Privacy Policy

1. Introduction and Scope

Orlyn ("Orlyn", "we", "us", or "our") respects your privacy and is committed to protecting your Personal Data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Orlyn mobile application, the orlyn.ai website, and related services (collectively, the "Service"). This Privacy Policy applies to all Users of the Service.

Orlyn is a quit-drinking and sobriety-support application. It helps you track a live sober streak, complete a one-tap daily check-in, work through cravings, and converse with a 24/7 AI support coach (the "Coach"). Because the Service is built around your relationship with alcohol, much of the information you give us is data concerning health within the meaning of Article 4(15) and Article 9 of the GDPR, and "consumer health data" under certain US state laws. We treat it accordingly, as described throughout this Privacy Policy.

This Privacy Policy is designed to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") for Users in the European Economic Area, the UK Data Protection Act 2018 and UK GDPR for Users in the United Kingdom, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA") and other US state privacy laws, the Washington My Health My Data Act ("MHMDA") and comparable consumer-health-data laws, and Canadian federal and provincial privacy law (including PIPEDA and Québec Law 25).

Capitalised terms not defined in this Privacy Policy have the meanings given in the Terms of Service. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with it, please do not access or use the Service.

2. Controller, Representatives, Data Protection Officer, and Supervisory Authority

The data controller responsible for processing your Personal Data is:

Controller: Luca Diaz Hilterscheid (Einzelunternehmer), operating as a sole proprietor under the laws of the Federal Republic of Germany.

Postal address: Märkische Heide 5, 14532 Kleinmachnow, Germany

Email (privacy and general): luca@orlyn.ai

Support email: support@orlyn.ai

Privacy contact: Luca Diaz Hilterscheid — luca@orlyn.ai

EU representative (Article 27 GDPR): The controller is established in Germany. A representative under Article 27 GDPR is therefore not required.

United Kingdom (Article 27 UK GDPR): Users in the United Kingdom may contact the controller directly about any data-protection matter at: Luca Diaz Hilterscheid, Märkische Heide 5, 14532 Kleinmachnow, Germany — luca@orlyn.ai.

Data Protection Officer (Article 37 GDPR): The controller has assessed its processing activities under Article 37 GDPR and has determined that the appointment of a Data Protection Officer is not strictly mandatory at this time, principally because the controller is a sole proprietor whose current scale of processing is not considered to be "large-scale" within the meaning of Article 37(1)(b)–(c). We recognise, however, that the processing of data concerning health (including sobriety status, alcohol-use answers, cravings, moods, reflections, and Coach conversations) is now a core activity of the Service. We will keep this determination under active review and will appoint a Data Protection Officer (which may be an external or fractional appointment) if and when our scale of processing meets the threshold, publishing the contact details here at that time. All privacy-related inquiries should be directed to the privacy contact above.

Lead supervisory authority: Because the controller's place of establishment is in Kleinmachnow, Brandenburg, the competent lead supervisory authority is Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg (LDA Brandenburg), https://www.lda.brandenburg.de. Complaint paths for other jurisdictions are set out in Section 18.

3. Information We Collect

This Section describes the categories of Personal Data we collect. Where a category is, or may be, data concerning health, it is identified as such in Section 3.4.

3.1 Information You Provide Directly

• Account and identity information: your email address; if you use Sign in with Apple, the private-relay email address Apple issues; your name (where you provide it or a sign-in provider supplies it); and the authentication credentials and OAuth or refresh tokens needed to keep you signed in.
• Profile information: the pseudonymous username the Service assigns to your account, your first name (optional), the seed used to generate your avatar, and your timezone.
• Subscription and billing information: the plan you select, subscription and renewal status, and transaction history. Payment-card details for web purchases are collected and stored by Stripe; for in-app purchases, payment is handled by Apple. We never see or store your full payment-card number.
• Communications: the content of messages you send to our support address, together with any feedback and attachments.
• User Content: free-text reflections, named moods, and other content you choose to submit, and your pseudonymous presence on the weekly leagues (your username and generated avatar, together with a health-adjacent count of sober days).

