Privacy Policy
Privacy Policy for the Nearbyto.me Service (nearbyto.me)
1. General Provisions
1.1. This Privacy Policy (hereinafter — the "Policy") describes how personal data of users of the Nearbyto.me Service, available at https://nearbyto.me, is collected, processed, stored, transferred, and destroyed.
1.2. The Controller of personal data is the operator of the Nearbyto.me Service (hereinafter — the "Controller", the "Company", "we"). Full registration details are available on request via [email protected].
1.3. The Nearbyto.me Service is an AI assistant for emotional support based on cognitive behavioral therapy (CBT) methods. The Service is not a medical service, does not render diagnoses, and does not substitute for qualified psychological or psychiatric assistance.
1.5. By using the Service, the User confirms that they have read this Policy, understand its contents, and give their free, informed, and unambiguous consent to the processing of personal data on the terms set forth herein.
1.6. If the User does not agree with the terms of this Policy, they must cease using the Service.
2. Definitions
2.1. The following terms are used in this Policy:
2.1.1. Personal Data — any information relating to an identified or identifiable natural person (data subject), as defined by the Data Protection Law (No. 3144/2023).
2.1.2. Data Subject (User) — a natural person to whom personal data relates.
2.1.3. Controller — a natural or legal person, public authority, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
2.1.4. Processor — a natural or legal person, public authority, or other body which processes personal data on behalf of the Controller.
2.1.5. Processing — any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
2.1.6. Sensitive Data — special categories of personal data, including data concerning health (physical and mental), biometric data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, and data concerning sex life or sexual orientation.
2.1.7. Profiling — any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's behavior, preferences, interests, or emotional state.
2.1.8. Cross-Border Transfer — transfer of personal data to the territory of a foreign state.
3. Categories of Personal Data Collected
3.1. The Controller collects and processes the following categories of personal data:
3.1.1. Identification Data
| Data | Required |
|---|---|
| Name or nickname | Required |
| Email address | Required |
| Mobile phone number | If registering via phone |
3.1.2. Usage Data
| Data | Required |
|---|---|
| Date and time of registration | Automatic |
| Login events (date, time) | Automatic |
| Session data (start/end time, duration, number of sessions) | Automatic |
| User-selected settings and preferences | User-provided |
| Features used, pages visited | Automatic |
3.1.3. Dialogue Content
| Data | Required |
|---|---|
| Text messages sent by the User to the AI Assistant | User-provided |
| AI Assistant responses (stored as part of session history) | Automatic |
3.1.4. Emotional State Data (treated as Sensitive Data)
| Data | Required |
|---|---|
| User-reported emotional state | User-provided |
| Emotional indicators derived from dialogue text analysis | Automatic |
| Psychotyping / profiling results | Automatic |
Important: Data concerning emotional and psychological state is treated as sensitive data (health data) and requires explicit consent for processing. See the Sensitive Data Consent document.
3.1.5. Technical Data
| Data | Required |
|---|---|
| IP address | Automatic |
| Device type and version | Automatic |
| Operating system type and version | Automatic |
| Browser type and version | Automatic |
| Interface language | Automatic |
| Approximate geolocation (country/region level, derived from IP) | Automatic |
3.1.6. Payment Data
Note: Payment data (credit card numbers, bank details) is processed by Lava.top. The Company does not collect, process, or store payment card data. Refer to Lava.top's privacy policy for details on how Lava processes payment information.
