Last Updated: Nov 25, 2025

HolistaCare (“HolistaCare”, “we”, “us”, or “our”) is a health and wellness application that uses an Agentic AI framework to provide personalized assessments, insights, and guidance. We are committed to protecting your personal data and handling it in a transparent, lawful, and secure manner.

This Privacy Policy explains how we collect, use, share, and protect your personal data when you use our mobile application, websites, and related services (collectively, the “Services”).

HolistaCare is not a medical device and does not provide professional medical advice, diagnosis, or treatment. Always consult a qualified healthcare professional regarding medical questions or conditions.

By using the Services, you acknowledge that you have read and understood this Privacy Policy.


1. Data Controller and Contact Details

For purposes of data protection laws such as the EU General Data Protection Regulation (“GDPR”) and the UK GDPR, the data controller is:

Maxxpace solutions s.r.o
Address: Vídeňská 297/99, 639 00 Brno, Czech Republic
Email: enquiry@maxxpace.com

If you are in the European Economic Area (EEA), the UK, or Switzerland, and we are required to appoint a representative, their details will be:

  • EU Representative: [If applicable, insert Representative Name & Contact]
  • UK Representative: [If applicable, insert Representative Name & Contact]

If we are required to appoint a Data Protection Officer (DPO), their contact details are:

  • Email: enquiry@maxxpace.com

2. Scope and Who This Policy Applies To

This Privacy Policy applies to:

  • Users of the HolistaCare mobile app (Android, iOS)
  • Visitors to our websites and web portals
  • Individuals who contact us via support channels, email, or feedback forms

This Privacy Policy does not apply to third-party websites, services, or applications that we do not control, even if they are linked from our Services.


3. Key Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Special Category Data: Sensitive data listed in Art. 9 GDPR, including data concerning health (such as the wellness and assessment data described in Section 4).
  • Processing: Any operation performed on personal data (e.g., collection, storage, use, disclosure).
  • Controller: The entity that determines the purposes and means of processing personal data.
  • Processor: A third party processing data on behalf of the controller.

4. What Data We Collect

We collect the following categories of personal data. Some of this data may be considered special category data (e.g., wellness and health-related information) under GDPR.

4.1 Data You Provide Directly

  1. Account and Profile Data
    • Name, email address, password (hashed), username or display name.
    • Optional demographic data such as age range, country/region, preferred language, and gender, if you choose to provide them.
  2. Wellness and Assessment Data (Special Category Data)
    • Information you provide in assessments and questionnaires (e.g., sleep, stress, nutrition, activity, mood, lifestyle habits).
    • Goals and preferences (e.g., “improve sleep”, “reduce stress”, “increase activity”).
    • Notes or reflections you choose to store in the app (e.g., journal entries).
  3. AI Interaction Data
    • Text messages, prompts, and content you submit to the AI assistant.
    • Voice inputs and recordings (where enabled), including any transcriptions.
    • Ratings, flags, and feedback on AI responses.
  4. Payment and Subscription Data
    • Subscription plan details, renewal dates, and status.
    • Transaction-related identifiers, billing country, and limited payment metadata.
    • We do not store full payment card numbers. Payments are processed via secure third-party gateways (e.g., Google Pay, Apple Pay, Stripe/Pioneer, Czechia Merchant Gateway – Unicredit).
  5. Support, Feedback, and Communications
    • Content of messages you send to support.
    • Survey responses, beta feedback, or research participation (if you choose to participate).

4.2 Data Collected Automatically

  1. Device and Technical Data
    • Device type, operating system, app version, device identifiers, language, and region.
    • IP address, date and time of access.
  2. Usage and Interaction Data
    • Screens and features you use, time spent, navigation flows.
    • Crash logs, performance data, error reports.

We typically use this data in aggregated or pseudonymized form to improve performance and user experience.

4.3 Data from Third-Party Services (Optional Integrations)

If you choose to connect HolistaCare to third-party services (collectively, “Third-Party Services”), we may receive:

  • Wellness or activity data from integrated platforms/devices (where supported).
  • Authentication information from sign-in providers (e.g., Google Sign-In, Apple Sign-In).
  • Payment confirmation or subscription status from payment gateways.
  • Meal plans from Suggestic.
  • Wearables and Health Connect data via Saha.
  • Cardiac and blood flow measurements extracted via ShenAI.
  • Exercise and fitness plans from HyperHuman.

We will only access such data according to the permissions you grant and the configuration you choose, and you can revoke access at any time.


5. Purposes and Legal Bases for Processing (GDPR / UK GDPR)

We process your personal data for the following purposes and under the following legal bases:

5.1 To Provide and Operate the Services

  • Purposes
    • Create and manage your account.
    • Deliver assessments, generate reports, and provide personalized wellness insights.
    • Provide AI-based assistance (text/voice), including interpreting your inputs and generating responses.
    • Process payments and manage subscriptions.
  • Legal Bases
    • Performance of a contract (Art. 6(1)(b) GDPR): To provide you with the Services you requested.
    • Explicit consent for processing of wellness/health-related (special category) data (Art. 9(2)(a) GDPR), where applicable.