3.2 Information Collected Automatically

• Device information: device type and model, operating system and version, app version, and similar technical attributes.
• Usage and analytics information: features used, screens viewed, interaction patterns, session duration and frequency, and similar product-analytics events (subject to your choices in Section 15).
• Crash and error telemetry: diagnostic information, error reports, and stack traces that help us keep the Service stable.
• Log data: IP address, access times and dates, and standard server-log information, processed for security and network operation.
• On-device country: an approximate country indication derived on your device (for example, to present the correct legal information). The Service does not collect, infer, or use precise geolocation, and does not use GPS or venue check-ins.
• Push token: a device push token used to deliver notifications you have enabled.

3.3 Information from Third Parties and Sign-In Providers

• Sign-in providers: the Service supports Sign in with Apple, Google sign-in, and email sign-in. When you use Apple or Google, we receive your name and email address (or Apple's private-relay email) solely to create and authenticate your account; we do not receive your contacts, posts, or other social-media data.
• App stores and subscription tooling: Apple (App Store / StoreKit) and RevenueCat provide receipt-validation and subscription-state data for in-app purchases. Stripe provides transaction status and limited billing information for web purchases.
• Analytics and crash reporting: PostHog and Sentry provide aggregated information about how the Service performs and is used.

3.4 Health Data (Data Concerning Health)

The following categories are, or may be, data concerning health under Article 9 of the GDPR (and "consumer health data" under the MHMDA and comparable laws). We process them only on the basis of your explicit consent (Article 9(2)(a) GDPR) and as further described in Section 4 and Section 5:

• Sobriety status and streak data: your quit date (the date you became, or intend to become, sober), your current and lifetime sober streak, and any relapse or reset history (which preserves your lifetime progress).
• Daily check-ins: your mood rating (on a 1–5 scale), the named moods you select, your craving intensity (on a 0–4 scale), and any free-text reflections you write.
• AUDIT-C alcohol-use answers: your responses to the AUDIT-C alcohol-use screener, which we treat as self-reflection inputs and not as a clinical diagnosis (see Section 16).
• Onboarding quiz responses: your stated motivations for change, craving triggers, whether you have tried to quit before, your intended quit date, and the inputs to your Sober Readiness score.
• AI Coach conversations: the message text you author in your conversations with the Coach, which concerns your relationship with alcohol and your wellbeing. How this is processed and transferred is described in detail in Section 5.
• Pre-account web quiz leads: if you complete the quiz on the orlyn.ai website before creating an account, we collect the email address you provide together with your AUDIT-C answers ("web quiz leads"). These are captured prior to account creation so we can send you your results and follow-up information.

We do not derive characteristics about you from your health data beyond what is necessary to operate the features described in this Privacy Policy, and we do not use your health data for advertising or to train third-party AI models.

3.5 Consent, Terms, and Deletion Records

• Consent and terms records: timestamps and records of the consents you give and of your acceptance of the Terms of Service and this Privacy Policy, kept to evidence compliance.
• Deletion log: when you delete your account, we retain a one-way hash of your email address (from which your email cannot be reconstructed) to honour your deletion and to prevent the re-creation of a deleted account. This is described further in Section 8.

4. How and Why We Use Your Information, and Our Lawful Bases

We use your information for the purposes set out below. For Users in the EU, EEA, and UK, each purpose is matched to its lawful basis under Article 6 of the GDPR, and — for any processing of data concerning health — to the additional condition under Article 9. All processing of data concerning health is carried out only on the basis of your explicit consent under Article 9(2)(a) GDPR, which you may withdraw at any time (see Section 9).

