Privacy Policy
Effective Date: April 1, 2026 | Last Updated: April 14, 2026
Your privacy isn't a feature we bolt on — it's how we built everything. Cirdia is a wellness technology company, and we believe your health data deserves structural protection, not just promises. This policy explains what we collect, why, and exactly how we protect it.
This policy covers all Cirdia products and services: our mobile apps (Tapestry, Nourish, Groundwork), our wearable devices (Contour, Noir), our websites (cirdia.com and related subdomains), and any other services we offer.
Cirdia Global S.L. is the data controller for your information.
By using any Cirdia product or service, you agree to the practices described in this policy and our Terms of Service.
1. Our Core Principle: We Never Store Your Health Data
Your wellness data — symptoms, habits, heart rate, sleep, temperature, energy, mood, cycle, movement — stays on your device. We do not store it in our databases. There is nothing to sell, nothing to breach, nothing to hand over.
When you use our pattern intelligence features, your data is encrypted on your device, sent to a temporary private processing instance, analyzed, and the instance is destroyed. Not shut down — destroyed. Your results return encrypted to your device. We never see the unencrypted data.
2. What We Collect
Information You Provide
- Account information — name and email address when you create an account or subscribe
- Payment information — processed by Stripe; we receive your subscription status but never see or store your card details
- Partner (practitioner) information — if you register as a wellness practitioner: business name, practice address, professional credentials, bio, and profile photo. This is publicly displayed business information, not personal data in the traditional sense.
- Lead and contact form submissions — name, email, company, and any message you send us through our website forms
- Communications — messages you send to our support team
Information Collected Automatically
- Website analytics (all pages except marketing landing pages) — we use Plausible Analytics, which is cookie-free and collects only aggregate, anonymous usage data. No personal information is stored, and no cookies are set on the main site.
- Marketing landing pages (/l/*) — these are dedicated pages we use as destinations for social media advertising. With your consent, these pages may set cookies and load the Meta pixel to measure ad performance. The pixel transmits page-view events and standard device/browser data to Meta. This tracking is not present anywhere else on our website. No health, wellness, symptom, or wearable data is ever transmitted. You can decline, and you can change your mind at any time from the "Cookie preferences" link in the landing page footer. See our Cookie Policy for details.
- Email engagement — we track whether you open our emails and click links, so we can improve our communications. This data is tied to your email address.
- Country — derived from your IP address via Cloudflare when you submit a form. We store the country, not your IP address.
- UTM parameters — marketing attribution data from links you follow to our site. Stored temporarily in your browser's session storage and cleared when you close the tab.
Wearable Integrations (Apple HealthKit & Google Health Connect)
If you choose to connect a wearable:
- We only read; we never write. Tapestry pulls heart rate, HRV, sleep, temperature, and activity data from your device for your use only.
- Nothing is stored in our database. Raw health data is processed in memory on your device and is never written to our database. A temporary processed version is used in a short-lived, isolated processing environment to generate your Week in Wellness report; that environment is destroyed after the report is generated.
- You control the connection. Disconnect at any time from your device settings or in the app. Previously generated reports are kept; no new data will be read.
Information from Cirdia Wearable Devices
If you use a Cirdia wearable device (Contour or Noir):
- Device data is processed locally. Sensor data from your device is stored on your phone in the Tapestry app. It is not transmitted to our servers.
- The algorithms that process your device data are open source and auditable.
3. How We Use Your Information and Why It's Lawful
We use the information we collect for specific purposes, each with a clear legal basis under the GDPR:
| What we do | Legal basis |
|---|---|
| Provide our services — create and manage your account, process subscriptions, deliver activation codes and magic links, generate your pattern intelligence reports | Contract performance — necessary to deliver what you signed up for |
| Communicate transactionally — send account confirmations, access codes, magic links, program updates, and subscription renewal reminders | Contract performance and legal obligation |
| Send marketing communications — product news and updates, if you've opted in | Your consent — which you can withdraw at any time |
| Improve our products — understand how our websites are used in aggregate | Legitimate interest — we use anonymous, aggregate analytics only |
| Support our practitioner network — manage partner relationships and display public practitioner profiles | Contract performance (for practitioners) |
| Security and fraud prevention — monitor for abuse, maintain audit logs | Legitimate interest — protecting our users and systems |
| Legal compliance — respond to legal requests, enforce our terms | Legal obligation |
Most companies in this space make promises about what they won't do with your data. We built a system where those things aren't possible:
- We can't sell your health data — it's on your device, not in our databases. We don't have it to sell.
