Privacy Policy
Last updated: January 19, 2026
Contents
1. Introduction
ADHD Harmony B.V. ("ADHD Harmony," "we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use Harmony AI, accessible at app.adhdharmony.com and related services (collectively, the"Service").
This Privacy Policy applies to all users of our Service, including those in the European Union/European Economic Area (EU/EEA), United Kingdom, and worldwide. By using our Service, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller Information
For the purposes of the EU General Data Protection Regulation (GDPR) and other applicable data protection laws, the data controller responsible for your personal data is:
ADHD Harmony B.V.
Email: info@adhdharmony.com
Website: adhdharmony.com
Registration: Chamber of Commerce (KvK), Netherlands
For any privacy-related inquiries, data access requests, or complaints, please contact us at info@adhdharmony.com.
3. Personal Data We Collect
We collect personal data that you provide directly, data generated through your use of our Service, and data from third-party integrations you authorize.
3.1 Data You Provide Directly
| Category | Data Types | Purpose |
|---|---|---|
| Account Information | Email address, password (encrypted/hashed) | Account creation and authentication |
| Profile Information | Name, date of birth, location, pronouns, occupation, industry, work style, goals, challenges, communication preferences | Personalization of AI coaching experience |
| Chat Conversations | Messages exchanged with AI agents (Sage, Coach, Guide) | Providing AI coaching and support |
| Daily Check-ins | Mood, energy, focus, happiness, calmness, motivation scores (1-10); activities completed; personal reflections | Wellness tracking and pattern identification |
| Worksheet Responses | Answers to guided exercises and self-assessments | Personal development support |
| Knowledge Base Content | Documents (PDFs), notes, and files you upload to your personal library | Personal knowledge management and AI context |
3.2 Data from Third-Party Integrations
If you choose to connect your Google account, we access and store the following data with your explicit consent:
- Google Tasks: Your task lists and individual tasks (read and write access to display and manage within the app)
- Google Calendar: Calendar events to help you manage your schedule (read access and ability to create events)
Important: We only access the specific Google services you authorize. We do not access your Gmail, Google Drive (except documents you explicitly upload), contacts, or other Google services. You can revoke Google access at any time through your account settings or at Google Account Permissions.
3.3 Automatically Collected Data
When you use our Service, we automatically collect:
- Technical Data: IP address, browser type and version, device type, operating system, time zone, and language preferences
- Usage Data: Pages visited, features used, click patterns, session duration, and interaction data
- Location Data: Approximate location derived from IP address (city/country level only)
3.4 Sensitive Personal Data
By using our ADHD-focused service, you may voluntarily share health-related information such as ADHD experiences, mental wellness data, and emotional states. This data is processed with the highest care and security. We process this sensitive data based on your explicit consent and solely to provide you with personalized coaching and wellness support.
4. Legal Basis for Processing (GDPR)
Under the GDPR, we must have a valid legal basis for processing your personal data. We rely on the following legal bases:
| Legal Basis | Processing Activities |
|---|---|
| Contract Performance (Art. 6(1)(b) GDPR) |
|
| Explicit Consent (Art. 6(1)(a) & Art. 9(2)(a) GDPR) |
|
| Legitimate Interests (Art. 6(1)(f) GDPR) |
|
| Legal Obligation (Art. 6(1)(c) GDPR) |
|
You may withdraw your consent at any time for processing activities based on consent. Withdrawal does not affect the lawfulness of processing before withdrawal.
5. How We Use Your Data
We use your personal data for the following purposes:
5.1 Service Delivery
- Provide, maintain, and operate the Harmony AI platform
- Personalize your AI coaching experience using your profile and conversation history
- Generate insights and patterns from your check-ins and worksheets
- Enable AI agents to reference your knowledge base for context
- Display and manage your Google Tasks and Calendar events
- Provide body doubling features with voice/video capabilities
5.2 Communication
- Send essential service notifications and updates
- Respond to your support requests and inquiries
- Send marketing communications (only with your explicit consent)
5.3 Improvement and Analytics
- Analyze usage patterns to improve features and user experience
- Identify and fix technical issues
- Develop new features based on aggregate usage insights
5.4 Security and Legal
- Protect against unauthorized access and fraud
- Enforce our Terms of Service
- Comply with legal obligations
Important: We do NOT sell your personal data to third parties.
6. AI and Automated Processing
Harmony AI uses artificial intelligence to provide personalized coaching and support. This section explains how AI processes your data.
6.1 How AI Is Used
We use AI technology (specifically Anthropic's Claude and OpenAI) to:
- Analyze your messages and provide contextual, helpful responses
- Reference your knowledge base documents to give informed answers
- Generate insights based on your check-ins and worksheets
- Personalize coaching based on your profile information
- Create conversation titles and summaries
6.2 No Training on Your Data
Your data is NOT used to train AI models.
We use AI APIs (Anthropic Claude and OpenAI) solely to process your requests and generate responses. Your personal data, conversations, and documents are not used by us or our AI providers to train, improve, or develop AI models. This is enforced through our API agreements with these providers.
6.3 Human Oversight
While AI processes your requests, all coaching frameworks, system prompts, and safety guidelines are designed and maintained by humans. The AI operates within defined boundaries and includes safety protocols for crisis situations.
