Last Updated: February 16, 2026
Version 2.1
This Privacy Policy establishes the framework governing the collection, processing, storage, and protection of personal data by Zekvra MB (hereinafter "the Controller," "we," "us," or "our") in connection with the operation of the Hypneo digital wellness platform.
Legal Name: Zekvra MB
Company Registration Number: 307845219
Registered Office: Verkių g. 15-3, LT-08221 Vilnius, Lithuania
Contact Email: contact@hypneo.online
Our data processing activities comply with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, "GDPR"), the Law on Legal Protection of Personal Data of the Republic of Lithuania, and all applicable national and international data protection legislation.
We reserve the right to revise this Privacy Policy periodically to reflect changes in our practices, technological developments, or legal requirements. Material changes will be communicated to registered users via email notification or prominent platform notice. Continued use of our services following notification constitutes acceptance of the revised policy.
When you create an account on our Platform, we collect and process:
For subscription processing and payment fulfillment, we collect:
To enhance service quality and user experience, we collect:
For security, optimization, and technical support purposes, we collect:
When you contact our support team or communicate with us, we retain:
Subject to your consent, we may collect:
All personal data processing activities are conducted in accordance with lawful bases established under Article 6 of the GDPR. Below we specify the legal basis, purpose, and retention period for each processing activity.
Data Processed: Account credentials, profile information, subscription details, usage data
Necessity: Essential for providing access to our digital wellness platform and delivering subscribed services
Retention Period: Duration of active subscription plus six (6) years following account closure or final login, whichever occurs later
Data Processed: Billing information, payment card details (tokenized), transaction records, purchase history
Necessity: Required to process subscription payments, issue invoices, and maintain financial records
Retention Period: Ten (10) years from date of transaction to comply with accounting obligations
Data Processed: Financial records, invoices, payment documentation, tax-related information
Legal Requirement: Lithuanian Law on Accounting, Tax Administration Law
Retention Period: Ten (10) years from fiscal year end as mandated by Lithuanian legislation
Data Processed: All relevant personal data required for legal compliance, litigation, or regulatory investigation
Legal Requirement: Court orders, regulatory demands, law enforcement requests
Retention Period: Duration of legal proceedings plus three (3) years following final resolution
Data Processed: IP addresses, device identifiers, authentication logs, suspicious activity indicators
Legitimate Interest: Protecting our Platform from unauthorized access, fraud, and malicious activities; safeguarding user accounts and data integrity
Balancing Test: Security measures are proportionate and do not override user privacy rights
Retention Period: Two (2) years from collection date
Data Processed: Anonymized usage statistics, feature engagement metrics, performance data
Legitimate Interest: Enhancing platform functionality, optimizing user experience, and developing new features
Retention Period: Three (3) years from collection date
Data Processed: Account records, correspondence, operational metrics
Legitimate Interest: Efficient business management, quality assurance, internal reporting
Retention Period: Five (5) years from last interaction
Data Processed: Email address, name, communication preferences, engagement history
Consent Mechanism: Explicit opt-in during registration or via preference center
Withdrawal Rights: Users may withdraw consent at any time via unsubscribe links or account settings
Retention Period: Until consent withdrawal or three (3) years of inactivity, whichever occurs first
Data Processed: Cookie identifiers, browsing behavior, advertising interaction data
Consent Mechanism: Cookie banner and preference management tool
Withdrawal Rights: Users may modify or withdraw consent through cookie settings
Retention Period: As specified in cookie banner; typically 12-24 months
Data Processed: Support inquiries, correspondence, resolution records
Consent Mechanism: Implicit consent through voluntary submission of support requests
Retention Period: Four (4) years from final communication
We do not sell, rent, or trade personal data to third parties. Data sharing occurs only when necessary for service provision, legal compliance, or with explicit user consent. All third-party processors are bound by contractual obligations ensuring GDPR compliance and appropriate data protection standards.
