Privacy Policy
Last updated: 14 May 2026
Emese Care ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains what personal data we collect when you use the Emese Care app, why we collect it, how long we keep it, and what rights you have.
We designed Emese Care with privacy as a first principle, not as a legal afterthought. Your health data is sensitive, and we treat it that way.
1. Who we are
Emese Care is a digital behaviour-change platform that helps people leave behind destructive habits. We operate programs including Nekotin (nicotine), as well as programs for social media, alcohol, gambling, medications, and other habits.
Data Controller:
Nekotin Kft.
2072 Zsambek, Nyarfas utca 38., Hungary
hello@emese.care
If you have any questions about this Privacy Policy or about your data, contact us at: hello@emese.care.
2. The data we collect
2.1 Account and identity data
When you register, we collect:
- Email address
- Display name (optional)
- Age (to verify you are 18 or older)
- Gender (optional, used for content personalisation)
- Country
Why: To create your account and deliver the service to you.
2.2 Health and behaviour data
To personalise your program, we collect:
- Which habit program you are working on (e.g. nicotine, alcohol)
- Your quit date or programme start date
- Your Fagerstrom score (nicotine program only; a clinical measure of nicotine dependence)
- Your craving triggers (from a list of pre-defined shortcodes you select)
- Your behavioural state (e.g. pre_quit, acute_withdrawal, stabilizing, maintenance), inferred from your activity, not self-reported
- Relapse events you report
- Confidence and mood check-ins you complete
Why: This data is the core engine of the app. Without it, we cannot personalise your experience or detect when you might need extra support.
This is special category data under GDPR Article 9. We only process it with your explicit consent, which you give during registration.
2.3 User-generated content
- Future self letters you write (stored encrypted with AES-256-GCM)
- Feedback you leave on lessons and nudges
Why: To deliver these features to you. Your letters are yours; we cannot read them.
2.4 Usage data
Every significant action you take in the app creates a usage event (e.g. completing a lesson, tapping the panic button, checking in daily). We record:
- The type of event
- The time it happened
- Your behavioural state and active experiment at the time
Why: To improve the app and measure what works. Raw events are automatically deleted after 90 days.
2.5 Analytics data
If you consent to analytics, we record usage events such as screen views, lesson interactions, and session information. These events are sent to Google Analytics 4 so we can understand how people use the app at an aggregate level.
How it works technically: Unlike most apps, we do not embed a Google Analytics SDK inside the mobile app. Events travel first from your device to our own backend (hosted in the EU), and only then are they forwarded to Google Analytics via a server-to-server protocol. Your consent is re-checked on our backend before anything is forwarded. If the check fails, the event is dropped.
What we send: A pseudonymous internal user ID (not your email, not your name) plus bounded event metadata. The metadata fields are: screen name, lesson ID, content type, content ID, event type and timing, your current behavioural state (for example pre_quit, acute_withdrawal, stabilizing, maintenance; this is an inference our system makes about where you are in your change journey), and any A/B experiment assignments you were seeing when the event occurred. We never send your name, email, phone number, or anything you type into the app.
What we never send: Crisis signals, safety escalations, and panic events are explicitly blocked from Google Analytics. These are routed only to a separate internal operations channel under stricter access controls, because GDPR treats them under a different legal basis (vital interests, Art. 6(1)(d)).
Why: To understand how people use the app at an aggregate level and improve the product.
You can withdraw this consent at any time in the app settings. Withdrawing stops all future analytics collection immediately, including on our backend.
2.6 Technical data
- A pseudonymous internal user ID (not your email or name)
- Firebase Authentication token (used to verify you are who you say you are; expires regularly)
2.7 Data from public forms on emese.care and commons.emese.care
When you submit any form on our public websites (signing up, applying for early access, sending us feedback, applying as an employer or research contributor), we record some context about the submission alongside the details you typed. This helps us understand how people find us, fix bugs that only show up on certain devices, and follow up with you properly.
What we record automatically:
- Where you came from: marketing tracking parameters in the link you clicked (e.g. utm_source, gclid, fbclid), the website that referred you to us, the first page you opened on our site, and the page you were on when you submitted the form.
