Privacy Policy

We collect the following categories of information: • Account Information: name, email address, and role when you create an account. • Session Data: therapeutic session configurations, music preferences, duration, intensity, and phase selections. • Feedback Data: session ratings, emotional states, insights, and integration notes you voluntarily provide. • Usage Data: how you interact with the platform, including pages visited, features used, and session history. • Audio Uploads: if you choose to upload your own music files (MP3), we store them securely on our servers.

If you choose to connect a wearable device (such as Oura Ring, WHOOP, or Garmin), we collect biometric data from those platforms solely with your explicit consent and authorization. This may include: • Heart rate and heart rate variability (HRV) • Skin temperature and temperature deviation • Blood oxygen saturation (SpO2) • Recovery and readiness scores • Resting heart rate • Stress scores IMPORTANT: We only access wearable data after you explicitly initiate an OAuth connection to each provider. We do not access your wearable data without your active consent. You can disconnect any provider and delete all associated data at any time from Settings > Wearables. We do NOT collect, store, or process: GPS/location data, sleep stage details, menstrual cycle data, weight/body composition, or any data beyond what is necessary for session biometric analysis.

We use your personal information exclusively for the following purposes: • Providing and operating the Psyzone Sonics therapeutic music platform • Personalizing your session experience based on your preferences • Generating post-session biometric reports for your personal analysis • Improving our services and user experience • Communicating with you about your account and our services We do NOT use your data for advertising, marketing profiling, or any purpose unrelated to the Psyzone Sonics service.

Biometric data from connected wearable devices is used exclusively to: • Generate personalized post-session biometric reports visible only to you • Provide session analysis with heart rate, HRV, and recovery metrics correlated to your therapeutic sessions • Help you understand the physiological context of your therapeutic experience We do NOT: • Share, sell, or disclose your biometric data to any third party • Use your biometric data for advertising or marketing purposes • Use your biometric data for medical diagnosis or clinical assessment • Aggregate your biometric data with other users' data for any purpose • Retain your biometric data beyond what is necessary for your session reports Your biometric data is stored exclusively for your personal use and is accessible only to you through your authenticated account.

When you connect a wearable device, we interact with the following third-party APIs: • Oura Health Oy (Oura Ring) — via OAuth 2.0 with scopes limited to heart rate, readiness, daily metrics, and SpO2 • WHOOP, Inc. — via OAuth 2.0 with scopes limited to recovery, cycles, and profile data • Garmin Ltd. — via authorized API access, when available and enabled These providers have their own privacy policies. We encourage you to review them: • Oura: ouraring.com/privacy-policy • WHOOP: whoop.com/privacy • Garmin: garmin.com/privacy We access only the minimum data necessary for session biometric analysis. We do not share your Psyzone Sonics account data with these providers.

We retain your data as follows: • Account data: retained as long as your account is active • Session data and feedback: retained as long as your account is active • Wearable OAuth tokens: stored encrypted (AES-256-GCM) and retained only while the connection is active. Tokens are deleted immediately when you disconnect a provider. • Biometric session data: retained as long as your account is active. You can delete all biometric data at any time from Settings > Wearables using the data purge option. • Uploaded music files: retained until you delete them or your account is closed. When you delete your account, all associated data — including biometric data, OAuth tokens, session history, and uploaded files — is permanently deleted.

We implement robust security measures to protect your data: • All communications are encrypted via TLS/HTTPS • OAuth tokens from wearable providers are encrypted at rest using AES-256-GCM with a dedicated encryption key • Biometric data is stored in a secure PostgreSQL database with access controls • We never log plaintext OAuth tokens or sensitive credentials • Access to your data requires authenticated sessions with secure HTTP-only cookies • We perform regular security reviews of our infrastructure

All OAuth access tokens and refresh tokens from wearable providers are encrypted before being stored in our database using AES-256-GCM encryption with a randomly generated nonce for each encryption operation. The encryption key is stored separately from the database and is never exposed in application logs or error reports. Plaintext tokens exist only in memory during active API calls to wearable providers and are never persisted in unencrypted form.

You have the following rights regarding your data: • Right to Access: request a copy of all data we hold about you • Right to Correction: update or correct inaccurate data • Right to Deletion: delete your account and all associated data • Right to Disconnect: revoke wearable provider access at any time • Right to Data Purge: delete all biometric data and wearable connections instantly from Settings > Wearables • Right to Data Portability: request your data in a machine-readable format • Right to Withdraw Consent: revoke any previously granted consent at any time To exercise any of these rights, use the self-service options in Settings or contact us at [email protected].

Psyzone Sonics complies with the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados — LGPD). As data controller, we ensure: • Data processing is based on legitimate consent • Data minimization: we collect only what is necessary • Purpose limitation: data is used only for stated purposes • Transparency: this policy clearly describes all data practices • User rights: you can access, correct, delete, or port your data • Data purge: you can request complete deletion of all personal data Our Data Protection Officer can be reached at [email protected].

Psyzone Sonics is not intended for use by individuals under 18 years of age. We do not knowingly collect data from minors. If we become aware that we have inadvertently collected data from a minor, we will promptly delete it.

For privacy-related inquiries, data requests, or concerns: • Email: [email protected] • Data Protection Officer: [email protected] • Website: psyzone.org We will respond to all privacy requests within 15 business days.