PRIVACY POLICY
Last Updated: May 26, 2025
*NOT MEDICAL ADVICE & REGULATORY STATUS
Zenna is a general-wellness application intended solely to promote relaxation and stress management through personalized soundscapes. Zenna does not diagnose, treat, cure, mitigate or prevent migraine or any other disease and is not cleared or approved by the U.S. Food and Drug Administration, nor does it have a CE mark under the EU Medical Device Regulation or a UKCA mark. Always consult a qualified healthcare professional for medical advice.
1. INTRODUCTION AND OVERVIEW
This Privacy Policy explains how Zenna ("we," "our," or "us") collects, uses, shares, and protects your personal information when you use our migraine sound session application.
Our service is designed to comply with privacy laws in the EU, UK, United States, Canada, and India. If you are located outside of these regions, please do not use our service.
We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.
Zenna has two primary purposes for data processing:
1. Providing personalized sound sessions based on your migraine symptoms
2. With your separate explicit consent, contributing to migraine research
This Privacy Policy explains how we process your data for these different purposes and the specific legal bases for each type of processing.
Zenna and this Privacy Policy are provided only in English. By using Zenna, you confirm that you understand English well enough to provide informed consent and use the service.
2. TYPES OF DATA WE COLLECT
We collect the following categories of information:
a) Account Information:
Email address
Name
Age range
Gender
b) Migraine Information (Special Category Data):
Migraine history: Information about your migraine patterns, frequency, duration, and current relief methods you've tried (including over-the-counter and prescription medications)
Current treatment details: Information about medications you currently take for migraine management, including names and dosages
Pain characteristics: Details about your migraine pain, including severity, location, type (throbbing, stabbing, pressure, etc.), and duration of typical episodes
Associated symptoms: Information about symptoms that accompany your migraines, such as nausea or vomiting, light sensitivity (photophobia), sound sensitivity (phonophobia), visual disturbances (aura), and sensory changes (tingling, numbness)
Triggers: Information about factors that may precipitate your migraines, such as hormonal factors (menstrual cycle, pregnancy, menopause), dietary triggers (specific foods, alcohol, caffeine), environmental factors (weather changes, bright lights, strong smells), and lifestyle factors (stress, sleep patterns, exercise)
Ethnicity or racial origin
Country or region of residence
c) App Usage Information:
How you interact with the app
Which sound sessions you use
Frequency and duration of app usage
Feedback on effectiveness
3. GENERAL DATA
For general personal data (such as your email address, account information, and app usage activity), we rely on Article 6(1)(b) of the GDPR — processing necessary for the performance of a contract — to deliver the essential services you request through the Zenna app.
4. SPECIAL CATEGORY DATA
The migraine information we collect constitutes "special category data" (specifically health data) under the GDPR. We take additional measures to protect this sensitive information and maintain your privacy.
a) Legal Basis for Processing Special Category Data
For essential service provision we process your health data with your explicit consent in accordance with Article 9(2)(a) of the UK and EU GDPR. This consent is required to provide you with personalized sound sessions as a core part of our service.
We do not rely on exemptions for medical or social care processing under Article 9(2)(h) or related provisions of the UK Data Protection Act 2018, as Zenna is not a regulated healthcare provider. All health-related processing is based solely on your explicit consent.
b) Additional Safeguards for Special Category Data
Due to the sensitive nature of health data, we implement these additional safeguards:
Enhanced encryption: All health data is encrypted both during transmission and at rest
Access controls: Only authorized personnel with specific training can access your health information
Data minimization: We collect only the health information necessary to provide our services
Retention limitations: We retain your health data only as long as necessary
Pseudonymization: Where possible, we separate identifiable information from health data
Regular security assessments: We conduct regular security audits and vulnerability testing
5. HOW WE USE YOUR DATA
We use your information for the following purposes:
a) Essential Service Provision (Legal basis: Contract performance for general data under Article 6(1)(b), and explicit consent under Article 9(2)(a) for health data)
Generate personalized sound sessions based on your migraine symptoms
Track your migraine patterns over time
Improve session effectiveness for your specific symptoms
Provide technical support
b) Research Purposes (Legal basis: Explicit consent under Article 9(2)(a) for health data)
Study migraine patterns and triggers across user populations
Analyze effectiveness of different audio sessions for various symptoms
Develop improved wellness approaches
Contribute to scientific understanding of migraine
For research purposes, your data is de-identified and aggregated wherever possible. We only use your data for research if you have provided explicit consent separate from accepting our Terms & Conditions.
