
Privacy Policy

Last updated: March 2026

1. Data Controller

Somana is a therapy-adjacent mental wellness application designed to support your meditation practice, mood tracking, and connection with healthcare professionals. We are committed to handling your personal information with the highest level of care and transparency.

For the purposes of the General Data Protection Regulation (GDPR) and the UK GDPR, Somana is the data controller responsible for your personal data. Our jurisdiction is Ireland / European Union.

Contact: info@somanaapp.com | Website: somanaapp.com | Supervisory authority: Data Protection Commission (Ireland)

2. Health Disclaimer

Somana is a wellness and treatment-support application. Please read the following carefully:

  • Somana is not a medical device and does not provide medical advice, diagnosis, or treatment.
  • The platform does not provide emergency monitoring services.
  • All tools, reflections, journaling prompts, and assessments within Somana are informational only.
  • Somana does not replace professional psychological or medical care. It is designed to complement, not substitute, professional mental healthcare.
  • In a crisis, contact emergency services (112/999/911) or a qualified mental health professional immediately.
  • Any data shared with healthcare professionals is user-controlled and is not actively monitored by Somana.
  • Healthcare professionals using Somana should rely on their own independent clinical judgment.

3. Your Journal Stays on Your Device

Journal entries, including any text you write and any voice recordings you make, are stored exclusively on your device. They are never transmitted to our servers, never stored in our database, and never shared with anyone, including your healthcare provider.

This is a deliberate architectural decision, not just a policy. No server-side database table exists that could store journal content. Even in the unlikely event of a data breach affecting our servers, that breach could not expose your journal content, because it has never left your device.

4. Special Category Data and Lawful Basis for Processing

Health-Related Data (GDPR Article 9)

Some of the data Somana processes, including mood check-in values, clinical assessment scores (PHQ-9, GAD-7, WHO-5), and wellness activity patterns, constitutes special category data (health data) under Article 9 of the GDPR.

Article 6 - General Lawful Basis

  • Contract performance (Article 6(1)(b)) - processing necessary to provide the wellness tracking service you signed up for
  • Legitimate interest (Article 6(1)(f)) - anonymous, aggregated performance data used to improve the application

Article 9 - Special Category Data

  • Explicit consent (Article 9(2)(a)) - you provide explicit consent for processing health-related data when you create your account
  • Provider data sharing - sharing wellness metadata with a healthcare provider requires a separate, explicit action: entering a 16-digit linking code. You can revoke this link at any time in Settings.

5. Information We Collect

Account Information

When you create an account, we collect your email address and a securely hashed version of your password (we never store your actual password). Healthcare professionals also provide their name, profession, and licence number for verification.

Wellness Metadata

  • Meditation session duration and type
  • Mood check-in values (e.g., happy, calm, anxious) - not the journal text that prompted them
  • Whether a journal entry was made on a given day (a yes/no flag, not the content)
  • Clinical assessment responses (PHQ-9, GAD-7, WHO-5 questionnaire scores)
  • Music and ambient sound usage patterns
  • Crisis tool usage (shown to your linked healthcare provider, if you have one, as a safety signal in their dashboard; see Section 7 on monitoring and alert delivery)

What We Do NOT Collect

  • Journal text content
  • Voice recording audio files
  • Your location
  • Your contacts
  • Browsing history outside of Somana

6. How We Use Your Information

  • To operate and maintain your account
  • To display your progress and wellness trends within the app
  • To share wellness metadata with your linked healthcare provider (only if you have consented)
  • To generate clinical assessment scores and wellness alerts for your provider
  • To send push notifications (if enabled) for reminders and progress updates
  • To process subscription payments through Stripe (web) and Apple App Store or Google Play (mobile, via RevenueCat)
  • To send transactional emails such as password reset links
  • To improve the application using performance data

7. Important Service Limitations

  • No real-time monitoring. Somana does not monitor users in real time. Healthcare providers must actively log in to their dashboard to review patient wellness data.
  • No guaranteed alert delivery. Wellness alerts are generated for informational purposes. Delivery to healthcare providers is not guaranteed.
  • Not an emergency service. If you are in immediate danger or experiencing a mental health crisis, please contact emergency services (112/999/911) or a crisis helpline.
  • Not medical advice. The wellness trends and data displayed in the app and provider dashboard are informational and do not constitute clinical recommendations.
  • Independent clinical judgment. Healthcare professionals using Somana should rely on their own clinical assessment and judgment.

