Privacy Policy
This policy explains what data Aku collects, why we process it, and what your rights are.
Data processing is carried out in compliance with Regulation (EU) 2016/679 (GDPR) and Italian Legislative Decree 196/2003, as amended and supplemented by Legislative Decree 101/2018 (the Italian Personal Data Protection Code).
1. Data Controller
The data controller is Mattia Peirano, hearing care professional, self-employed practitioner, with registered office at Via Ugo Bassi 22, 20159 Milan, Italy, VAT no. IT01640360085, Italian tax code PRNMTT92S17D969H (the "Controller").
For any privacy-related matter, you can contact the Controller at: privacy@aku-app.com.
2. What Aku is and what data it processes
Aku is a mobile wellness application designed to support adults living with tinnitus. Aku is not a medical device and does not provide diagnoses, therapies, or healthcare services.
To operate, Aku processes the following categories of personal data:
2.1 Identification and account data
- Email address (for authentication)
- The name or nickname you choose to provide
- A pseudonymous user identifier generated by the system
- Technical authentication data via Apple or Google (managed by those providers)
2.2 Health-related data (Art. 9 GDPR)
Aku processes data that the law classifies as "special categories of personal data" because they relate to health. This consists exclusively of information you provide yourself, in subjective, self-reported form:
- Subjective characteristics of your tinnitus (for example, the type of sound and its approximate pitch)
- A qualitative description of your listening experience
- The listening volume you find comfortable
- How you perceive the impact of tinnitus on sleep, concentration, mood, and relationships (qualitative levels)
- Your daily wellbeing check-ins
- Any bodily sensations you report (for example, whether certain movements change your perception of the sound)
- The content of your conversations with the AI companion, which may include references to your health or emotional state
2.3 Usage and purchase data
- Technical usage data (sessions, features used) for the operation and security of the service
- Subscription data (managed through the Apple App Store / Google Play and the provider RevenueCat)
2.4 Data we do NOT collect
By deliberate choice, Aku does not collect: precise location data, biometric data, web browsing data, or data about third parties. Aku contains no advertising SDKs or marketing trackers: no data relating to your health is shared with advertising platforms.
3. Purposes and legal bases of processing
| Purpose | Data used | Legal basis |
|---|---|---|
| Provision of the service (account, app, subscription) | Identification and purchase data | Performance of a contract (Art. 6.1.b GDPR) |
| Operation of the AI companion and personalisation of the experience (sounds, exercises, content) | Health-related data | Explicit consent (Art. 9.2.a GDPR) |
| Transmission of data to the AI model provider to generate responses | Health-related data, in pseudonymised form | Explicit consent (Art. 9.2.a GDPR) |
| Display of your wellbeing journey over time | Check-ins and qualitative reflections | Explicit consent (Art. 9.2.a GDPR) |
| Service improvement through anonymised data | Anonymised data (not traceable to you) | Optional consent covers the anonymisation process; once anonymised, the data is no longer personal data |
| Security, abuse prevention, legal compliance | Technical and account data | Legitimate interest (Art. 6.1.f) / legal obligation (Art. 6.1.c) |
Consent to the processing of health-related data is collected during sign-up in an explicit, freely given and granular way: you are presented with separate checkboxes for each purpose (use of the AI companion, transmission of data to the AI model provider, and any use of anonymised data), with a plain-language explanation. Providing health-related data is optional: you can withdraw your consent at any time from the app settings. Withdrawal does not affect the lawfulness of processing carried out up to that point; from that moment the data concerned is no longer processed for the withdrawn purposes and, where no other retention obligation applies, it is deleted within the timeframes set out in section 6. Withdrawal means the companion and the features that depend on that data can no longer be used.
"Anonymised data" means data stripped of any element that would allow it to be traced back to you. The anonymisation process is itself a processing activity, carried out on the basis of your optional consent; its result is no longer personal data and, as such, falls outside the scope of the GDPR and may be used to improve the service.
4. How artificial intelligence works in Aku
Aku's conversational companion is based on a language model provided by Anthropic (Claude). When you write to Aku, the content of the conversation and a concise profile of the information you have shared are sent to Anthropic's servers to generate the response.
- The structured data sent is pseudonymised: your real name and email address are never transmitted.
- Anthropic retains request data for a maximum of 30 days for security purposes, save for longer periods that may be required by legal obligations or ongoing security investigations; after that period it is deleted. The data is not used to train artificial intelligence models.
