Privacy Policy
Effective: March 15, 2026
1. Data Controller
The data controller within the meaning of the General Data Protection Regulation (GDPR) is:
KaProblem e.U.
Stefan Nothegger
Weissachstraße 6e
A-6330 Kufstein, Austria
Email: [email protected]
2. Overview of Data Processing
This privacy policy informs you about which personal data we collect, process, and store in connection with the use of the meditation app "Seirazen" (web app and mobile app), as well as your rights as a data subject.
3. Data Collected and Purposes of Processing
3.1 Account Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account management, login, communication | Art. 6(1)(b) GDPR (contract performance) |
| Name | Personalization (e.g., addressing in meditations) | Art. 6(1)(b) GDPR |
| Password (stored only as a bcrypt hash) | Authentication | Art. 6(1)(b) GDPR |
| OAuth provider & ID (Google/Apple) | Third-party login | Art. 6(1)(b) GDPR |
| Language preference (locale) | Localization of app content | Art. 6(1)(b) GDPR |
| User preferences (notifications, privacy, app settings) | Individual app configuration | Art. 6(1)(a) GDPR (consent) |
3.2 Meditation Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Meditation texts and SSML data | Generation and playback of meditations | Art. 6(1)(b) GDPR |
| Audio files (voice, mixed) | Meditation playback | Art. 6(1)(b) GDPR |
| Selected topics, voice, background sound | Meditation personalization | Art. 6(1)(b) GDPR |
| Description/input for personal meditations | Text generation via language model | Art. 6(1)(b) GDPR |
3.3 Usage Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Playback history (meditation, timestamp, source, duration) | Usage statistics and recommendations | Art. 6(1)(f) GDPR (legitimate interest) |
| Transaction history (credits, purchases, refunds) | Billing and accountability | Art. 6(1)(b) & (c) GDPR |
| User agent (device information during token creation) | Security and session management | Art. 6(1)(f) GDPR |
3.4 Server Log Data
When accessing our web app, the following technical data is automatically collected and stored in server log files:
- IP address of the accessing device
- Date and time of access
- Browser type and version
- Operating system used
- Referrer URL (previously visited page)
- Page accessed and amount of data transferred
This data is not combined with other data sources and is deleted after a maximum of 90 days. Processing is based on our legitimate interest in ensuring the smooth operation and security of our systems (Art. 6(1)(f) GDPR).
3.5 Alexa Integration
When using the Alexa integration, the following additional data is processed:
- Alexa User ID: To identify your Alexa device and link it to your Seirazen account.
- Language preference (Alexa locale): To provide content in the correct language.
- Session data: Number of sessions, time of last use.
- Link code: Time-limited 6-digit code for account linking (expires after 15 minutes).
Legal basis: Art. 6(1)(a) GDPR (consent through active linking).
4. Third-Party Providers and Data Processors
To provide our Service, we engage the following third-party providers to whom personal data may be transferred:
| Provider | Purpose | Data Transferred | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | File storage (S3) | Audio files, images | EU (Frankfurt, eu-central-1) |
| Google Cloud | Speech synthesis (Text-to-Speech) | Meditation texts (SSML) | EU/USA* |
| OpenAI | Text generation for meditations | Meditation description, first name, language | USA* |
| RevenueCat | Payment and subscription management | User ID, purchase data | USA* |
| Stripe | Payment processing (web) | Payment data (sent directly to Stripe, not stored by us) | USA/EU* |
| Mailgun | Email delivery | Email address, name | EU/USA* |
| Sentry/GlitchTip | Error monitoring | Technical error data (typically no personal data) | EU/USA* |
| Google (OAuth) | Login via Google | OAuth token (short-lived, not stored) | USA* |
| Apple (OAuth) | Login via Apple | Identity token (short-lived, not stored) | USA/Ireland |
* For data transfers to the USA, we rely on the EU-U.S. Data Privacy Framework (DPF) pursuant to the European Commission's adequacy decision of July 10, 2023, as well as Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR as supplementary safeguards.
5. Cookies and Session Data
We only use technically necessary cookies for session management (_relax_server_session). This cookie is required for the operation of the web app and does not contain personal data. It is set with the Secure, HttpOnly, and SameSite attributes.
We do not use tracking cookies, analytics cookies, or advertising cookies. Consent pursuant to the ePrivacy Directive (implemented in Austrian law as § 165 TKG 2021) is therefore not required.
6. Data Retention
- Account data: Until you delete your account.
- Meditations and audio files: Until account deletion.
- Transaction data: 7 years after contract termination (statutory retention obligation under § 132 BAO, Austrian Federal Fiscal Code).
- Playback history: Until account deletion.
- Refresh tokens: Automatically deleted upon expiration (configurable) or upon logout.
- Alexa link codes: Automatically deleted after 15 minutes.
- Server logs: Maximum 90 days.
7. Your Rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15 GDPR): You have the right to request information about the personal data we process.
- Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate data.
- Right to erasure (Art. 17 GDPR): You may request the deletion of your data, provided no statutory retention obligations apply. Account deletion is available directly in the App.
- Right to restriction of processing (Art. 18 GDPR): Under certain conditions, you may request the restriction of processing.
- Right to data portability (Art. 20 GDPR): You have the right to receive your data in a structured, commonly used, and machine-readable format.
- Right to object (Art. 21 GDPR): You may object to the processing of your data based on legitimate interest at any time.
- Right to withdraw consent (Art. 7(3) GDPR): You may withdraw consent at any time with effect for the future.
To exercise your rights, please contact us at: [email protected]
8. Right to Lodge a Complaint
You have the right to lodge a complaint with the competent data protection authority:
Austrian Data Protection Authority (Österreichische Datenschutzbehörde)
Barichgasse 40-42
1030 Vienna, Austria
Phone: +43 1 52 152-0
Email: [email protected]
Website: www.dsb.gv.at
9. Data Security
We implement technical and organizational measures to protect your data, including:
- Encrypted transmission of all data via TLS/HTTPS.
- Passwords are never stored in plaintext; only bcrypt hashes are kept.
- Refresh tokens are stored exclusively as SHA-256 hashes; the raw token value is never persisted.
- Server-side encryption of all stored files (AWS S3).
- Rate limiting to protect against brute-force attacks.
- Filtering of sensitive parameters in server logs.
10. Minors
Our Service is not directed at persons under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that personal data of a child under 16 has been transmitted to us without the consent of a legal guardian, we will delete this data immediately.
11. Voluntary Nature of Data Provision
The provision of your personal data is generally voluntary. There is no legal or contractual obligation to provide us with your data. Please note, however, that without providing certain data (e.g., email address for registration), some features of the App cannot be used.
12. Changes to This Privacy Policy
We reserve the right to update this privacy policy to reflect changes in legal requirements or changes to our Service. The current version is always available on our website. We will notify you of material changes via email or in-app notification.
13. Contact
If you have questions regarding data protection, please contact us at:
[email protected]