Privacy Policy
Respecting the right to privacy of individuals who have entrusted Enai sp. z o.o. with their personal data, including persons using our services, our business partners and their employees, we declare that any information obtained is processed in accordance with applicable national and European Union law, in a manner ensuring its proper protection.
Pursuant to Article 13(1) and 13(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as the “GDPR”), we hereby inform you that:
Data Administrator
- The administrator of personal data is Enai sp. z o.o., 75A/7 Złota Street, 00-819 Warsaw, Poland, KRS No. 0001201232, NIP No. 5273188703, REGON No. 543041470.
- In matters relating to the processing of personal data, you are encouraged to contact us by electronic means by sending an e-mail to: privacy@enai.app
Collection of Data and Purposes of Processing
- Personal data obtained during telephone conversations, e-mail correspondence, text messages and meetings shall be processed for the following purposes:
- ongoing contact related to a concluded agreement or activities undertaken prior to the conclusion and performance of an agreement within the scope of the Administrator’s business activity - Article 6(1)(b) and (f) GDPR;
- provision of the newsletter service, subject to prior voluntary consent - Article 6(1)(a) GDPR;
- provision of services, including granting access to and registration of a user account - Article 6(1)(b) GDPR;
- handling complaints, requests and claims, as well as technical support requests - Article 6(1)(c) and (f) GDPR;
- carrying out marketing activities - on the basis of voluntary consent (Article 6(1)(a) GDPR) or on the basis of the Administrator’s legitimate interest consisting in the direct marketing of its own services (Article 6(1)(f) GDPR);
- responding to submitted enquiries and conducting correspondence not directly related to an agreement - Article 6(1)(f) GDPR;
- fulfilment of legal obligations imposed on the Administrator, including accounting, bookkeeping and financial reporting obligations - Article 6(1)(c) GDPR;
- establishment, exercise or defence of potential legal claims, which constitutes the Administrator’s legitimate interest, until the expiry of the relevant limitation periods - Article 6(1)(f) GDPR;
- provision of psychological support services with the use of a chatbot, which involves the processing of special categories of personal data (data concerning health/emotions) - on the basis of the user’s explicit and freely given consent - Article 9(2)(a) GDPR;
- automated generation of personalised meditation sessions on the basis of an analysis of the user’s conversations with the chatbot (profiling), involving the use of special categories of personal data - on the basis of the user’s explicit and freely given consent - Article 22(4) in conjunction with Article 9(2)(a) GDPR.
- The Administrator processes data lawfully, collects it for specified and lawful purposes, and does not subject it to any further processing incompatible with those purposes. Data is collected only to the extent that is adequate, relevant and necessary in relation to the purposes for which it is processed.
- The Administrator may entrust the processing of Users’ personal data to another entity on the basis of a data processing agreement concluded with such entity pursuant to Article 28 GDPR.
Data Recipients
- In the course of our business operations, your personal data (including special category data, where you have given your consent) may be disclosed to the following categories of recipients supporting the operation of the Enai application:
- sole traders and entities providing services to the Administrator under data processing agreements (for example, accounting or legal services);
- entities authorised to receive such data under mandatory provisions of law;
- infrastructure and database providers:
- Convex (Convex, Inc., USA) - application hosting, backend and storage. Data is physically stored on servers located in the European Union;
- Railway (Railway Corp., USA) - application hosting and processing of system logs on servers located in the European Union;
- Clerk (Clerk, Inc., USA) - authorisation and account management (including e-mail address, name, role, tokens and hashed passwords), which involves the transfer of data to the United States.
- providers of Artificial Intelligence (AI) models: the processing of conversation history (which may include health-related data) for the purpose of providing support and generating meditations, resulting in the transfer of data to the United States, is carried out with the involvement of:
- OpenAI (OpenAI, Inc., USA / OpenAI Ireland Ltd.);
- Google AI (Google LLC, USA) - including for the purpose of verifying communication safety (guardrails);
- Anthropic (Anthropic PBC, USA);
- ElevenLabs (ElevenLabs, Inc., USA/UK/PL) - for text-to-speech (TTS) synthesis and the generation of personalised meditation recordings.
- providers of analytics tools:
- PostHog (PostHog, Inc., UK) - product analytics carried out without access to the content of conversations. Transfers of data to the United Kingdom take place on the basis of an adequacy decision issued by the European Commission;
- payment service providers:
- Stripe (Stripe Payments Europe, Ltd., Ireland) - payment processing.
Provision of Data to Enai sp. z o.o.
- The provision of your data to Enai sp. z o.o. is necessary in order to establish cooperation, perform the concluded agreement and comply with legal obligations. This applies in particular when you use our services, purchase products, or intend to join our team.
- In all other cases, in particular where data is processed for marketing purposes, the provision of data is voluntary.
Security of Processed Personal Data
- Enai sp. z o.o. makes every effort to protect the personal data of clients and users against unauthorised access by third parties and, for this purpose, applies organisational and technical security measures appropriate to the risks associated with the processing of personal data, in accordance with Article 32 GDPR. All our employees are required to comply with our policies and procedures relating to confidentiality, security and privacy.