Per-purpose lawful-basis table. The following list maps each processing purpose to its lawful basis:

• Create and operate your account, deliver the core Service (streak tracking, daily check-ins, craving toolkit, leagues), and provide customer support → Article 6(1)(b) GDPR (performance of a contract); and, because this involves data concerning health, Article 9(2)(a) GDPR (explicit consent).
• Process and manage your subscription and billing → Article 6(1)(b) GDPR (performance of a contract), and Article 6(1)(c) GDPR (legal obligation) for tax and accounting records.
• Operate the AI Coach (generate support responses to the messages you author) → Article 9(2)(a) GDPR (explicit consent), supported by Article 6(1)(b) GDPR for the contractual delivery of an optional feature you have chosen to use (see Section 5).
• Make your pseudonymous presence visible on the weekly leagues → Article 9(2)(a) GDPR (explicit consent), because sober-day counts are health-adjacent; league visibility is optional and defaults to a privacy-protective setting.
• Send transactional and service communications (for example, check-in reminders, security alerts, and subscription notices) → Article 6(1)(b) GDPR (performance of a contract) and Article 6(1)(f) GDPR (legitimate interests) in keeping you informed about the Service.
• Compute your informational Sober Readiness score → Article 9(2)(a) GDPR (explicit consent) (the score is non-consequential and informational only; see Section 16).
• Maintain the security and integrity of the Service, detect and prevent fraud and abuse, and diagnose and fix crashes and errors → Article 6(1)(f) GDPR (legitimate interests) in operating a safe and reliable Service.
• Measure and improve the Service through product analytics → Article 6(1)(a) GDPR (consent), obtained through an in-app analytics setting (default off; see Section 15) and, on the website, through a consent banner.
• Display advertising-attribution and measurement pixels on the website → Article 6(1)(a) GDPR (consent), obtained through the website consent banner (see Section 15).
• Process pre-account web quiz leads (send you your results and related follow-up) → Article 6(1)(a) GDPR (consent) for the email follow-up, and Article 9(2)(a) GDPR (explicit consent) in respect of the AUDIT-C answers, which are data concerning health.
• Send marketing communications, where you have opted in → Article 6(1)(a) GDPR (consent).
• Comply with legal obligations and establish, exercise, or defend legal claims → Article 6(1)(c) GDPR (legal obligation) and Article 6(1)(f) GDPR (legitimate interests); where health data is involved, Article 9(2)(f) GDPR (legal claims) additionally applies.

Where we rely on consent, you may withdraw it at any time, and withdrawal is as easy as giving consent (see Section 9). Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal. Where we rely on legitimate interests, you may object as described in Section 9.

5. The AI Coach and DeepSeek (International Transfer to China)

The Service offers an optional 24/7 AI support coach (the "Coach"). The Coach is a support-only feature: it is not a human, not a therapist, and not a medical service, and it does not diagnose, treat, or provide medical advice (see Section 16 and the Terms of Service).

What is sent. When you send a message to the Coach, only the message text you author is transmitted to our AI provider to generate a reply. We do not add your name, email address, account identifier, or other system-level identifiers to the content sent to the provider. We apply data minimisation so that the provider receives the conversational text needed to respond and nothing more.

Who generates the replies. The Coach's replies are generated by DeepSeek, a third-party large-language-model provider that processes data in China. DeepSeek acts as our processor for this purpose and is bound by a data processing agreement.

This is an international transfer to China. Sending your Coach message text to DeepSeek is a transfer of Personal Data — including data concerning health — to China. The European Commission has not adopted an adequacy decision for China, and neither has the United Kingdom. We therefore rely on the following safeguards:

• the Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), in the controller-to-processor module (Module Two), supplemented for UK data by the UK International Data Transfer Addendum / IDTA;
• a documented Transfer Impact Assessment (TIA) that evaluates the relevant Chinese legal environment (including laws permitting government access to data) and the effectiveness of the safeguards; and
• supplementary measures, including encryption in transit (TLS), strict data minimisation, and the practice of not adding system-level identifiers (such as your name, email, or account ID) to the message payload.

