PreKare

Effective date: 10 May 2026 · Version 1.0

GDPR Compliance

PreKare processes personal data of EU and EEA residents in strict accordance with Regulation (EU) 2016/679 — the General Data Protection Regulation. This page provides a clear reference to our GDPR obligations and your rights.

1. Overview

The GDPR grants EU/EEA residents strong rights over their personal data and imposes obligations on any organisation that processes that data, regardless of where the organisation is based. PreKare processes data of EU/EEA residents through its Portuguese operating subsidiary, PreKare Lda, and is therefore fully subject to GDPR.

This document supplements our Privacy Policy with GDPR-specific detail. In the event of any conflict between this page and the Privacy Policy, this page takes precedence for EU/EEA data subjects.

2. Data Controller Identity

  • Controller name: PreKare Lda
  • Legal representative: Amina Khan
  • Registered address: c/o IPN Incubadora, Rua Pedro Nunes, 3030-199 Coimbra, Portugal
  • GDPR contact: dpa@prekare.ai
  • Portuguese NIF: [to be registered]
  • Supervisory authority: Comissão Nacional de Proteção de Dados (CNPD), Portugal

PreKare Lda is a wholly owned subsidiary of Teramag Holding FZC (Sharjah, UAE). The UAE entity acts as a separate controller for non-EU/EEA user data and has entered into intra-group data transfer agreements with Standard Contractual Clauses with PreKare Lda.

3. Lawful Basis for Each Processing Activity

Under GDPR Article 6, every processing activity must have a lawful basis. The table below maps our key activities to their legal bases:

Processing activity                        | Lawful basis         | GDPR Article
-------------------------------------------|----------------------|-----------------------------
Account creation & authentication          | Contract performance | Art. 6(1)(b)
Generating AI recommendations              | Contract performance | Art. 6(1)(b)
Reading health data (Apple/Google Health)  | Explicit consent     | Art. 6(1)(a) + Art. 9(2)(a)
Reading location (city-level)              | Explicit consent     | Art. 6(1)(a)
Reading calendar events                    | Explicit consent     | Art. 6(1)(a)
Subscription management                    | Contract performance | Art. 6(1)(b)
Crash & error reporting                    | Legitimate interests | Art. 6(1)(f)
Usage analytics (anonymised)               | Legitimate interests | Art. 6(1)(f)
Marketing emails (opt-in only)             | Consent              | Art. 6(1)(a)
Legal record-keeping                       | Legal obligation     | Art. 6(1)(c)

4. Your Rights Under GDPR

As an EU/EEA data subject, you have the following rights. All requests are processed within 30 days (extendable to 3 months for complex requests).

Right of Access (Art. 15)

Request a copy of all personal data we hold about you, including the purposes, categories, recipients, and retention periods. We provide data exports in JSON format.

Right to Rectification (Art. 16)

Correct inaccurate or incomplete personal data. Most profile data can be updated directly in Settings → Profile.

Right to Erasure — "Right to be Forgotten" (Art. 17)

Request deletion of your personal data. Available in-app at Settings → Account → Delete my data. We complete erasure within 30 days, except where retention is required by law.

Right to Restriction of Processing (Art. 18)

Restrict how we use your data while a dispute is being resolved or while you object to processing based on legitimate interests.

Right to Data Portability (Art. 20)

Receive your personal data in a structured, machine-readable format (JSON) for transfer to another service provider. Applies to data processed on the basis of consent or contract.

Right to Object (Art. 21)

Object at any time to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

Right to Withdraw Consent (Art. 7(3))

Withdraw any consent (Health, Location, Calendar, Marketing) at any time, without affecting the lawfulness of prior processing. Manage in Settings → Privacy or via device permissions.

Rights Related to Automated Decision-Making (Art. 22)

PreKare's recommendations are generated by AI. You have the right to request human review of any automated recommendation and to opt out of profiling for direct marketing purposes.

To exercise any right, email dpa@prekare.ai with subject line "GDPR Request — [Right type]". We may need to verify your identity before processing the request.

5. Special Categories of Personal Data (Art. 9)

Health and biometric data are "special category" data under GDPR Art. 9 and require a higher level of protection. PreKare processes the following special category data only with your explicit, informed, granular consent:

  • Sleep quality and duration (from Apple/Google Health)
  • Activity levels and step count
  • Heart rate and HRV (if shared by your health app)

Technical safeguards specific to health data:

  • Processed entirely on-device or ephemerally on our servers. Not persisted in our database.
  • Only anonymised signals ("sleep quality: low/medium/high") are transmitted to our recommendation engine.
  • Never shared with third parties in identifiable form.
  • Never used to train AI models without separate explicit consent.
  • Automatically purged from all processing queues within 60 minutes of a session ending.

6. Sub-processors & Third-Party Processors

We have Data Processing Agreements (DPAs) in place with all sub-processors. All sub-processors meet GDPR adequacy requirements.

