Privacy Policy (Apps)
App-VenTur ("we", "our", or "us") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share information when you use our applications and services — including our mobile apps and any associated web interfaces — in compliance with the General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (nFADP).
By using our services, you acknowledge that you have read and understood this Privacy Policy.
1. Data Controller
Company: App-VenTur
Address: Zurich, Switzerland
General enquiries: legal@app-ventur.com
Data Protection Officer: legal@app-ventur.com
2. Scope of This Policy
This policy applies to all App-VenTur products and platforms, including:
- Mobile applications (iOS and Android) — including the EFT tapping app
- Web applications and interfaces — including any browser-based access to our services
- Associated backend services — including authentication, usage tracking, and AI content generation
3. Data We Collect
3.1 Account & Identity Data
- Email address and display name
- Authentication credentials (passwords are hashed and never stored in plaintext)
- Account creation date and subscription tier
3.2 Sensitive / Health-Related Data (Special Category — Art. 9 GDPR)
Important: The following data is considered health-related under GDPR and processed only with your explicit consent.
When you use our EFT (Emotional Freedom Techniques) tapping features, we collect:
- Emotional state data — the emotions you select to describe your current state (e.g., anxiety, sadness, anger)
- Distress intensity (SUDS) — your self-reported Subjective Units of Distress score (0–10 scale)
- Session concerns — the personal issue or topic you choose to focus on during a session
- Tapping scripts — AI-generated therapeutic content created from the above inputs
This data is used solely to generate and deliver your personalised tapping session. It is not used for advertising or profiling, nor shared with third parties except as described in Section 6.
3.3 Usage & Session Data
- Session logs (session ID, start/end time, duration, completion status)
- Feature interactions and in-app navigation events
- Voice preferences (selected TTS provider and voice)
- Voice test usage count
- Script generation history and quota consumption
3.4 Device & Technical Data
- Operating system version and device type
- App version
- Crash reports and error logs
3.5 Local Device Storage (Mobile)
- Generated audio files — tapping session audio is cached on your device as .mp3 files for replay without re-generating content
- App state — preferences, session history, and authentication tokens are persisted in local device storage (AsyncStorage)
- These files remain on your device and are not uploaded to our servers unless explicitly stated
3.6 Web-Specific Data
- Browser type and version
- IP address (used for security and fraud prevention, not for tracking)
- Session cookies and local storage (see Section 9)
3.7 Payment Data
- Payment information is processed directly by our third-party payment provider and is not stored on our servers
- We retain transaction records (amount, date, subscription tier) for legal and accounting purposes
4. Legal Basis for Processing
| Processing Activity | Legal Basis |
|---|---|
| Account creation and management | Contract performance (Art. 6(1)(b) GDPR) |
| Providing app features and services | Contract performance (Art. 6(1)(b) GDPR) |
| Processing emotional and distress data for session generation | Explicit consent (Art. 6(1)(a) + Art. 9(2)(a) GDPR) |
| Analytics and service improvement | Legitimate interests (Art. 6(1)(f) GDPR) |
| Marketing communications | Consent (Art. 6(1)(a) GDPR) |
| Security monitoring and fraud prevention | Legitimate interests (Art. 6(1)(f) GDPR) |
| Legal and financial compliance | Legal obligation (Art. 6(1)(c) GDPR) |
Withdrawing consent: Where processing is based on consent (including sensitive data), you may withdraw consent at any time via your in-app account settings or by contacting our DPO. Withdrawal does not affect the lawfulness of prior processing.
5. How We Use Your Data
- To provide, maintain, and improve our applications and services
- To generate personalised AI-powered EFT tapping scripts and voice narration
- To pre-cache and replay session audio on your device
- To track usage quotas and enforce subscription limits
- To process payments and manage subscription tiers
- To send service-related communications (account, security, policy updates)
- To analyse aggregated, anonymised usage patterns to improve app performance
- To comply with legal obligations and enforce our terms of service
We do not use your emotional or distress data for advertising, behavioural profiling, or any purpose outside of session delivery.
6. Third-Party Sub-Processors
We share data with the following sub-processors where necessary to deliver our services. All sub-processors are bound by data processing agreements (DPAs) consistent with GDPR requirements.
