Privacy Policy for Scrambled Brain

Effective Date: November 15, 2025
Last Updated: November 15, 2025

This Privacy Policy explains how River's Lab OY ("we," "us," or "our") handles information in connection with:

Our mobile application, Scrambled Brain (the "App")
Our website, scrambledbrain.app (the "Site")

Data Controller:
Balázs Attila Szász
River's Lab OY
Aallonhuippu 3a 9
02320 Espoo, Finland
Email: hello@scrambledbrain.app

1. Our Core Promise

Your privacy is the foundation of everything we build.

Our promise to you is simple: We cannot see, access, share, or analyze your personal health data entered into the Scrambled Brain App. Period.

This isn't just a policy — it's how we built the software. Your tracking data never leaves your device. We have no servers that store your symptoms, moods, notes, or any other health information. This means we are physically unable to access, share, or sell your personal health data.

2. Understanding Health Data & GDPR

Important Legal Context:

Under the EU General Data Protection Regulation (GDPR) and Finland's Data Protection Act (1050/2018), health information is classified as "special category data" requiring extra protection (GDPR Article 9).

Here's why this matters for Scrambled Brain:

Because your health tracking data is stored exclusively on your device with 256-bit AES encryption, and because we have no technical ability to access it:

River's Lab is not a data controller or processor of your personal health tracking data
Your device itself is the storage system
You are in complete control

We only become a data controller for the limited technical data described in Sections 3 and 4 below.

3. Data Related to the Scrambled Brain App

A. Your Tracking Data (Stored On-Device Only)

What this includes:

Symptoms, moods, habits, notes, and any other health information you log
Custom trackers you create using the Blueprint Editor
Any data you input into the App

Where it's stored:

Exclusively on your device's local storage
Protected with industry-standard 256-bit AES encryption
Never transmitted to our servers or any third party

Your control:

You can delete all data at any time using the in-app "Delete All Data" button
When you uninstall the App, this data is permanently deleted
If you generate a PDF report and share it, that exported data is outside our control — see Section 3.C below

Legal basis:

Not applicable — we do not process this data

B. Anonymous Usage Analytics (Optional)

To be crystal clear: We never collect, see, store, or manage any of your personal tracking data (symptoms, moods, notes, etc.). That data is yours and lives only on your device.

To help us fix bugs and improve the App's features, with your explicit consent, we may collect anonymous, aggregated usage analytics through PostHog (a privacy-focused analytics platform).

What we collect (only if you opt in):

Device type and operating system version
App version number
Which features you use (e.g., "user created a custom tracker") — but never the content
Crash reports and error logs (technical diagnostics only)
Approximate location (country-level only, based on IP address) to understand regional usage

What we DO NOT collect:

Any personal health data you enter (symptoms, moods, notes, etc.)
Your name, email, or any identifiers
Precise location data
Any data that can be linked back to you personally

Legal basis: Your explicit consent (GDPR Article 6(1)(a))

How to opt in/out:

During first launch, you'll be asked if you want to help improve Scrambled Brain by sharing anonymous usage data
You can change this setting anytime in the App under Settings > Privacy > Analytics
Opting out will not affect any App functionality

Data retention: Anonymous analytics data is retained for 24 months, then automatically deleted.

International data transfers: PostHog processes data in the EU and uses Standard Contractual Clauses (SCCs) for any transfers outside the European Economic Area. Read PostHog's privacy policy: https://posthog.com/privacy

C. PDF Reports (Data You Export)

One of Scrambled Brain's key features is generating professional PDF reports from your tracking data.

Important: When you generate and share a PDF report:

The data in that PDF is no longer under our control
You are responsible for how you share or store that PDF
If you email it to a doctor or upload it to a cloud service, those parties' privacy policies apply
We recommend password-protecting PDFs if they contain sensitive information

D. Subscription Management (Future Feature)

Note: Scrambled Brain is currently entirely free. We plan to introduce optional paid "Pro" features in the future (exact timing to be announced).

When subscription features become available:

All payments will be processed by Apple (App Store) or Google (Google Play)
We will use RevenueCat to manage subscription status (active, expired, etc.)
RevenueCat will process your subscription status and device identifier, but never your health tracking data
We will never receive your payment card information

Legal basis (when applicable): Performance of contract (GDPR Article 6(1)(b))

International data transfers: RevenueCat processes data in the United States under Standard Contractual Clauses. Read RevenueCat's privacy policy: https://www.revenuecat.com/privacy

4. Data Related to Our Website (scrambledbrain.app)

When you visit our Site, our hosting provider automatically collects some technical data to ensure the site functions properly.

