Privacy Notice (GDPR)
herapy — Voice & Text Wellness Support
For Users in the European Economic Area and United Kingdom
Effective date: June 02, 2025
Last updated: June 02, 2025
1. Introduction
ICI Tech Teknoloji A.Ş. processes your personal data in compliance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and, where applicable, the UK GDPR.
| Data Controller | ICI Tech Teknoloji A.Ş. |
| Website | https://herapy.app/ |
| Email | app@icitech.com.tr |
| Country of establishment | Republic of Turkey |
EU Representative (Article 27 GDPR): As a company established outside the EEA offering services to EEA residents, we are in the process of designating an EU representative per Article 27 GDPR. Updated contact details will be published at https://herapy.app/privacy once appointed. In the meantime, contact app@icitech.com.tr.
Data Protection Officer: We do not currently meet the threshold for mandatory DPO appointment under Article 37 GDPR. All data protection enquiries: app@icitech.com.tr.
Important Disclaimer: herapy is not a therapy service, clinical diagnosis tool, medical device, or licensed mental health treatment. It is a personal support companion for everyday stress, anxiety, and overwhelm. Consult a qualified healthcare professional for clinical-level support.
herapy is free. We do not collect payment information.
2. Special Category Data — Mental Health and Emotional Data
Under GDPR Article 9, the following data processed by herapy may constitute data concerning health, specifically mental health and psychological wellbeing:
| Data Category | Why It May Qualify |
|---|---|
| Daily mood selections | Relates to emotional and psychological state |
| Emotional self-reports and check-in entries | Contains mental health context |
| Text session content | May contain sensitive personal disclosures about mental wellbeing |
| Recurring emotional themes | Derived analysis of psychological patterns |
We process all special category data only on the basis of your explicit consent under GDPR Article 9(2)(a). You provide this consent when you:
- Complete your first mood check-in
- Start your first text coaching session
- Enable memory/personalization features
You may withdraw consent at any time through Settings → Privacy → Manage Consents without penalty. Withdrawal will restrict access to features that depend on this data.
Voice content is never stored or transmitted and is therefore not subject to data protection law on our end — it never reaches us.
3. Data We Process
3.1 Account Information (Optional)
Email address, password (hashed), optional display name and profile photo. Account creation is not required — herapy can be used as a guest.
3.2 Mood and Emotional Check-in Data (Special Category)
Daily mood selections, emotional self-reports, check-in history, recurring emotional themes.
3.3 Voice Session Data
Session timestamps and duration only. Voice audio is processed on-device and never transmitted. No audio content, transcript, or spoken word reaches our servers.
3.4 Text Session Content (Special Category)
Text you type during coaching sessions, session timestamps.
3.5 Memory and Personalization Data
Personal context and preferences you save in the app's memory controls.
3.6 Weekly Insights and Analytics
Mood trend summaries, session consistency scores, progress highlights.
3.7 Device and Technical Data
Device type, OS version, app version, IP address (truncated), time zone, crash logs.
3.8 Push Notification Data
Device push token and notification interaction events (if permission granted).
3.9 Communications Data
Email and message content from support contacts.
4. Legal Bases for Processing (GDPR)
| Purpose | GDPR Legal Basis |
|---|---|
| Account creation and management (optional) | Art. 6(1)(b) — Performance of contract |
| Daily mood check-ins and emotional data | Art. 9(2)(a) — Explicit consent (special category) |
| Text session content | Art. 9(2)(a) — Explicit consent (special category) |
| Voice session timing metadata | Art. 6(1)(b) — Performance of contract |
| Memory and personalization | Art. 6(1)(b) / Art. 6(1)(a) — Contract / Consent |
| Weekly insights and analytics | Art. 6(1)(b) — Performance of contract |
| App quality and crash analysis | Art. 6(1)(f) — Legitimate interests |
| Security monitoring | Art. 6(1)(f) — Legitimate interests |
| Support requests | Art. 6(1)(b) — Performance of contract |
| Legal obligations | Art. 6(1)(c) — Legal obligation |
| Marketing communications | Art. 6(1)(a) — Consent |
Legitimate interests: Where we rely on Art. 6(1)(f), we have balanced our interests against your rights. You may object — see Section 8.
5. Voice Data — GDPR Clarification
Voice audio is processed entirely on your device and is never transmitted to our servers. As such:
- We do not hold your voice recordings
- You cannot submit an access request for audio we do not hold
- Voice data does not form part of our data processing under GDPR
- We receive only session start/end timestamps — no audio content whatsoever
This is a foundational privacy design decision, not a policy choice.
6. What We Do Not Do
- We do not sell personal data.
- We do not transmit voice recordings.