Potential impact you should understand. Despite these safeguards, you should be aware that transferring data to China carries risks that cannot be fully eliminated by contract. In particular, a foreign government or authority may be able to access data under local laws in ways that differ from, and may offer less protection than, the standards you are used to in the EEA, the UK, or your home country, and your ability to obtain effective legal redress in such circumstances may be limited. A data protection authority could also restrict or suspend transfers of this kind in the future.

You can decline. Use of the Coach is optional. If you do not wish your message text to be processed by DeepSeek in China, you can simply decline to use the Coach — the rest of the Service (streak tracking, check-ins, craving toolkit, and leagues) works without it. You may request a copy of the safeguards applied to this transfer by contacting us at luca@orlyn.ai (we may redact commercial information).

You are always clearly told, in the chat itself, that you are interacting with an AI and not a human.

6. How We Share Your Information and Our Subprocessors

We do not sell your Personal Data, and we do not sell consumer health data. We share your information only as described below, and only to the extent necessary.

6.1 Subprocessors

We share Personal Data with the following service providers (subprocessors), each engaged under a data processing agreement that requires it to process Personal Data only on our documented instructions and to apply appropriate technical and organisational measures. The list states each provider's purpose and processing region:

• DeepSeek (China) — generates the AI Coach replies; receives the user-authored message text you send to the Coach, which may be data concerning health (see Section 5).
• Supabase, Inc. (European Union (Western Europe)) — primary database, authentication, edge functions, and file storage.
• RevenueCat, Inc. (United States) — in-app purchase and subscription-state management.
• Apple Inc. (United States / global) — App Store distribution, Sign in with Apple authentication, Apple Push Notification service, and in-app purchase processing.
• Google (Google LLC / Google Ireland Limited) (United States) — Google sign-in authentication.
• Stripe (United States / Ireland — Stripe Payments Europe Ltd for EEA Users; Stripe, Inc. for US Users) — website subscription checkout and payment processing.
• PostHog Inc. (EU-hosted instance for both the mobile app and the website) — product analytics.
• AppsFlyer Ltd (EU-hosted data center) — mobile install attribution and ad-campaign measurement; receives pseudonymous device-level technical data (IP address, device model, the app-scoped Apple identifier (IDFV), and app milestone events), never health data and never your name or email. Attribution on iOS uses Apple's aggregated SKAdNetwork framework; the app does not use the advertising identifier (IDFA) and does not track you across other companies' apps or websites.
• Meta Platforms, Inc. (United States) — website advertising-attribution pixel (consent-gated; see Section 15).
• TikTok / ByteDance (United States / China-governed) — website advertising-attribution pixel (consent-gated; see Section 15).
• Functional Software, Inc. (Sentry) (United States / Germany) — crash and performance monitoring.
• Expo / EAS (Expo, Inc.) (United States) — push-notification delivery infrastructure.
• DiceBear (dicebear.com) — generates a default avatar from your avatar seed; receives the seed value only.
• Resend (Resend, Inc.) (United States) — transactional email delivery.
• Cloudflare, Inc. (Turnstile) (global) — bot defence and abuse prevention.

The advertising-attribution pixels (Meta and TikTok) operate on the website only and are set only with your consent. The Service does not use Apple HealthKit, the Apple Screen Time API, step-count data, wallet, banking, money-transfer, or staking integrations of any kind.

6.2 Other Recipients

• Legal requirements. We may disclose Personal Data where required to do so by law or in response to a valid request by a public authority (for example, a subpoena, court order, or other legal process), to protect our rights, property, or safety or those of our Users or the public, to detect, prevent, or address fraud or security issues, and to enforce the Terms of Service. We will notify affected Users of any such disclosure where permitted by law.
• Business transfers. If Orlyn is involved in a merger, acquisition, financing, reorganisation, insolvency, or sale of all or part of its assets, your Personal Data may be transferred as part of that transaction. We will notify you of any such transfer and of any material change in how your Personal Data is processed.
• Aggregated and de-identified data. We may share aggregated or de-identified information that cannot reasonably be used to identify you for research, analytics, or other purposes.