6.4 No Automated Legal Decisions
We do not use automated decision-making or profiling that produces legal effects or similarly significant effects concerning you. The AI provides coaching and suggestions only—all decisions remain yours.
6.5 Your Rights Regarding AI Processing
Under GDPR Article 22, you have the right to:
- Request information about the logic involved in AI processing
- Request human review of AI-generated insights
- Object to certain forms of automated processing
7. Data Sharing and Third Parties
We share your personal data only as necessary to provide our Service and as described below. We never sell your data.
7.1 Service Providers
We work with trusted third-party service providers who process data on our behalf:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database and authentication | All account and application data | EU (AWS Frankfurt) |
| Anthropic (Claude) | Primary AI processing | Messages, profile context, knowledge base content | USA (with DPA) |
| OpenAI | Secondary AI processing | Messages for specific features (titles, artifacts) | USA (with DPA) |
| Vercel | Hosting and analytics | Technical/usage data, file storage | Global (Edge network) |
| LiveKit | Voice/video for body doubling | Real-time audio/video streams (not stored) | USA |
| Tasks and Calendar integration | OAuth tokens (encrypted) | Global |
All service providers are bound by data processing agreements (DPAs) and are required to process data only as instructed and implement appropriate security measures.
7.2 Legal Requirements
We may disclose your data if required by law or when we believe:
- It's necessary to comply with a legal obligation
- It's necessary to protect our rights, property, or safety
- It's necessary to investigate potential violations of our Terms
7.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will provide notice before your data is transferred and becomes subject to a different privacy policy.
7.4 Aggregated Data
We may share aggregated, anonymized data that cannot identify you for research or statistical purposes.
8. International Data Transfers
Your data may be transferred to and processed in countries outside the EU/EEA, including the United States. When we transfer data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use EU-approved SCCs with our service providers
- Data Processing Agreements: All providers have binding DPAs with GDPR-compliant terms
- Supplementary Measures: Including encryption in transit and at rest
For transfers to the US, our AI providers (Anthropic, OpenAI) have committed to not using your data for training and to deleting processed data within their retention windows.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest
- Password Security: Passwords are hashed using industry-standard algorithms (bcrypt)
- Access Controls: Strict access controls and authentication for all systems
- Secure Infrastructure: We use enterprise-grade cloud providers with SOC 2 certification
- Regular Updates: Systems are regularly updated and patched
- Monitoring: Continuous security monitoring and logging
While we implement robust security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but will notify you of any breach as required by law.
10. Data Retention
We retain your personal data only as long as necessary for the purposes outlined in this policy:
| Data Type | Retention Period |
|---|---|
| Account and profile data | As long as your account is active |
| Chat conversations | As long as your account is active (you can delete individual chats) |
| Check-ins and worksheets | As long as your account is active |
| Knowledge base content | Until you delete it or close your account |
| Google integration tokens | Until you disconnect the integration |
| Usage analytics | 26 months (anonymized after 14 months) |
Account Deletion: When you delete your account, we will delete your personal data within 30 days, except where we are legally required to retain it (e.g., for tax or legal compliance purposes).
11. Your Privacy Rights
Under the GDPR and other applicable laws, you have comprehensive rights regarding your personal data:
11.1 Rights for All Users
| Right | Description |
|---|---|
| Access | Request a copy of your personal data we hold |
| Rectification | Correct inaccurate or incomplete data |
| Erasure ("Right to be Forgotten") | Request deletion of your personal data |
| Data Portability | Receive your data in a structured, machine-readable format |
| Restriction of Processing | Limit how we use your data in certain circumstances |
| Object to Processing | Object to processing based on legitimate interests |
| Withdraw Consent | Withdraw consent for processing based on consent |
11.2 How to Exercise Your Rights
You can exercise your rights by:
- In-App: Use account settings to update profile, delete chats, disconnect integrations, or delete your account
- Email: Contact us at info@adhdharmony.com
We will respond to your request within 30 days (extendable by 60 days for complex requests). We may ask you to verify your identity before processing your request.
11.3 Right to Lodge a Complaint
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with a supervisory authority:
Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
Website: autoriteitpersoonsgegevens.nl
Phone: +31 (0)88 - 180 5250
12. Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your experience. For detailed information, please see our Cookie Policy.
In summary, we use:
- Essential Cookies: Required for authentication and core functionality (cannot be disabled)
- Analytics Cookies: Help us understand how you use our Service (Vercel Analytics)
We do NOT use advertising or marketing cookies. We do NOT track you across other websites.
13. Children's Privacy
Our Service is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and become aware that your child has provided us with personal data, please contact us immediately at info@adhdharmony.com. We will take steps to delete such information.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
Notification of Changes: For significant changes, we will:
- Post a prominent notice on our website
- Send you an email notification (if you have an account)
- Request your consent if required for new processing activities
We encourage you to review this Privacy Policy periodically. The"Last updated" date at the top indicates when the policy was last revised.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
ADHD Harmony B.V.
Privacy Inquiries: info@adhdharmony.com
General Contact: info@adhdharmony.com
Website: adhdharmony.com
By using Harmony AI, you acknowledge that you have read and understood this Privacy Policy.