Privacy Policy

01 Introduction and Scope

1.1 Purpose of This Policy

This Privacy Policy establishes the framework governing the collection, processing, storage, and protection of personal data by Zekvra MB (hereinafter "the Controller," "we," "us," or "our") in connection with the operation of the Hypneo digital wellness platform.

1.2 Data Controller Identity

Legal Name: Zekvra MB

Company Registration Number: 307845219

Registered Office: Verkių g. 15-3, LT-08221 Vilnius, Lithuania

Contact Email: contact@hypneo.online

1.3 Regulatory Framework

Our data processing activities comply with Regulation (EU) 2016/679 (GDPR), the Law on Legal Protection of Personal Data of the Republic of Lithuania, and all applicable national and international data protection legislation.

1.4 Policy Updates

We reserve the right to revise this Privacy Policy periodically to reflect changes in our practices, technological developments, or legal requirements. Material changes will be communicated to registered users via email or prominent platform notice. Continued use following notification constitutes acceptance of the revised policy.

02 Categories of Personal Data Collected

2.1 Account and Registration Data

When you create an account on our Platform, we collect and process:

• Full name (first name and surname)
• Email address
• Account password (encrypted and hashed)
• Date of account creation and profile customization data
• Account preferences, settings, and authentication credentials

2.2 Transaction and Billing Information

For subscription processing and payment fulfillment, we collect:

• Payment card information (processed by third-party payment processors)
• Billing address and currency/payment method preferences
• Transaction history, order details, purchase timestamps, and amounts
• Subscription plan selection and invoice/receipt data

2.3 Usage and Interaction Data

To enhance service quality and user experience, we collect:

• Session duration and frequency; audio content accessed and completion rates
• Feature utilization patterns and navigation paths within the Platform
• Search queries, preferences, and progress milestones
• User feedback and ratings

2.4 Technical and Device Information

For security, optimization, and technical support, we collect:

• Internet Protocol (IP) address and device identifiers
• Operating system, browser type/version, and language settings
• Screen resolution, mobile network information, and time zone
• Geographic location data and referral source

2.5 Communication Records

When you contact our support team, we retain:

• Correspondence content (emails, messages, chat transcripts)
• Support ticket information, resolution history, and timestamps
• Attachments and supplementary documentation

2.6 Marketing and Analytics Data

Subject to your consent, we may collect:

• Marketing communication preferences and campaign engagement metrics
• Advertisement click-through and conversion tracking data
• A/B testing participation and social media interaction records

03 Legal Bases and Purposes for Processing

All personal data processing activities are conducted in accordance with lawful bases established under Article 6 of the GDPR.

3.1 Contract Performance (Article 6(1)(b) GDPR)

Service Delivery & Account Management — Data processed: account credentials, profile information, subscription details, usage data. Retained for the duration of your active subscription plus six (6) years following account closure or final login, whichever is later.

Payment Processing & Financial Transactions — Data processed: billing information, tokenized payment card details, transaction records. Retained for ten (10) years from the date of transaction to comply with accounting obligations.

3.2 Legal Obligation (Article 6(1)(c) GDPR)

Accounting and Tax Compliance — Financial records, invoices, and payment documentation are retained for ten (10) years from fiscal year end as mandated by Lithuanian accounting law.

Regulatory Compliance & Legal Proceedings — All relevant personal data required for litigation or regulatory investigation is retained for the duration of proceedings plus three (3) years following final resolution.

3.3 Legitimate Interests (Article 6(1)(f) GDPR)

Platform Security & Fraud Prevention — IP addresses, device identifiers, and authentication logs are processed to protect our Platform and user accounts. Retained for two (2) years. Security measures are proportionate and do not override your privacy rights.

Service Improvement & Development — Anonymized usage statistics and performance data are used to optimize user experience. Retained for three (3) years from collection.

Business Operations & Administration — Account records and operational metrics for internal reporting. Retained for five (5) years from last interaction.

3.4 Consent (Article 6(1)(a) GDPR)

Marketing Communications — Email address, name, and engagement history used for direct marketing. You may withdraw consent at any time via unsubscribe links or account settings. Retained until withdrawal or three (3) years of inactivity.

Non-Essential Cookies & Tracking — Cookie identifiers and browsing behavior. Managed through our cookie banner and preference center. Typically retained 12–24 months.

Customer Support — Support inquiries and resolution records. Retained for four (4) years from final communication.

