Privacy Policy — Stop Your Pain

PRIVACY POLICY

Last updated: June 16, 2026

This policy explains what personal data the Stop Your Pain app collects, how it is used, and your rights. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR).

1. Data controller

The data controller within the meaning of the GDPR is:

Michael Abergel, Osteopath D.O.

80 rue Saint-Dominique, 75007 Paris, France

ADELI N°: 750019457

SIRET N°: 82825803800029

Email: m.abergelosteo@gmail.com

To exercise your rights or ask any question regarding your personal data, contact us via the Contact page in the app or by email.

1a. Legal basis for processing

Each processing activity relies on a specific legal basis under the GDPR:

• Pain ratings, pain descriptions you type, and physiological signals read from Apple Health or WHOOP: this is health-related data (special category, GDPR article 9), processed on the basis of your explicit consent (article 9(2)(a)), collected in the app before processing.

• Contact email and purchase identifier: processed on the basis of performing the service you request and our legitimate interest in operating the app (GDPR articles 6(1)(b) and 6(1)(f)).

You may withdraw your consent at any time, as easily as you gave it (GDPR article 7(3)). Withdrawal does not affect the lawfulness of processing carried out before it.

2. Data we collect

We only collect the data needed to operate the app. Some of it is health-related data (GDPR article 9), processed with your explicit consent:

• Pain ratings (body area and intensity from 0 to 10), classified as health data, linked to a random identifier generated on your device and stored in our database (Supabase, Frankfurt). This identifier is pseudonymous, not anonymous.

• Pain descriptions you type into the AI Companion (text), which may constitute health data. We do not retain them on our servers; Google may keep them for up to 30 days for abuse prevention, then deletes them.

• Physiological data read from Apple Health (HealthKit) if you allow it (sleep, HRV, resting heart rate, steps, etc.): kept only on your device, never sent to our servers.

• Physiological data from WHOOP if you connect your strap: the connection goes through a secure server function, then measurements are fetched directly to your device and kept locally.

• History of your AI consultations, stored locally on your device

• Email address, only if you write to us via the contact form

• Anonymous purchase identifier (if you subscribe to Premium via the App Store)

• Language and theme preferences (stored locally)

2a. Apple Health (HealthKit) data

In accordance with Apple's rules, this section clarifies how we use Apple Health data:

• It is read on your device after your explicit authorization, and serves only the wellness features of the app (relating it to your pain ratings).

• It is never used for advertising or marketing, never sold, and never shared with third parties for such purposes.

• It is kept only on your device and is never sent to our servers.

• You can revoke this access at any time in iOS Settings (Privacy & Security, Health).

3. How we use your data

• Provide personalized AI responses

• Show you, on your device only, wellness observations relating your pain ratings to your physiological signals (correlations, factor of the day). No physiological data is sent to our servers for this analysis.

• Improve the quality of advice

• Reply to your contact messages

• Manage your Premium subscription

Your health data (pain ratings, descriptions, Apple Health and WHOOP signals) is never used for advertising or marketing, never sold, and never shared with third parties for such purposes.

4. Sharing with third parties

We never sell your data. The providers below acting on our behalf (processors) are bound by data protection commitments consistent with the GDPR:

• Supabase (Frankfurt, Germany): hosts the database containing your pain ratings linked to a random identifier, and the server function that secures the WHOOP connection.

• Google Gemini API (USA): generates AI responses from descriptions. We do not retain them; Google may keep them for up to 30 days for abuse prevention, then deletes them.

• Apple App Store (USA): subscription and payment management, transfers governed by the European Commission's Standard Contractual Clauses.

• Transactional email service (EU-hosted): replies to the contact form.

WHOOP, Inc. (USA) is an independent third party, not a processor acting on our instructions. If you connect your strap, the connection (OAuth authorization and tokens) is handled via a secure server function, then your measurements are fetched directly to your device. WHOOP's processing is governed by its own privacy policy.

5. Data retention

• Pain descriptions: not retained on our servers; Google may keep them for up to 30 days for abuse prevention, then deletes them.

• Pain ratings (linked to a random identifier): kept in our database (Supabase, Frankfurt) while you use tracking; deletable at any time from the app.

• Apple Health and WHOOP signals, AI consultation history and preferences: kept only on your device; removed by clearing the app data, disconnecting, or uninstalling.

