Introduction
At Polana ("we," "our," or "us"), we respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and protect your information when you use our mental health assessment platform.
Privacy First
We collect only essential data to provide mental health assessments. We never sell your information to third parties, and you have complete control over your data with the right to delete your account at any time.
Information We Collect
We collect and process the following categories of personal data when you use our platform:
1. Identity Data
What we collect: First name, last name, email address, and encrypted password.
Why we collect it: To create and manage your account, enable login functionality, and send important service communications.
Legal basis (GDPR): Article 6(1)(b) - Processing necessary for contract performance.
2. Mental Health Assessment Data
What we collect: Your responses to validated mental health assessments (PHQ-9, GAD-7, ASRS, DASS-21, Big Five), calculated scores, severity levels, and historical assessment results.
Why we collect it: To provide personalized mental health insights, track your progress over time, generate analytics, and deliver evidence-based recommendations.
Sensitive Health Data
Assessment data is classified as special category data under GDPR Article 9 (health data). We process this data only with your explicit consent, which you provide when creating your account and completing assessments.
3. Technical Data
What we collect: IP address, browser type and version, device type, operating system, session timestamps, and pages visited.
Why we collect it: To ensure platform security, prevent fraud, troubleshoot technical issues, and improve user experience.
Legal basis (GDPR): Article 6(1)(f) - Legitimate interests (security and service improvement).
How We Use Your Data
We use your personal data for the following purposes:
- Provide Services: Calculate assessment scores, generate personalized insights, and display historical progress data.
- Account Management: Enable login, password reset, account settings updates, and communication about service changes.
- Platform Improvement: Analyze aggregated, anonymized usage patterns to enhance features and user experience (no individual identification).
- Security: Detect and prevent unauthorized access, fraud, and abuse of the platform.
- Legal Compliance: Respond to valid legal requests and enforce our Terms of Service.
We DO NOT: Sell or rent your data to third parties, use your data for advertising, or share your assessment results with anyone without your explicit consent.
Data Sharing and Disclosure
We do not sell, trade, or rent your personal data. We may share your data only in the following limited circumstances:
1. Service Providers
We use trusted third-party service providers for infrastructure: Supabase for database hosting, fly.io for API hosting, and Vercel for frontend hosting. These providers are contractually bound to process data only as instructed and maintain GDPR-compliant security standards.
2. Legal Requirements
We may disclose data if required by law, court order, or government regulation, or if necessary to protect the safety of users or the public (e.g., credible threat of self-harm).
3. User Consent
With your explicit permission, you may export and share your assessment data with healthcare providers or therapists via our Data Export feature.
Data Security
We implement industry-standard security measures to protect your data:
Encryption at Rest
Encryption at rest for all stored data, provided by our database hosting provider.
Encryption in Transit
TLS encryption for all data transmitted between your device and our servers.
Password Security
Industry-standard password hashing; passwords are never stored in plain text.
Access Controls
Access controls ensuring users can only access their own data.
Your Rights Under GDPR
Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:
Right to Access
Request a copy of all personal data we hold about you via the Data Export page.
Right to Rectification
Correct inaccurate or incomplete data through your Profile settings.
Right to Erasure
Delete your account and all associated data permanently (Right to be Forgotten).
Right to Restriction
Request temporary restriction of data processing in specific circumstances.
Right to Portability
Download your data in JSON or CSV format to transfer to another service.
Right to Object
Object to data processing based on legitimate interests or direct marketing.
Right to Withdraw Consent: Where processing is based on your consent (e.g., health data under Article 9), you may withdraw consent at any time by deleting your account. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
To exercise your rights: Visit your Profile page for account settings and deletion, or Data Export page to download your data.
Data Retention
We retain your data for the following periods:
- Active Accounts: Data is retained as long as your account is active and you continue using the platform.
- Account Deletion: When you delete your account, all personal data and assessment results are permanently deleted within 30 days.
- Backup Copies: Data in encrypted backups is deleted within 90 days after account deletion.
- Legal Hold: In rare cases, data may be retained longer if required by law or ongoing legal proceedings.
International Data Transfers
Our infrastructure providers (Supabase, Vercel) may store data in data centers located in the European Union and United States. When data is transferred outside the EU/EEA:
- Transfers comply with GDPR Article 44-49 (mechanisms for lawful international transfers).
- Service providers are certified under the EU-U.S. Data Privacy Framework or use Standard Contractual Clauses (SCCs).
- Data remains encrypted during transfer and storage.
Children's Privacy
Age Restriction
Polana is not intended for users under 18 years of age. We do not knowingly collect personal data from minors. If you are under 18, please do not use this platform or provide any personal information.
If we discover that we have collected data from a user under 18, we will delete that data immediately. Parents or guardians who believe we have collected data from a minor should contact us at privacy@polana.app.
Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or platform features. The "Last Updated" date at the top of this page indicates the most recent revision. We will notify you of significant changes via email or prominent notice on the platform. Continued use of Polana after changes constitutes acceptance of the updated policy.
Contact Us
Data Protection Officer
If you have questions about this Privacy Policy, wish to exercise your GDPR rights, or have privacy concerns, please contact us:
- Email: privacy@polana.app
- Response Time: We aim to respond to all data protection inquiries within 30 days.
You also have the right to lodge a complaint with your local data protection supervisory authority. For users in Poland, this is the Urząd Ochrony Danych Osobowych (UODO) at uodo.gov.pl.