- We can't use your health data for advertising — we never see your wellness data in unencrypted form, and we never transmit it to any advertising platform. Ad measurement on our marketing landing pages is limited to page-level events (you visited the page) and contains no health, wellness, symptom, or wearable data.
- We can't share it with third parties — the only place your health data exists is on your phone and inside an ephemeral processing instance that's destroyed after your report is generated.
- We can't train AI on it — our pattern intelligence processes your data in an isolated instance that is permanently destroyed after use. Nothing is retained or fed back into any model.
4. Pattern Intelligence — How It Works
Our weekly pattern intelligence (the "Week in Wellness" report) works like this:
- Your wellness data is encrypted on your device
- A temporary, private processing instance is created just for you
- Your encrypted data is sent to that instance and decrypted only inside it
- The analysis runs and your report is generated
- The report is encrypted and sent back to your device
- The processing instance is immediately and permanently destroyed
Pattern analysis runs on self-hosted Mistral instances within our own infrastructure — your data never leaves our servers during processing, and the instance is destroyed immediately after. Your data is not used to train any AI models.
We also use the Mistral API for internal business tools (like work prioritization), but these never process your health or wellness data.
No health data is retained on our servers at any point in this process.
5. Transactional vs. Marketing Communications
We send two types of emails:
Transactional emails are directly related to your account or actions you've taken — activation codes, magic links, program updates, trial information, and tester communications. These don't require marketing opt-in because you'd reasonably expect to receive them based on something you did.
Marketing emails promote our products or nurture your interest when you haven't taken a specific triggering action. These require your explicit opt-in, and every marketing email includes an unsubscribe link. You can opt out at any time without affecting your account or access to our services.
Your marketing consent is separate from your account consent and your GDPR consent. You control each independently.
6. Who We Share Data With
We work with a small number of service providers to run our business. They process data on our behalf and are bound by contract to protect it.
| Provider | What they do | Data involved | Where |
|---|---|---|---|
| Stripe | Payment processing | Subscription and payment status | US/EU |
| Postmark | Transactional email delivery | Email address, email content | US |
| Plausible Analytics | Cookie-free website analytics | Anonymous, aggregate data only | EU |
| Mistral AI | Pattern intelligence processing | Encrypted wellness data (ephemeral only) | EU |
| Hetzner | Server hosting | Account data, business data | EU (Germany) |
| Cloudflare | DNS, CDN, security | IP addresses (transient, not stored by us) | EU |
| Scaleway | Infrastructure | Varies | EU (France) |
| Meta | Advertising. On marketing landing pages (/l/*), with your consent, the Meta pixel transmits page-view events and standard device/browser data to Meta to measure ad effectiveness. No pixel runs anywhere else on our website. No health or wellness data is ever transmitted. | Page-view events, device/browser data, standard pixel cookies (consent-gated) | US |
| WhatsApp (Meta) | Tester community group | Your phone number and messages within the group | US |
| Google Drive | Internal business storage | Internal business documents | US |
We use Nextcloud (self-hosted) as our primary internal business storage and tools. Google Drive is used for collaborative document editing. Neither stores any customer or user data.
We do not share your data with data brokers, information resellers, or advertisers beyond the limited ad performance data described above.
7. Your Rights
Regardless of where you live, you can:
- Access your data — ask us what we have and receive a copy
- Correct your data — fix anything that's wrong
- Delete your data — request deletion of your account and personal information
- Export your data — download your app data (CSV export available in the app)
- Withdraw consent — opt out of marketing communications or disconnect health integrations at any time
- Object to processing — ask us to stop using your data for specific purposes
- Port your data — receive your data in a structured, machine-readable format
GDPR-level rights for everyone. For customers in the EU, these rights are guaranteed under the GDPR. We extend all of them — including the right to erasure (the "right to be forgotten") — to every person who uses our services, anywhere in the world, regardless of jurisdiction or whether your local law requires it. If you ask us to delete your data, we delete it.
To exercise any of these rights: email [email protected]. We'll respond within 30 days.
Right to complain: If you're in the EU and believe we're not handling your data correctly, you have the right to lodge a complaint with your local data protection authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD) at www.aepd.es.
What happens when you delete your account:
- If you're a trial user, we delete your data entirely
- If you're a paid or former paid subscriber, we anonymize your data (removing all personally identifiable information) to maintain aggregate business records, then delete the identifiable data
In all cases, health and wellness data is already on your device only — we have nothing to delete on our end.
8. Data Retention
- Account data — retained while your account is active, then deleted or anonymized per Section 7
- Audit logs (security events, IP addresses) — retained for a defined period, then automatically purged
- Lead and contact data — retained while relevant to the business relationship, then deleted
- Email engagement data — retained while you're subscribed to communications
- Website analytics — aggregate only, no personal data to retain
- Health and wellness data — never stored on our servers; retention on your device is entirely under your control
9. Data Security
- No passwords — we use magic links and activation codes only. No password database to breach.
- Token hashing — all authentication tokens are SHA-256 hashed before storage. Raw tokens never touch our database.
- Encryption in transit — all traffic uses HTTPS
- Encryption at rest — database encryption via our hosting provider
- EU hosting — our servers are in Germany (Hetzner) with Cloudflare providing edge security from EU points of presence
- Limited access — our team is small and access to production systems is tightly restricted
- Wearable device algorithms — open source and auditable, so you can verify what runs on your device
10. Age Requirement
You must be at least 16 years old to use our services. This is intentional — it meets the strictest GDPR threshold across EU member states and exceeds Spain's minimum of 14. We do not knowingly collect data from anyone under 16. If you believe we have, contact us at [email protected] and we will delete it promptly.
To create an account, purchase a subscription, or enter into a contract with us, you must be at least 18 years old (or the age of majority in your jurisdiction), as described in our Terms of Service.
11. International Data Transfers
Cirdia Global S.L. is based in Spain. Our primary infrastructure is in the EU (Germany, France). Some service providers operate in the US (Stripe, Postmark, Meta, Google). Where data is transferred outside the EU, we ensure appropriate safeguards are in place as required by the GDPR, including standard contractual clauses.
12. Changes to This Policy
If we make significant changes, we'll notify you by email or prominent notice on our website before the changes take effect. Minor clarifications or formatting changes may be made without notice.
13. For California Residents (CCPA/CPRA)
If you're a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:
- Right to know: You can request the categories and specific pieces of personal information we've collected about you. See Section 2 for a complete list.
- Right to delete: You can request deletion of your personal information. See Section 7 for how this works.
- Right to opt out of sale or sharing: We do not sell your personal information. On our marketing landing pages (/l/*), we use the Meta pixel to measure ad performance, which qualifies as "sharing for cross-context behavioral advertising" under CPRA. You can opt out by declining cookies on those pages, by using the "Cookie preferences" link in the landing page footer, or by using a Global Privacy Control (GPC) browser signal, which we honor. Pixel tracking is not present anywhere else on our site.
- Right to non-discrimination: We will not treat you differently for exercising your privacy rights.
Categories of personal information we collect: Identifiers (name, email), commercial information (subscription status), and internet activity (anonymous website analytics). We do not collect biometric information, geolocation, or sensitive personal information on our servers.
14. For Washington State Residents (My Health My Data Act)
The Washington My Health My Data Act provides specific protections for consumer health data. Cirdia's architecture is designed around the principle that we never collect or store your health data on our servers. Your wellness data — including any data that would qualify as "consumer health data" under this law — stays on your device. When processed for pattern intelligence, it is handled in ephemeral instances that are immediately destroyed. We do not collect, share, or sell consumer health data as defined by this law.
Our direct-to-consumer marketing landing pages (at cirdia.com/l/*) are not intended for, and are not advertised to, Washington State residents. If you are a Washington resident who has arrived at one of these pages and has questions about our data practices, please contact [email protected].
15. Data Protection Contact
Until Cirdia appoints a dedicated Data Protection Officer, the Chief Executive serves in this capacity.
Privacy questions: [email protected]
General support: [email protected]
16. Contact Us
Cirdia Global S.L.
Valencia, Spain
Privacy questions: [email protected]
General support: [email protected]
Website: www.cirdia.com