Retention Period of Personal Data
- The Administrator retains personal data for the period necessary to fulfil the purposes of processing and perform the agreement. Personal data processed in order to comply with a legal obligation binding on the Administrator shall be retained no longer than for the period required under the applicable laws. Personal data shall also not be retained longer than necessary for the purposes arising from the Administrator’s legitimate interests. By way of example:
- personal data processed for the purpose of establishing, pursuing or defending claims, on the basis of the Administrator’s legitimate interest, shall be retained until the expiry of the limitation period for any contractual claims, in accordance with the applicable law;
- accounting records shall be retained for the period required by the applicable archiving laws; in particular, accounting documentation is generally retained for 5 years from the end of the year in which the event giving rise to the obligation to prepare a given document occurred;
- personal data processed in connection with the newsletter and the marketing of products and services offered by the Administrator shall be retained until consent is withdrawn;
- data processed on the basis of the Administrator’s legitimate interest shall be processed for as long as such legitimate interest exists, unless the interests or fundamental rights and freedoms of the data subject override that interest; in such case, the data shall be processed until an objection is raised;
- other personal data shall be processed until an objection to their processing is submitted.
Your Rights in Connection with the Processing of Personal Data by Enai sp. z o.o.
- In connection with the processing of your personal data, you have the right to:
- access your personal data - Article 15 GDPR;
- request the rectification of your personal data - Article 16 GDPR;
- request the erasure of your personal data - Article 17 GDPR;
- request the restriction of processing - Article 18 GDPR;
- data portability - Article 20 GDPR;
- object to the processing of your personal data - Article 21 GDPR;
- lodge a complaint with the President of the Personal Data Protection Office in connection with the Administrator’s processing of your personal data - Article 77 GDPR.
Transfers of Data to Third Countries
- Due to the Administrator’s use of advanced technological solutions, including Artificial Intelligence models, hosting services and authorisation systems, your personal data may be transferred outside the European Economic Area (EEA), in particular to the United States and the United Kingdom.
- The Administrator ensures that such transfers are carried out with an adequate level of protection equivalent to the standards applicable within the EEA, using legally binding mechanisms provided for in Chapter V GDPR. Data transfers are based on:
- adequacy decisions issued by the European Commission, including the EU-US Data Privacy Framework for certified entities in the United States and the adequacy decision for the United Kingdom;
- Standard Contractual Clauses (SCCs) approved by the European Commission, applied together with any required supplementary measures where the recipient is not covered by an adequacy decision.
Automated Processing of Personal Data
1. When using the Enai application, your personal data may be processed by automated means, including profiling.
2. Automated processing of personal data is used in two main areas:
   (a) generation of personalised meditation sessions: the system analyses the history of your conversations with the chatbot in order to automatically create and tailor a dedicated audio recording intended to support your mental well-being;
   (b) analytics and optimisation purposes: analysis of activity within the application in order to improve its functionality, personalise the interface (for example by remembering settings), and assess general usage statistics.
3. The legal basis for automated processing is as follows:
   (a) in the case of the generation of personalised meditations referred to in point 2(a) - your freely given consent to automated decision-making involving special categories of personal data, obtained directly before you use this functionality - Article 22(4) in conjunction with Article 9(2)(a) GDPR;
   (b) in the case of analytics and optimisation purposes referred to in point 2(b) - the Administrator’s legitimate interest - Article 6(1)(f) GDPR - or your consent - Article 6(1)(a) GDPR.
COOKIE POLICY
What are cookies?
- Cookies are small text files stored on the User’s end device (for example, a computer, tablet or smartphone), which may be read by the Administrator’s ICT system.
- Cookies are used for the following purposes:
- ensuring the proper operation of the Service;
- maintaining the User’s session after login;
- adapting the Service to the User’s preferences;
- statistical and analytical purposes;
- marketing and advertising purposes.
Types of Cookies Used
The following types of cookies are used within the Service:
1. By storage period:
- session cookies - stored temporarily until the User logs out, leaves the website or closes the browser;
- persistent cookies - stored for a specified period in accordance with their parameters or until they are manually deleted by the User.
2. By function:
- necessary cookies - enable the basic functions of the Service, for example user authentication;
- security cookies - used to ensure security, for example to detect abuse;
- performance cookies - collect information on how the Service is used;
- functional cookies - remember the User’s settings, such as language, font size or region;
- advertising cookies - enable the display of advertising content tailored to the User’s preferences;
- integration cookies - related to third-party services.
Consent to Cookies and Configuration
- The User may consent to the use of cookies; their storage following such consent constitutes acceptance of their use.
- The User may independently change cookie settings in their web browser.
- Failure to change such settings after prior acceptance shall be deemed consent to the continued use of cookies.
Management and Deletion of Cookies
- The User may at any time:
- change their browser settings so as to block the automatic storage of cookies;
- delete previously stored cookies using browser settings, dedicated software or the operating system.
- Instructions for deleting cookies in the most commonly used browsers are available at:
- Firefox: support.mozilla.org
- Chrome: support.google.com
- Internet Explorer: support.microsoft.com
- Opera: help.opera.com
- Safari: safari.helpmax.net
Impact of Restricting Cookies on the Operation of the Service
- Changing browser settings in a way that restricts the use of cookies may affect the functioning of the Service, including for example:
- inability to log in;
- interruption of the session;
- limited access to certain functionalities of the website.
Third-Party Cookies
- The Service may use cookies originating from external providers, such as:
- analytical tools;
- advertising systems;
- login functionalities or integrations with social media services.
- Such entities may store their own cookies on the User’s device in accordance with their own privacy policies.
Information from System Logs
- Data contained in system logs (such as IP address, browser type, operating system, date and time of connection) is used solely for technical and statistical purposes by the hosting provider operating the Service.
Security Measures
- The Administrator applies the technical and organisational measures required under applicable personal data protection laws in order to protect data against access by unauthorised persons and against unlawful modification.