- About your device + browser: browser name and version, operating system, screen size, language preference, timezone. This is information your browser sends to every website you visit.
- Engagement signals: how long you were on the page, how far you scrolled, what time of day you submitted. These help us know whether our pages are actually helpful or confusing.
- A short pseudonymous tab ID (session_id) used to link a feedback emoji click with the follow-up message you write right after, so they show up as one record, not two. This ID is cleared the moment you close the browser tab.
- Your hashed IP address. We never store the raw IP. We take a one-way fingerprint of it (SHA-256) and store the first 32 characters of that. This is enough to detect, for example, the same person submitting five spam leads in an hour, but does not let us look up your home address. We treat this fingerprint as personal data and protect it the same way we protect the rest of your record.
- A long-lived "returning visitor" ID (visitor_id) that lets us recognise that the same browser came back to submit another form weeks later. We only create this ID if you have accepted analytics cookies via the banner on our site. If you haven't accepted, or you declined, this ID is never written and never sent, even on submissions you make afterwards.
What we do with it: Everything in this bundle is used internally to (a) understand which marketing channels work, (b) fix rendering bugs, (c) help our team prioritise real leads over spam, and (d) display the context inside our internal task-tracking tool when a new submission needs follow-up (see section 4). We don't sell it, we don't share it with advertisers, and we don't use it to build a profile or make automated decisions about you.
Legal basis: Most of these fields rely on legitimate interest (Art. 6(1)(f)): running a business needs basic visibility into how its forms get used. The long-lived visitor_id is the exception: it relies on your explicit consent (Art. 6(1)(a)) via the cookie banner and is never set without it. The consent state at the moment you submitted is itself recorded on the form, so we can prove on a per-submission basis which legal basis applied.
Retention: This metadata lives on the same record as the rest of your form submission. When that record is deleted (either via DELETE /me for account-bound submissions, or on manual purge for anonymous public-form records), the metadata is deleted with it.
3. How we use your data
| Purpose | Legal basis |
|---|---|
| Delivering and personalising your behaviour-change program | Contract performance (Art. 6(1)(b)) |
| Inferring your behavioural state and adapting content | Contract performance (Art. 6(1)(b)) |
| Safety escalation, detecting high-distress signals and showing crisis resources | Legitimate interest / vital interests (Art. 6(1)(f) + Art. 9(2)(c)) |
| Personalising content through A/B experiments | Explicit consent (Art. 6(1)(a) + Art. 9(2)(a)) |
| Sending you transactional emails (onboarding, milestones) | Contract performance (Art. 6(1)(b)) |
| Analytics and product improvement | Explicit consent (Art. 6(1)(a)) |
| Legal compliance and audit records | Legal obligation (Art. 6(1)(c)) |
We do not use your data to make fully automated decisions that have legal or similarly significant effects on you.
4. How we share your data
We do not sell your data. We do not share your health data with advertisers. We share data only with the third-party service providers listed below, who process it strictly to deliver the service on our behalf.
| Provider | What they receive | Purpose | Region | Transfer mechanism |
|---|---|---|---|---|
| Google Cloud (Firestore, Cloud Run) | All user and health data | Hosting and database | EU (Belgium) | Data processed in EU only |
| Firebase Authentication | Your Firebase UID only | Identity verification | EU | Data processed in EU only |
| Google Analytics 4 (via Measurement Protocol, server-to-server from our backend, no SDK on your device) | Pseudonymous user ID + bounded event metadata (consent required; crisis events never sent) | Product analytics | US (Google LLC) | EU Standard Contractual Clauses + EU-US Data Privacy Framework |
| Brevo | Your email address only | Transactional emails | EU | Data processed in EU only |
| ClickUp | Public-form submissions (employer leads, commons contributor applications) and the feedback you send us (your rating, message, and reply email if you opted in), along with the form metadata bundle described in section 2.7. Never sent: your health data, behavioural state, or any other sensitive content. | Internal task-tracking, so our team can follow up on submissions | US (ClickUp, Inc.) | EU Standard Contractual Clauses |
All providers have signed Data Processing Agreements (DPAs) with us. No provider receives your health data in plain, identifiable form beyond what is strictly necessary.
We may disclose data if required by law, court order, or to protect the safety of our users or the public.
