HolisticCodex

Privacy Policy

Last updated: June 2026

HolisticCodex is committed to protecting your personal data. This Privacy Policy explains what data we collect, how we use it, and your rights under the General Data Protection Regulation (GDPR) and applicable law.

1. Data Controller

The data controller responsible for your personal data is HolisticCodex.

Contact e-mail: privacy@holisticcodex.com.

If you have any questions about how your data is handled, please contact us at the address above.

2. Data We Collect

Account data: e-mail address, display name or nickname, and optionally age, gender, and country of residence provided at registration.

Health-related data (special category under GDPR Article 9): results of the Dosha Test and data entered into the Wellness Tracker. We process this data exclusively to provide you with personalised wellness information within the app. By using these features you give explicit consent to this processing.

User-generated content: bookmarks, notes, and reading history stored to power your personal library.

Newsletter: e-mail address if you subscribe, processed only with your explicit consent.

Technical data: IP address (used solely for security rate-limiting, not for tracking), session cookies required for authentication.

We do not collect payment card numbers — all payments are handled directly by Stripe.

3. Purpose and Legal Basis

Providing the service (Article 6(1)(b) GDPR — contract): account management, personalised content, library and wellness features.

Newsletter communications (Article 6(1)(a) GDPR — consent): sending educational content you subscribed to. You may unsubscribe at any time.

Security and fraud prevention (Article 6(1)(f) GDPR — legitimate interest): rate-limiting, abuse detection.

Health-related data such as Dosha Test results and Wellness Tracker entries (Article 9(2)(a) GDPR — explicit consent): you consent when you actively use these features.

4. Third-Party Processors

Supabase (supabase.com) — authentication and database hosting. Your account data and user-generated content are stored on Supabase infrastructure.

Stripe (stripe.com) — payment processing for Pro and Expert memberships. We share only what Stripe needs to complete transactions. We never see your full card number.

Resend (resend.com) — transactional and newsletter e-mail delivery. Your e-mail address is shared with Resend only when necessary to send you messages.

Vercel (vercel.com) — application hosting and edge delivery. Requests pass through Vercel infrastructure.

Sentry (sentry.io) — error monitoring. Crash reports may contain technical metadata (browser, OS, URL). Session Replay is intentionally disabled because the app handles sensitive health data.

Google (google.com) — OAuth sign-in (Google Login). If you use Google Login, Google authenticates you and shares basic profile data (name, e-mail) with us.

Affiliate programmes (e.g., Amazon Associates) — links to products in our content may be affiliate links. Clicking them takes you to an external third-party site and may set a cookie on that platform's own domain. We do not share or sell your personal data to affiliate networks.

All processors are contractually bound to protect your data and use it only for the stated purpose.

5. Cookies

We use session cookies that are strictly necessary for authentication — without them you cannot stay logged in.

We do not use third-party advertising or tracking cookies on our own domain, apart from the necessary authentication cookies above. However, clicking a third-party affiliate link (such as Amazon) may result in cookies being set by those external platforms on their own domains, outside our control.

You can manage cookie preferences via the cookie banner displayed on your first visit.

6. Data Retention

Your data is retained for as long as your account exists.

When you delete your account (Settings → Your Data → Delete Account), all personal data — including bookmarks, notes, reading history, Wellness Tracker data, and Dosha Test results — is permanently deleted in a cascading process.

Newsletter subscriptions are deleted separately if you unsubscribe.

7. Your Rights (GDPR Articles 15–22)

Access (Art. 15): you can request a copy of all personal data we hold about you.

Rectification (Art. 16): you can correct inaccurate data in your profile settings at any time.

Erasure (Art. 17): you can delete your account and all associated data via Settings → Your Data → Delete Account, or by contacting us.

Data portability (Art. 20): you can export your data (bookmarks, notes) in machine-readable format via Settings → Export Data.

Objection (Art. 21): you may object to processing based on legitimate interest.

Restriction (Art. 18): you may request that we restrict processing of your data in certain circumstances.

Withdrawal of consent: you may withdraw consent to newsletter communications or health-data processing at any time, without affecting the lawfulness of prior processing.

You also have the right to lodge a complaint with your national supervisory authority (in Slovakia: Úrad na ochranu osobných údajov SR, dataprotection.gov.sk).

Notice for California residents (CCPA/CPRA): we do not 'sell' or 'share' your personal information as defined under the CCPA. You have the right to request access and deletion, and the right not to be discriminated against for exercising your privacy rights.

To exercise any of these rights, contact us at privacy@holisticcodex.com.

8. International Transfers

Some of our processors (Supabase, Vercel, Sentry) may process data on servers located outside the European Economic Area.

Where transfers occur, they are protected by Standard Contractual Clauses (SCC) approved by the European Commission, or the processor is certified under an equivalent adequacy framework.

For details on each processor's safeguards, consult their respective privacy documentation.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of significant changes by e-mail or via an in-app notice.

The date of the last update is shown at the top of this page. Continued use of the service after changes constitutes acceptance of the revised policy.

For questions or concerns, contact us at privacy@holisticcodex.com.