- We do not share mood data, emotional check-ins, or text session content with Meta, TikTok, Google Ads, or any advertising network.
- We do not use emotional or mental health data for ad targeting or profiling.
- We do not use voice or text content to train any model.
- We do not use advertising identifiers (IDFA / GAID).
- We do not collect payment information.
- We do not make automated decisions with significant effects based on your emotional data (Art. 22 GDPR).
7. Your Rights Under GDPR
| Right | Article | Description |
|---|---|---|
| Right of access | Art. 15 | Obtain a copy of your personal data |
| Right to rectification | Art. 16 | Correct inaccurate data |
| Right to erasure | Art. 17 | Request deletion |
| Right to restriction | Art. 18 | Limit processing |
| Right to data portability | Art. 20 | Receive data in machine-readable format |
| Right to object | Art. 21 | Object to legitimate interest processing or marketing |
| Right to withdraw consent | Art. 7(3) | Withdraw mood/text consent or marketing consent at any time |
| Right not to be subject to automated decisions | Art. 22 | Not profiled by fully automated means with significant effects |
| Right to lodge a complaint | Art. 77 | Contact your national supervisory authority |
How to exercise
Email app@icitech.com.tr — subject "GDPR Data Subject Request — herapy". We respond within one month, free of charge.
In-app controls
| Action | Where |
|---|---|
| Delete account | Settings → Account → Delete Account |
| Withdraw mood/text consent | Settings → Privacy → Manage Consents |
| Clear memory data | Settings → Memory → Clear All |
| Export your data | Settings → Privacy → Export My Data (where available) |
| Revoke marketing consent | Settings → Privacy → Marketing Preferences |
| Revoke microphone permission | Device Settings → Microphone → herapy |
8. Right to Lodge a Complaint
| Country | Authority | Website |
|---|---|---|
| 🇫🇷 France | CNIL | https://www.cnil.fr |
| 🇩🇪 Germany | BfDI + state DPAs | https://www.bfdi.bund.de |
| 🇪🇸 Spain | AEPD | https://www.aepd.es |
| 🇬🇧 United Kingdom | ICO | https://ico.org.uk |
| 🇧🇪 Belgium | APD/GBA | https://www.dataprotectionauthority.be |
| 🇳🇱 Netherlands | AP | https://autoriteitpersoonsgegevens.nl |
| Other EEA | Your national DPA | https://edpb.europa.eu/about-edpb/about-edpb/members_en |
We encourage you to contact us first — most concerns are resolved quickly.
9. International Data Transfers
ICI Tech Teknoloji A.Ş. is established in Turkey. The European Commission has not issued an adequacy decision for Turkey under GDPR Article 45.
For all transfers from the EEA or UK, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK IDTAs for UK transfers
- GDPR Article 49 derogations where applicable
Voice data is never transferred internationally — it never leaves your device.
Request a copy of applicable transfer mechanisms: app@icitech.com.tr.
10. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data (if created) | Duration + 3 years after deletion |
| Mood and emotional check-in data | Duration + 1 year; deleted within 30 days of consent withdrawal |
| Text session content | Duration + 1 year; deleted within 30 days of consent withdrawal |
| Voice audio | Never stored |
| Voice session timing metadata | Duration + 1 year |
| Memory and personalization data | Until cleared in-app or account deleted |
| Support communications | 3 years |
| Crash logs | 12 months |
| Security logs | 12 months |
11. Security
- TLS 1.2+ in transit; encryption at rest
- Mood and emotional data stored with elevated access controls
- Voice audio never stored — no server-side audio risk
- Breach notification: Within 72 hours to supervisory authority (Art. 33); users notified without undue delay for high-risk breaches (Art. 34)
12. Automated Decision-Making
We do not make automated decisions with legal or similarly significant effects based on your mood data, emotional entries, or text sessions (Art. 22 GDPR). Insights and trends are generated from your own data and displayed to you for personal reflection only.
13. Children's Privacy
herapy is for users 18 and older. Contact app@icitech.com.tr for immediate deletion if a child has submitted data.
14. Cookies
Our website uses cookies with a consent banner on first visit.
| Type | Legal Basis | Opt-Out |
|---|---|---|
| Strictly necessary | Art. 6(1)(f) | Not possible |
| Analytics | Art. 6(1)(a) — Consent | Via banner |
| Marketing | Art. 6(1)(a) — Consent | Via banner |
We do not use cookies to infer emotional state or mental health status.
15. Changes
Material changes are notified 14 days in advance. Current version: https://herapy.app/privacy/gdpr.
16. Contact Us
| Email | app@icitech.com.tr |
| Subject | "GDPR Data Subject Request — herapy" |
| Website | https://herapy.app/ |
We acknowledge requests within 5 business days and resolve them within one month.