Privacy Policy

Last updated: June 12, 2026  ·  Version 1.0

1. Introduction

Omstille (“the Application”) is a private wellness session management application developed and operated by Omstille LLC (“Omstille”, “we”, “us”, “our”). The Application is available exclusively to healthcare and wellness practitioners whose employer or practice is enrolled in the Omstille enterprise programme. It is not available to the general public.

This Privacy Policy explains how we collect, use, store, and protect personal information when you use the Omstille mobile application on an organisation-managed Android device. It also describes the rights available to individuals whose personal data is processed through the Application.

This Policy applies to users and organisations in all jurisdictions where Omstille operates, including the European Union / European Economic Area (governed by GDPR), the United States (including CCPA/CPRA for California residents and HIPAA where applicable), and Mexico (governed by LFPDPPP).

By using the Application, you confirm that you have read and understood this Privacy Policy.

2. Who We Are

Omstille LLC
Attn: Data Privacy
Nye Sandviksveien 56
5032 BERGEN, Norway
privacy@omstille.com
https://omstille.com

2.1 Data Controller / Data Processor roles

  • For EU/EEA users, Omstille LLC is the data controller for practitioner account data under Regulation (EU) 2016/679 (GDPR). For patient data, the subscribing healthcare/wellness organisation is the data controller and Omstille LLC acts as the data processor pursuant to a Data Processing Agreement (DPA).
  • For US users, Omstille LLC is the business as defined under CCPA/CPRA (California Civil Code § 1798.100 et seq.). If your organisation operates in the US healthcare sector and patient data constitutes Protected Health Information (PHI) under HIPAA, a Business Associate Agreement (BAA) is required between Omstille LLC and the covered entity before processing PHI.
  • For Mexican users, Omstille LLC acts as the responsible party (responsable) for personal data processing under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP). This document also serves as the required Aviso de Privacidad under Mexican law.

3. What Personal Data We Collect

3.1 Practitioner Account Data

When a practitioner registers and uses the Application:

Data | Purpose
Full name | Identity within the platform; session attribution
Email address | Account authentication (AWS Cognito); communication
Phone number | Account verification; contact
Organisation name | Access control; subscription management
Authentication tokens | Session management (stored on the device via Expo SecureStore)

3.2 Patient Data

Practitioners may enter the following data about their patients. Patients are not directly users of the Application.

Data | Purpose
Full name | Patient identification within the session record
Email address | Optional identifier (not used for communication by the Application)
Phone number | Optional identifier
Age | Wellness context for protocol execution
Gender | Wellness context for protocol execution
Occupation | Wellness context for protocol execution
Wellness notes | Practitioner notes attached to the patient record

3.3 Session Data

Each wellness session creates a record containing:

Data | Purpose
Form/protocol responses | Core wellness output; review and analysis
Session start and end time | Audit log; session metrics
Audio recording of the session | Wellness reference; uploaded on session completion to Omstille's AWS S3 bucket (eu-west-3) and accessible only to the organisation's authorised practitioners
Automatic speech-to-text transcript | Assists practitioner review; transcription runs entirely on the device and the resulting transcript is uploaded with the session record

3.4 Technical and Device Data

Data | Purpose
Device identifiers (via Expo Constants) | App version management; diagnostics
Push notification token | In-app session notifications
App version and build number | Support and diagnostics

We do not collect precise location, browsing history, advertising identifiers, or financial information.

4. Sensitive Data

Patient wellness assessments, session recordings, and transcripts constitute sensitive personal data:

  • Under GDPR Art. 9 — special category data concerning health.
  • Under CCPA/CPRA — sensitive personal information.
  • Under LFPDPPP — datos personales sensibles.

This data is:

  • Only accessible to authorised practitioners within the same organisation.
  • Stored in Omstille LLC's dedicated AWS infrastructure (eu-west-3, Paris data centre).
  • Never used for advertising or profiling, and never sold to third parties.