04 Data Sharing and Third-Party Recipients

4.1 General Principles

4.2 Categories of Recipients

• Payment Processing Partners — transaction processing and fraud detection; data located in EU and US; safeguards include PCI-DSS compliance and Standard Contractual Clauses.
• Cloud Infrastructure Providers — data hosting and backup; EU data centers with EEA redundancy; ISO 27001 certified with encryption at rest and in transit.
• Customer Support Providers — inquiry resolution and user communication; EU-based; bound by confidentiality agreements and data processing agreements.
• Analytics & Performance Tools — anonymized usage data and aggregated statistics; worldwide including US; Standard Contractual Clauses and data anonymization applied.
• Marketing & Communication Platforms — email delivery and campaign management; EU and US; GDPR-compliant processors with opt-out mechanisms.
• Legal & Professional Advisors — legal counsel and compliance; primarily EU; bound by professional confidentiality obligations.
• Regulatory Authorities & Law Enforcement — legal compliance only; disclosure limited strictly to legally required information after verification of authority.

4.3 International Data Transfers

When personal data is transferred outside the European Economic Area (EEA), we ensure adequate protection through:

• European Commission Adequacy Decisions — transfers to countries with recognized adequate data protection
• Standard Contractual Clauses (SCCs) — EU-approved contractual terms ensuring GDPR-level protection
• Binding Corporate Rules — internal policies ensuring consistent data protection globally
• Explicit Consent — where applicable, user consent obtained for specific international transfers

05 Your Data Subject Rights

As a data subject under GDPR, you possess the following rights. These are subject to legal limitations and exceptions specified in applicable data protection legislation. All requests should be submitted to contact@hypneo.online with the subject line "Data Subject Rights Request." Requests are processed free of charge and responded to within one (1) month unless extended for complexity.

5.1 Right of Access (Article 15)

You may obtain confirmation as to whether we process your personal data and receive a copy, along with information on purposes, recipients, retention periods, data sources, and any automated decision-making in use.

5.2 Right to Rectification (Article 16)

You may request correction of inaccurate personal data and completion of incomplete data. We will notify all recipients of rectifications unless doing so is impossible or involves disproportionate effort.

5.3 Right to Erasure (Article 17)

You may request deletion of your personal data when it is no longer necessary for its original purpose, you withdraw consent, you object to processing, or the data has been unlawfully processed.

5.4 Right to Restriction (Article 18)

You may request limitation of processing while accuracy is contested, if processing is unlawful but you oppose erasure, if you require data for legal claims, or pending verification of an objection.

5.5 Right to Data Portability (Article 20)

You may receive personal data you provided to us in a structured, machine-readable format (CSV, JSON, or XML) and transmit it to another controller, where processing is based on consent or contract and carried out by automated means.

5.6 Right to Object (Article 21)

You may object to processing based on legitimate interests. Upon objection to direct marketing, we cease processing immediately without exception. For other processing, we cease unless we demonstrate compelling legitimate grounds.

5.7 Right to Withdraw Consent (Article 7(3))

Where processing is based on consent, you may withdraw it at any time through account settings or unsubscribe links. Withdrawal does not affect the lawfulness of prior processing.

5.8 Right to Lodge a Complaint (Article 77)

If you believe your data protection rights have been violated, you may lodge a complaint with the Lithuanian supervisory authority:

06 Data Security Measures

6.1 Technical Safeguards

• Encryption — all data transmissions use TLS 1.3; stored data encrypted with AES-256
• Access Controls — role-based restrictions ensure personnel access only data necessary for their function
• Authentication — multi-factor authentication required for all administrative access
• Firewalls & Intrusion Detection — network perimeter security with continuous monitoring
• Security Audits — regular penetration testing and vulnerability assessments
• Data Minimization — collection and retention limited to data strictly necessary for specified purposes

6.2 Organisational Safeguards

• Confidentiality Agreements — all employees and contractors sign NDAs
• Security Training — regular data protection awareness training for all personnel
• Incident Response — documented breach notification procedures compliant with Articles 33–34 GDPR
• Vendor Management — due diligence assessments and contractual obligations for all third-party processors
• Privacy by Design — data protection principles integrated into system architecture and business processes

6.3 Data Breach Notification

In the event of a personal data breach posing risk to your rights and freedoms, we will:

• Notify the competent supervisory authority within 72 hours of becoming aware
• Notify affected data subjects without undue delay when the breach poses high risk
• Document all breaches including facts, effects, and remedial actions taken

07 Cookies and Tracking Technologies

7.1 Overview

Our Platform uses cookies and similar tracking technologies to enhance functionality, analyse performance, and deliver personalised experiences, in compliance with ePrivacy Directive requirements.