Purpose: Transaction processing, fraud detection, payment authentication
Data Shared: Payment card information, billing address, transaction amounts
Location: European Union and United States
Safeguards: PCI-DSS compliance, Standard Contractual Clauses, encryption protocols
Purpose: Data hosting, storage, backup, and retrieval services
Data Shared: All platform data stored on cloud servers
Location: European Union data centers with redundancy in EEA
Safeguards: ISO 27001 certification, encryption at rest and in transit, access controls
Purpose: Technical assistance, inquiry resolution, user communication
Data Shared: Support tickets, user inquiries, account information necessary for resolution
Location: European Union
Safeguards: Confidentiality agreements, limited access protocols, data processing agreements
Purpose: Platform performance analysis, user behavior insights, service optimization
Data Shared: Anonymized usage data, aggregated statistics, technical performance metrics
Location: Worldwide (including United States)
Safeguards: Data anonymization, Standard Contractual Clauses, privacy shield frameworks
Purpose: Email delivery, marketing campaign management, user engagement
Data Shared: Email addresses, names, communication preferences
Location: European Union and United States
Safeguards: GDPR-compliant processors, Standard Contractual Clauses, opt-out mechanisms
Purpose: Legal counsel, compliance audits, regulatory advice
Data Shared: Information necessary for legal representation or compliance verification
Location: Primarily European Union
Safeguards: Professional confidentiality obligations, attorney-client privilege
Purpose: Legal compliance, law enforcement cooperation, regulatory reporting
Data Shared: Information required by law, court order, or regulatory demand
Location: As required by jurisdiction
Safeguards: Verification of legal authority, disclosure limited to legally required information
When personal data is transferred outside the European Economic Area (EEA), we ensure adequate protection through:
As a data subject under GDPR, you possess the following rights regarding your personal data. These rights are subject to legal limitations and exceptions as specified in applicable data protection legislation.
You have the right to obtain confirmation as to whether we process your personal data and, where applicable, access to such data along with information concerning:
Response Time: Within one (1) month of verified request receipt, extendable by two (2) months for complex requests
You may request correction of inaccurate personal data and completion of incomplete data. We will notify all recipients of rectifications unless doing so proves impossible or involves disproportionate effort.
Response Time: Within one (1) month of verified request receipt
You may request deletion of your personal data when:
Limitations: This right does not apply when retention is necessary for legal compliance, establishment of legal claims, or fulfillment of legal obligations.
Response Time: Within one (1) month of verified request receipt
You may request limitation of processing when:
Response Time: Within one (1) month of verified request receipt
You have the right to receive personal data you provided to us in a structured, commonly used, machine-readable format and to transmit such data to another controller when:
Format: CSV, JSON, or XML format as technically feasible
Response Time: Within one (1) month of verified request receipt
You have the right to object to processing based on legitimate interests or for direct marketing purposes. Upon objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Direct Marketing: Objections to marketing communications are honored immediately without exception
Response Time: Within one (1) month of verified request receipt
Where processing is based on consent, you may withdraw such consent at any time without affecting the lawfulness of processing conducted prior to withdrawal.
Mechanism: Account settings, unsubscribe links, or direct contact with our team
Effect: Immediate cessation of consent-based processing
If you believe we have processed your personal data unlawfully or violated your rights, you have the right to lodge a complaint with a supervisory authority, particularly in your EU Member State of residence, workplace, or place of alleged infringement.
Lithuanian Supervisory Authority: State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija)
Address: L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania
Email: ada@ada.lt
Website: www.ada.lt
Request Submission: All rights requests should be submitted via email to contact@hypneo.online with subject line "Data Subject Rights Request"
Identity Verification: We may request additional information to verify your identity before processing requests to prevent unauthorized disclosure
No Fee: Requests are processed free of charge unless manifestly unfounded, excessive, or repetitive
Communication: All responses will be provided in clear, plain language via your registered email address
We implement industry-standard technical security measures to protect personal data against unauthorized access, alteration, disclosure, or destruction:
In the event of a personal data breach likely to result in risk to your rights and freedoms, we will:
Our Platform utilizes cookies and similar tracking technologies to enhance functionality, analyze performance, and deliver personalized experiences. This section provides detailed information regarding cookie usage in compliance with ePrivacy Directive requirements.
