Privacy Policy

This Privacy Policy explains how Vana (operated by Zealous OÜ, registration number: 16989036, registered address: Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5) collects, uses, discloses, and protects your information when you use our website, mobile application, and AI-powered habit tracking services (collectively, the "Service").

By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.

1. Information We Collect

1.1 Personal Information

We may collect the following types of personal information:

• Account Information: Email address, username, password (encrypted), and profile information
• Contact Information: Name, email address, phone number (if provided)
• Payment Information: Billing address, payment method details (processed securely through third-party payment processors)
• Communication Data: Messages, feedback, support requests, and other communications with us

1.2 Usage and Technical Information

We automatically collect certain information when you use our Service:

• Device Information: Device type, operating system, browser type, device identifiers, IP address
• Usage Data: App features used, time spent, pages visited, interactions, preferences, and settings
• Performance Data: Crash reports, error logs, performance metrics
• Location Data: General location information (city/country level) based on IP address

1.3 Habit and Health Data

Our Service is designed to track habits and health-related information:

• Habit Data: Habits you choose to track, completion status, frequency, goals, and progress
• Health Metrics: Sleep data, exercise information, mood tracking, and other health-related data you input
• AI Insights: Personalized recommendations, patterns, and insights generated by our AI system

2. How We Use Your Information

We use the collected information for the following purposes:

2.1 Service Provision

• Provide, maintain, and improve our Service
• Process transactions and manage your account
• Deliver personalized habit tracking and AI-powered insights
• Send important service updates and notifications

2.2 Communication

• Respond to your inquiries and provide customer support
• Send marketing communications (with your consent)
• Notify you about new features, updates, and beta opportunities
• Send administrative information and policy updates

2.3 Analytics and Improvement

• Analyze usage patterns to improve user experience
• Conduct research and development for new features
• Monitor and prevent fraud, abuse, and security threats
• Generate aggregated, anonymized statistics

2.4 Legal Compliance

• Comply with applicable laws and regulations
• Enforce our Terms of Service and other agreements
• Protect our rights, property, and safety
• Respond to legal requests and prevent harm

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process your personal data based on the following legal grounds:

• Consent: When you explicitly agree to the processing of your personal data
• Contract Performance: To provide the Service you requested and fulfill our contractual obligations
• Legitimate Interest: To improve our Service, ensure security, and prevent fraud
• Legal Obligation: To comply with applicable laws and regulations
• Vital Interests: To protect your health and safety in emergency situations

4. Information Sharing and Disclosure

4.1 Service Providers

We may share your information with trusted third-party service providers who assist us in operating our Service:

• Hosting and Infrastructure: Firebase (Google Cloud Platform) for hosting, databases, and cloud services
• Email Services: ConvertKit for email delivery and newsletter management
• Analytics: Google Analytics for website usage analysis (anonymized data)
• Payment Processing: Stripe, PayPal, or other payment processors for subscription payments
• Customer Support: Help desk and support tools
• Security: Security monitoring and threat detection services

4.2 Legal Requirements

We may disclose your information if required by law or in response to:

• Valid legal requests (subpoenas, court orders, government investigations)
• Emergency situations involving public safety
• Enforcement of our Terms of Service or other agreements
• Protection of our rights, property, or safety

4.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of the business transaction. We will notify you of any such changes and ensure appropriate safeguards are in place.

4.4 Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified information for research, analytics, or other purposes that does not identify individual users.

5. Data Security

We implement comprehensive security measures to protect your information:

• Encryption: All data is encrypted in transit (TLS/SSL) and at rest
• Access Controls: Strict access controls and authentication mechanisms
• Regular Audits: Security assessments and vulnerability testing
• Data Minimization: We only collect and retain necessary information
• Employee Training: Regular security training for all staff
• Incident Response: Procedures for detecting and responding to security incidents

6. Data Retention

We retain your personal information only as long as necessary to fulfill the purposes outlined in this policy:

• Account Data: Retained while your account is active and for a reasonable period after deletion
• Usage Data: Typically retained for 2-3 years for analytics and service improvement
• Communication Data: Retained for the duration of our relationship and for legal compliance
• Payment Data: Retained as required by financial regulations and for accounting purposes
• Legal Requirements: Some data may be retained longer to comply with legal obligations

You may request deletion of your data at any time, subject to legal requirements.

7. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs): For transfers outside the EEA
• Adequacy Decisions: For transfers to countries with adequate data protection
• Certification Programs: Where applicable, we rely on approved certification mechanisms
• Consent: In some cases, we may rely on your explicit consent

8. Your Rights and Choices

8.1 Access and Control

You have the following rights regarding your personal information:

• Access: Request a copy of your personal data
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your personal data ("right to be forgotten")
• Portability: Receive your data in a structured, machine-readable format
• Restriction: Limit how we process your data
• Objection: Object to certain types of processing
• Withdraw Consent: Withdraw consent where processing is based on consent

8.2 Marketing Preferences

You can control marketing communications:

• Unsubscribe from marketing emails using the link in each email
• Update your communication preferences in your account settings
• Contact us directly to opt out of specific communications

8.3 Cookies and Tracking

You can control cookies and tracking technologies:

• Adjust your browser settings to block or delete cookies
• Use browser extensions to block tracking
• Opt out of analytics tracking where available

9. Children's Privacy

Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. We will take steps to remove such information from our records.

For users between 13-18 years of age, we recommend parental guidance and consent for using our Service.

10. Third-Party Services and Links

Our Service may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

11. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information is collected and how it's used
• Right to delete personal information
• Right to opt out of the sale of personal information (we do not sell personal information)
• Right to non-discrimination for exercising your privacy rights

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

• Posting the updated policy on this page
• Sending an email notification to registered users
• Displaying a notice in our Service

The "Last Updated" date at the top of this policy indicates when it was last revised. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.