§ 1. Data controller
- The controller of personal data processed in connection with the use of the feelink application (available at my.feelink.app) is BBest24 OÜ, registered at Sepapaja tn 6, 15551 Tallinn, Estonia, entered in the Estonian Commercial Register (Äriregister) under number 14878717, EU VAT number: EE102221596 (hereinafter: the "Controller").
- Contact for data protection matters: privacy@feelink.app.
§ 2. Categories of collected data
In connection with the use of the Application, the Controller processes the following categories of data:
2.1. Account data
- e-mail address - used for login and communication;
- password - stored exclusively as a cryptographic hash.
2.2. Health data (Article 9 GDPR)
The User independently enters the following data into the Application:
- Well-being and mental state: general well-being, mood, stress, anxiety, focus, productivity, impulsivity, irritability - on scales of 0-10;
- Appetite: rated on a scale of 0-10.
2.3. Treatment data
- treatment protocol stage, dosing regimen, medication dose;
- information about whether medication was taken, time of intake;
- medication effectiveness rating (0-10);
- side effects (type, severity);
- rebound effect: occurrence, severity, duration, profile;
- alarm symptoms, contact with physician.
2.4. Vital signs
- morning heart rate and heart rate after medication;
- morning blood pressure and blood pressure after medication;
- body weight.
2.5. Contextual data
- day type (work, day off, vacation, sick leave);
- physical activity, sleep (duration, quality), caffeine, alcohol, hydration;
- working hours, workload level, main stressor;
- text notes.
2.6. Observer data
If the User uses the observer system:
- observer pseudonym assigned by the User;
- observer ratings: functioning, focus, emotional regulation, calmness, communication, task completion (0-5);
- observer notes.
2.7. Technical data
- IP address - for security purposes only;
- browser information (user agent) - for technical diagnostics;
- operation timestamps.
§ 3. Purposes and legal bases for processing
3.1. Service provision
Legal basis: Article 6(1)(b) GDPR - processing necessary for the performance of a contract.
Scope: account data, technical data necessary for authentication.
3.2. Processing of health data
Legal basis: Article 9(2)(a) GDPR - explicit consent of the User for the processing of health data for the purpose of maintaining a diary, generating analytics, and reports.
Consent is given during registration as a separate, explicit act and may be withdrawn at any time (see § 7).
3.3. System security
Legal basis: Article 6(1)(f) GDPR - legitimate interest of the Controller (system protection).
Scope: IP address, browser information, timestamps.
§ 4. Data recipients
- Supabase Inc. - authentication service provider. Processes only data necessary for authentication. Servers in the European Union.
- Hosting provider - VPS server hosting the Application and database. Servers in the European Union.
The Controller declares that:
- personal data is not transferred outside the European Economic Area (EEA);
- personal data is not sold;
- data is not shared for marketing purposes with third parties;
- the Application does not display advertisements.
§ 5. Data retention period
- Active Account data - for the entire duration of the Account's existence.
- After Account deletion - permanently deleted within 30 days.
- Backups - subject to regular rotation.
- Technical data (logs) - no longer than 12 months.
- Session tokens (JWT) - expire automatically.
§ 6. Technical safeguards
The Controller applies the following security measures:
- Transmission encryption - TLS (Transport Layer Security) protocol.
- Data isolation - Row Level Security (RLS) in the PostgreSQL database. Each User has access only to their own data.
- Secure password storage - cryptographic hashes only.
- Token-based authentication - JWT tokens verified with each request.
- Data validation - server-side validation with range constraints.
- EU-based servers - infrastructure within the European Union.
- Backups - regular backup creation.
- Access control - restricted access to server systems.
§ 7. User rights (Articles 15-22 GDPR)
7.1. Right of access (Article 15)
The right to obtain confirmation of processing and access to data. Available through the Diary, Analytics, and Report tabs.
7.2. Right to rectification (Article 16)
The right to request rectification of inaccurate data. Available by editing Entries in the diary.
7.3. Right to erasure (Article 17)
The right to request data erasure. Available by:
- deleting individual Entries in the diary;
- deleting the Account in the Application settings;
- sending a request to: privacy@feelink.app.
7.4. Right to restriction of processing (Article 18)
Requests should be sent to: privacy@feelink.app.
7.5. Right to data portability (Article 20)
The right to receive data in a machine-readable format. Available through export in CSV, XLSX, Markdown, and PDF formats in the Export tab.
7.6. Right to object (Article 21)
The right to object to processing based on Article 6(1)(f). Objections: privacy@feelink.app.
7.7. Right to withdraw consent (Article 7(3))
Withdrawal of consent to the processing of Health Data is possible at any time. Withdrawal:
- does not affect the lawfulness of prior processing;
- results in the need to delete the Account, as Health Data constitutes the essence of the Service;
- is possible by deleting the Account or by contacting: privacy@feelink.app.
7.8. Exercising rights
Requests should be directed to: privacy@feelink.app or carried out directly in the Settings tab. The Controller processes requests within 30 days (Article 12(3) GDPR).
§ 8. Right to lodge a complaint
The User has the right to lodge a complaint with the supervisory authority responsible for the Controller's registered office:
Andmekaitse Inspektsioon (AKI)
Tatari 39, 10134 Tallinn, Estonia
aki.ee
A User residing in another EU Member State may also lodge a complaint with the supervisory authority in their country of residence (Article 77 GDPR).
§ 9. Cookies and technologies
- The Application uses only essential session cookies.
- The Application uses the browser's localStorage to store authentication tokens (JWT).
- The Application does not use: marketing cookies, third-party analytics cookies, tracking pixels, or retargeting tools.
- The Service Worker (PWA) caches static assets and does not process personal data.
§ 10. Profiling
- The Application does not employ automated decision-making within the meaning of Article 22 GDPR.
- Correlations, indicators, and summaries serve solely for self-observation purposes, are informational in nature, and do not constitute a medical diagnosis or recommendation.
§ 11. Changes to the Privacy Policy
- The Controller reserves the right to amend this Policy in the event of changes in legislation or Application functionality.
- The Controller shall inform Users of changes via an in-app notification and e-mail.
- The current version is available at: feelink.app/en/privacy-policy.
§ 12. Contact
- Privacy and personal data: privacy@feelink.app
- General matters: contact@feelink.app
- Help and support: support@feelink.app
This Privacy Policy enters into force on 1 April 2026.