Privacy Policy

PsychPod, Mental Wellbeing Tracker | Version 2026-05-29 | Effective: 29 May 2026

PsychPod (“we,” “us,” “our”) is committed to protecting your personal data. This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights under the Qatar Personal Data Privacy Protection Law (Law No. 13 of 2016, “PDPPL”), the EU General Data Protection Regulation (“GDPR”), and other applicable data protection laws.

Special-nature processing notice (PDPPL Article 16). PsychPod processes mental-health data, which is classified as special-nature personal data under the Qatar PDPPL. We are actively engaged with the National Data Privacy Office (NDPO) on the required permission process and have completed the Organization Level Privacy Compliance Assessment. We process this data only on the basis of your explicit consent (PDPPL Article 4) and never share it for purposes outside what is described in Section 5 below.

By using PsychPod, you agree to the collection and use of your information in accordance with this policy. If you do not agree, please discontinue use of the Service immediately.

Contents

Who We Are
Data We Collect
How We Use Your Data
Legal Bases for Processing
Data Sharing and Third-Party Processors
International Data Transfers
Data Retention
Your Rights
Push Notifications
Children’s Privacy
Security
Changes to This Policy
Contact

1. Who We Are

PsychPod is a personal mental wellbeing tracking application. For the purposes of applicable data protection law, PsychPod is the data controller responsible for your personal data.

We are registered as a data controller with the Compliance and Data Protection Department (CDPD) under the Qatar Ministry of Transport and Communications, as required by Article 15 of the Qatar PDPL.

Contact: support@psychpod.org
Website: https://psychpod.org

2. Data We Collect

2.1 Account Information

When you create an account, we collect:

Email address (required for authentication)
Display name and/or full name (optional, set by you)
Profile avatar image (optional, set by you)
Date of account creation
Terms of Service acceptance record (version, timestamp)

2.2 Wellbeing Check-In Data

The core function of PsychPod is self-reported check-ins. We collect:

Daily check-in responses across wellbeing domains: sleep, mood, energy, calm, focus, social connection, overall wellbeing, and contextual factors
Calculated domain scores and overall wellbeing score
Check-in timestamps
Habit-tracking responses linked to your configured habits

2.3 Voice Notes

If you choose to record a voice note during a check-in, we store the audio file securely in your account. Voice notes are associated with the check-in they were recorded for and are only accessible to you. The microphone permission is only requested when you explicitly tap the voice note button.

2.4 Social Features

If you use the friends and messaging features, we collect:

Friend connections and friendship records
Messages sent between you and your friends
Social activity updates visible to your friends
Friend requests sent and received

2.5 Achievement and Badge Data

We track which badges and achievements you have unlocked, along with the timestamps of those unlocks.

2.6 Notification and Device Data

To deliver push notifications, we collect:

Expo push notification token (for native iOS/Android notifications)
Web push subscription endpoint and key material (for browser notifications on the website)
Your notification preferences (e.g., reminder time, enabled/disabled state)

We do not collect persistent device identifiers beyond what is needed for push delivery.

2.7 Usage and Technical Data

We collect limited technical data to operate the Service:

IP address (logged by Supabase infrastructure for security and abuse prevention)
Login timestamps and session data
App version and platform (iOS/Android/Web) for compatibility

On the website (psychpod.org) we use privacy-preserving, cookieless web analytics, Vercel Analytics and Vercel Speed Insights, to understand aggregate traffic and page performance. These do not use cookies, do not track you across other sites, and do not build an advertising profile; you can decline optional analytics via the cookie banner. We use Sentry to capture diagnostic error and performance reports, with text and images masked and no clinical data sent. We do not use invasive analytics SDKs such as Firebase Analytics, Mixpanel, or Amplitude. We may show a small number of hand-picked, non-personalized sponsor messages on our public blog; these are not targeted using your data, set no advertising cookies, and we never share your personal data with advertisers. Signed-in members can remove blog ads with a one-time upgrade. We do not build advertising profiles, use behavioral ad networks, or sell your personal data.