Server Log Files

What we collect:

IP address
Browser type and version
Operating system
Date and time of visit
Pages viewed
Referring website (if you clicked a link to reach us)

Why we collect it:

To ensure technical operation and security of the Site
To analyze and improve user experience (aggregated only)
To prevent abuse and detect technical errors

Legal basis: Legitimate interests (GDPR Article 6(1)(f)) — ensuring website security and functionality

Data retention: Server logs are automatically deleted after 90 days

Who has access: Our website hosting provider (details available upon request)

Cookies

Our Site uses cookies — small text files stored on your device to make the website functional.

Essential Cookies (No Consent Required):

Session cookies to remember your navigation during a single visit
These are automatically deleted when you close your browser

Analytics Cookies (Require Consent):

If you consent, we may use cookies to understand which pages are most visited (via PostHog)
These cookies cannot identify you personally

Your control:

You can manage or disable cookies in your browser settings
Disabling essential cookies may affect site functionality
You can withdraw analytics cookie consent anytime by clearing your browser cookies or contacting us

Legal basis:

Essential cookies: Legitimate interests (GDPR Article 6(1)(f))
Analytics cookies: Your consent (ePrivacy Directive, GDPR Article 6(1)(a))

5. Your Data Rights Under GDPR

Under GDPR and Finnish law, you have the following rights regarding any data we process (i.e., website logs and analytics):

✅ Right of Access (Article 15)

Request a copy of any data we hold about you

✅ Right to Rectification (Article 16)

Request correction of inaccurate data

✅ Right to Erasure / "Right to Be Forgotten" (Article 17)

Request deletion of your data

✅ Right to Restriction of Processing (Article 18)

Request that we limit how we use your data

✅ Right to Data Portability (Article 20)

Receive your data in a machine-readable format (though note: your App data is already portable via PDF export and lives on your device)

✅ Right to Object (Article 21)

Object to processing based on legitimate interests

✅ Right to Withdraw Consent (Article 7(3))

If you've consented to analytics, you can withdraw consent anytime without affecting past processing

✅ Right to Lodge a Complaint

File a complaint with the Finnish Transport and Communications Agency (Traficom), Data Protection Ombudsman:

Website: https://tietosuoja.fi/en/home
Email: tietosuoja@traficom.fi
Phone: +358 29 534 5043

How to exercise these rights:Email us at hello@scrambledbrain.app with "Data Rights Request" in the subject line. We will respond within 30 days.

Note on App data: Because your health tracking data is stored only on your device and we cannot access it, the above rights apply only to the limited data we process (website logs, analytics). You have complete control over your App data at all times.

6. Data Security

We take security seriously, though the nature of our on-device architecture means your health data is inherently more secure than cloud-based alternatives.

For App data (on your device):

256-bit AES encryption
No network transmission of health data
Automatic deletion when App is uninstalled

For data we process (website, analytics):

Industry-standard SSL/TLS encryption for website connections
Secure hosting infrastructure
Access controls and monitoring
Regular security audits

Your responsibility:

Protect your device with a passcode/biometric lock
Keep your operating system updated
Be cautious when sharing exported PDF reports

7. Children's Privacy

Age Requirement: Scrambled Brain is intended for users aged 16 and older (or the age of digital consent in your EU country, whichever is higher).

Parental Responsibility: If you are under 18, please use Scrambled Brain with a parent or guardian's knowledge and supervision.

No Intentional Collection: We do not knowingly collect personal data from children under the age of digital consent. If we become aware that we have inadvertently collected such data, we will delete it immediately.

For Parents: If you believe your child has provided us with data without consent, please contact us at hello@scrambledbrain.app.

8. Third-Party Services

We rely on a small number of trusted partners to provide our services. Each has their own privacy policy:

Service	Purpose	Location	Privacy Policy
PostHog	Anonymous analytics (opt-in only)	EU-based	https://posthog.com/privacy
RevenueCat	Subscription management (future)	USA (SCCs)	https://www.revenuecat.com/privacy
Apple/Google	Payment processing (future)	Various	https://www.apple.com/legal/privacy/<br>https://policies.google.com/privacy

Important: We do not share your personal health tracking data with any third party. These services only receive the specific technical data necessary for their function (as described above).

9. International Data Transfers

Primary operations: All primary data processing occurs within Finland and the EU.

Third-party transfers:

PostHog (analytics): EU-based with SCCs for any non-EEA transfers
RevenueCat (future subscriptions): USA-based, uses Standard Contractual Clauses (SCCs) approved by the EU Commission

We ensure all international transfers comply with GDPR Chapter V requirements.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

How we'll notify you:

Significant changes: In-app notification + email (if you've provided one for support)
Minor changes: Updated "Last Updated" date at the top of this policy

Your continued use of Scrambled Brain after changes take effect constitutes acceptance of the updated policy.

Version history: Available upon request at hello@scrambledbrain.app

11. Future Features: Scrambled Brain Insights (Coming 2026)

Looking ahead: We're developing Scrambled Brain Insights, a companion app for healthcare professionals to create custom tracking templates for their patients.

