biohugs — Proactive Mental Wellness
Last updated: 10 March 2026
Effective date: 10 March 2026
| What you should know | Details |
|---|---|
| Your biometric data | Heart rate is processed on your device. Session summaries sync to your cloud account when signed in. |
| AI personalisation | Your first name, mood, and session context are sent to Google Gemini to generate guided content. |
| Voice synthesis | Script text is sent to ElevenLabs to generate spoken audio. |
| We never | Sell your data, show ads, share with data brokers, or track you across apps. |
| Guest mode | No data leaves your device. |
| Delete everything | Settings > Account > Edit Account > Delete Account removes your data. |
The controller responsible for the processing of your personal data is:
Biohugs UG (haftungsbeschränkt)
Meiendorfer Mühlenweg 38
22393 Hamburg, Germany
Email: privacy@biohugs.com
Website: https://biohugs.com
Data Protection Officer (Datenschutzbeauftragte/r): Hannes Jürgensen
Contact: privacy@biohugs.com
biohugs is a mental wellness app that uses real-time biofeedback from Apple Watch to guide personalised breathing exercises, meditation, yoga, and cognitive reframing sessions. This Privacy Policy explains what data we collect, why we collect it, how we process it, and your rights.
We process special category data (health and biometric data) under Article 9 of the EU General Data Protection Regulation (GDPR). We take the protection of this data extremely seriously.
| Data | Purpose | Legal Basis |
|---|---|---|
| First name, last name | Personalisation of guided sessions (your name is spoken in scripts) | Consent (Art. 6(1)(a) GDPR) |
| Email address | Account creation, authentication, password reset | Performance of contract (Art. 6(1)(b) GDPR) |
| Phone number (if provided) | Phone-based authentication via Firebase Auth | Performance of contract (Art. 6(1)(b) GDPR) |
| Age category (e.g. "18-25", "26-45") | Content personalisation | Consent (Art. 6(1)(a) GDPR) |
| Authentication provider (Apple, Google, Email, Phone) | Account management | Performance of contract (Art. 6(1)(b) GDPR) |
| Data | Purpose | Legal Basis |
|---|---|---|
| Heart rate (real-time) | Real-time biofeedback during sessions | Explicit consent (Art. 9(2)(a) GDPR) |
| Heart rate variability indicators | Wellness assessment and relaxation trend tracking | Explicit consent (Art. 9(2)(a) GDPR) |
| Resting heart rate | Session baseline calibration | Explicit consent (Art. 9(2)(a) GDPR) |
| Stress and relaxation indicators | Adaptive session guidance | Explicit consent (Art. 9(2)(a) GDPR) |
| Wellness scores | Session effectiveness tracking — these are proprietary wellness indicators, not clinical measurements | Explicit consent (Art. 9(2)(a) GDPR) |
| Heart rate session history | Session review and trend analysis | Explicit consent (Art. 9(2)(a) GDPR) |
On-device processing: Biometric data from your Apple Watch is initially processed on your device. When you are signed in, session summaries are securely synced to your cloud account. In guest mode, no data leaves your device.
| Data | Purpose | Legal Basis |
|---|---|---|
| Session records (technique, duration, completion time) | Progress tracking, session history | Performance of contract (Art. 6(1)(b) GDPR) |
| Mood tag (e.g. "calm", "anxious", "restless") | Session personalisation, progress tracking | Explicit consent (Art. 9(2)(a) GDPR) |
| Energy level | Session personalisation | Explicit consent (Art. 9(2)(a) GDPR) |
| Session goal (e.g. "relax", "focus") | Technique routing | Performance of contract (Art. 6(1)(b) GDPR) |
| Session content | Session continuity | Performance of contract (Art. 6(1)(b) GDPR) |
| Device information (phone model, OS version, watch model) | Technical diagnostics | Legitimate interest (Art. 6(1)(f) GDPR) |
| Data | Purpose | Legal Basis |
|---|---|---|
| Subscription status (premium/free, trial status) | Feature access management | Performance of contract (Art. 6(1)(b) GDPR) |
| Product ID, purchase date, expiration date | Subscription management and restoration | Performance of contract (Art. 6(1)(b) GDPR) |
| Original transaction ID | Purchase verification | Performance of contract (Art. 6(1)(b) GDPR) |
Note: All payment processing is handled entirely by Apple through the App Store. We never receive, process, or store your payment card details, bank account information, or Apple Pay credentials.