2.8 Research Data (Optional)

If you opt in to research participation in Settings, we may use anonymized and aggregated versions of your check-in data to improve the Service and contribute to mental health research. This data cannot be linked back to you individually. Participation is entirely voluntary and can be disabled at any time.

3. How We Use Your Data

Purpose	Data Used
Provide and operate the Service (check-ins, scoring, history)	Account info, check-in data, voice notes
Social features (friends, messages, updates)	Profile, messages, friend connections
Push notifications (reminders, alerts)	Push tokens, notification preferences
Badge and achievement tracking	Check-in history, usage patterns
Security and fraud prevention	IP address, session data
Compliance with legal obligations	Account info, ToS acceptance records
Improving the Service (with consent)	Anonymized, aggregated check-in data
Responding to support requests	Account info, relevant usage data

We do not use your data for advertising, profiling for commercial purposes, or selling to third parties. We do not use automated decision-making that produces legal or similarly significant effects on you.

4. Legal Bases for Processing

4.1 Qatar PDPL

Under the Qatar PDPL, we process your personal data on the following bases:

Consent (Article 6): For account creation, check-in data, push notifications, and optional research participation, you provide consent when you accept our Terms and use the Service features.
Legitimate interests: For security, fraud prevention, and service integrity, where our interests do not override your fundamental rights.
Legal obligation: Where processing is required by Qatari law.

4.2 GDPR (EEA Users)

For users in the European Economic Area, our legal bases under GDPR Article 6 are:

Contract (Art. 6(1)(b)): Processing necessary to provide the Service you signed up for.
Consent (Art. 6(1)(a)): Push notifications, optional research data sharing.
Legitimate interests (Art. 6(1)(f)): Security, fraud prevention, service improvement.
Legal obligation (Art. 6(1)(c)): Where required by applicable EU law.

5. Data Sharing and Third-Party Processors

We do not sell your personal data. We share data only with the following third-party service providers (“processors”) who act on our instructions and are bound by data processing agreements:

Processor	Role	Location	Privacy Policy
Supabase	Database, authentication, file storage, Edge Functions	US / EU	supabase.com/privacy
Expo / EAS	App build infrastructure, push notification delivery	US	expo.dev/privacy
Anthropic / Claude AI	AI-powered analysis of anonymized wellbeing patterns	US	anthropic.com/privacy
Apple	iOS App Store distribution, APNs push delivery	US	apple.com/legal/privacy
Google / Firebase	Android distribution, FCM push delivery	US	policies.google.com/privacy
Vercel	Website hosting (psychpod.org) and privacy-preserving, cookieless analytics	US / global edge	vercel.com/legal/privacy-policy
Sentry	Error and performance monitoring (diagnostic crash reports)	EU	sentry.io/privacy

We may also disclose your data if required by law, court order, or regulatory authority, or to protect the rights, property, or safety of PsychPod, our users, or the public.

6. International Data Transfers

Your data is processed outside Qatar.

Our third-party processors (listed above) are located in the United States and the European Union: Vercel serves the website from a global edge network with a US origin, Sentry processes diagnostic error reports in the EU, and Supabase may operate in both the US and the EU. By using PsychPod and accepting our Terms of Service, you expressly consent to this international transfer of your personal data, as required by Article 13 of the Qatar PDPL.

We implement appropriate safeguards for these transfers, including data processing agreements with our processors. For EEA users, transfers to the US may rely on Standard Contractual Clauses (SCCs) or other approved mechanisms under GDPR Chapter V.

You may withdraw consent at any time by deleting your account. Upon deletion, we will request erasure of your data from all processors within 30 days.

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service.

Account data: Retained until account deletion.
Check-in and voice note data: Retained until account deletion or explicit deletion by you.
Messages: Retained until deleted by you or account deletion.
Push tokens: Retained until account deletion or token invalidation (device change, app uninstall).
Legal compliance records (ToS acceptance): May be retained for up to 5 years after account deletion to meet legal obligations.
Anonymized, aggregated research data: May be retained indefinitely as it cannot be linked to you.