7. International Data Transfers

Your Personal Data may be transferred to, and processed in, countries other than your country of residence, including those of the subprocessors listed in Section 6.1. These countries may have data protection laws that differ from those of your country.

For transfers from the EEA, the UK, or Switzerland to countries not deemed to provide an adequate level of data protection, we implement appropriate safeguards, including:

• the Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), supplemented where appropriate by the UK International Data Transfer Addendum for UK data;
• the Swiss Federal Data Protection and Information Commissioner's standard contractual clauses for transfers from Switzerland;
• transfer impact assessments and supplementary technical, contractual, and organisational measures, where necessary; and
• data processing agreements with all processors and subprocessors.

The most significant transfer is to DeepSeek in China, which has no adequacy decision; this transfer, its safeguards, and its potential impact are described in detail in Section 5. Where US providers participate in a recognised transfer framework, we rely on that framework or on the Standard Contractual Clauses as applicable. For Canadian Users, please also see the cross-border processing notice in Section 11.

You may request a copy of the safeguards applied to a specific transfer by contacting us at luca@orlyn.ai. We may redact commercial information.

8. Data Retention and Deletion

We retain Personal Data only for as long as necessary for the purposes for which it was collected, subject to legal retention obligations.

• Coach conversations and daily check-ins: retained for as long as your account is active, that is, until you delete your account. We currently apply no fixed shorter cap to this content; we recommend, and intend to introduce, a retention limit in a future version of the Service.
• Account, profile, streak, and onboarding-quiz data: retained for the duration of the account and deleted on account deletion as described below.
• Pre-account web quiz leads (email + AUDIT-C answers): retained to provide your results and follow-up. We recommend, and intend to implement, an automated cleanup of these leads after a defined period.
• Subscription and billing records: retained as required by applicable tax and accounting law.
• Log and security data: retained for a limited period for security and operational purposes.
• Consent and terms records: retained for the period necessary to evidence compliance.

Account deletion. You may delete your account at any time from within the Service (in-app account deletion is available in Settings). On deletion, your account enters a 30-day soft-delete period (or is deleted immediately, depending on the path you choose), after which an automated server-side process cascade-deletes the rows associated with your account, including your authentication record, profile, streak and relapse history, check-ins, onboarding-quiz responses, Coach conversations, league presence, and other Personal Data linked to your account. The only item retained is a one-way hash of your email address, which cannot be reversed to recover your email and is kept solely to honour your deletion and prevent re-creation of a deleted account, together with any records we are required by law to retain or that are necessary to establish, exercise, or defend legal claims.

If you signed in using Sign in with Apple, we additionally call Apple's token-revocation endpoint as part of deletion, so that Orlyn no longer appears under "Apps Using Apple ID" in your iCloud settings. If you cannot use the in-app deletion flow, you may contact us at luca@orlyn.ai and we will process your request manually.

9. Your Rights (GDPR / UK GDPR) and How to Exercise Them

If you are in the EU, EEA, or UK, you have the following rights with respect to your Personal Data:

• Access (Article 15): confirmation of whether we process your Personal Data and, if so, a copy of it and related information.
• Rectification (Article 16): correction of inaccurate Personal Data and completion of incomplete data.
• Erasure (Article 17): deletion of your Personal Data in the circumstances provided by law.
• Restriction (Article 18): restriction of processing in certain circumstances.
• Data portability (Article 20): receipt of the Personal Data you provided in a structured, commonly used, machine-readable format.
• Object (Article 21): objection to processing based on legitimate interests and to processing for direct-marketing purposes.
• Withdraw consent at any time, including for all health-data processing and for the Coach, without affecting the lawfulness of processing before withdrawal. Withdrawing consent is as easy as giving it.
• Rights related to automated decision-making (Article 22): as explained in Section 16, the Service does not make decisions about you that are based solely on automated processing and produce legal or similarly significant effects.
• Lodge a complaint with a supervisory authority (see Section 18).