6. LAWFUL BASIS FOR PROCESSING
We process your personal data on the following legal grounds:
Performance of Contract: Processing necessary to provide you with personalized sound session services based on the symptoms you report. This is essential for the functioning of the app.
Explicit Consent: For optional research purposes, we only process your data with your freely given, specific, informed, and unambiguous consent. You have the right to withdraw this consent at any time.
Legitimate Interests: In limited circumstances, we may process certain data based on our legitimate interests, such as to ensure the security of our services, prevent fraud, or detect abuse. Where we rely on legitimate interests, we ensure that these interests do not override your fundamental rights and freedoms, in accordance with the balancing test required under GDPR. You may object to this type of processing at any time by contacting us at info@zenna.io.
7. DATA PROTECTION IMPACT ASSESSMENT
We have conducted a Data Protection Impact Assessment (DPIA) to identify and minimize risks associated with processing your special category data. This assessment has guided our security measures and data processing practices. We review and update our DPIA periodically to reflect changes in data processing activities, technologies, or emerging risks.
8. EXPLICIT CONSENT MECHANISMS
We obtain your consent through clear, specific actions:
a) Essential Service Consent:
When you create an account and begin using Zenna, you consent to our collection and processing of your migraine data to provide personalized sound sessions. This processing is necessary for our service.
b) Research Consent (Optional):
We obtain separate explicit consent for using your data in migraine research. This consent is:
Freely given through a clear affirmative action
Specific to research purposes
Informed by clear information about how your data will be used
Unambiguous and distinct from other matters
As easy to withdraw as it is to give
9. YOUR DATA RIGHTS
Zenna's core functionality requires certain information to generate personalized sound sessions. If you do not wish to share this data, please do not use the app.
Under the GDPR and UK data protection law, you have the right to:
Access your personal data and receive information about how we process it
Rectify inaccurate data about you
Erase your data ("right to be forgotten") in certain circumstances
Restrict or object to processing in certain circumstances
Data portability: receive your data in a structured, commonly used format
Withdraw consent at any time for processing based on consent
In relation to your special category health data, you also have these specific rights:
Right to restrict processing: You can request that we restrict the processing of your health data in certain circumstances
Right to object to processing: You can object to the processing of your health data, particularly for research purposes
For data used with consent (such as for research purposes), withdrawing consent is simple and accessible within the app settings. Withdrawing consent for research will not affect your access to essential app services. To exercise these rights, go to Edit Profile within the app.
For special category data, because the use of that data is essential to providing app services, if you wish to withdraw consent, please delete the app. All your data will be deleted from our system within 48 hours.
US State Privacy Rights (e.g., CCPA/CPRA)
If you are a resident of California or certain other US states with data privacy laws, you may have the following rights:
Right to know what personal information we collect, use, disclose, or sell
Right to request deletion of your personal information
Right to correct inaccurate personal information
Right to opt out of the sale or sharing of personal information (Note: Zenna does not sell user data)
Right to limit use of sensitive personal information
To exercise any of these rights, please contact us at info@zenna.io. We will verify your identity before fulfilling any request.
10. DATA SECURITY
We implement appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:
Encryption of personal data
Regular security assessments
Access controls and authentication procedures
Staff training on data protection
Data minimization practices
If an unauthorized disclosure of your health data occurs, we will notify you without undue delay and, in any event, within 72 hours (EU/UK GDPR) and 30 days (U.S. FTC Health Breach Notification Rule) of becoming aware of the breach, and will file the required reports with required entities.
