Privacy Policy

Version: 1.0.0 - October 2025

Your privacy is important to us. This Privacy Policy explains how Oncoly AB collects, uses, and protects your personal data in compliance with the General Data Protection Regulation (GDPR).

1. Who We Are (Controller)

Oncoly AB (org. no. 559548-6423), Jönköping, Sweden, is the data controller for the Oncoly app and website.

Privacy contact: dev@oncoly.se

2. What Data We Process

Note: MVP Testing Phase

During the MVP testing phase, users are not required to provide any health or medical information. The health-data categories listed below describe future functionality and will only be activated after Oncoly receives ethical approval from a competent authority.

  • Account: name, email, age; optional profile fields (e.g., gender).
  • Health data (special category): symptoms, mood logs, treatment details, uploaded medical documents.
  • Technical/usage: device info, IP (security), app events (non-PHI analytics).

3. Why We Process (Purposes & Legal Bases)

  • Provide the service (accounts, secure access, reminders): Art. 6(1)(b) GDPR (contract).
  • Health features (you log and view your own entries, trends): Art. 6(1)(b) + Art. 9(2)(a) GDPR (explicit consent).
  • Security & integrity (fraud/abuse prevention, access logging): Art. 6(1)(f) GDPR (legitimate interests).
  • Support & communications (when you contact us): Art. 6(1)(b)/(f) GDPR.
  • Anonymised analytics/quality improvement: Art. 6(1)(f) GDPR; we do not re-identify you.

Important: At this MVP stage, Oncoly does not process health or other special-category data. When these features are activated in future, explicit consent under Article 9 GDPR will be requested in-app.

We rely on explicit consent to process health data. You can withdraw consent at any time in-app or by emailing dev@oncoly.se. Withdrawal does not affect past lawful processing.

4. Where Data Is Stored and How It's Transferred

  • Location: EU/Sweden. We host with EU-region services (e.g., Supabase in EU).
  • Processors: database/storage, infrastructure, email/SMS, and analytics (EU, non-PHI). We sign DPAs with all processors and keep an updated list on our site.
  • International transfers (if any): protected by EU Standard Contractual Clauses and supplementary measures (e.g., encryption).

5. Security (Art. 32 GDPR)

  • Encryption in transit (TLS) and at rest.
  • Row-Level Security and least-privilege access in our database.
  • Audit logs: we record who/when/why for any staff access to health data (immutable).
  • Admin safeguards: multi-factor auth, key rotation, secure backups, and regular vulnerability testing.

We are preparing Data Processing Agreements (DPAs) with all future processors; for the MVP test, no third-party processors handle health data.

6. Retention & Deletion (MVP)

We keep personal data only as long as needed for each purpose, then delete or anonymise. Default periods (from last activity):

  • Account & identity: 12 months after account deletion (fraud/security).
  • Health logs (symptoms/mood/treatment): 5 years.
  • Uploaded medical documents: 5 years.
  • Access/audit logs: 6 years.
  • Support tickets: 3 years.
  • Backups: 30–90 days rolling.

For the MVP test version, no health data is retained beyond technical logs or analytics necessary to ensure functionality.

7. Your Rights

You have the right to access, rectify, erase, restrict, and port your personal data, to object to processing, and to withdraw consent for health data.

How: in-app or dev@oncoly.se. We reply within 1 month (extendable by 2 months for complex requests). We may verify identity.

8. Data Breaches

We assess incidents promptly and, when required, notify IMY within 72 hours and inform affected users without undue delay. We maintain an incident log.

9. Eligibility & Geography (MVP)

Oncoly is for users 16+ and currently available to residents of Sweden only.

10. Changes to This Policy

We announce material changes 30 days in advance via the app/website. If a change requires renewed consent, we will ask you to opt in again.

11. Contact & Complaints

Questions/requests: dev@oncoly.se

You may lodge a complaint with Integritetsskyddsmyndigheten (IMY) in Sweden.