4. Purposes and Legal Bases for Processing
4.1. The Controller processes personal data for the following purposes and on the following legal bases:
| Purpose | Data Categories | Legal Basis |
|---|---|---|
| Account creation and management | Identification, Technical | Performance of a contract (Terms of Service) |
| User authentication | Identification, Technical | Performance of a contract |
| Provision of the Service (AI interaction) | Dialogue Content, Usage | Performance of a contract |
| Personalization of content and recommendations | Emotional State, Profiling | Explicit consent (Sensitive Data Consent) |
| Psychotyping / profiling | Dialogue Content, Emotional State | Explicit consent (Art. 6, 19 of Data Protection Law) |
| Service improvement and analytics | Usage, Technical (aggregated/anonymized) | Legitimate interest |
| Service-related notifications | Identification (email) | Performance of a contract |
| Marketing communications | Identification (email) | Explicit opt-in consent |
| Security and fraud prevention | Technical, Usage | Legitimate interest |
| Legal compliance | All categories as required | Legal obligation |
5. Data Retention Periods
5.1. Personal data is retained for the following periods:
| Data Category | Retention Period | Basis |
|---|---|---|
| Identification Data | Duration of account + 30 days after deletion request | Contract performance, legal obligations |
| Usage Data | 24 months from collection | Legitimate interest (analytics) |
| Dialogue Content | 12 months from session date, or until deletion by User | Contract performance |
| Emotional State / Profiling Data | 12 months from session date, or until deletion by User | Explicit consent |
| Technical Data | 6 months from collection | Legitimate interest (security) |
| Cookie Consent Records | 24 months | Legal obligation (proof of consent) |
| Marketing Consent Records | Duration of consent + 24 months after withdrawal | Legal obligation (proof of consent) |
5.2. Upon expiry of the retention period, personal data is destroyed (deleted from all active systems and backups within 30 days).
5.3. Data of inactive accounts (no login for 12 consecutive months) is automatically deleted after a 30-day advance notice sent to the registered email address.
6. Data Processing Location and Cross-Border Transfers
6.1. Personal data is processed and stored on servers located in the European Union (AWS infrastructure, Frankfurt region, Germany).
6.2. EU/EEA countries are included in the list of countries with an adequate level of personal data protection.
6.3. Accordingly, the transfer of personal data to EU-based servers does not require:
- Separate consent from the data subject for cross-border transfer;
- Written agreement between the Controller and the data recipient specifically for cross-border transfer purposes;
- Permission from the PDPS for cross-border transfer.
6.4. The Company does not transfer personal data to countries that are not on the PDPS adequacy list. If this changes, the Company will obtain the necessary authorization and/or explicit consent from data subjects before any such transfer.
7. Third-Party Data Recipients (Processors)
7.1. The Controller may share personal data with the following categories of processors:
| Processor Category | Purpose | Data Shared | Location |
|---|---|---|---|
| AWS (Amazon Web Services) | Cloud infrastructure, hosting, AI processing (Bedrock) | All categories stored/processed on servers | EU (Frankfurt) |
| Lava.top | Payment processing | Email, transaction data | Per Lava.top's privacy policy |
| Analytics provider (e.g., PostHog) | Service analytics, aggregated statistics | Usage Data, Technical Data (anonymized) | EU |
| Email service provider | Transactional and marketing emails | Email address, name | EU |
7.2. Data Processing Agreements (DPA) are in place with all processors in accordance with Article 17 of the Data Protection Law.
7.3. AI model provider clarification. Nearbyto.me is an independent product and is not affiliated with, endorsed by, or sponsored by Anthropic or Amazon Web Services. The Service uses third-party AI models (currently Claude by Anthropic) accessed via AWS Bedrock in the EU region. When using AWS Bedrock, the data processor is AWS; Anthropic provides the model but does not receive access to user data, and user data does not leave the EU region.
8. Data Subject Rights
8.1. In accordance with the Data Protection Law (No. 3144/2023), the User has the following rights:
| Right | Description | Response Time |
|---|---|---|
| Right of Access | Obtain confirmation of whether personal data is being processed, and receive a copy of that data | 10 working days |
| Right to Rectification | Request correction of inaccurate personal data | 10 working days |
| Right to Erasure | Request deletion/destruction of personal data | 10 working days |
| Right to Data Portability | Receive personal data in a structured, commonly used, machine-readable format | 10 working days |
| Right to Object | Object to processing based on legitimate interest, including profiling | 10 working days |
| Right to Restriction | Request restriction of processing in certain circumstances | 10 working days |
| Right re: Automated Decisions | Not be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects | 10 working days |
8.2. To exercise these rights, the User may:
- Send a request to [email protected];
- Use the data management functions in the Account settings (export, deletion);
- Contact the Company at the address specified in Section 1.2.
