Skip to main content
Legal

Privacy Policy

This Privacy Policy explains how BEDENX OÜ ("BEDENX", "we", "us", or "our") collects, uses, discloses, and safeguards personal data across all BEDENX applications, SaaS products, websites, APIs, and services (collectively, the "Services"). It applies to every current and future BEDENX product, whether delivered via web, iOS, Android, desktop, or embedded platforms.

Data Controller
BEDENX OÜ (Reg. 17523357)
Tartu mnt 67/1-13b, 10115 Tallinn, Estonia
Effective Date
9 July 2026
Last Updated
9 July 2026

1. Introduction

BEDENX OÜ is an Estonian company that builds, owns, and scales digital products across healthcare, artificial intelligence, commerce, software, and adjacent industries. We are committed to protecting your personal data and respecting your privacy rights under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the Estonian Personal Data Protection Act, and applicable local laws worldwide.

This policy applies uniformly to every BEDENX product and service — including all mobile applications published under the BEDENX developer accounts on the Apple App Store and Google Play, all SaaS platforms, all public websites, all APIs, and all developer tools we operate. By using any BEDENX Service, you acknowledge that you have read and understood this policy.

2. Information We Collect

We collect the following categories of personal data:

  • Identity & account data: name, email, phone number, password (hashed), profile photo, date of birth (when required), and authentication provider identifiers (Google, Apple, Microsoft, etc.).
  • Transaction data: subscription status, purchase history, product entitlements, invoice metadata, billing country, and tax identifiers. Full payment card numbers are never stored by BEDENX — they are processed exclusively by our PCI-DSS-compliant payment processors (Stripe, Apple, Google, RevenueCat).
  • Device & technical data: device model, operating system, unique device identifiers, language, time zone, IP address, browser type, app version, and diagnostic logs.
  • Usage data: features accessed, session duration, in-app events, referral source, and interaction telemetry.
  • User-generated content: files, images, text, prompts, or media you submit to our Services.
  • Communications: messages you send to support, survey responses, and marketing preferences.

Legal bases under GDPR: performance of a contract (Art. 6(1)(b)), legitimate interests (Art. 6(1)(f)), legal obligation (Art. 6(1)(c)), and consent where required (Art. 6(1)(a)).

3. Account Data

When you create a BEDENX account we store your email address, a salted hash of your password (or the OAuth identifier from your provider), and a unique user ID. Account data is used to authenticate you, sync entitlements across devices, provide support, and comply with legal obligations. You can update or delete your account at any time from in-app settings or by emailing info@bedenx.com.

4. Usage Analytics

We use privacy-respecting analytics to understand how our Services are used and to improve them. Analytics events are keyed to a pseudonymous installation ID, not to your name or email. Providers we may use include Google Analytics for Firebase, Mixpanel, PostHog, and Amplitude. Where required by law (including in the EEA and UK), analytics are only enabled after you provide consent through our in-app consent banner.

5. Cookies & Similar Technologies

Our websites use strictly-necessary cookies (for authentication and security), preference cookies (to remember settings), and — with your consent — analytics and marketing cookies. Mobile apps use equivalent local-storage identifiers. You can withdraw consent at any time via the cookie preferences link in the website footer or the privacy settings in each app.

6. Firebase Services

Several BEDENX apps use Google Firebase (operated by Google Ireland Limited) for services including Authentication, Cloud Firestore, Realtime Database, Cloud Functions, Cloud Messaging (FCM), Remote Config, App Check, Crashlytics, and Google Analytics for Firebase. Firebase processes device identifiers, IP addresses, event data, and — where applicable — the account data you provide. Data processing is governed by Google's Data Processing and Security Terms and the EU Standard Contractual Clauses. See firebase.google.com/support/privacy for details.

7. RevenueCat Subscriptions

We use RevenueCat, Inc. to manage in-app subscriptions and entitlements across platforms. RevenueCat receives your app-user ID, subscription events, purchase receipts, device information, country, and IP address in order to validate purchases with Apple and Google, unlock entitlements, and prevent fraud. RevenueCat acts as a data processor on our behalf under a Data Processing Addendum incorporating the EU Standard Contractual Clauses. Details: revenuecat.com/privacy.

8. Apple App Store Purchases

Purchases made through iOS or macOS apps are processed by Apple. Apple provides us with an anonymized transaction identifier and receipt, which we validate (directly or via RevenueCat) to grant the corresponding entitlement. We never receive your full payment card details, Apple ID password, or Apple account information. Refunds, family sharing, and subscription management are handled by Apple in accordance with the Apple Privacy Policy.

9. Google Play Purchases

Purchases made through Android apps distributed via Google Play are processed by Google. Google provides us with a purchase token and order identifier, which we validate (directly or via RevenueCat) to grant the corresponding entitlement. We never receive your full payment card details or Google account credentials. Refunds and subscription management are handled by Google in accordance with the Google Privacy Policy. Our data handling is disclosed in each app's Google Play Data Safety form.