7.2 Cookie Categories

Strictly Necessary — essential for platform security and basic operations (session management, authentication tokens). Legal basis: legitimate interest. No consent required. Retained for session duration.

Functional — remember user preferences and settings (language, volume, display). Legal basis: consent. Retained for 12 months from last visit.

Performance & Analytics — anonymized data on usage patterns and feature engagement (page views, session duration, bounce rates). Legal basis: consent. Retained for 24 months.

Marketing & Advertising — targeted ads and campaign effectiveness tracking (retargeting pixels, conversion codes). Legal basis: consent. Retained for 13 months.

7.3 Managing Your Cookie Preferences

• Cookie Banner — granular consent options presented upon first visit
• Preference Center — adjust cookie settings at any time via the platform footer
• Browser Settings — configure your browser to block or delete cookies (note: disabling essential cookies may impair platform functionality)

7.4 Third-Party Cookies

Our Platform may incorporate third-party services with their own cookies, including Google Analytics, payment processors, social media platforms, and content delivery networks. We recommend reviewing the respective privacy policies of these services.

7.5 Do Not Track

Our Platform does not currently respond to "Do Not Track" browser signals. You may control tracking through the cookie settings described above.

08 Automated Decision-Making and Profiling

8.1 No Significant Automated Decisions

We do not engage in automated decision-making that produces legal effects or similarly significantly affects data subjects, as defined under Article 22 GDPR. All decisions impacting user accounts, subscriptions, or service access involve human review.

8.2 Limited Personalisation Profiling

We conduct limited profiling for service personalisation, including content recommendations based on usage history, customised wellness program suggestions, and personalised communication timing. Such profiling does not produce legal effects.

09 Children's Privacy

9.1 Age Restrictions

Our services are not directed to individuals under eighteen (18) years of age. We do not knowingly collect personal data from minors without verifiable parental consent.

9.2 Parental Discovery

If we become aware that we have inadvertently collected personal data from a minor without appropriate consent, we will immediately delete such information from our systems. Parents or legal guardians who believe we may hold data relating to their child should contact us at contact@hypneo.online.

10 Data Retention and Deletion

10.1 Retention Principles

Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce agreements. Retention periods are established based on the nature and sensitivity of data, legal and regulatory requirements, and applicable statutes of limitation.

10.2 Retention Schedule

Data Category	Retention Period	Justification
Account and Profile Data	6 years after account closure or last login	Contract performance, legitimate business interests
Transaction Records	10 years from transaction date	Legal accounting obligations (Lithuanian Law)
Marketing Consent Records	3 years after consent withdrawal	Demonstrate compliance with consent requirements
Support Communications	4 years from final interaction	Quality assurance, dispute resolution
Security Logs	2 years from creation	Fraud prevention, security incident investigation
Analytics Data (Anonymized)	3 years from collection	Service improvement, business intelligence

10.3 Secure Deletion

Upon expiration of applicable retention periods, personal data is securely deleted or anonymized using industry-standard methods to prevent recovery or reconstruction, including permanent removal from active databases and backup systems, secure overwriting of storage media, and notification to third-party processors to delete shared data.

11 Changes to This Policy

11.1 Modification Rights

We reserve the right to modify this Privacy Policy at any time to reflect changes in our data processing practices, legal requirements, technological developments, or business operations.

11.2 How We Notify You

Material changes will be communicated through:

• Email notification to registered users at least thirty (30) days prior to the effective date
• Prominent notice on the Platform homepage
• In-app notification upon your next login
• Updated "Last Updated" date at the top of this policy

11.3 Continued Use

Your continued use of our services following notification of changes constitutes acceptance of the revised Privacy Policy. If you do not agree with modifications, you should discontinue use of the Platform and may request account deletion.

12 Contact and Data Protection Officer

12.1 General Privacy Inquiries

For questions, concerns, or rights requests regarding this Privacy Policy or our data processing practices, please contact us at contact@hypneo.online with the subject line "Privacy Inquiry." We endeavour to respond to all inquiries within five (5) business days.

12.2 Data Protection Officer

For matters specifically related to GDPR rights, data protection compliance, or supervisory authority communications, contact our Data Protection Officer at contact@hypneo.online with the subject line "Attention: Data Protection Officer."

12.3 Supervisory Authority

If you are dissatisfied with our response or believe we have violated your data protection rights, you may contact the Lithuanian supervisory authority: