GDPR Compliance and Data Processing Information
MAI PLEXOS
Effective Date: January 31, 2025
Data Controller: Aionics OÜ
Version: 1.1
1. GDPR Compliance Statement
Aionics OÜ is committed to protecting your personal data and complying with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). This document outlines how we ensure GDPR compliance for users of MAI PLEXOS, particularly those residing in the European Union and European Economic Area.
2. Data Controller Information
Data Controller: Aionics OÜ
Registered Address: Tornimäe tn 5, Tallinn city, Harju county, 10145, Estonia
Business Registry: Estonian Business Registry
Data Protection Contact: privacy@aionics.pro
General Support: support@aionics.pro
Website: https://aionics.pro
As Aionics OÜ is established within the European Union (Estonia), no separate EU Representative is required under Article 27 GDPR.
3. Lawful Basis for Processing
We process personal data under the following lawful bases as defined in GDPR Article 6:
3.1 Consent (Article 6(1)(a) GDPR)
- Explicit consent for processing health data (special category data)
- Consent for optional Apple Health integration
- Consent for optional analytics collection
- Consent for optional crash reporting
3.2 Contract Performance (Article 6(1)(b) GDPR)
- Necessary for providing the App's core services
- Required for subscription management and fulfillment
- Essential for App functionality you have requested
3.3 Legitimate Interests (Article 6(1)(f) GDPR)
- App improvement and bug fixes
- Security monitoring and fraud prevention
- Responding to support inquiries
We have conducted legitimate interests assessments where applicable and determined that our interests do not override your fundamental rights and freedoms.
4. Special Category Data (Health Data)
4.1 Legal Basis for Health Data Processing
Health data constitutes "special category data" under Article 9 GDPR. We process your health data under:
Article 9(2)(a) - Explicit Consent: You explicitly consent to the processing of your health data when you:
- Accept the Consent Form during onboarding
- Enable specific health tracking features
- Connect Apple Health integration
- Export health reports
4.2 Health Data We Process
With your explicit consent, we may process:
- Pain levels, locations, triggers, and patterns
- Mood scores and emotional states
- Medication information (names, dosages, schedules)
- Sleep quality and duration
- Diet and environmental factors
- Meditation and relaxation data
- Apple Health data (if integration enabled): steps, heart rate, sleep, exercise, weight, blood pressure
4.3 Safeguards for Health Data
We implement appropriate safeguards including:
- Local Storage: All health data is stored locally on your device, not on our servers
- Encryption: AES-256 encryption at rest
- Access Control: Biometric authentication (Face ID/Touch ID) support
- No Third-Party Sharing: Health data is never shared with third parties without explicit consent
- Data Minimization: We collect only what is necessary for the App's features
- Pseudonymization: Where possible, data is pseudonymized
5. Data Subject Rights
Under GDPR, you have the following rights:
5.1 Right of Access (Article 15)
You have the right to:
- Obtain confirmation of whether we process your personal data
- Access your personal data
- Receive information about processing purposes, categories, recipients, and retention periods
How to exercise: Use the in-app export feature at Settings > Export Data, or email privacy@aionics.pro
5.2 Right to Rectification (Article 16)
You have the right to:
- Correct inaccurate personal data
- Complete incomplete personal data
How to exercise: Edit your data directly within the App, or contact privacy@aionics.pro
5.3 Right to Erasure ("Right to be Forgotten") (Article 17)
You have the right to request deletion of your personal data when:
- Data is no longer necessary for its original purpose
- You withdraw consent
- You object to processing
- Data was unlawfully processed
- Legal obligation requires deletion
How to exercise: Use Settings > Account > Delete Account within the App, or email privacy@aionics.pro
5.4 Right to Restriction of Processing (Article 18)
You have the right to restrict processing when:
- You contest the accuracy of data (during verification)
- Processing is unlawful but you prefer restriction over erasure
- We no longer need the data but you need it for legal claims
- You have objected to processing (pending verification)
How to exercise: Contact privacy@aionics.pro
5.5 Right to Data Portability (Article 20)
You have the right to:
- Receive your personal data in a structured, commonly used, machine-readable format (CSV, PDF)
- Transmit that data to another controller
How to exercise: Use Settings > Export Data to export in PDF or CSV format
5.6 Right to Object (Article 21)
You have the right to object to:
- Processing based on legitimate interests
- Processing for direct marketing (we do not conduct direct marketing)
- Profiling (we do not conduct profiling for marketing)
How to exercise: Contact privacy@aionics.pro or adjust settings within the App
5.7 Right to Withdraw Consent (Article 7(3))
You have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.