10. Crash Reporting

To improve reliability we collect crash reports using Firebase Crashlytics and/or Sentry. Reports include stack traces, device model, OS version, app version, and a pseudonymous installation ID. Reports may incidentally include limited memory contents (such as the last function arguments). We do not intentionally include personal identifiers, and we retain crash data no longer than 90 days.

11. Push Notifications

With your permission, we send push notifications via Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM). We process a device push token, notification preferences, and delivery status. You can disable push notifications at any time from your device settings or in-app preferences.

12. AI-Powered Features

Certain BEDENX Services use artificial intelligence, including large language models and generative image, audio, and video models. When you use these features, the prompts, files, and context you submit may be transmitted to our AI infrastructure partners (such as OpenAI, Anthropic, Google, Mistral, Meta, Stability AI, or self-hosted models on Cloudflare and AWS) strictly for the purpose of generating your response.

We do not permit these providers to use your content to train their foundation models. Prompts are retained only as long as needed to deliver the feature, provide history, and enforce abuse controls (typically up to 30 days), unless you explicitly save the content to your account.

13. Third-Party Services

We share personal data with vetted service providers only to the extent necessary to deliver the Services. Categories include: cloud hosting (Cloudflare, Amazon Web Services, Google Cloud, Microsoft Azure), authentication (Supabase, Firebase Auth, Auth0), payments (Stripe, Apple, Google, RevenueCat, Paddle), email (Resend, Postmark, SendGrid), customer support (Intercom, Zendesk, Crisp), analytics (Google Analytics, Mixpanel, PostHog, Amplitude), and monitoring (Sentry, Datadog, Better Stack). Each processor is bound by a written data-processing agreement incorporating the EU Standard Contractual Clauses where applicable.

We do not sell personal data. We do not share personal data with advertising networks for cross-context behavioural advertising.

14. Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy or as required by law. Typical retention periods:

  • Account data — for the life of the account, then 30 days after deletion.
  • Transaction and billing records — 7 years (Estonian accounting law).
  • Support tickets — 3 years after last interaction.
  • Analytics events — up to 26 months.
  • Crash reports — up to 90 days.
  • Backups — up to 35 days after primary deletion.

15. Your Rights (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the right to: access your data; rectify inaccurate data; erase your data ("right to be forgotten"); restrict or object to processing; port your data to another provider; and withdraw consent at any time. To exercise any of these rights, email info@bedenx.com. We will respond within 30 days.

You also have the right to lodge a complaint with your local supervisory authority. In Estonia this is the Estonian Data Protection Inspectorate (aki.ee).

Residents of California, Virginia, Colorado, Connecticut, Utah, and other US states with comprehensive privacy laws have equivalent rights and may exercise them through the same email address.

16. Children’s Privacy

Our Services are not directed to children under 13 (or under 16 in the EEA, where a higher age applies). We do not knowingly collect personal data from children below the applicable age of digital consent. If we learn that we have collected such data, we will delete it promptly. Apps that are intended for a family or child audience comply with the Children’s Online Privacy Protection Act (COPPA), Apple’s Kids Category requirements, and Google Play’s Designed for Families programme. Parents or guardians who believe their child has provided us with personal data may contact info@bedenx.com to request deletion.

17. International Data Transfers

BEDENX operates globally and may transfer personal data to countries outside the EEA, including the United States and the United Kingdom. Whenever we transfer personal data outside the EEA to a country not deemed adequate by the European Commission, we rely on appropriate safeguards including the EU Standard Contractual Clauses (2021/914) and, where relevant, the EU–US Data Privacy Framework. A copy of the safeguards applicable to any given transfer is available on request.

18. Security

We implement industry-standard technical and organisational measures to protect personal data, including TLS 1.3 encryption in transit, AES-256 encryption at rest, hashed passwords (bcrypt/argon2), least-privilege access controls, row-level security on all databases, mandatory two-factor authentication for staff, continuous vulnerability scanning, quarterly penetration testing, and 24/7 monitoring. No system is 100% secure, but we work continuously to protect your information.

If you believe you have discovered a security vulnerability, please report it responsibly to info@bedenx.com.

19. Contact Information

For any question about this Privacy Policy, to exercise your rights, or to reach our Data Protection contact, please write to:

BEDENX OÜ
Tartu mnt 67/1-13b
10115 Tallinn, Estonia
Reg. 17523357

20. Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our Services, legal requirements, or operating practices. When we make material changes, we will notify you by email or through an in-app notice at least 30 days before the changes take effect. The "Last Updated" date at the top of this page always reflects the most recent revision. Continued use of the Services after the effective date constitutes acceptance of the updated policy.