| Sub-Processor | Purpose | Data Shared | Region |
|---|---|---|---|
| Supabase | Backend infrastructure — authentication, database, usage tracking | Account data, session logs, usage records | Europe (EU) |
| Google (Gemini AI) | Primary AI script generation | Session concern, emotions, SUDS level | EU / US (SCCs in place) |
| OpenAI | Fallback AI script generation | Session concern, emotions, SUDS level | US (SCCs in place) |
| Google Cloud TTS | Text-to-speech voice synthesis | Generated script text | EU / US (SCCs in place) |
| OpenAI TTS | Text-to-speech voice synthesis (committed tier) | Generated script text | US (SCCs in place) |
| Google (Gemini TTS) | Text-to-speech voice synthesis (committed tier) | Generated script text | EU / US (SCCs in place) |
| Payment processor | Subscription billing | Payment details, subscription tier | [Region] |
We never sell your personal data to third parties.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Retained while account is active; deleted within 30 days of account deletion request |
| Emotional / distress session data | Retained for 12 months from session date, or until consent is withdrawn |
| Generated tapping scripts | Retained for 12 months from session date |
| Session audio files (server-side, if any) | Retained for 12 months from session date |
| Session audio files (device-local) | Stored on your device; you can clear these via app settings or by uninstalling the app |
| Usage and session logs | Retained for 12 months |
| Payment records | Retained for 7 years as required by Swiss law |
| Crash reports and error logs | Retained for 90 days |
When a retention period expires, data is permanently deleted or anonymised.
8. Your Rights (GDPR & nFADP)
| Right | Description |
|---|---|
| Right of Access | Request a copy of the personal data we hold about you |
| Right to Rectification | Request correction of inaccurate or incomplete data |
| Right to Erasure | Request deletion of your personal data ("right to be forgotten") |
| Right to Restriction | Request that we limit processing of your data |
| Right to Portability | Receive your data in a structured, machine-readable format (JSON or CSV) |
| Right to Object | Object to processing based on legitimate interests or for direct marketing |
| Right to Withdraw Consent | Withdraw consent for sensitive data processing at any time |
| Right to Human Review | Request human review of any automated decision that significantly affects you |
To exercise any of these rights, contact our DPO at legal@app-ventur.com or use the Data Rights Request page in your account settings.
We will respond within 30 days (extendable to 90 days for complex requests, with notice).
9. Cookies and Local Storage
Mobile Applications
Our mobile apps do not use browser cookies. We use device-local storage (AsyncStorage on iOS and Android) to persist:
- Authentication session tokens
- User preferences (voice, TTS provider, session settings)
- Cached session history and script data
- Generated audio files
You can clear this data by logging out of the app or uninstalling it.
Web Applications
Our web interfaces use the following:
| Type | Purpose | Retention |
|---|---|---|
| Strictly necessary cookies | Session authentication, security | Session or up to 30 days |
| Functional cookies | Remembering preferences | Up to 12 months |
| Analytics cookies | Aggregated usage analytics | Up to 12 months |
You can manage cookie preferences via the consent banner displayed on first visit, or in your browser settings. Blocking strictly necessary cookies may affect core functionality.
10. Automated Decision-Making
Our AI-powered features use automated processing to generate personalised content. Specifically:
- EFT tapping script generation: Your stated emotions, SUDS level, and session concern are sent to an AI provider (Gemini or OpenAI) to generate a personalised therapeutic script. The output is determined algorithmically without human review in the generation step.
- Usage quota management: Subscription limits are enforced automatically based on your tier and recorded usage minutes.
Because the tapping script generation processes sensitive health-related data, you have the right to request human review of any session output you believe was inappropriate or harmful. Contact us at legal@app-ventur.com to request a review.
11. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption of data in transit (TLS 1.2+)
- Encryption of sensitive data at rest
- Role-based access controls for backend systems
- Row-level security policies on our database
- Authentication requirements for all API access
- Regular security assessments
Despite these measures, no system is completely secure. If you believe your account has been compromised, contact us immediately.
12. International Transfers
Some of our sub-processors (Google, OpenAI) operate infrastructure in the United States. When we transfer personal data outside Switzerland and the EEA, we ensure appropriate safeguards are in place — specifically Standard Contractual Clauses (SCCs) approved by the European Commission and recognised under nFADP.
Our primary backend infrastructure (Supabase) is hosted in Europe to minimise cross-border transfers.
13. Children's Privacy
Our services are not directed to children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child under 16, please contact us immediately at legal@app-ventur.com and we will delete it promptly.
14. Policy Updates
We may update this Privacy Policy from time to time. We will notify you of significant changes via:
- Email notification to your registered address
- In-app notification on next launch
- Updated "Last Updated" date at the top of this document
Continued use of our services after the effective date of changes constitutes acceptance of the updated policy. For material changes affecting how we process sensitive data, we will request renewed explicit consent where required by law.
15. Contact & Complaints
For privacy-related questions or to exercise your rights:
DPO Email: legal@app-ventur.com
Address: Zurich, Switzerland
To lodge a complaint:
- Switzerland: Swiss Federal Data Protection and Information Commissioner (FDPIC) — www.edoeb.admin.ch
- EU residents: Your local data protection supervisory authority
This policy applies to all App-VenTur applications and services. For questions specific to a particular product, please reference the product name in your enquiry.