SereneHead

Legal

Privacy Policy

Last updated: May 19, 2026

This Privacy Policy explains how Qimo Lab Inc ("SereneHead," "we," "us," or "our") collects, uses, stores, and shares personal information when you use the SereneHead iOS app and related services.

SereneHead is a consumer wellness app for logging migraine attacks, treatments, weather context, and related notes. Because the app handles information that may relate to your health, this policy is written to describe both the everyday product behavior and the formal privacy terms that apply to it.

1. Scope

This policy applies to the SereneHead iOS app and related backend services that support account sign-in, private sync, voice-to-structured-entry processing, AI-generated summaries, weather features, doctor report PDFs, and notification features. It does not cover services you choose to use directly outside SereneHead, such as your email provider or any destination you pick from the iOS share sheet.

2. Information we collect

Depending on how you use SereneHead, we may collect the following categories of personal information.

Account and identity information. This includes your SereneHead account identifier and the sign-in provider you used (`Apple` or `Google`), along with basic profile details that provider shares with us. If you sign in with Apple, you can choose Hide My Email to share a private relay address instead of your real one.

Your health and wellness data. This includes migraine entries, severity, symptoms, triggers, pain locations, notes, medications, relief methods, end times, treatment records, voice transcripts, and AI summary inputs/outputs. All information is encrypted on your device and, if synced, securely transmitted and stored. Under European data protection law, much of this data is considered health information.

Doctor report profile details remain fully local on your device. They are never sent to our server or AI provider. They can only be shared when you explicitly choose to export or send a doctor report PDF.

Voice logging & your audio. Recordings are encrypted on your device and sent over a secure connection to be transcribed into your migraine entry. Audio is deleted immediately after transcription; only the text transcript is saved on your device. We never sell your data, show ads, or use your recordings to train AI models.

Location and weather information. If you allow location access, SereneHead may use your device location to retrieve weather information. You may also choose a manual city fallback. The app stores weather preferences and local forecast cache data on device, and it may store a weather snapshot with an entry, including pressure, humidity, temperature, precipitation type, and pressure deltas around the logged event.

Device, settings, and usage data needed to run the app. This includes notification preferences, permission states for location, microphone, and notifications, weather unit and display preferences, form customization settings, authentication session state, and limited operational state used by the app itself. You can customize many of these settings in the app, including notifications, permissions, units, display preferences, and form options. Some data, such as authentication session state and basic operational state, is required for SereneHead to function properly.

Operational logs for AI features. For voice logging and AI Summary, we keep limited per-user operational logs such as reservation status, timestamps, error messages, and processing metadata for quota enforcement, abuse prevention, and troubleshooting.

Report sharing data. If you generate a doctor report PDF, SereneHead creates that PDF locally on your device. If you share it, the recipient and any further handling depend on the destination you choose.

3. How we collect information

  • Directly from you when you type, edit, or review entries, treatment records, settings, or doctor report details.
  • From your sign-in provider when you sign in with Apple or Google.
  • From your device when you grant microphone, location, or notification permissions.
  • From Apple WeatherKit when weather features are used.
  • From our backend services when private sync, voice processing, or AI summary features are used.
  • From the app itself through local storage needed to provide features and remember preferences.

4. Why we use personal information

  • To provide the core logging, treatment, weather, reporting, and summary features of SereneHead.
  • To authenticate your account, maintain your session, and keep your journal privately synced across your devices.
  • To process voice recordings into transcript and structured entry data.
  • To generate AI summaries from your logged data.
  • To create doctor report PDFs at your direction.
  • To schedule and deliver device-local reminders and daily weather summary notifications if you enable them.
  • To maintain app integrity, troubleshoot issues, prevent abuse, and improve reliability.
  • To comply with legal obligations and enforce our Terms.

5. What we do not do

  • We do not sell personal information.
  • We do not share personal information for cross-context behavioral advertising.
  • We do not serve third-party advertising inside SereneHead.
  • We do not build advertising profiles from your entries.

6. Legal bases for processing

If you are in the EEA, UK, or another jurisdiction that requires a legal basis, we rely on one or more of the following: performance of a contract with you, your consent, your explicit consent where required for health-related or other special-category data, legitimate interests for security and service reliability where permitted, and compliance with legal obligations.

Where the processing involves data concerning health, we rely on your explicit consent under Article 9(2)(a) GDPR when you choose to enter health information, enable voice logging, enable private sync, or use AI summary features. You may withdraw consent by disabling the relevant feature, deleting the affected data, or deleting your account.

7. When we share personal information

We share personal information only in the situations needed to provide the service, comply with law, or carry out your instructions.