Firebase Analytics (included as part of the Firebase SDK) automatically collects certain events and device information, including:
IP addresses processed by Firebase Analytics are anonymised by default by the Firebase SDK before storage. We do not collect or access Apple's Identifier for Advertisers (IDFA), and do not use the App Tracking Transparency framework, as we do not track users across apps or websites.
We do not use this data for advertising or user profiling. We use it solely for basic app diagnostics and stability monitoring.
The Google Ads on-device conversion SDK is included as a transitive dependency of the Firebase SDK. It performs on-device ad attribution measurement. We do not run advertising campaigns that use this SDK, but its presence is disclosed here for transparency.
During sessions, we send limited personal data to Google Gemini API to generate personalised session content. This includes:
We do not send your email address, phone number, age, device identifiers, raw heart rate samples, or account ID to Gemini.
When offline, the app uses pre-written content. No data is sent to any external service.
Session content is converted to spoken audio using the ElevenLabs API. The text of the script — which may include your first name — is sent to ElevenLabs for audio generation. No other personal data is transmitted to ElevenLabs.
We use the following third-party services as data processors under Art. 28 GDPR.
Purpose: User authentication (Apple Sign-In, Google Sign-In, Email/Password, Phone/SMS)
Data processed: Email address, phone number, authentication tokens, user ID
Privacy: https://firebase.google.com/support/privacy
Purpose: Cloud storage and synchronisation of user profiles, session records, and purchase records
Data processed: User profile data, session records (including biometric summaries, mood data, and session content), subscription status
Privacy: https://firebase.google.com/support/privacy
Purpose: AI-generated personalised session content
Data processed: First name, mood/energy context, biofeedback summary, language preference
Data retention: Data sent to Google Gemini is processed under Google's Cloud Data Processing Addendum, which prohibits use of customer data for model training. See: https://ai.google.dev/gemini-api/terms
Purpose: Text-to-speech audio generation for guided sessions
Data processed: Session script text (which may contain the user's first name within the narrative)
Privacy: https://elevenlabs.io/privacy
Purpose: Reading heart rate and HRV data from Apple Watch; writing workout summaries to Apple Health
Data processed: Heart rate, resting heart rate (read); workout summaries (write)
Important: HealthKit data is governed by Apple's privacy framework. We do not have access to your broader HealthKit data beyond the specific types you authorise.
Purpose: Subscription purchase and management
Data processed: Subscription status, product identifiers, transaction data
Important: All payment processing is handled by Apple. We never receive payment details.
Biometric data is processed locally on your device. User profile and session data are also stored locally on your device to enable offline use. Temporary audio files are cached on-device and automatically cleared periodically.
When you are signed in with an account, the following is synced to Firebase Firestore:
| Data Category | Retention Period |
|---|---|
| Account data (cloud) | Until account deletion |
| Session records (cloud) | Until account deletion |
| Purchase records (cloud) | Until account deletion |
| Local profile and session data | Until app is deleted or user signs out |
| Temporary audio cache | Automatically cleared periodically |
| Authentication records | Until account deletion |
You can delete your account at any time through the app:
Settings > Account > Edit Account > Delete Account
When you delete your account:
If you wish to exercise your right to erasure (Art. 17 GDPR) beyond in-app account deletion, or if you encounter any issues with the deletion process, please contact us at privacy@biohugs.com. We will respond within 30 days.
