Privacy Policy
Last updated: June 1, 2025 · Effective immediately
1. Introduction & Scope
Conipi ("we", "our", "us") operates the website conipi.com and the Conipi daily wellness assistant service (collectively, the "Service"). We are committed to protecting your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection legislation.
This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, how long we keep it, and what rights you have. Please read this document carefully before using our Service.
2. Data We Collect
Data you provide directly:
- Quiz responses: gender/identity, age range, lifestyle goals, wellness preferences
- Email address (when subscribing or contacting us)
- Payment information (processed by Stripe — we do not store card details)
- Communications with our support team
Data collected automatically:
- IP address and approximate geolocation (country/city level)
- Browser type, version, and device type
- Operating system
- Pages visited, time spent, click paths, referral URLs
- Session identifiers and cookies
3. Legal Basis for Processing (GDPR Art. 6)
We process your personal data only when we have a valid legal basis:
- Performance of a contract (Art. 6(1)(b)): Processing necessary to provide the Service you signed up for, including delivering your personalized plan and managing your subscription.
- Consent (Art. 6(1)(a)): For marketing emails and non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legitimate interests (Art. 6(1)(f)): Service improvement, fraud prevention, security, and analytics — where our interests are not overridden by your rights.
- Legal obligation (Art. 6(1)(c)): Where we must retain or process data to comply with EU or Latvian law (e.g., accounting, tax records).
4. How We Use Your Data
- Generate and deliver your personalized daily wellness plan
- Process subscription payments and manage billing via Stripe
- Send transactional emails (receipts, subscription confirmations, account alerts)
- Send marketing and promotional communications (only with your consent)
- Respond to support inquiries and complaints
- Analyze usage patterns to improve the Service
- Detect, prevent, and investigate fraud or security incidents
- Comply with legal and regulatory obligations
5. Cookies & Tracking Technologies
Essential cookies are required for the Service to function (session management, authentication). These cannot be disabled without breaking the Service.
Analytics cookies help us understand how visitors use the site (e.g., page views, session duration). These are only set with your consent.
Marketing cookies are used to deliver relevant advertising and track conversions. These are only set with your explicit consent.
You can manage cookie preferences through your browser settings or our cookie banner. Withdrawing consent for non-essential cookies does not affect Service functionality.
6. Payment Processing
All payments are processed by Stripe, Inc. (USA), a PCI DSS Level 1 certified payment processor. We transmit your payment intent to Stripe but do not store, see, or have access to your full card number, CVV, or sensitive financial credentials on our servers.
Stripe acts as an independent data controller for payment data under its own Privacy Policy. By making a purchase, you acknowledge Stripe's data practices.
7. Data Sharing & Third Parties
We do not sell, rent, or trade your personal data. We share data only with the following categories of recipients, solely to the extent necessary:
- Stripe, Inc. — payment processing and fraud prevention
- Email service providers — delivery of transactional and marketing emails
- Analytics providers — anonymized/pseudonymized usage statistics
- Hosting providers — infrastructure and data storage (EU-based where possible)
- Legal authorities — if required by law, court order, or to protect our legal rights
Where we transfer data outside the EEA, we ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses under Art. 46 GDPR, or adequacy decisions).
8. Data Retention
We retain your personal data only as long as necessary for the purposes described in this Policy:
- Account data: for the duration of your subscription + 2 years after account closure
- Payment records: 7 years (Latvian accounting law requirement)
- Support communications: 3 years from last contact
- Analytics data: aggregated/anonymized, retained indefinitely; raw session data up to 26 months
- Marketing consent records: until consent is withdrawn + 3 years for proof of consent
Upon expiry of the retention period, data is securely deleted or anonymized. You may request early deletion at any time (see Section 9).
9. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights. To exercise any of them, email us at [email protected]. We will respond within 30 days.
- Right of access (Art. 15): Request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten"), where no legal obligation requires retention.
- Right to restriction (Art. 18): Request that we limit how we process your data in certain circumstances.
- Right to data portability (Art. 20): Receive the data you provided to us, where we process it by automated means on the basis of consent or contract, in a structured, commonly used, machine-readable format (JSON/CSV), and have it transmitted to another controller where technically feasible.
- Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent: Withdraw any consent previously given at any time. This does not affect prior lawful processing.
- Right to lodge a complaint: With the Latvian Data State Inspectorate (DVI) at dvi.gov.lv, or with the supervisory authority in your EU country of residence.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These include:
- HTTPS/TLS encryption for all data in transit
- Encrypted storage for sensitive data at rest
- Role-based access controls limiting internal access to personal data
- Regular security reviews and vulnerability assessments
- Incident response procedures for personal data breaches
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it and, where the breach is likely to result in a high risk to you, inform affected individuals without undue delay, as required by GDPR Art. 33–34.
11. Children's Privacy
The Service is intended solely for persons aged 18 and over. We do not knowingly collect personal data from minors under 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at [email protected] and we will delete it promptly.
12. Links to Third-Party Sites
The Service may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies independently.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email (if you have an account) and update the "Last updated" date at the top. Your continued use of the Service after changes constitutes acceptance of the revised Policy.
14. Contact & Data Protection Inquiries
For any questions, requests, or concerns regarding this Privacy Policy or our data practices, please contact us at [email protected]. We will respond within 30 days.