30-day soft-delete grace period. When you tap Settings → Delete my account, we mark your account for deletion but do not destroy the data immediately. Sign back in within 30 days and tap “Cancel deletion and recover account” to restore everything. After 30 days, all your personal data is permanently deleted from our servers, except where retention is required by law (e.g. ToS acceptance records up to 5 years).

Inactive-account auto-deletion. If you do not sign in for 24 months, we will email you 30 days before automatically deleting your account, on the same 30-day grace period. This implements PDPPL data-minimisation and storage-limitation principles (Article 10).

8. Your Rights

Under the Qatar PDPL and GDPR (where applicable), you have the following rights regarding your personal data:

Right of access: Request a copy of the personal data we hold about you.
Right to rectification: Request correction of inaccurate or incomplete data.
Right to erasure (“right to be forgotten”): Request deletion of your personal data. You can do this directly via Settings → Delete my account, or by contacting us.
Right to restrict processing: Request that we limit how we process your data in certain circumstances.
Right to data portability: Request your check-in data in a structured, machine-readable format. Use Settings → Export my data in the app.
Right to withdraw consent: Withdraw consent at any time for processing based on consent (e.g., research participation, push notifications). Withdrawal does not affect lawfulness of prior processing.
Right to object: Object to processing based on legitimate interests.

To exercise any of these rights, contact us at support@psychpod.org. We will respond within 30 days. In some cases we may need to verify your identity before processing your request.

If you are in Qatar and believe we have violated the PDPL, you may lodge a complaint with the Compliance and Data Protection Department (CDPD). If you are in the EEA, you may lodge a complaint with your local data protection supervisory authority.

9. Push Notifications

PsychPod can send you push notifications for daily check-in reminders, messages from friends, badge achievements, and other activity. We only send notifications with your permission.

Native notifications (iOS/Android): Your device’s operating system controls permission. You can revoke permission at any time in your device Settings.
Browser (web) notifications: Your browser controls permission. You can revoke it in your browser’s site settings for psychpod.org.

You can also manage all notification preferences inside the PsychPod app under Settings → Notifications.

10. Children’s Privacy

Minimum age: 18. PsychPod is not intended for users under the age of 18. We do not knowingly collect personal data from anyone under 18. Mental-health data is classified as special-nature personal data under PDPPL Article 17, and we have not implemented a guardian-consent mechanism that would meet that bar. The minimum age was previously 16; it was raised to 18 on 9 May 2026 as part of our PDPPL compliance work.

If we become aware that a user is under 18, we will immediately terminate their account and delete all associated data, in compliance with Qatar’s Child Law (Law No. 25 of 2007), the Qatar PDPPL, and the GDPR.

If you believe a person under 18 has provided us with personal data, please contact us immediately at support@psychpod.org.

11. Security

We implement industry-standard security measures to protect your personal data, including:

Encryption in transit (TLS/HTTPS) for all data communications
Encryption at rest for data stored in Supabase
Row-Level Security (RLS) policies ensuring users can only access their own data
Server-side validation of all sensitive operations (e.g., badge awards, data exports)
Access controls limiting who on our team can access production data

Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

In the event of a personal data breach, we will notify the National Data Privacy Office (NDPO) within 72 hours of becoming aware of the breach and inform affected users without undue delay, as required by PDPPL Articles 13 and 14. Our Personal Data Breach Response Runbook describes our internal process; you can request a copy by emailing support@psychpod.org.

Reporting a security issue. Email support@psychpod.org, see our responsible disclosure page. Privacy and rights requests also go to support@psychpod.org; we acknowledge within 72 hours and aim to resolve within 30 days, in line with PDPPL Articles 5 and 6.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the app and/or by email, and update the “Last updated” date at the top of this page. Continued use of the Service after changes take effect constitutes your acceptance of the revised policy.

13. Contact

For any privacy-related questions, requests, or complaints, contact our Data Protection Officer at:

PsychPod, Data Protection

Email: support@psychpod.org

Website: https://psychpod.org

For legal inquiries relating to these Terms, contact: support@psychpod.org