Purpose: Essential for platform functionality, security, and basic operations
Legal Basis: Legitimate interest (Article 6(1)(f) GDPR) - consent not required
Examples: Session management, authentication tokens, security verification, load balancing
Retention: Session duration or until browser closure
Purpose: Remember user preferences, settings, and choices
Legal Basis: Consent (Article 6(1)(a) GDPR)
Examples: Language preferences, display settings, volume controls, progress tracking
Retention: 12 months from last visit
Purpose: Collect anonymized data regarding platform usage, performance metrics, and user behavior patterns
Legal Basis: Consent (Article 6(1)(a) GDPR)
Examples: Page view counts, session duration, bounce rates, feature engagement statistics
Retention: 24 months from last visit
Purpose: Deliver targeted advertisements, measure campaign effectiveness, track conversions
Legal Basis: Consent (Article 6(1)(a) GDPR)
Examples: Advertising identifiers, retargeting pixels, conversion tracking codes
Retention: 13 months from last visit
You may control and manage cookie preferences through:
Our Platform may incorporate third-party services that set their own cookies. We do not control these cookies and recommend reviewing the respective privacy policies of:
Our Platform currently does not respond to "Do Not Track" browser signals. You may control tracking through cookie settings and browser preferences as described above.
We do not engage in automated decision-making that produces legal effects or similarly significantly affects data subjects, as defined in Article 22 GDPR. All decisions impacting user accounts, subscriptions, or service access involve human review and intervention.
We may conduct limited profiling for service personalization purposes, such as:
Such profiling does not produce legal effects and is conducted with appropriate safeguards to protect your interests. You may object to profiling activities by contacting us at contact@hypneo.online.
Our services are not directed to individuals under eighteen (18) years of age. We do not knowingly collect personal data from minors without verifiable parental consent.
If we become aware that we have inadvertently collected personal data from a minor without appropriate consent, we will take immediate steps to delete such information from our systems. Parents or legal guardians who believe we may have collected data from their child should contact us immediately at contact@hypneo.online.
Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce agreements. Retention periods are established based on:
| Data Category | Retention Period | Justification |
|---|---|---|
| Account and Profile Data | 6 years after account closure or last login | Contract performance, legitimate business interests |
| Transaction Records | 10 years from transaction date | Legal accounting obligations (Lithuanian Law) |
| Marketing Consent Records | 3 years after consent withdrawal | Demonstrate compliance with consent requirements |
| Support Communications | 4 years from final interaction | Quality assurance, dispute resolution |
| Security Logs | 2 years from creation | Fraud prevention, security incident investigation |
| Analytics Data (Anonymized) | 3 years from collection | Service improvement, business intelligence |
Upon expiration of applicable retention periods, personal data is securely deleted or anonymized using industry-standard methods to prevent recovery or reconstruction. Deletion procedures include:
We reserve the right to modify this Privacy Policy at any time to reflect changes in our data processing practices, legal requirements, technological developments, or business operations.
Material changes will be communicated through:
Your continued use of our services following notification of changes constitutes acceptance of the revised Privacy Policy. If you do not agree with modifications, you should discontinue use of the Platform and may request account deletion.
For questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact:
Email: contact@hypneo.online
Subject Line: Privacy Inquiry
Response Time: We endeavor to respond to all inquiries within five (5) business days
For matters specifically related to data protection compliance, GDPR rights, or supervisory authority communications, you may contact our Data Protection Officer:
Email: contact@hypneo.online
Subject Line: Attention: Data Protection Officer
If you are dissatisfied with our response or believe we have violated your data protection rights, you may contact the Lithuanian supervisory authority:
Name: State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija)
Address: L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania
Phone: +370 5 271 2804
Email: ada@ada.lt
Website: www.ada.lt