5.2 To Personalize Content and Recommendations

  • Purposes
    • Tailor assessment flows, recommendations, and AI responses to your profile, past usage, and preferences.
    • Display trends and progress in your reports.
  • Legal Bases
    • Explicit consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR) where personalization uses special category data.
    • Legitimate interests (Art. 6(1)(f) GDPR) for non-sensitive personalization, balanced against your rights and expectations.

5.3 To Operate and Improve AI Models

  • Purposes
    • Use your inputs to generate AI outputs in real time.
    • Evaluate and improve the safety, quality, and relevance of AI responses.
    • Maintain guardrails and filters to reduce harmful or inappropriate content.
  • Legal Bases
    • Performance of a contract (for generating responses you request).
    • Legitimate interests (for improving AI systems), using appropriate safeguards such as pseudonymization and aggregation.
    • Explicit consent (Art. 9(2)(a) GDPR) where we use your inputs to improve models beyond what is strictly necessary to respond to your query and those inputs include special category data.

You may be given in-app options to control whether your data can be used to improve our AI systems beyond your direct interactions.

5.4 To Maintain Security, Prevent Abuse, and Ensure Compliance

  • Purposes
    • Detect, prevent, and respond to fraud, abuse, security incidents, and violations of our terms.
    • Monitor system performance and maintain service integrity.
    • Comply with legal obligations, law enforcement requests, or regulatory requirements.
  • Legal Bases
    • Legitimate interests (Art. 6(1)(f) GDPR) in ensuring the security of our Services and users.
    • Legal obligation (Art. 6(1)(c) GDPR), where applicable.

5.5 To Communicate with You

  • Purposes
    • Send service-related messages (e.g., account notices, security alerts, billing updates).
    • Respond to your inquiries and support requests.
    • Send marketing and product communications (where permitted).
  • Legal Bases
    • Performance of a contract and/or legitimate interests for service-related communications.
    • Consent for certain marketing communications, where required. You may withdraw consent or opt-out at any time.

6. How We Use AI and Profiling

HolistaCare uses AI to:

  • Interpret your assessments and inputs.
  • Generate wellness-related suggestions, explanations, and educational content.
  • Highlight trends and possible focus areas based on your usage.

This may involve profiling within the meaning of GDPR. However:

  • We do not make decisions with legal or similarly significant effects on you based solely on automated processing (Art. 22 GDPR).
  • You always retain the choice whether to act on AI suggestions.
  • You may contact us to request human review or explanation of how a particular AI-driven recommendation was generated, to the extent technically feasible.

7. Data Sharing and Recipients

We do not sell your personal data.

We may share personal data with:

  1. Service Providers (Processors)
    • Cloud hosting and storage (e.g., infrastructure providers).
    • AI platforms (e.g., Amazon Bedrock on AWS) used to process your inputs and generate outputs.
    • Analytics, logging, and performance monitoring tools.
    • Payment processors and gateways.
    • Customer support and communication tools.

These providers act as processors under GDPR, following our documented instructions and subject to appropriate data processing agreements, confidentiality obligations, and security controls.

  2. Third-Party Services You Choose to Connect
    • When you authorize integrations, we share and receive data as necessary to operate that integration. You can revoke access at any time from within HolistaCare or at the third-party service.
  3. Affiliates and Group Companies
    • Where necessary for internal administration, support, and service delivery, subject to appropriate safeguards.
  4. Business Transfers
    • In connection with a merger, acquisition, restructuring, or sale of assets, your personal data may be transferred as part of that transaction. We will take steps to ensure your rights continue to be protected.
  5. Legal and Safety
    • When required by law, regulation, legal process, or governmental request.
    • To protect the rights, property, or safety of HolistaCare, our users, or the public.

We may share aggregated or de-identified data that cannot reasonably be used to identify you, for research, analytics, or business purposes.


8. International Data Transfers

Your personal data may be processed in countries outside your country of residence, including outside the European Economic Area (EEA), the UK, or Switzerland (for example, where we use cloud providers or service providers located elsewhere).

Where such transfers occur, we will ensure an adequate level of protection by:

  • Relying on an adequacy decision of the European Commission or UK adequacy regulations (where applicable), or
  • Using Standard Contractual Clauses (SCCs) or equivalent safeguards approved under applicable law, and
  • Implementing additional technical and organizational measures as necessary (e.g., encryption, access controls).

You can obtain more information about these safeguards by contacting us at enquiry@maxxpace.com.


9. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, including:

  • While your account is active.
  • For the period needed to provide the Services and comply with applicable laws.
  • For the period needed to maintain security, prevent fraud, or resolve disputes.