When this launches:

It will have a separate Privacy Policy specific to clinician users
The core privacy promise remains: patient health data stays on the patient's device
Template sharing will use a privacy-preserving mechanism (details in future documentation)

We'll update this policy and notify you before Insights affects how Scrambled Brain works.

12. Contact Us

Questions about this Privacy Policy?
Email: hello@scrambledbrain.app

Data rights requests or complaints:
Email: hello@scrambledbrain.app
Subject: "Data Rights Request"

Data Protection Officer: Not applicable (River's Lab is a small operation not required to appoint a DPO under GDPR Article 37)

Supervisory Authority:
Finnish Transport and Communications Agency (Traficom)
Data Protection Ombudsman
Website: https://tietosuoja.fi/en/home
Email: tietosuoja@traficom.fi

Summary: What You Need to Know

✅ Your health data never leaves your device — we physically cannot access it
✅ You control everything — delete anytime, no accounts, no cloud storage
✅ Optional analytics are truly optional — and completely anonymized
✅ We're transparent — this policy explains exactly what we do (and don't do)
✅ You have rights — access, deletion, portability, and more under GDPR
✅ Currently 100% free — paid features coming later, but core tracking stays free

Questions? We're a small, human team in Finland. Email us anytime: hello@scrambledbrain.app

This policy complies with:

EU General Data Protection Regulation (GDPR) 2016/679
Finland Data Protection Act (1050/2018)
ePrivacy Directive 2002/58/EC (as amended)
Finland Act on Electronic Communications Services (917/2014)

Last reviewed by legal: November 2025

Privacy Policy

An overview of data protection

General

The following gives a simple overview of what kind of personal information we collect, why we collect them and how we handle your data when you are visiting or using our website. Personal information is any data with which you could be personally identified. Detailed information on the subject of data protection can be found in our privacy policy found below.

Data collection on our website

Who is responsible for the data collection on this website?

The data collected on this website are processed by the website operator. The operator's contact details can be found in the website's required legal notice.

How do we collect your data?

Some data are collected when you provide them to us. This could, for example, be data you enter in a contact form.

Other data are collected automatically by our IT systems when you visit and use our website. These data are primarily technical data such as the browser and operating system you are using or when you accessed the website. These data are collected automatically as soon as you enter our website.

What do we use your data for?

Part of the data is collected to ensure the proper functioning of the website. Other data can be used to analyze how visitors use the site.

What rights do you have regarding your data?

You always have the right to request information about your stored data, its origin, its recipients, and the purpose of its collection at no charge. You also have the right to request that your data be corrected, blocked, or deleted. You can contact us at any time using the address given in the legal notice if you have further questions about the issue of privacy and data protection. You may also, of course, file a complaint with the competent regulatory authorities.

Analytics and third-party tools

When visiting our website, statistical analyses may be made of your surfing behavior. This happens primarily using cookies and analytics. The analysis of your surfing behavior is usually anonymous, encrypted, and pseudonimized, meaning that we will not be able to identify you through this data. You can object to this analysis or prevent it by not using certain tools. Detailed information can be found in the following privacy policy.

General information and mandatory information

Data protection

The operators of this website take the protection of your personal data very seriously. We treat your personal data as confidential and in accordance with the statutory data protection regulations and this privacy policy.

If you use this website, various kinds of personal data will be collected. Personal information is any data with which you could be personally identified. This privacy policy explains what information we collect and what we use it for. It also explains how and for what purpose this happens.

Please note that data transmitted via the internet (e.g. via email communication) may be subject to security breaches. Complete protection of your data from third-party access is not possible.

Notice concerning the party responsible for this website

The party responsible for processing data on this website is:

The responsible party is the natural or legal person who alone or jointly with others decides on the purposes and means of processing personal data (names, email addresses, etc.).

Revocation of your consent to the processing of your data

Many data processing operations are only possible with your express consent. You may revoke your consent at any time with future effect. An informal email making this request is sufficient. Please note that data processed before we receive your request may still be legally processed.

Right to file complaints with regulatory authorities

If there has been a breach of data protection legislation, the affected person may file a complaint with the competent regulatory authorities.

Right to data portability

You have the right to have data which we process based on your consent or in fulfillment of a contract automatically delivered to yourself or to a third party in a standard, machine-readable format. If you require the direct transfer of data to another responsible party, this will only be done to the extent technically feasible.

Encrypted payments on this website

If you enter into a contract which requires you to send us your payment information (e.g. account number for direct debits), we will require this data to process your payment.

Payment transactions using common means of payment (Visa/MasterCard, direct debit) are only made via encrypted SSL or TLS connections. You can recognize an encrypted connection in your browser's address line when it changes from "http://" to "https://" and the lock icon in your browser line is visible.