8.3. The exercise of the right of access is free of charge. If requests are manifestly unfounded or excessive (e.g., due to repetitive character), the Company may charge a reasonable fee or refuse to act on the request, providing justification.
9. Automated Decision-Making and Profiling
9.1. The Service uses automated processing of personal data for the following purposes:
| Type of Automated Processing | Purpose | Data Used |
|---|---|---|
| Content personalization | Selecting exercises, techniques, and recommendations relevant to the User | Dialogue content, emotional state data |
| Psychotyping | Identifying behavioral and communication patterns to improve Service personalization | Dialogue content |
| Emotional state assessment | Adapting AI responses to the User's current emotional state | Dialogue content |
9.2. The automated processing described above is based on analysis of the User's dialogue text. No solely automated decisions with legal or similarly significant effects are made without the User's explicit consent.
9.3. The User has the right to:
- (a) Object to profiling at any time by contacting [email protected];
- (b) Request human review of any automated decision;
- (c) Withdraw consent to profiling (note: withdrawal may affect the Service's ability to provide personalized recommendations).
9.4. For more details, see the Profiling Disclosure section of the Sensitive Data Consent document.
10. Cookies and Tracking Technologies
10.1. The Service uses cookies and similar technologies. Detailed information is provided in the separate Cookie Policy.
10.2. Non-essential cookies require active consent before being set. The User may manage cookie preferences through the cookie consent banner displayed on the website.
11. Data Security
11.1. The Company implements the following technical and organizational measures to protect personal data:
| Measure | Description |
|---|---|
| Encryption in transit | TLS 1.2 or higher for all data transmission |
| Encryption at rest | AES-256 or equivalent for stored data |
| Access control | Role-based access, minimum necessary privilege |
| Access logging | All access to user data is logged |
| Regular security assessments | Periodic review of security measures |
| Incident response plan | Procedures for detecting, assessing, and responding to data breaches |
11.2. Despite implementing appropriate security measures, the Company cannot guarantee absolute security of data transmission over the internet or electronic storage.
12. Data Breach Notification
12.1. In the event of a personal data breach:
| Action | Timeframe | Recipient |
|---|---|---|
| Notification to PDPS | Within 72 hours of discovery | Personal Data Protection Service (PDPS) |
| Notification to data subjects | Immediately if the breach poses a significant threat to rights and freedoms | Affected Users |
12.2. The Company maintains an internal incident register documenting all data security incidents, regardless of severity.
13. Children's Data
13.1. The Service is intended for users aged 16 and older. Users under 16 may use the Service only with the consent of a parent or legal guardian.
13.2. The Company does not knowingly collect personal data from children under 16 without parental consent. If the Company becomes aware that personal data of a child under 16 has been collected without appropriate consent, such data will be deleted promptly.
14. Marketing Communications
14.1. The Company may send marketing communications (including information about new features, promotions, and related content) only with the User's explicit opt-in consent.
14.2. Consent to marketing communications is collected separately from consent to the Terms of Service and the Privacy Policy. Pre-checked boxes are not used.
14.3. The User may withdraw consent to marketing communications at any time by:
- Clicking the "Unsubscribe" link in any marketing email;
- Adjusting preferences in the Account settings;
- Contacting [email protected].
14.4. Withdrawal of consent to marketing communications does not affect the lawfulness of processing based on consent before its withdrawal.
15. Amendments to the Policy
15.1. The Company reserves the right to amend this Policy at any time.
15.2. The User will be notified of material changes at least 14 calendar days before the changes take effect, via email and/or in-app notification.
15.3. Continued use of the Service after the changes take effect constitutes the User's acceptance of the amended Policy. If the User does not agree, they must cease using the Service and may request data deletion.
15.4. The current version of the Policy is always available at nearbyto.me/legal/privacy-policy.
16. Contact Information
For any questions regarding this Policy or the processing of personal data:
| Channel | Contact |
|---|---|
| General inquiries | [email protected] |
| Data protection inquiries | [email protected] |