Retention guidelines (subject to applicable law and internal policies):

  • Account Data: Retained while your account is active and for a limited period thereafter (e.g., 2 years) for record-keeping and legal obligations.
  • Wellness & Assessment Data: Retained while your account is active, or until you delete it or request erasure, subject to backups and legal obligations.
  • AI Interaction Data: Retained to operate the Services and, if permitted, to improve AI models for a defined period, after which it may be anonymized or deleted.
  • Payment & Transaction Data: Retained for accounting and tax purposes for the period required by law.
  • Logs and Security Data: Retained for a limited period (typically 2 months) unless required longer for investigations.

When your personal data is no longer needed, we will delete or anonymize it in a secure manner.


10. Your Rights (GDPR / UK GDPR / Similar Laws)

Depending on your location, you may have the following rights:

  1. Right of Access
    Request confirmation of whether we process your personal data and obtain a copy.
  2. Right to Rectification
    Request correction of inaccurate or incomplete personal data.
  3. Right to Erasure (“Right to be Forgotten”)
    Request deletion of your personal data where certain grounds apply (e.g., withdrawal of consent, no longer needed, unlawful processing).
  4. Right to Restriction of Processing
    Request limiting the processing of your data in certain circumstances.
  5. Right to Data Portability
    Receive your personal data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
  6. Right to Object
    Object to processing based on legitimate interests or for direct marketing purposes.
  7. Right to Withdraw Consent
    Where processing is based on consent, you may withdraw your consent at any time. Withdrawal will not affect the lawfulness of processing before withdrawal.
  8. Right to Lodge a Complaint
    You have the right to lodge a complaint with a data protection authority, in particular in the EEA/UK country where you live, work, or where a suspected infringement has occurred.

To exercise your rights, please contact us at enquiry@maxxpace.com. We may need to verify your identity before responding.


11. Children’s Privacy

HolistaCare is not intended for children under 16 (or higher age as required by local law), and we do not knowingly collect personal data from children in this age group without appropriate parental or guardian consent, where required.

If you believe we have collected personal data from a child contrary to this policy, contact us at enquiry@maxxpace.com, and we will take steps to delete such data.


12. Security, SOC 2, and ISO 27001–Aligned Controls

We maintain an information security program designed to be compatible with recognized frameworks such as ISO/IEC 27001 and SOC 2. While this Privacy Policy does not itself constitute certification, our controls include:

  1. Governance and Policies
    • Documented information security policies approved by management.
    • Clear roles and responsibilities for security and privacy.
  2. Risk Management
    • Regular risk assessments covering confidentiality, integrity, availability, and privacy risks.
    • Risk treatment plans and periodic reviews.
  3. Access Control and Identity Management
    • Principle of least privilege and role-based access control.
    • Strong authentication and secure credential management.
    • Access reviews and revocation processes.
  4. Data Protection and Encryption
    • Encryption in transit (e.g., HTTPS/TLS) and at rest where appropriate (e.g., database or volume-level encryption).
    • Segregation of environments (development, staging, production).
  5. Secure Development and Change Management
    • Secure coding guidelines and code review processes.
    • Change control procedures for infrastructure and application changes.
    • Testing and approval before deployment to production.
  6. Logging, Monitoring, and Incident Response
    • Centralized logging of critical activities and security events.
    • Monitoring for anomalies, unauthorized access, and performance issues.
    • Documented incident response plan, including escalation paths and notifications.
  7. Vendor and Subprocessor Management
    • Due diligence and security reviews for third-party service providers.
    • Data Processing Agreements (DPAs) with processors.
    • Ongoing monitoring for vendor security posture where appropriate.
  8. Backup and Business Continuity
    • Regularly tested backups of critical systems and data.
    • Business continuity and disaster recovery plans.
  9. Training and Awareness
    • Security and privacy awareness training for staff.
    • Confidentiality obligations in employment and contractor agreements.

If we obtain or maintain formal SOC 2 or ISO 27001 certifications, details may be provided upon request or in separate documentation.


13. Third-Party Websites and Services

Our Services may contain links to, or integrations with, third-party websites and services that are not operated or controlled by HolistaCare. This Privacy Policy does not apply to those third parties.

We encourage you to review the privacy policies of any third-party services you use in connection with HolistaCare.


14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.

When we make material changes, we will:

  • Update the “Last Updated” date at the top of this page, and
  • Provide additional notice where required (e.g., in-app notice or email).

Your continued use of the Services after the effective date of the updated Privacy Policy constitutes your acceptance of the changes.


15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:

HolistaCare – Privacy Contact
Email: enquiry@maxxpace.com
Address: Vídeňská 297/99, 639 00 Brno, Czech Republic

If applicable, you may also contact our Data Protection Officer at:
Email: info@holista.care