8. Sharing Your Information

We do not sell your personal data. We share information only in these circumstances:

With Your Healthcare Provider

If you have linked your account to a healthcare professional using their linking code, they can view your wellness metadata (mood trends, meditation stats, assessment scores). They cannot view your journal content. You can remove this link at any time in Settings.

With Service Providers

  • Neon - database hosting (EU region)
  • Stripe - payment processing for web subscriptions (EU-US Data Privacy Framework certified; SCCs)
  • RevenueCat - subscription management for mobile (United States; SCCs)
  • Resend - transactional email delivery (United States; SCCs)
  • Sentry - error monitoring (EU data centre; SCCs)
  • Replit - application hosting (United States; SCCs)

Legal Requirements

We may disclose information if required by law, court order, or to protect the safety of users or others.

9. International Data Transfers

Somana is developed and operated from Ireland and the United States. Our database is configured to store your primary data in the European Union on Neon's managed infrastructure. When your data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) under GDPR Article 46 or, for US providers that are certified under it, the EU-US Data Privacy Framework adequacy decision (GDPR Article 45).

10. Data Security

  • Passwords are salted and hashed using bcrypt - we never store your actual password
  • All data in transit between the app and our servers is encrypted with TLS (HTTPS)
  • Authentication tokens are stored in cookies set with the Secure and HttpOnly attributes, so they are sent only over HTTPS and cannot be read by JavaScript
  • Healthcare accounts require two-factor authentication
  • All data access is logged in a structured audit trail designed with reference to HIPAA security standards
  • MFA secrets and sensitive credentials are encrypted before storage

11. Data Retention

When you delete your account, your personal content and wellness data are permanently deleted from our servers. Audit logs are retained for up to 7 years to meet regulatory requirements.

Data Category | Retention Period | On Deletion
Account data | While account is active | Permanently deleted
Wellness metadata | While account is active | Permanently deleted
Clinical assessments (PHQ-9, GAD-7, WHO-5) | While account is active | Permanently deleted
Audit logs | 7 years | Retained for regulatory compliance
Technical performance data | 90 days | Auto-deleted
Journal content and voice recordings | Device-only (your control) | Removed when you clear the app's data or delete the app

12. Your Rights

Under GDPR (EU/EEA Residents)

You have the right to: access the personal data we hold about you; correct inaccurate data; request deletion ("right to be forgotten"); restrict processing; data portability; object to processing based on legitimate interests; withdraw consent for health data processing; and lodge a complaint with the Data Protection Commission (Ireland).

Exercising Your Rights

You can export or delete your account directly in the app under Settings. For other requests, contact: info@somanaapp.com

13. Automated Decision-Making

Somana does not use automated decision-making or profiling that produces legal or similarly significant effects on users (GDPR Article 22). Wellness alerts and clinical assessment scores are generated using simple, rule-based logic, not AI or machine learning. These outputs are informational only.

14. Cookies

Somana uses strictly necessary cookies for authentication (JWT session cookies and CSRF protection tokens). We do not use advertising cookies, cross-site tracking cookies, or analytics cookies that identify individual users.

15. Children's Privacy

Somana is not directed at children under 18 years of age. We do not knowingly collect personal data from anyone under 18. If we become aware that we have inadvertently collected data from a person under 18, we will delete it promptly.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via the app or by email and update the "Last updated" date. Your continued use of Somana after changes take effect constitutes acceptance of the updated policy.

17. Contact

If you have any questions about this Privacy Policy or how we handle your data, please contact us at: info@somanaapp.com