Service providers and infrastructure providers. SereneHead relies on the following subprocessors:

  • Supabase. Authentication, database, private sync, and edge functions. Data processed may include account identifiers, synced entries, treatments, transcripts, and weather snapshots. Processing region: United States.
  • Google Gemini API. AI transcription of voice recordings and AI-generated summaries. Data processed may include uploaded audio for transcription and entry text submitted for summarization. Processing region: United States.
  • Apple Sign in with Apple. Federated authentication using the Apple-provided user identifier and any optional name or email Apple supplies.
  • Google Sign-In. Federated authentication using the Google-provided user identifier, name, and email.
  • Apple WeatherKit. Weather forecasts and historical context using coordinates or a place identifier supplied by the app.
  • Apple platform services. Local notifications, share sheet behavior, and on-device APIs.

Gemini and health data. When you use voice logging or AI Summary, data leaves your device and is processed by Google's Gemini API. Voice logging sends the recorded audio, and AI Summary sends the logged text needed to generate the summary. SereneHead uses Gemini through the paid API path described in our app documentation, and SereneHead does not send your name, email, account identifier, or precise location to Gemini along with those requests. Google may retain submitted content and generated output for a limited period for abuse monitoring under Google's own terms.

At your direction. We may share information when you choose a sign-in provider, share a doctor report PDF through the iOS share sheet, or choose a manual location search result.

Legal and business transfers. We may disclose information if reasonably necessary to comply with law, protect rights or safety, enforce our Terms, or support a merger, acquisition, financing, or asset transfer subject to appropriate confidentiality and notice obligations.

8. Data retention

We retain personal information for as long as reasonably necessary for the purposes described in this policy, unless a longer period is required by law.

  • Local app data remains on device until you delete it, delete your account, or remove the app.
  • Private sync records remain in the backend until you request deletion.
  • Synced backend records are soft-deleted on request and hard-deleted approximately 30 days later.
  • Sync tombstones are retained for approximately 90 days to support devices that return after being offline, then removed.
  • Backend database backups, authentication logs, and edge-function logs are retained for 30 days and then deleted on a rolling basis.

9. International transfers

SereneHead may process personal information in countries other than the one where you live, including through infrastructure or AI providers. Primary processing regions are listed above.

Where personal information is transferred from the EEA or UK to a country that is not the subject of an adequacy decision, we rely on the European Commission's Standard Contractual Clauses, and the UK International Data Transfer Addendum where applicable, together with additional safeguards as required by law. You may request a copy of the safeguards in place by contacting us at the address in Section 14.

10. Your privacy rights

EEA, UK, and similar jurisdictions. Subject to applicable law, you may have the right to access, correct, delete, restrict, object to, or receive a portable copy of certain personal information, and to withdraw consent where processing is based on consent. You may also lodge a complaint with your local supervisory authority.

U.S. state privacy rights. Depending on where you live, including California and certain other U.S. states, you may have rights to know what categories of personal information we collect, use, disclose, and retain; access specific pieces of personal information; correct inaccurate information; delete personal information; obtain a portable copy of certain data; opt out of sale, sharing for cross-context behavioral advertising, or certain profiling where applicable; and receive equal service and pricing for exercising your rights.

SereneHead does not sell personal information and does not share personal information for cross-context behavioral advertising.

To exercise rights that are not available directly in the app, contact us at [email protected]. We aim to respond within the timelines required by applicable law.

11. Health data, HIPAA, and medical context

SereneHead is designed as a consumer app for personal wellness and self-tracking. Unless you enter into a separate written agreement with us that says otherwise, SereneHead is not offered as a HIPAA-covered entity or business associate service.

If U.S. law requires notice following a breach of certain health information, including under the FTC's Health Breach Notification Rule where applicable, we will provide the notices required by law. Where GDPR applies, we will notify the relevant supervisory authority of a qualifying personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, and notify affected individuals where required.

12. Children's privacy

SereneHead is not directed to children under 16. We do not knowingly collect personal information from children under that age without legally sufficient authorization where required. If you believe a child has provided personal information in violation of this policy, contact us at [email protected].

13. Security and policy changes

We use reasonable technical and organizational measures intended to protect personal information, including transport encryption (HTTPS/TLS) for data sent between the app and our backend, and access controls on backend systems. No method of transmission, storage, or processing is completely secure, and we cannot guarantee absolute security.

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice as required by law, such as by updating the date above, posting an in-app notice, or using another appropriate method.

14. Contact us

Controller / business name: Qimo Lab Inc
Support email: [email protected]