Privacy Policy
Draft pending legal review. Last updated: 28 June 2026
1. Controller
Fluctara is operated by Miroslav Šotek, Marbach SG, Switzerland (ANULUM / Fortis Studio). Privacy contact: privacy@fluctara.com. General contact: protoscience@anulum.li.
2. Data We Collect
- Account data: email address, display name, hashed password.
- Account security data: email verification, password reset, MFA, login alert, refresh-token, and abuse-prevention metadata.
- Mail preference data: required notice state, optional consent choices, unsubscribe suppressions, outbox metadata, and delivery or inbound review metadata.
- Billing data: subscription tier, checkout, invoice, entitlement, and payment-status metadata when paid plans are enabled.
- Profile data: birth date (optional), chronotype, experience level, health flags (epilepsy, pacemaker — used solely for safety screening).
- Session data: entrainment session records, EVS scores, protocol choices, duration.
- Biometric data: heart rate, HRV, EEG band powers — collected only when you connect a device and start a session.
- Clinical outcomes: self-reported questionnaire scores (PHQ-9, GAD-7, ISI) — entered voluntarily.
3. How We Use It
- Personalise your entrainment protocols and closed-loop feedback.
- Compute your EVS (Entrainment Verification Score) per session.
- Display analytics and longitudinal trends.
- Safety screening (contraindication flags).
- Send required account, security, billing, product, and legal notices.
- Send optional digest, research, or marketing messages only when consent is recorded.
We do not sell or rent your personal data. We do not serve advertisements.
4. Legal Basis (GDPR Art. 6)
- Consent — for biometric data processing and optional clinical outcomes.
- Contract performance — for account creation, session delivery, required account notices, and paid-plan administration.
- Legitimate interest — for security logging and abuse prevention.
- Legal obligation — for notices, records, and responses required by applicable law.
5. Data Retention
Account and session data are retained for as long as your account is active. You may request deletion at any time via the privacy API or by contacting us. Biometric data older than 12 months is automatically anonymised (HMAC pseudonymisation). Security logs are normally retained for 90 days. Required notice metadata, suppression records, billing records, and audit records may be retained as needed to prove delivery, consent, account safety, financial records, or legal compliance. Rendered email bodies are retained only while queued or failed and are cleared after accepted SMTP delivery when real delivery is enabled.
6. Your Rights
Under GDPR and Swiss FADP, you have the right to access, rectify, erase, restrict processing, data portability, and object. You may also withdraw consent at any time. Contact us at privacy@fluctara.com or use the in-app privacy controls.
7. Security
Passwords are hashed with PBKDF2-HMAC-SHA256 (600,000 iterations). All API traffic uses HTTPS with HSTS. Biometric data is pseudonymised at rest. Access logs are retained for 90 days.
8. Third-Party Services
Fluctara does not embed third-party analytics, tracking pixels, or advertising networks. Infrastructure and service providers may process data for hosting, email transport, security, backups, and payment administration. Current planned providers include Hetzner for API hosting, WebHouse.sk for fluctara.com role mailboxes, and a payment processor only when paid checkout is enabled. Device integrations (Oura, Garmin, etc.) use OAuth2 with scoped permissions — we only read the data types you authorise.
9. Email Preferences and Unsubscribe
Required account, security, billing, product, and legal notices are sent where needed to operate the Service and cannot be disabled through optional-mail preferences. Optional digest, research, and marketing messages require consent and can be withdrawn in the app or through an unsubscribe link. Public unsubscribe links use expiring single-use tokens and do not reveal the recipient address in the response.
10. Cookies
The web application uses only essential cookies (authentication token in localStorage). No tracking cookies are set.
11. Changes
We will notify registered users by email of material changes to this policy. The "last updated" date above reflects the most recent revision.
12. Contact
Miroslav Šotek
ANULUM / Fortis Studio
Marbach SG, Switzerland
privacy@fluctara.com
www.anulum.li