How to exercise your rights. You can request a copy of your data using the "Request my data" action in the in-app Settings, which opens a pre-addressed email to our privacy contact; email us directly at luca@orlyn.ai; and delete your account at any time using in-app account deletion (see Section 8). Please include enough information for us to verify your identity (such as your account email address). We will respond within one (1) month under the GDPR and UK GDPR, extendable by two (2) further months for complex or numerous requests. We do not charge a fee unless a request is manifestly unfounded or excessive, and you may appeal a refusal in accordance with applicable law.

10. US State Privacy Rights

This Section applies to Users who are residents of US states with applicable privacy laws. We do not sell Personal Data, and we do not sell sensitive or consumer health data.

10.1 California (CCPA/CPRA)

California residents have the right to know/access, delete, and correct Personal Information, to opt out of the sale or sharing of Personal Information, to limit the use and disclosure of Sensitive Personal Information, and to non-discrimination for exercising these rights.

• Sensitive Personal Information (SPI). Your health-related information is Sensitive Personal Information under the CCPA/CPRA. We use it only to provide and secure the Service and the features you have chosen, and not to infer characteristics about you. You may exercise the "Limit the Use of My Sensitive Personal Information" right by contacting us at luca@orlyn.ai.
• Do Not Sell or Share. We do not sell Personal Information for money. To the extent that the use of advertising-attribution pixels on the website constitutes "sharing" for cross-context behavioural advertising under the CCPA/CPRA, you may exercise "Do Not Sell or Share My Personal Information" by declining or withdrawing consent in the website consent banner, by contacting us at luca@orlyn.ai, or by using the Global Privacy Control signal.
• Global Privacy Control (GPC). We recognise and honour the GPC browser signal as a valid opt-out of sale/sharing; exercising it does not require an account, and we apply it across logged-out and logged-in sessions.
• Categories collected. In the preceding twelve (12) months we have collected: identifiers; customer records; commercial information (subscription/transaction data); internet or other electronic network activity information; health information / Sensitive Personal Information; and inferences limited to operating the Service.

10.2 Virginia, Colorado, Connecticut, Texas, Oregon, Montana, and Other States

Residents of Virginia, Colorado, Connecticut, Texas, Oregon, Montana, and other states with comprehensive privacy laws have the rights to access, correct, delete, and obtain a portable copy of their Personal Data, and to opt out of the sale of Personal Data, targeted advertising, and certain profiling. Because health data is "sensitive data" under these laws, we process it only with your opt-in consent, which you may revoke as easily as you gave it.

• Appeals. If we decline a rights request, you may appeal. To appeal, reply to our decision or contact us at luca@orlyn.ai; we will respond within the period required by your state's law. If your appeal is denied, you may contact your state Attorney General (see Section 18).
• Universal opt-out / GPC. In states that require it, we honour a recognised Universal Opt-Out Mechanism, including the Global Privacy Control.

10.3 Washington and Other Consumer-Health-Data States

If you are a Washington resident (or a resident of another state with a consumer-health-data law, such as Nevada, Connecticut, or Colorado), your sobriety, craving, mood, AUDIT-C, reflection, and Coach data are "consumer health data." Your consumer-health-data rights, the categories we collect, our sources and purposes, the categories of third parties and the specific affiliates and processors with whom we share consumer health data (including DeepSeek), and how to exercise your rights, are set out in our separate Washington Consumer Health Data Privacy Policy, available at orlyn.ai/consumer-health-data. That standalone policy governs consumer health data and is incorporated here by reference. We do not engage in geofencing around health-care facilities.

11. Canada (PIPEDA, Québec Law 25, and CASL)

For Users in Canada, we handle Personal Data in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws, including Québec's Law 25 and the Canadian Anti-Spam Legislation (CASL).

• Accountability and openness. The individual accountable for our handling of Personal Data, and the privacy officer / responsible person for the purposes of Québec Law 25, is the controller named in Section 2 (Luca Diaz Hilterscheid), contactable at luca@orlyn.ai.
• Express consent for sensitive information. Health/sobriety information is sensitive; we collect and use it only with your express, meaningful, opt-in consent, described in plain language and withdrawable at any time. Under Québec Law 25, the highest-confidentiality settings apply by default (for example, league visibility is off by default), and consent for sensitive information is obtained separately and granularly.
• Cross-border processing. Your Personal Data may be processed outside Canada, including in the United States and, for the Coach, in China (see Section 5). Information processed in another country may be accessible to the courts, law enforcement, and authorities of that country. We require comparable protection by contract and disclose these transfers to you here.
• Automated processing. Where the informational Sober Readiness score is based on automated processing (see Section 16), you may request information about it and submit observations.
• Marketing (CASL). We send commercial electronic messages only with your express opt-in consent, identify ourselves and provide a postal address and contact in each message, and honour unsubscribe requests within ten (10) business days.
• Access and complaints. You may request access to and correction of your Personal Data, and you may complain to the Office of the Privacy Commissioner of Canada (OPC) or, in Québec, the Commission d'accès à l'information (CAI) (see Section 18).

12. We Are Not a HIPAA Covered Entity

Orlyn is a direct-to-consumer wellness application. We are not a "covered entity" or "business associate" under the US Health Insurance Portability and Accountability Act (HIPAA), and HIPAA does not apply to the Service. Instead, our handling of health-related information is subject to the Federal Trade Commission Act (including the FTC's prohibition on unfair or deceptive practices and the FTC Health Breach Notification Rule) and to state consumer-health-data laws such as the Washington My Health My Data Act. This means your health-related information is not protected by HIPAA, but it is protected by the commitments in this Privacy Policy and by those laws.

13. Data Security

We implement appropriate technical and organisational measures to protect Personal Data against unauthorised access, alteration, disclosure, or destruction.

Technical measures: encryption in transit (TLS); encryption of data at rest; salted hashing of authentication secrets; least-privilege access controls; secure development practices; and ongoing monitoring.

Organisational measures: access limited to authorised personnel on a need-to-know basis; confidentiality undertakings; documented incident-response procedures; periodic review of security practices; and data minimisation.

Breach notification. In the event of a Personal Data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within seventy-two (72) hours where required by Article 33 GDPR, and affected Users without undue delay where required by Article 34 GDPR. Where the FTC Health Breach Notification Rule, Québec Law 25, or a US state breach law applies, we will provide the notifications those laws require within the time they prescribe.

No method of transmission over the Internet or electronic storage is completely secure; while we work to protect your Personal Data, we cannot guarantee absolute security.

14. Age — The Service Is for Adults (18+) and Not for Children

The Service is intended only for individuals aged 18 or older. We do not knowingly collect Personal Data from anyone under 18 years of age. If you are under 18, you must not use the Service or provide us with any Personal Data.

If you are a parent or guardian and believe a person under 18 has provided us with Personal Data, please contact us at luca@orlyn.ai. If we learn that we have collected Personal Data from a person under 18, we will promptly delete it and terminate the account. In the United States we comply with the Children's Online Privacy Protection Act (COPPA); in the EU and UK we apply the GDPR and UK GDPR provisions on children's data. Because the Service is offered only to adults, the question of digital consent under Article 8 GDPR does not arise.

15. Cookies, SDKs, and Tracking Technologies

Website. On orlyn.ai, only strictly necessary cookies are used by default. Non-essential technologies — PostHog product analytics (hosted on its EU instance) and, if enabled, the Meta Pixel and TikTok Pixel for advertising attribution — are governed by a regional consent model. Where opt-in consent is required (including the EEA, the United Kingdom, and Switzerland), they are loaded only with your prior consent, collected through a consent banner where you can accept or reject non-essential categories (rejecting is as easy as accepting, and no boxes are pre-ticked); for Users in Germany, this opt-in requirement reflects § 25 TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz). In other regions, these technologies run by default and you can opt out at any time. In every region you can make, change, or withdraw your choice through the "Cookie preferences" link in the website footer, and we honour the Global Privacy Control signal as an opt-out as described in Section 10.

Mobile app. Product analytics in the app are on by default: pseudonymous usage events (see Section 3.2) are sent to PostHog's EU-hosted instance to help us understand and improve the Service. The app also includes the AppsFlyer SDK for install attribution: it measures, in pseudonymous and campaign-level form, which advertising campaign (if any) led to your installation, using Apple's privacy-preserving SKAdNetwork framework. The app does not request the App Tracking Transparency permission, does not access the advertising identifier (IDFA), and does not track you across other companies' apps or websites; no health data is ever shared with AppsFlyer or any advertising partner. You can turn analytics off at any time using the analytics toggle in Settings — it governs PostHog and AppsFlyer alike, and your choice takes effect immediately on your device. Crash and error telemetry are used to keep the Service stable as described in Section 4.

16. Automated Processing and the Sober Readiness Score

The Service computes a Sober Readiness score from inputs you provide during onboarding (such as your motivations, your AUDIT-C answers, your stated craving triggers, and whether you have tried to quit before). To give you meaningful transparency about the logic involved:

• the score is produced by combining your self-reported answers using a fixed, rules-based scoring method; it reflects what you told us and is intended to help you reflect on your own readiness to change;
• it is informational and non-consequential: it does not gate access to the Service, set your price, restrict any feature, or make any other decision that produces legal or similarly significant effects for you. You remain in control and may disregard it;
• it is not a clinical assessment, diagnosis, or prediction. The AUDIT-C is used as a self-reflection tool, not as a medical screening or diagnosis.

The Coach generates support responses using an AI model (DeepSeek; see Section 5); these responses are suggestions only and are not professional or medical advice. Because none of these features makes a decision about you based solely on automated processing with legal or similarly significant effect, they do not constitute automated individual decision-making within the meaning of Article 22 GDPR. If you would like a human to look at anything the Service has shown you, you can contact us at luca@orlyn.ai. Under Québec Law 25, you may request information about the automated processing and submit observations.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated Privacy Policy in the Service and on orlyn.ai, updating the "Last Updated" date, and, where we have your email address, emailing you. For material changes that affect how we process your Personal Data, we will provide reasonable advance notice — at least thirty (30) days where practicable — before the changes take effect, except where a shorter period is required by law. Your continued use of the Service after the effective date of a change constitutes acknowledgement of the updated Privacy Policy; if you do not agree, you may delete your account as described in Section 8 before the effective date.

18. Contact and Complaint Authorities

For any question or request about this Privacy Policy or our processing of your Personal Data:

Controller: Luca Diaz Hilterscheid (Einzelunternehmer)

Postal address: Märkische Heide 5, 14532 Kleinmachnow, Germany

Email: luca@orlyn.ai

You also have the right to complain to a supervisory or data-protection authority:

• EU / Germany: Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg (LDA Brandenburg), https://www.lda.brandenburg.de — our lead supervisory authority. You may also complain to the authority in your own EU/EEA country of residence or place of work; a list is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
• United Kingdom: the Information Commissioner's Office (ICO), https://ico.org.uk.
• United States: your state Attorney General (for example, the California, Washington, Virginia, Colorado, Connecticut, Texas, Oregon, or Montana Attorney General), in addition to any rights of appeal described in Section 10.
• Canada: the Office of the Privacy Commissioner of Canada (OPC), https://www.priv.gc.ca, or, in Québec, the Commission d'accès à l'information du Québec (CAI), https://www.cai.gouv.qc.ca.