11. DATA RETENTION
We retain your personal data only as long as necessary for the purposes for which it was collected:
Account and migraine data is kept as long as you maintain an active account
We will delete or anonymize your personal data within 48 hours of your deletion request. Secure system backups may retain data longer but will be isolated and inaccessible to operational systems, and will be deleted in accordance with our data retention schedule.
For optional research purposes, anonymized data may be retained for a longer period as necessary for scientific research
Anonymized research data may be retained for up to 10 years for scientific research purposes, in line with ethical research standards, unless a longer period is legally required or justified.
12. DATA SHARING AND TRANSFERS
We only process personal data of users located in the EU, UK, Canada, United States, and India. We do not knowingly collect data from individuals in other jurisdictions.
We share your data only in limited circumstances:
a) Service Providers:
We may share data with third-party service providers (such as cloud hosting and analytics providers) who help us operate and maintain our services. These providers are contractually bound to process your data securely and in compliance with applicable data protection laws.
b) Research Partners (Only with explicit consent):
If you have consented to research use, we may share de-identified, aggregated data with research partners, academic institutions, or medical facilities studying migraine treatments.
c) Legal Requirements:
We may disclose personal information if required to do so by law, regulation, or legal process.
d) International Transfers:
All user data is stored and processed on secure servers located in the United Kingdom.
For EU users, your data is transferred to and stored in the UK based on the European Commission’s adequacy decision, which confirms that the UK provides an adequate level of data protection.
For US users, we comply with applicable state privacy laws, including the California Consumer Privacy Act (CCPA/CPRA), and implement GDPR-level safeguards such as encryption and restricted access controls.
For users in India, your data is processed in accordance with India’s Digital Personal Data Protection Act, 2023. There are currently no restrictions preventing the transfer of data to the UK, and we apply appropriate security and confidentiality measures.
For users in Canada, your data is transferred to the UK and protected in accordance with this Privacy Policy and Canada's PIPEDA law. While your data is stored outside Canada, it will receive a comparable level of protection and may be subject to access by UK authorities under applicable law.
We continue to monitor changes in international data transfer laws and will update our safeguards and Privacy Policy accordingly.
If your health data is ever transferred outside the UK, European Economic Area (EEA), or other regions with similar protections, we ensure appropriate safeguards are in place, including:
Standard Contractual Clauses (SCCs) approved by the European Commission
Binding Corporate Rules (BCRs)
Adequacy decisions issued by the European Commission or UK government
Participation in recognized frameworks such as the EU-U.S. Data Privacy Framework, where applicable
13. AUTOMATED DECISION-MAKING
Our application uses your health data to automatically personalize sound sessions. This process simply matches audio parameters to your symptom profile; it does not recommend medication or clinical action. In addition, this process:
Is necessary to provide our core service
Does not have legal or similarly significant effects
Is supported by human oversight
You can request human intervention, express your point of view, and contest any automated decisions by contacting us at info@zenna.io.
14. COOKIES AND SIMILAR TECHNOLOGIES
Our app may use cookies and similar technologies to enhance your experience and collect information about how you use our service. You can manage your preferences regarding cookies through your device settings.
15. CHILDREN'S PRIVACY
Zenna is intended for use only by individuals who are 16 years of age or older, regardless of their country of residence.
We do not knowingly collect or process personal data from individuals under the age of 16. If you are under 16, please do not use the app or provide any personal information.
If we become aware that we have collected personal information from someone under 16, we will take steps to delete that information promptly and restrict further access to the service.
16. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time. When we make significant changes, we will identify the date of the updated Privacy Policy in the app or by email. Your continued use of our services after such notification constitutes your acceptance of the updated Privacy Policy.
17. PRIVACY CONTACT
We have appointed a privacy contact responsible for overseeing our data protection practices. You can reach them at: info@zenna.io
18. COMPLAINTS
If you believe your rights regarding your data have been infringed, you have the right to lodge a complaint with:
Our Privacy Contact at info@zenna.io
The Information Commissioner's Office (ICO) at www.ico.org.uk (for UK users)
Your local data protection authority (for users in other jurisdictions)
19. CONTACT US
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:
Email: info@zenna.io