- Aku's responses are generated automatically and are intended for support and wellbeing purposes: they do not constitute medical advice and may contain inaccuracies.
Important: pseudonymisation applies to the structured data in your profile. It cannot cover the information you choose to write freely in conversations: if you spontaneously include your name, contact details, or other identifying elements in the text of your messages, these are transmitted to the AI model provider exactly as you wrote them. We encourage you not to share identifying or particularly sensitive data in conversations unless necessary.
Aku does not make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you (Art. 22 GDPR).
5. Who processes your data on our behalf (data processors)
| Provider | Activity | Where the data is | Safeguards |
|---|---|---|---|
| Supabase Pte. Ltd | Database and authentication | European Union (Ireland, eu-west-1 region) | Data Processing Agreement (DPA) with Standard Contractual Clauses |
| Anthropic, PBC | Generation of AI responses | United States | DPA with Standard Contractual Clauses; retention max 30 days; no use for training |
| RevenueCat, Inc. | Subscription management | United States | DPA with Standard Contractual Clauses; receives no health-related data |
| Apple Inc. / Google LLC | Authentication and payments through the stores | United States / global | Terms and safeguards of the respective stores; they receive no health-related data from Aku |
| Expo (650 Industries, Inc.) | Delivery of push notifications | United States | Receives only the device token and the notification text; receives no health-related data |
Some providers are based in the United States, so some data may be transferred outside the European Union. Such transfers take place on the basis of the Standard Contractual Clauses approved by the European Commission (Art. 46 GDPR), supplemented by the related transfer impact assessments and by additional technical measures such as encryption and pseudonymisation. You have the right to request a copy of the safeguards applied to transfers by writing to privacy@aku-app.com.
6. How long we keep your data
| Data category | Retention |
|---|---|
| Profile and account data | For the life of the account, plus 30 days |
| Wellbeing check-ins | 24 months |
| Conversations with Aku | 12 months from the last session |
| Conversation summaries (Aku's memory) | 24 months |
| Listening session data | 24 months |
| Technical logs | 90 days |
| Purchase and billing data | 10 years (legal obligation) |
If you delete your account, your health-related and profile data is erased from production systems without undue delay and in any case within 30 days; any copies present in backups are overwritten according to the normal backup rotation cycle, within a maximum of a further 30 days. The only data retained beyond deletion is tax and accounting data, for the period required by law.
7. Your rights
At any time you can exercise the rights provided by Articles 15-22 of the GDPR:
- Access: obtain confirmation of processing and a copy of your data
- Rectification: correct inaccurate or incomplete data
- Erasure: obtain the deletion of your data ("right to be forgotten")
- Restriction: restrict processing in certain cases
- Portability: receive your data in a structured, machine-readable format
- Objection: object to processing based on legitimate interest
- Withdrawal of consent: at any time, without affecting prior lawful processing
You can exercise your rights of access, portability, erasure, and withdrawal directly from the app settings, or by writing to privacy@aku-app.com. We will respond within 30 days of your request.
You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali, www.garanteprivacy.it) or with the supervisory authority of your country of residence, if you believe the processing infringes the applicable rules.
8. Minimum age
Aku is intended for adults only (18+). Legal age is declared during sign-up. We do not knowingly collect data from persons under 18. If you believe a minor has created an account, you can report it by writing to privacy@aku-app.com: once the report is verified, we will close the account and delete the related data without undue delay.
9. Security
We adopt technical and organisational measures appropriate to the nature of the data processed, including: encryption of communications (HTTPS), encryption of data at rest, row-level access controls on the database (Row Level Security), pseudonymisation of data sent to the AI provider, and the absence of advertising or tracking SDKs.
In the event of a personal data breach posing a risk to your rights, we will carry out the notifications required by Articles 33 and 34 of the GDPR (supervisory authority within 72 hours and, where required, communication to the individuals concerned).
10. Changes to this policy
This policy may be updated. In the event of substantial changes, we will inform you through the app before the changes take effect. The current version, with its date, is always available within the app and at www.aku-app.com/en/privacy.
11. Language
This document is an English translation provided for convenience. The Italian version of this Privacy Policy is the reference version and shall prevail in the event of any discrepancy, without prejudice to mandatory consumer protections applicable in your country of residence.
12. Contact
Controller: Mattia Peirano — Via Ugo Bassi 22, 20159 Milan, Italy — VAT no. IT01640360085 — Italian tax code PRNMTT92S17D969H
Privacy email: privacy@aku-app.com