In the case of encrypted communication, any payment details you submit to us cannot be read by third parties.

Information, blocking, deletion

As permitted by law, you have the right to be provided at any time with information free of charge about any of your personal data that is stored as well as its origin, the recipient and the purpose for which it has been processed. You also have the right to have your data be corrected, blocked or deleted. You can contact us at any time using the address given in our legal notice if you have further questions on the topic of personal data.

Opposition to promotional emails

We hereby expressly prohibit the use of contact data published in the context of website legal notice requirements with regard to sending promotional and informational materials not expressly requested. The website operator reserves the right to take specific legal action if unsolicited advertising material, such as email spam, is received.

Data collection on our website

Cookies

Some of our web pages use cookies. Cookies do not harm your computer and do not contain any viruses. Cookies help make our website more user-friendly, efficient, and secure. Cookies are small text files that are stored on your computer and saved by your browser.

Most of the cookies we use are so-called "session cookies." They are automatically deleted after your visit. Other cookies remain in your device's memory until you delete them. These cookies make it possible to recognize your browser when you next visit the site.

You can configure your browser to inform you about the use of cookies so that you can decide on a case-by-case basis whether to accept or reject a cookie. Alternatively, your browser can be configured to automatically accept cookies under certain conditions or to always reject them, or to automatically delete cookies when closing your browser. Disabling cookies may limit the functionality of this website.

Cookies which are necessary to allow electronic communications or to provide certain functions you wish to use (such as the shopping cart) are stored pursuant to Art. 6 paragraph 1, letter f of the EU DSGVO/GDPR. The website operator has a legitimate interest in the storage of cookies to ensure an optimized service provided free of technical errors. If other cookies (such as those used to analyze your surfing behavior) are also stored, they will be treated separately in this privacy policy.

Server log files

The website provider automatically collects and stores information that your browser automatically transmits to us in "server log files". These are:

Browser type and browser version
Operating system used
Referrer URL
Hostname of the accessing computer
Time of server request
IP address

These data will not be combined with data from other sources.

The basis for data processing is Art. 6 (1) (f) of the EU DSGVOGDPR, which allows the processing of data to fulfill a contract or for measures preliminary to a contract.

Processing of data (customer and contract data)

We collect, process, and use personal data only insofar as it is necessary to establish, or modify legal relationships with us (master data). This is done based on Art. 6 (1) (b) of the EU DSGVOGDPR, which allows the processing of data to fulfill a contract or for measures preliminary to a contract. We collect, process and use your personal data when accessing our website (usage data) only to the extent required to enable you to access our service or to bill you for the same.

Collected customer data shall be deleted after completion of the order or termination of the business relationship. Legal retention periods remain unaffected.

Data transmitted when entering into a contract with online shops, retailers, and mail order

We transmit personally identifiable data to third parties only to the extent required to fulfill the terms of your contract, for example, to companies entrusted to deliver goods to your location or banks entrusted to process your payments. Your data will not be transmitted for any other purpose unless you have given your express permission to do so. Your data will not be disclosed to third parties for advertising purposes without your express consent.

The basis for data processing is Art. 6 (1) (b) of the EU DSGVOGDPR, which allows the processing of data to fulfill a contract or for measures preliminary to a contract.

Data transferred when signing up for services and digital content

We transmit personally identifiable data to third parties only to the extent required to fulfill the terms of your contract with us, for example, to banks entrusted to process your payments.

Your data will not be transmitted for any other purpose unless you have given your express permission to do so. Your data will not be disclosed to third parties for advertising purposes without your express consent.

The basis for data processing is Art. 6 (1) (b) of the EU DSGVOGDPR, which allows the processing of data to fulfill a contract or for measures preliminary to a contract.

6. Analytics and advertising

Matomo (formerly Piwik)

This website uses the open source web analytics service Matomo. Matomo uses so-called "cookies". These are text files that are stored on your computer and that allow an analysis of the use of the website by you. For this purpose, the information generated by the cookie about the use of this website is stored on our server. The IP address is anonymized before it is stored.

Matomo cookies remain on your device until you delete them.

The storage of Matomo cookies is based on Art. 6 (1) (f) of the EU DSGVOGDPR. The website operator has a legitimate interest in analyzing user behavior in order to optimize both its website and its advertising.

The information generated by the cookies about your use of this website will not be disclosed to third parties. You can prevent these cookies being stored by selecting the appropriate settings in your browser. However, we wish to point out that doing so may mean you will not be able to enjoy the full functionality of this website.

If you do not agree with the storage and use of your data, you can disable this feature here. In this case, an opt-out cookie will be stored in your browser to prevent Matomo from storing your usage data. If you delete your cookies, this will mean that the opt-out cookie will also be deleted. You will then need to reactivate it when you return to our site if you wish your activity not to be tracked.