5. How long we keep your data
| Data type | Retention period |
|---|---|
| Your account and health profile | Until you delete your account |
| Future self letters | Until you delete them or delete your account |
| Raw usage events | 90 days (automatically deleted) |
| Analytics data (Google Analytics) | Up to 24 months (aggregated) |
| Audit and compliance records | 7 years (legal obligation) |
| Deletion records (proof of erasure) | 7 years (legal obligation) |
When you delete your account, all your personal data is permanently deleted within 30 days, except where we are legally required to retain records (e.g. deletion audit logs, which are retained in hashed, non-identifiable form).
6. Your rights
Under GDPR, you have the following rights:
| Right | What it means | How to exercise it |
|---|---|---|
| Access | See all the data we hold about you | Tap "Export my data" in app settings |
| Portability | Download your data in a machine-readable format (JSON) | Tap "Export my data" in app settings |
| Erasure | Delete your account and all your data permanently | Tap "Delete my account" in app settings |
| Rectification | Correct inaccurate data | Edit your profile in app settings |
| Withdraw consent | Stop analytics tracking at any time | Tap "Manage consent" in app settings |
| Object | Object to a specific processing activity | Email us at hello@emese.care |
| Restrict | Ask us to pause processing while a complaint is resolved | Email us at hello@emese.care |
We will respond to all requests within 30 days. If a request is complex, we may extend this by a further 60 days and will notify you.
You also have the right to lodge a complaint with your national data protection authority. In Hungary, this is the Nemzeti Adatvedelmi es Informacioszabadsag Hatosag (NAIH) at naih.hu. For EU users in other countries, contact your local supervisory authority.
7. Security
We take security seriously because we know your data is sensitive.
- Encryption in transit: All data between your device and our servers is encrypted using TLS.
- Encryption at rest: All data in our database is encrypted by Google Cloud by default. Your future self letters have an additional layer of encryption (AES-256-GCM); we cannot read them.
- Pseudonymisation: Your health data is stored under a pseudonymous ID, not your email or name. These are kept in separate, restricted collections.
- No PII in logs: Our logging system automatically removes all personal information from server logs.
- Access controls: Your data can only be accessed via our authenticated API. Direct database access from the app is disabled.
- Breach notification: If we ever experience a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of it.
8. International data transfers
Our servers are located in Belgium (EU). Your health data, account data, and user-generated content never leave the European Union.
If you consent to analytics, our backend forwards a pseudonymous user ID and bounded event metadata to Google Analytics 4, which is operated by Google LLC in the United States. This transfer is covered by Google's Standard Contractual Clauses (SCCs) and Google's participation in the EU-US Data Privacy Framework, which together provide a level of protection equivalent to EU data protection law. Crisis and safety events are never forwarded to Google Analytics.
9. Children's privacy
Emese Care is not intended for anyone under the age of 18. We verify your age during registration and hard-block access for users under 18. If we become aware that a person under 18 has provided us with personal data, we will delete it immediately. If you believe a minor has registered, contact us at hello@emese.care.
10. Medical disclaimer
Emese Care is not a medical service.
The content, tools, and features in Emese Care are for informational and peer support purposes only. Emese Care is not intended to diagnose, treat, cure, or prevent any disease or condition. It is not a substitute for professional medical treatment, therapy, or counselling.
If you are experiencing a medical emergency, call 112 (EU) or your local emergency number immediately.
If you are in crisis:
- Call or text 988 (Suicide & Crisis Lifeline, US)
- Text HOME to 741741 (Crisis Text Line, US)
- Contact your local crisis service (see findahelpline.com for international resources)
Always seek the advice of qualified healthcare providers with any questions about a medical condition or treatment.
11. Changes to this policy
We may update this Privacy Policy when our practices change or when the law requires it. When we make significant changes, we will notify you in the app and update the "Last updated" date at the top of this document. We will always ask for your consent again if we start processing your data in a new way that requires it.
Previous versions of this policy are available via the "What changed?" panel at the top of this page.
12. Contact us
If you have any questions, concerns, or requests about your data or this Privacy Policy, contact us at:
We aim to respond within 5 working days. For formal data subject rights requests, the legal deadline is 30 days.