Important notice for US organisations — HIPAA

If your organisation is a covered entity under the US Health Insurance Portability and Accountability Act (HIPAA) and patient data processed through Omstille constitutes Protected Health Information (PHI), you must execute a Business Associate Agreement (BAA) with Omstille LLC before using the Application. AWS, our sole infrastructure provider, offers a BAA that covers its HIPAA-eligible services. Contact privacy@omstille.com before onboarding.

5. How We Use Personal Data

Purpose | Legal basis — EU (GDPR) | Legal basis — US | Legal basis — Mexico (LFPDPPP)
Providing the session management service | Contract performance (Art. 6(1)(b)) | Contractual necessity | Execution of a legal relationship
Processing patient health data for wellness purposes | Art. 9(2)(h) — health care; or explicit consent | BAA / consent | Consent of the data subject
Authentication and access control | Legitimate interests (Art. 6(1)(f)) | Contractual necessity | Legitimate interest
Sending session notifications to practitioners | Legitimate interests | Contractual necessity | Consent
Diagnosing application issues and support | Legitimate interests | Legitimate interests | Legitimate interest
Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) | Legal obligation | Legal obligation

6. Audio Recording

When a practitioner starts a wellness session with audio recording enabled:

  1. The device's microphone records the session audio.
  2. On-device automatic speech recognition (ASR) transcribes speech in real time using the Moonshine AI model, which runs entirely on the device. No audio is sent to an external ASR service or third-party cloud; the transcript stays on the device until it is uploaded as part of the session record.
  3. On session completion, the complete audio recording file is uploaded over HTTPS (TLS) to Omstille's private AWS S3 bucket (eu-west-3).
  4. Audio recordings are accessible only to authorised practitioners of the patient's organisation.
  5. An on-screen indicator is shown at all times while recording is active. The practitioner can stop recording at any time.

The Application requests the Android RECORD_AUDIO permission solely for this purpose. The microphone is never used for background monitoring or surveillance.

7. Data Storage and Retention

All data is stored in AWS infrastructure in the EU (eu-west-3, Paris, France).

Data type | Storage | Retention period
Practitioner account data | AWS Cognito + DynamoDB (eu-west-3) | Active account lifetime + 30 days after closure
Patient records and session data | AWS DynamoDB (eu-west-3) | 5 years from the date of last session activity, then permanently deleted
Audio recordings | AWS S3 (eu-west-3) | 5 years from the session date, then permanently deleted. Practitioners may delete individual recordings earlier from within the app.
Authentication tokens | Expo SecureStore on the device (backed by the Android Keystore) | Cleared on sign-out or device wipe

Data retention periods may be adjusted where required by local law (e.g. longer retention may apply under healthcare regulations in specific jurisdictions). Omstille will notify affected organisations of any such change.

8. Data Sharing and Third-Party Processors

We do not sell, rent, license, or share personal data with advertising networks, data brokers, or third-party analytics providers.

The only sub-processor we use is:

Sub-processor | Service | Location | Data processed | DPA in place
Amazon Web Services (AWS) | Cloud infrastructure (Cognito, S3, DynamoDB, Lambda, API Gateway) | EU — eu-west-3, Paris, France | All user and session data in transit and at rest | Yes (AWS DPA; HIPAA BAA available on request)

The Application does not embed any third-party analytics SDK (e.g. Firebase Analytics, Amplitude), advertising SDK, or crash-reporting service that transmits data externally.

9. Security

Technical and organisational measures in place:

  • Encryption in transit: HTTPS/TLS 1.2+ for all network communication. API endpoints are protected by AWS API Gateway with JWT authorisation backed by AWS Cognito.
  • Encryption at rest: AWS S3 and DynamoDB use AES-256 server-side encryption.
  • Authentication: Email-verified account confirmation via AWS Cognito. Session tokens are stored on the device in Expo SecureStore, backed by the Android Keystore.
  • Access control: Practitioners can only access patients and sessions belonging to their own organisation.
  • Device management: All devices are enrolled in Android Enterprise (AMAPI) and subject to the organisation's security policies (screen lock, remote wipe, etc.).
  • Secrets management: Signing keys and environment credentials are managed outside of source control.

In the event of a personal data breach, we will notify affected organisations and, where required, the relevant supervisory authority:

  • EU/EEA: Within 72 hours (GDPR Art. 33).
  • US (California): In the most expedient time possible under California Civil Code § 1798.82.
  • Mexico: Within the timeframe required under LFPDPPP and its Regulations.

10. Managed Device Context

The Application is deployed on Android devices fully managed by the organisation using Android Management API (Google AMAPI):

  • The organisation's IT administrator can view device status, enforce security policies, and remotely wipe the device.
  • The Application is silently installed and updated without requiring action from the practitioner.
  • The Omstille Application does not read device management configurations, other installed apps, or IT administrator policies; it only responds to them.

11. Children's Data

The Application is exclusively for healthcare and wellness professionals aged 18 and over. We do not knowingly collect personal data from individuals under 18 through the Application.

Patient records for minors may be created by practitioners in the course of legitimate wellness practice, subject to the applicable law and the organisation's own consent procedures.

12. Your Rights

EU / EEA (GDPR)

Right | How to exercise
Access | Request a copy of your data
Rectification | Request correction of inaccurate data
Erasure ("right to be forgotten") | Request deletion where the data is no longer necessary
Restriction of processing | Request limited processing in certain circumstances
Data portability | Receive your data in a machine-readable format
Objection | Object to processing based on legitimate interests
Withdraw consent | Withdraw at any time without affecting prior processing

Contact: privacy@omstille.com
You may also lodge a complaint with your national supervisory authority (e.g. CNIL in France, AEPD in Spain, or, for UK users under the UK GDPR, the ICO).

California (CCPA / CPRA)

California residents have the right to:

  • Know what personal information is collected, used, shared, or sold.
  • Delete personal information held by us (subject to legal exceptions).
  • Correct inaccurate personal information.
  • Opt out of the sale or sharing of personal information. We do not sell or share personal information.
  • Non-discrimination for exercising privacy rights.

To submit a CCPA request: privacy@omstille.com
We will respond within 45 days.

Mexico (LFPDPPP)

Individuals whose data is processed have ARCO rights (derechos ARCO):

  • Acceso — access to their personal data.
  • Rectificación — correction of inaccurate data.
  • Cancelación — deletion of data.
  • Oposición — objection to processing.

To exercise ARCO rights: privacy@omstille.com
We will respond within 20 business days as required by LFPDPPP Art. 32.

13. Cookies and Tracking

The Application does not use cookies, advertising pixels, or cross-app tracking technologies. The Application uses expo-web-browser solely to open external hyperlinks in the system browser — no browsing data is captured by Omstille.

14. International Data Transfers

Data is stored in the EU (eu-west-3, Paris, France). When organisations or practitioners in Mexico or the United States access it, that access is an international transfer of data out of the EU. We rely on the following mechanisms:

  • EU → US: Standard Contractual Clauses (SCCs) and, for the transfer to AWS as our sub-processor, AWS's participation in the EU-US Data Privacy Framework.
  • EU → Mexico: Contractual safeguards with the subscribing organisation in accordance with GDPR Chapter V.

15. Changes to This Policy

We may update this Privacy Policy to reflect changes in the Application or applicable law. Material changes will be communicated to the organisation's designated administrator by email at least 30 days before they take effect. The “Last updated” date at the top will always reflect the current version.

16. Where to Find This Policy

17. Contact Us

Omstille LLC
Attn: Data Privacy
Nye Sandviksveien 56
5032 BERGEN, Norway
privacy@omstille.com
https://omstille.com