How to exercise:
- Disable specific features in App settings
- Delete your account
- Uninstall the App
- Contact privacy@aionics.pro
5.8 Right to Lodge a Complaint (Article 77)
You have the right to lodge a complaint with a supervisory authority, particularly in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
Primary Supervisory Authority:
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Website: https://www.aki.ee
Email: info@aki.ee
Address: Tatari 39, 10134 Tallinn, Estonia
5.9 Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you.
Our practice: The App's AI features provide informational insights only and do not make automated decisions with legal or significant effects. You always have human oversight of any recommendations.
6. Data Processing Principles
We adhere to the GDPR's core principles (Article 5):
6.1 Lawfulness, Fairness, and Transparency
- Clear information about data processing in our Privacy Policy
- Transparent consent mechanisms
- Fair processing practices
6.2 Purpose Limitation
- Data collected only for specified, explicit, and legitimate purposes
- No processing incompatible with original purposes without additional consent
6.3 Data Minimization
- Only necessary data is collected
- No excessive data collection
- Features designed to minimize data footprint
6.4 Accuracy
- Reasonable steps to ensure data accuracy
- User ability to correct or update data at any time
6.5 Storage Limitation
- Data retained only as long as necessary
- User-controlled deletion available
- No indefinite retention
6.6 Integrity and Confidentiality
- Appropriate security measures implemented
- Protection against unauthorized or unlawful processing
- Protection against accidental loss, destruction, or damage
6.7 Accountability
- Documentation of processing activities
- Regular compliance reviews
- Demonstrable compliance with GDPR
7. Technical and Organizational Measures (Article 32)
7.1 Technical Measures
- Encryption at Rest: AES-256 encryption for stored data
- Encryption in Transit: TLS 1.3 for any data transmission
- Authentication: Biometric authentication support (Face ID/Touch ID)
- Secure Key Management: Apple Keychain integration
- Local Processing: AI features process data locally on device
- Regular Updates: Security patches and updates distributed through App Store
7.2 Organizational Measures
- Privacy by Design: Privacy considerations integrated into development
- Privacy by Default: Most privacy-protective settings enabled by default
- Data Protection Training: Team awareness of data protection requirements
- Access Controls: Limited access to any support data on need-to-know basis
- Incident Response: Procedures for handling security incidents
- Vendor Assessment: Evaluation of any third-party services for GDPR compliance
8. Data Breach Notification (Articles 33-34)
8.1 Supervisory Authority Notification
In the event of a personal data breach likely to result in a risk to rights and freedoms:
- Notification to Estonian Data Protection Inspectorate within 72 hours
- Documentation of all breaches regardless of notification requirement
8.2 Data Subject Notification
If a breach is likely to result in a high risk to your rights and freedoms:
- Direct notification without undue delay
- Clear description of the breach
- Contact point for more information
- Likely consequences
- Measures taken or proposed
8.3 Our Commitment
Given that health data is stored locally on your device and not on our servers, the risk of a centralized data breach affecting your personal health data is minimal. However, we maintain incident response procedures for any potential security issues.
9. International Data Transfers (Chapter V)
9.1 Local Storage Model
As all health data is stored locally on your device:
- No systematic international transfers of health data occur
- No data is transferred to countries outside the EU/EEA by us
- You control any data exports or sharing
9.2 Support Communications
If you contact us for support:
- Communications may be processed in Estonia (EU)
- Estonia maintains GDPR-compliant data protection standards
- No transfer to non-adequate countries without appropriate safeguards
9.3 User-Initiated Transfers
When you export or share your data, you are responsible for ensuring appropriate protections for any international transfer.
10. Contact for GDPR Requests
For exercising your GDPR rights:
Email: privacy@aionics.pro
Response time: Within 30 days (extendable by 60 days for complex requests)
For general inquiries:
Email: support@aionics.pro
For complaints:
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Website: https://www.aki.ee
Email: info@aki.ee
Address: Tatari 39, 10134 Tallinn, Estonia
GDPR Compliance Summary
| Requirement |
Status |
Implementation |
| Lawful basis identified | ✅ | Consent for health data; Contract for services |
| Privacy notice provided | ✅ | Privacy Policy accessible in-app and online |
| Consent mechanisms | ✅ | Clear opt-in during onboarding |
| Data subject rights | ✅ | In-app tools and email request process |
| Security measures | ✅ | AES-256 encryption, TLS 1.3, biometrics |
| Breach procedures | ✅ | 72-hour notification process established |
| DPIAs conducted | ✅ | Completed for health data processing |
| Records maintained | ✅ | Processing activity records kept |
| Privacy by Design | ✅ | Local-first architecture |
| Third-party AI disclosure | ✅ | Clear disclosure and consent requirement |
Document ID: GDPR-MAIPLEXOS-2025-001
Version: 1.1
Effective Date: January 31, 2025
Next Review: July 31, 2025