Your data may be transferred to and processed in countries outside the European Economic Area (EEA):
For all international transfers, we ensure that at least one of the following safeguards is in place:
You may request a copy of the applicable safeguards by contacting privacy@biohugs.com.
| Right | Description | How to Exercise |
|---|---|---|
| Access (Art. 15) | Obtain a copy of all personal data we hold about you | Contact privacy@biohugs.com |
| Rectification (Art. 16) | Correct inaccurate personal data | Edit in-app (Settings > Account > Edit Account) or contact us |
| Erasure (Art. 17) | Delete all your personal data | In-app (Settings > Account > Edit Account > Delete Account) or contact us |
| Restriction (Art. 18) | Restrict processing of your data | Contact privacy@biohugs.com |
| Data Portability (Art. 20) | Receive your data in a structured, machine-readable format | Contact privacy@biohugs.com |
| Objection (Art. 21) | Object to processing based on legitimate interest | Contact privacy@biohugs.com |
| Withdraw Consent (Art. 7(3)) | Withdraw consent for health data processing at any time | In-app (Settings > Account > Edit Account > Health Data Processing toggle), revoke HealthKit permissions in iOS Settings, or delete your account |
Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. The competent authority is:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI)
Ludwig-Erhard-Str. 22, 7. OG, 20459 Hamburg
https://datenschutz-hamburg.de
Alternatively, you may contact any supervisory authority in the EU Member State of your habitual residence or place of work (Art. 77 GDPR).
If you are in the United Kingdom, your rights under the UK GDPR and Data Protection Act 2018 are substantially similar to those listed above. The competent supervisory authority is the Information Commissioner's Office (ICO): https://ico.org.uk
California (CCPA/CPRA): You have the right to know what personal information is collected, to delete personal information, to opt out of the sale of personal information (we do not sell your data), and to non-discrimination. Contact privacy@biohugs.com.
Washington My Health My Data Act: We collect health data (heart rate, heart rate variability) only with your explicit consent and do not sell or share it for commercial purposes unrelated to the services you requested.
Other US states: We comply with applicable state privacy laws including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states with comprehensive privacy legislation.
biohugs is designed for adults (18 years and older). We do not knowingly collect personal data from children under 16 (the age threshold under Art. 8 GDPR as implemented in Germany via Section 25(1) TTDSG).
If we learn that we have inadvertently collected personal data from a child under 16, we will delete that data promptly. If you believe a child under 16 has provided us with personal data, please contact us at privacy@biohugs.com.
biohugs is a native iOS application. We do not use:
In accordance with Section 25 TTDSG and the ePrivacy Directive (2002/58/EC), we only access information on your device (HealthKit data) with your explicit prior consent, obtained through iOS system permission dialogs.
biohugs is a wellness app, not a medical device. All biofeedback data, wellness scores, stress and relaxation indicators, and session content provided by the app are for general wellness purposes only and do not constitute medical advice, diagnosis, or treatment.
biohugs uses AI (Google Gemini) to generate personalised session content and adapts sessions in real time based on your biofeedback. This constitutes automated processing but does not constitute automated decision-making with legal or similarly significant effects within the meaning of Art. 22 GDPR.
The biofeedback-adaptive system processes your heart rate data algorithmically to adjust session pacing and content. These are wellness indicators, not clinical measurements. This processing is core to the service you have requested.
AI-generated content is not reviewed by a human before delivery. While we design our content generation carefully, AI output may occasionally be inaccurate or not suited to your specific situation.
We may update this Privacy Policy from time to time. We will notify you of material changes by:
Where material changes affect the processing of your health data, we will request fresh consent before applying the changes.
For any questions about this Privacy Policy, your data, or to exercise your rights:
Biohugs UG (haftungsbeschränkt)
Meiendorfer Mühlenweg 38
22393 Hamburg, Germany
Email: privacy@biohugs.com
Data Protection Officer: privacy@biohugs.com
We will respond to your request within 30 days.
This Privacy Policy is governed by the laws of the Federal Republic of Germany and the European Union, in particular: