a future release of ProTilo we may introduce server-side AI-generated insights. In that future model, ProTilo's backend would send a structured prompt derived from your data to a third-party AI provider (for example, Anthropic Claude or OpenAI), receive a response, and store the resulting insight in your account.
If and when we introduce this feature:
Server-side AI processing is not active in the current version. The current AI Analysis Export feature (§4.4) requires your manual action to copy and paste content into a third-party AI app.
We engage the following providers to process personal data on our behalf, each under a written Data Processing Agreement satisfying GDPR Article 28:
| Provider | Role | Data shared | Hosting location |
|---|---|---|---|
| Google Cloud / Firebase (Google Ireland Ltd, with Google LLC and affiliates) | Hosting, database (Firestore), authentication, Cloud Functions, Cloud Messaging (FCM) | Account data, health data, technical data, push tokens | EU (europe-west1, Belgium) for primary storage |
| Sentry (Functional Software, Inc.) | Crash and error diagnostics | Stack traces, device model, anonymised user identifier, app version. No email, no name, no health data. | EU (Frankfurt ingest endpoint) |
| Expo (650 Industries, Inc.) | Push-notification delivery (Expo Push Service) | Device push token, notification payload metadata | United States — transfers under EU Standard Contractual Clauses |
| Google Workspace (Gmail SMTP) | Transactional email delivery (welcome, password reset, deletion confirmations, security alerts) | Recipient email address, email content | EU/US — Google operates under the EU-US Data Privacy Framework |
Certain parties involved in delivering the Service to you process personal data as independent controllers, under their own privacy policies and on their own legal basis. We do not have a processor relationship with them, and they are not bound by our Data Processing Agreements.
| Party | Role | Their privacy policy |
|---|---|---|
| Apple Inc. | App distribution (App Store, TestFlight), Sign in with Apple, HealthKit consent management, Push Notification Service (APNs) | apple.com/legal/privacy |
| Google LLC (only if you choose to sign in with Google) | Federated identity provider | policies.google.com/privacy |
| Anthropic, OpenAI, Google AI (only if you choose to paste an AI Analysis Export prompt — see §4.4) | Third-party AI processing of content you choose to share with them | Linked from §4.4 above |
If we add a new processor or independent controller, we will update this list and notify you by in-app notice and email at least 30 days before the change takes effect.
We may disclose your data only if strictly required by a binding court order from a competent EU authority, or to:
We resist over-broad requests and notify affected users where lawfully permitted to do so.
If ProTilo's business is acquired by, merged with, or transferred to another organisation, your data may be transferred to the new operator. In such an event we will:
All personal data is stored on Google Cloud / Firebase servers in the European Union region europe-west1 (Saint-Ghislain, Belgium). Cloud Functions execute in the same region. Firebase has been explicitly configured so that primary data storage does not replicate to non-EU regions.
| Data category | Retention period |
|---|---|
| Active account — profile, check-ins, health data | For the lifetime of your account, subject to the inactivity rule below |
| Inactive accounts | If you do not sign in for 24 consecutive months, we send a notice to your registered email address. If you do not sign in within 30 days of that notice, we automatically delete your account and all associated data. |
| Account in user-initiated deletion grace period | Up to 7 days, then irreversibly deleted (see §7.3) |
| Daily backups | 30 days, rolling |
| Security & audit logs | 24 months |
| Aggregated, fully anonymised statistics (no person identifiable) | Indefinite (not personal data under GDPR) |
| Tax & accounting records (Portuguese legal obligation, Código do IRC) | 10 years from end of fiscal year |
You can request a copy of all personal data we hold about you.
How: Settings → Safety → Request Data Export, or email privacy@protilo.com.
You can correct inaccurate or incomplete data directly in the app (Profile screen; journal entries), or by writing to privacy@protilo.com.
You can request deletion of your account and all associated personal data at any time.
How: Settings → Safety → Delete Account. You will be asked to type DELETE and re-enter your password. The account is queued for deletion and irreversibly removed within 7 days; you can sign in during that 7-day window to cancel.
What is removed: all profile data, all health data, all check-ins, all derived insights, push tokens, Sentry pseudonymous identifier.
What is retained: server-side audit logs (24 months) and minimum tax records, as required by legal obligation.
You can ask us to suspend processing while a dispute about accuracy or lawful basis is resolved. Email privacy@protilo.com.
You can receive your data in a structured, commonly used, machine-readable format (JSON).
How: Settings → Safety → Request Data Export. We acknowledge the request immediately and deliver a downloadable archive within 30 days, normally faster.
You can withdraw consent for the processing of health data, AI Analysis Export, and diagnostic data at any time in Settings → Privacy & Data → Manage Consents. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal. Withdrawing health-data consent will require us to delete the associated health data and will substantially limit Service functionality, because health data is the core of the Service.
Although our insights are not automated decisions within the meaning of GDPR Article 22, we voluntarily offer a right to explanation as a transparency commitment, in keeping with GDPR Articles 13–15 and the EU AI Act. You may request a plain-language explanation of:
Email privacy@protilo.com with the date and title of the insight. We respond within 30 days (GDPR Art. 12(3)).
If you believe we have processed your data in breach of GDPR, you may lodge a complaint with your national data-protection authority. ProTilo's lead supervisory authority is:
Comissão Nacional de Proteção de Dados (CNPD) — Portugal
Av. D. Carlos I, 134, 1.º, 1200-651 Lisboa, Portugal
www.cnpd.pt · geral@cnpd.pt
If you reside in another EU/EEA Member State, you may also complain to your local authority. A directory of European data-protection authorities is available at edpb.europa.eu/about-edpb/about-edpb/members.
Exercising any of these rights is free of charge and will not result in any degradation of the Service you receive (other than the natural consequences of the right itself — for example, deleting your account ends your access to it).
ProTilo is a native iOS application and does not use web cookies, web beacons, pixel tags, or any browser-based tracking technology. We use a small number of mobile identifiers strictly necessary to operate the app (IDFV, Firebase Installation ID, push token).
We do not perform cross-app or cross-site tracking, we do not display the App Tracking Transparency (ATT) prompt, and we do not collect IDFA. Full detail is available in our separate Mobile Tracking Policy.
ProTilo is intended exclusively for users aged 18 or older.
We take active measures to prevent the creation of accounts by users under 18:
If you are a parent or guardian and believe a minor has provided us with personal data, please contact us immediately at privacy@protilo.com. We will treat your request as a priority.
We do not market the Service to persons under 18. Our 18+ policy is a more conservative threshold than the GDPR digital-service consent age (16, or lower as set by Member States), and reflects our commitment to keeping wellness-tracking with sensitive personal content out of the hands of minors.
The primary storage location for your personal data is the European Union (Belgium). Some processors and independent controllers we work with — namely Expo, Apple, and (if you choose to use them) Google, Anthropic, and OpenAI — are based in the United States or operate global infrastructure that may involve transfers outside the EU/EEA.
Where such transfers occur, they are governed by appropriate safeguards under GDPR Chapter V:
We maintain documentation of these safeguards and make a summary available on request to dpo@protilo.com.
In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will:
To report a suspected security issue, email security@protilo.com. We treat coordinated disclosure of security issues with appreciation and will not pursue good-faith security researchers.
We may update this Privacy Policy to reflect changes in the Service, in applicable law, or in our data-processing practices. When we make material changes we will:
Continued use of the Service after the effective date of an update constitutes acceptance of the updated Privacy Policy for processing not requiring consent. For processing that requires consent, your previous consent does not carry over — affirmative re-consent is required.
Historical versions of this Privacy Policy are available on request to privacy@protilo.com.
General privacy enquiries: privacy@protilo.com
Data protection & rights requests: dpo@protilo.com
Security & vulnerability reports: security@protilo.com
Legal & contractual matters: legal@protilo.com
General support: support@protilo.com
Postal correspondence:
Oleksandr Zayats — ENI
Parede, Portugal
NIF 311513131
For all legal and time-sensitive matters please use email; postal mail is monitored periodically.
Response time: We respond to all rights requests within 30 days, as required by GDPR Art. 12(3). Where a request is complex or where we receive a high volume of requests, we may extend the response period by up to an additional 60 days and will inform you of the extension and the reason for it within the initial 30-day period.
This Privacy Policy is governed by Portuguese law and the GDPR. By using the ProTilo Service, you acknowledge that you have read and understood this Privacy Policy.