
Privacy Policy

Last updated: February 19, 2026

ODMO ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your personal and health data when you use the ODMO mobile app.


1. Who We Are and Our Legal Basis for Processing

ODMO is a lifestyle wellness application and is not a medical device, a covered healthcare entity (as defined by HIPAA), or a medical service provider.

We process your data on the following legal bases under GDPR Art. 6 & Art. 9:

  • Consent (Art. 6(1)(a) & Art. 9(2)(a)): The sole legal basis for processing your health and wellness data. You grant this by creating an account and using the app. You may withdraw it at any time.
  • Contract (Art. 6(1)(b)): To deliver the services described in our Terms and Conditions.
  • Legitimate Interest (Art. 6(1)(f)): For app security, crash reporting, and service improvement.

2. Data We Collect

2.1 Personal Identification Information

  • Account: Email address (via Apple Sign-In / Firebase Auth)
  • Profile: Name, gender, date of birth

    Your name and date of birth are AES-256 encrypted before cloud storage.

2.2 Health & Wellbeing Data (Special Category — GDPR Art. 9)

The following are considered sensitive health data and require your explicit consent:

Data Type | What We Collect | Encrypted?
Biometrics | Weight, height | ✅ AES-256
Health Conditions | Wellness conditions (onboarding) | ✅ AES-256
Sleep | Duration, bedtime, wake time, deep sleep | ☁️ Cloud (not encrypted)
Activity | Steps, workout type/duration, sun & outdoor time | ☁️ Cloud (not encrypted)
Nutrition | Water intake, meal timing logs | ✅ Meal logs AES-256
Mind & Mental State | Screen-free time, mindfulness status | ☁️ Cloud (not encrypted)
Connection Logs | Personal gratitude and connection notes | ✅ AES-256

Note: Fields marked ☁️ are stored in encrypted cloud infrastructure (Firebase) but are not additionally client-side encrypted. Fields marked ✅ are encrypted locally on your device using AES-256 before reaching our servers.

2.3 Apple HealthKit Data (Device-Only)

ODMO may request access to HealthKit to read: steps, sleep analysis, workouts, and active energy.

  • HealthKit data is never transmitted from your device to our servers.
  • It is used exclusively to calculate your personal Vitality Score.
  • It is never used for advertising or data brokering, and it is never shared with third parties.

2.4 Device & Diagnostic Data

We collect anonymized crash logs and device/OS information solely to improve app stability.


3. Data Security

  • AES-256 Local Encryption: Sensitive fields (name, birth date, biometrics, health conditions, meal logs, gratitude notes) are encrypted on your device before uploading.
  • iOS Keychain: Encryption keys are device-locked and accessible only to the ODMO app.
  • Firebase Security: All cloud data is stored in Google's infrastructure with Firebase's built-in server-side encryption at rest and TLS in transit.
  • Data Breach Notification: In the event of a security breach, we will notify relevant supervisory authorities within 72 hours, as required by GDPR Art. 33, and affected users promptly.

4. How We Use Your Data

Purpose | Legal Basis
Calculate your daily Vitality Score (0–100) | Contract + Consent
Provide personalized wellness insights | Consent
Sync data across your devices (Firebase) | Contract
Manage your premium subscription (RevenueCat) | Contract
Respond to support inquiries | Legitimate Interest
Improve app stability (crash reports) | Legitimate Interest

5. Third-Party Services

We do not sell, trade, or share your health data with advertisers or data brokers. We share limited data only with:

Provider | Purpose | Data Shared
Firebase (Google) | Auth, encrypted cloud storage, crash reporting | Account data, health metrics
RevenueCat | Subscription management | Subscription status, anonymous ID
Apple HealthKit | Health metric sync | Device-only, not shared with us

Google maintains GDPR-compliant Data Processing Agreements for Firebase services.


6. Data Retention

  • Your data is retained only while your account is active.
  • You may delete your account at any time via Profile → Settings → Delete Account, which permanently removes all associated data from our systems.
  • Anonymized, aggregated diagnostic data may be retained for up to 90 days after account deletion.

7. Your Rights

European Users (GDPR)

You have the following rights under the GDPR:

Right | How to Exercise
Access | Request a copy of your data via support email
Erasure | Delete account in-app (Profile → Settings)
Portability | Request data export via support email
Withdraw Consent | Revoke HealthKit in iOS Settings; delete account to revoke all
Restriction | Contact us to limit how we process your data
Object | You may object to processing based on legitimate interest
Lodge a Complaint | Contact your national data protection authority (DPA)

California Users (CCPA/CPRA)

We do not sell or share your personal information for cross-context behavioral advertising. California residents have additional rights, including the rights to know, to delete, and to opt out of sale (not applicable, as we do not sell).

All Users

  • You can revoke HealthKit permissions granularly via iOS Settings → Health → Data Access & Devices → ODMO
  • You can revoke notification permissions via iOS Settings → Notifications → ODMO

8. Children's Privacy

ODMO is intended for users 18 years of age and older. We do not knowingly collect data from minors. If you believe we have collected data from someone under 18, please contact us immediately.


9. Changes to This Policy

We will notify you of material changes by updating the "Last updated" date and, where appropriate, via in-app notification. Continued use of the app constitutes acceptance of the updated policy.


10. Contact Us

For privacy-related requests, questions, or complaints:
Email: nikolaveljic64@gmail.com

For EEA users, you may also contact your local Data Protection Authority (DPA).