• Contact emails: kept for 3 years after the last interaction.

We respond to any request regarding your data within one month (GDPR article 12(3)).

6. Your rights (GDPR)

Under GDPR, you have the following rights:

• Right to access your data

• Right to rectification

• Right to erasure (right to be forgotten)

• Right to data portability

• Right to object to processing

• Right to withdraw your consent at any time, as easily as you gave it, for health data

• Right to lodge a complaint with a supervisory authority

7. Cookies and local storage

The app uses your browser or device local storage to remember your preferences (language, theme, history). No advertising tracking cookies are used.

8. Security

We implement technical and organizational measures to protect your data against unauthorized access, alteration or disclosure.

9. California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you additional rights:

• Right to know what categories of personal data are collected and the purposes

• Right to request deletion of your personal data

• Right to correct inaccurate data

• Right to opt out of sale or sharing of your data (we NEVER SELL OR SHARE your data for advertising)

• Right to non-discrimination when exercising these rights

10. Children's privacy (COPPA)

Stop Your Pain is NOT intended for children under 13 years old, in compliance with the U.S. Children's Online Privacy Protection Act (COPPA) and the European GDPR (article 8: parental consent required for minors).

We do not knowingly collect personal data from children under 13. If you are a parent or guardian and discover that your child has provided us with data, please contact us immediately and we will delete it.

11. HIPAA Notice for US Users

Stop Your Pain is a wellness app developed by an osteopath based in France. We are not a HIPAA-covered entity, and the data collected through this app is not "Protected Health Information" (PHI) within the meaning of HIPAA. Stop Your Pain is not a substitute for professional medical advice, diagnosis, or treatment. We process your data exclusively under EU GDPR and California CCPA frameworks. For full details on data handling, see sections 5 and 9 of this Privacy Policy.

12. International data transfers

Your data is primarily processed and hosted within the European Union (Supabase Frankfurt). Some technical operations may involve transfers to third countries (Google Gemini API, Apple App Store in the United States). These transfers are governed by the Standard Contractual Clauses of the European Commission, ensuring a level of protection equivalent to the GDPR.

13. Changes

This policy may be updated. Any change will be published on this page with a new update date. Substantial modifications will be notified through the app.

14. Third-Party AI Service (Google Gemini)

Stop Your Pain uses Google's Gemini AI API to analyze the pain descriptions you submit and generate personalized osteopathic guidance. This section explains exactly what is shared and how.

15. What we send to Google

• The free-text pain description you write (e.g. "lower back pain for 3 days, worse when sitting")

• Anatomical context tags inferred by the app (e.g. zone = lumbar)

• An anonymous random identifier (UUID v4) generated on first launch and stored locally on your device

16. What we do NOT send to Google

• Your name, email, phone number, or any other contact information

• Your IP address (proxied through our Supabase Edge Function)

• Your medical history (antécédents), stored locally and in Supabase only

• Any payment information

• Your pain intensity scores (stored locally and in Supabase only)

17. Who receives this data

Google LLC, through the Gemini API (gemini-2.5-flash, gemini-3-flash-preview, or gemini-2.5-pro depending on availability).

Google's processing of this data is governed by:

• Google's Privacy Policy: policies.google.com/privacy

• Google AI Studio Terms: ai.google.dev/terms

• Google Cloud Data Processing Addendum (GDPR Article 28): cloud.google.com/terms/data-processing-terms

Google's data handling complies with privacy standards equivalent to or stronger than those described in this policy.

18. Your consent

On first launch, Stop Your Pain displays a consent screen that clearly discloses this data sharing. You must explicitly accept before any data is sent to Google. You can withdraw consent at any time by deleting the app.

19. Data retention (Gemini)

• Pain descriptions sent to Gemini: retained on Google's infrastructure for up to 30 days for abuse prevention, then permanently deleted

• Anonymous UUIDs: retained for 12 months for analytics purposes, then automatically purged

• Local app data: deleted instantly when you delete the app

20. Your rights

You have the right to:

• Refuse AI processing (by deleting the app)

• Request deletion of any data we hold by emailing stopyourpainapp@gmail.com

• Access a copy of data we process about you

• Lodge a complaint with your data protection authority (CNIL in France, etc.)