Privacy Policy
Effective Date: 2026-04-16 · Policy Version: 2026-04-16 · Data Controller: Zentient AI, LLC · App: Hypnova
1. Who we are
Zentient AI, LLC (“Zentient”, “we”, “us”) is the data controller for personal data processed by the Hypnova mobile application and the hypnova.ai website.
- EU Representative (Art. 27 GDPR): pending appointment. Contact will be published here before Hypnova is made available in the EU/EEA.
- UK Representative (Art. 27 UK-GDPR): pending appointment. Contact will be published here before Hypnova is made available in the UK.
- Privacy contact: hypnova@zentient.ai
2. Data we process
- Account data: email, name, username, Firebase authentication identifiers.
- Preferences: speech speed, soundscape volume, favorite categories, playback state.
- Wellness conversations (special category data): chat history with the Hypnova assistant including mood, goals, and focus areas. Treated as health data under GDPR Article 9 and processed only with your explicit consent.
- Session activity: sessions played, liked, created, and listening timestamps. Used to power the Library and personalized recommendations.
- Subscription & billing metadata: managed through RevenueCat; we never see card details.
- Device metadata: operating system, app version, crash stack traces. Used for diagnostics only.
- Approximate region: derived from your request IP at signup to serve the correct consent flow.
We do not collect or store audio recordings of your voice.
3. Why we process your data and our legal basis
- Providing the service (creating an account, generating sessions, saving your library): performance of a contract — GDPR Art. 6(1)(b).
- Wellness personalization and AI-generated hypnosis content derived from your chat responses: explicit consent — GDPR Art. 9(2)(a). You grant this consent during onboarding and can withdraw it at any time in Settings → Privacy Controls, which erases your chat history.
- Product analytics (PostHog): consent — GDPR Art. 6(1)(a). You are asked during onboarding in the EU/EEA/UK and can opt in or out at any time in Settings. Analytics are default-off until you opt in.
- Crash and error reporting (Sentry): legitimate interests — GDPR Art. 6(1)(f). We run Sentry with PII redaction (no IPs, user identifiers, or session content). Our Legitimate Interest Assessment is available on request.
- Complying with legal obligations (tax, billing, responding to regulatory requests): legal obligation — GDPR Art. 6(1)(c).
4. Third-party processors
We use the following processors. Each operates under a data processing agreement and, where data is transferred out of the EU/EEA/UK, under Standard Contractual Clauses (and the UK International Data Transfer Addendum).
- Firebase (Google LLC, US) — authentication.
- Render (Render Services, Inc., US) — application hosting.
- Cloudflare R2 (Cloudflare, Inc., US) — audio storage.
- RevenueCat (RevenueCat, Inc., US) — subscription and entitlement management.
- OpenAI (OpenAI, L.L.C., US) — AI session content generation.
- Anthropic (Anthropic, PBC, US) — AI session content generation.
- ElevenLabs (ElevenLabs, Inc., US) — voice synthesis.
- Speechify (Speechify, Inc., US) — voice synthesis.
- Trigger.dev (Trigger.dev Ltd., UK) — background job orchestration.
- PostHog (PostHog Inc., US) — product analytics, used only when you opt in.
- Sentry (Functional Software, Inc., US) — error monitoring, operated under legitimate interest.
- Vercel Analytics & Speed Insights (Vercel, Inc., US) — cookieless aggregated metrics for this website only; no cookies or identifiers placed on your device.
5. International data transfers
Most of our processors are located in the United States. When your personal data is transferred outside the EU/EEA/UK, we rely on the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum. We have completed a Transfer Impact Assessment covering these transfers and have implemented supplementary measures (encryption in transit and at rest, access controls, PII minimization). A copy is available on request.
6. How long we keep your data
- Account, preferences, wellness conversations, session activity: kept while your account is active. Deleted when you delete your account.
- Transactional records (subscription charges, credit ledger): retained for 24 months after account deletion to meet billing and tax obligations.
- Consent audit log: retained for 36 months to demonstrate compliance with Art. 7 GDPR.
- Crash reports (Sentry): 90-day rolling retention.
7. Your rights
If GDPR or UK-GDPR applies to you, you can exercise the following rights:
- Access (Art. 15) — Settings → Account Information → Download my data.
- Rectification (Art. 16) — edit your name in-app, or email us to correct other fields.
- Erasure (Art. 17) — Settings → Account Information → Delete Account. Cascades to all linked records and our processors.
- Data portability (Art. 20) — the download feature above returns your data as structured JSON.
- Restriction (Art. 18) — email us to restrict processing.
- Objection (Art. 21) — for legitimate interest uses such as crash reporting, email us.
- Withdraw consent (Art. 7(3)) — Settings → Privacy Controls. Withdrawing wellness-data consent erases your chat history.
- Lodge a complaint with your local supervisory authority (e.g. BfDI in Germany, CNIL in France, the ICO in the UK). A full list is available at edpb.europa.eu.
8. Children and age of digital consent
Hypnova is not available to users under 16 in the EU/EEA/UK, in line with GDPR Art. 8 digital consent thresholds. Elsewhere, the minimum age is 13. During onboarding we ask you to confirm your age; if you are under the applicable threshold, we delete your account and Firebase authentication record immediately.
9. Security and data breach notification
We use TLS in transit, encryption at rest, least-privilege access, and continuous monitoring. If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours as required by Art. 33 GDPR and inform affected users without undue delay.
10. Automated decision-making
We use AI to generate hypnosis scripts tailored to information you provide, but this does not produce legal or similarly significant effects on you. You can withdraw consent for this processing at any time in Settings → Privacy Controls.
11. Changes to this policy
Material changes will bump the Policy Version at the top of this page. Your next app launch will re-prompt you for consent against the new version. We will never re-purpose previously collected data in a way inconsistent with the consent you already gave.
12. Contact
For any privacy question or to exercise your rights, email hypnova@zentient.ai. We aim to respond within 30 days.