Processor                             | Purpose                                         | Location
--------------------------------------|-------------------------------------------------|---------------------------
Supabase Inc.                         | Database, auth, storage                         | EU (Frankfurt, Germany)
OpenAI / Anthropic                    | LLM inference for recommendations               | USA (SCCs in place)
Amazon Associates (Amazon.com, Inc.)  | Product catalogue queries, affiliate tracking   | USA (SCCs in place)
OpenWeatherMap                        | Weather data by city                            | Bulgaria (EU)
RevenueCat                            | Subscription management                         | USA (SCCs in place)
Sentry                                | Crash & error reporting                         | USA (SCCs in place)
Apple Inc. / Google LLC               | App Store payments, HealthKit / Google Fit APIs | USA (SCCs in place)

We review our sub-processor list at least annually. Changes are communicated to users with 30 days' notice.

7. International Data Transfers

Where personal data of EU/EEA residents is transferred outside the EU/EEA, we use one or more of the following safeguards:

  • Standard Contractual Clauses (SCCs) — approved by the European Commission under Decision 2021/914. Applied to all US-based sub-processors.
  • EU adequacy decisions — where available for the destination country.
  • Intra-group Data Transfer Agreement — between PreKare Lda (Portugal) and Teramag Holding FZC (UAE), incorporating SCCs for any data shared with the UAE entity.
  • Technical supplementary measures — end-to-end encryption ensuring data cannot be accessed in clear form during transit.

The UAE does not yet have an EU adequacy decision. All transfers to the UAE parent entity are governed by SCCs and are minimised to what is strictly necessary for consolidated group reporting.

8. Data Retention Schedule

Data category                      | Retention period                       | Legal basis for retention
-----------------------------------|----------------------------------------|--------------------------------------
Account data (email, profile)      | While active + 30 days post-deletion   | Contract / GDPR Art. 6(1)(b)
Health signals                     | Ephemeral (max 60 min per session)     | Consent / GDPR Art. 9(2)(a)
Chat / recommendation history      | 12 months (user-deletable)             | Legitimate interest / Art. 6(1)(f)
Anonymised usage analytics         | 24 months                              | Legitimate interest / Art. 6(1)(f)
Crash reports                      | 6 months                               | Legitimate interest / Art. 6(1)(f)
Subscription / billing records     | 7 years                                | Legal obligation / Art. 6(1)(c)
Consent records                    | 7 years post-withdrawal                | Legal obligation / Art. 6(1)(c)

9. Data Breach Protocol

In the event of a personal data breach, PreKare will:

  • Within 72 hours — notify the CNPD (Portuguese DPA) as required by GDPR Art. 33, unless the breach is unlikely to result in risk to individuals.
  • Without undue delay — notify affected users if the breach is likely to result in high risk to their rights and freedoms (GDPR Art. 34), providing details of the breach, data affected, likely consequences, and measures taken.
  • Containment — immediately isolate affected systems, revoke compromised credentials, and engage our incident response team.
  • Post-incident review — document all breaches in our internal breach register regardless of notification threshold.

To report a suspected breach, email security@prekare.ai.

10. Supervisory Authorities

You have the right to lodge a complaint with the supervisory authority in your EU/EEA member state. Our lead supervisory authority is:

  • CNPD — Comissão Nacional de Proteção de Dados (Portugal)
  • Website: www.cnpd.pt
  • Address: Rua de São Bento, 148-3°, 1200-821 Lisboa, Portugal
  • Email: geral@cnpd.pt

If you are located in another EU/EEA member state, you may also lodge a complaint with your local DPA. The CNPD will coordinate with other authorities as appropriate.

11. Withdrawing Consent

You may withdraw consent for any data processing activity at any time without detriment to your use of the Service (except for processing that is strictly necessary to provide the core Service under contract).

In-app consent controls

  • Health data: Settings → Privacy → Health data → Revoke access
  • Location: Settings → Privacy → Location → Revoke access (or via device settings)
  • Calendar: Settings → Privacy → Calendar → Revoke access (or via device settings)
  • Marketing emails: Settings → Notifications → Marketing, or unsubscribe link in any email

Device-level controls

You can also revoke permissions at the OS level:

  • iOS: Settings → Privacy & Security → [Health/Location/Calendars] → PreKare → toggle off
  • Android: Settings → Apps → PreKare → Permissions → toggle off individual permissions

Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

12. Contact Our Data Protection Point of Contact

While GDPR does not require PreKare to appoint a formal Data Protection Officer (DPO) at our current stage, we have designated a Data Protection Point of Contact (DPOC) who handles all GDPR-related enquiries:

  • DPOC email: dpa@prekare.ai
  • General privacy: privacy@prekare.ai
  • Response time: Within 5 business days for acknowledgement; 30 days for substantive response
  • Postal address: PreKare Lda, Attn: Data Protection, c/o IPN Incubadora, Rua Pedro Nunes, 3030-199 Coimbra, Portugal

Please include "GDPR" in your subject line and describe your request clearly. We may request identity verification before processing sensitive data requests.


© 2026 PreKare · Teramag Holding FZC · All rights reserved

PreKare is not a medical device and does not provide medical advice.