Privacy Policy
Last updated: 29 March 2026
1. Controller
Fluctara is operated by Miroslav Šotek, Marbach SG, Switzerland (ANULUM / Fortis Studio). Contact: protoscience@anulum.li.
2. Data We Collect
- Account data: email address, display name, hashed password.
- Profile data: birth date (optional), chronotype, experience level, health flags (epilepsy, pacemaker — used solely for safety screening).
- Session data: entrainment session records, EVS scores, protocol choices, duration.
- Biometric data: heart rate, HRV, EEG band powers — collected only when you connect a device and start a session.
- Clinical outcomes: self-reported questionnaire scores (PHQ-9, GAD-7, ISI) — entered voluntarily.
3. How We Use It
- Personalise your entrainment protocols and closed-loop feedback.
- Compute your EVS (Entrainment Verification Score) per session.
- Display analytics and longitudinal trends.
- Safety screening (contraindication flags).
We do not sell, rent, or share your personal data with third parties. We do not serve advertisements.
4. Legal Basis (GDPR Art. 6)
- Consent — for biometric data processing and optional clinical outcomes.
- Contract performance — for account creation and session delivery.
- Legitimate interest — for security logging and abuse prevention.
5. Data Retention
Account and session data are retained for as long as your account is active. You may request deletion at any time via the privacy API or by contacting us. Biometric data older than 12 months is automatically anonymised (HMAC pseudonymisation).
6. Your Rights
Under the GDPR and the Swiss FADP, you have the right to access, rectify, and erase your personal data, to restrict or object to its processing, and to data portability. You may also withdraw consent at any time. Contact us at protoscience@anulum.li or use the in-app privacy controls.
7. Security
Passwords are hashed with PBKDF2-HMAC-SHA256 (600,000 iterations). All API traffic uses HTTPS with HSTS. Biometric data is pseudonymised at rest. Access logs are retained for 90 days.
8. Third-Party Services
Fluctara does not embed third-party analytics, tracking pixels, or advertising networks. Device integrations (Oura, Garmin, etc.) use OAuth2 with scoped permissions — we only read the data types you authorise.
9. Cookies
The web application uses only essential cookies (authentication token in localStorage). No tracking cookies are set.
10. Changes
We will notify registered users by email of material changes to this policy. The "last updated" date above reflects the most recent revision.
11. Contact
Miroslav Šotek
ANULUM / Fortis Studio
Marbach SG, Switzerland
protoscience@anulum.li
www.anulum.li