Privacy Policy
Last updated: March 24, 2026
Your privacy matters deeply to us. Ninoa was created by someone who lives with a chronic condition and knows how sensitive health data can be. We collect only the minimum information necessary for the app to function — nothing more.
1. Data Controller
Ninoa is operated by Mariam Giorgobiani (sole proprietor / autónomo), based in Barcelona, Spain. For any privacy inquiries, contact support@ninoa.space.
2. Personal Data We Collect
Ninoa collects only the information you choose to provide:
- Email address (for account creation and authentication)
- Basic profile information (optional)
- Daily logs (symptoms, mood, sleep, routines, flare-ups, stress levels, triggers, treatments, product use, notes)
- Photos (optional — deletable anytime)
- Timestamps & metadata
- Technical info (device type, app version)
3. Legal Basis for Processing (GDPR Article 6)
We process your personal data based on the following legal grounds:
- Consent — You provide consent when you create an account and agree to this Privacy Policy.
- Contract performance — Processing is necessary to provide you with the app's features and services you have requested.
- Legitimate interest — We may process anonymized or aggregated data to improve Ninoa's service, provided this does not override your rights.
4. How We Use Your Data
- Core app functionality (tracking, insights, personalization)
- Pattern insights and trend analysis based on your self-reported data
- App improvement and bug fixing
- User support and communication
5. Anonymized & Aggregated Insights
- Cannot identify you personally
- No photos included
- Only aggregated, anonymized data
- Used solely to improve app features and user experience
6. Data Storage & Location
All your data is stored within the European Union:
- AWS RDS PostgreSQL — EU North (Stockholm, Sweden)
- AWS ECS Fargate (Backend) — EU North (Stockholm, Sweden)
- AWS S3 (Images) — EU North (Stockholm, Sweden)
- AWS Cognito (Authentication) — EU North (Stockholm, Sweden)
- All connections encrypted via HTTPS/TLS
No data is transferred outside the EU/EEA. All infrastructure is hosted in the AWS eu-north-1 region (Stockholm, Sweden).
6b. AI-Powered Features
Ninoa includes an optional AI Skin Scanner that analyzes a photo of your skin
to produce gentle visual observations and track changes over time. When you
use the scanner:
-
What is sent: the photo you choose to scan, the body area
label you tag, and (for side-by-side comparison) any prior scan observations
of the same area.
-
Where it goes: the photo is transmitted over encrypted
HTTPS to Anthropic (Claude vision API) for real-time
analysis. Anthropic does not retain the photo or response
after processing, per their API terms.
-
What we store: the photo itself is stored privately in
your account on AWS S3 (EU-North, Stockholm) with a signed-URL access
layer. The AI's text observations are stored alongside it in our database.
Both are deleted when you delete your account.
-
Not a diagnosis: the AI's output is a visual observation
only — not a medical diagnosis. The system prompt instructs the AI to
avoid clinical claims and to recommend a qualified dermatologist for any
actual assessment.
7. Data Retention
- Active accounts: Your personal data is retained for as long as your account remains active.
- Deleted accounts: All personal data is permanently deleted within 30 days of account deletion.
- Anonymized data: Aggregated, anonymized data that cannot identify you may be retained indefinitely for research and service improvement purposes.
- Backups: Personal data in backups is purged within 30 days following account deletion.
8. Your Privacy Rights
Under the GDPR and applicable data protection laws, you have the following rights:
- Right to access — Request a copy of the personal data we hold about you.
- Right to rectification — Request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — Request deletion of your personal data.
- Right to data portability — Request your data in a structured, commonly used, machine-readable format.
- Right to restrict processing — Request that we limit how we use your data.
- Right to object — Object to processing based on legitimate interest.
- Right to withdraw consent — Withdraw your consent at any time (this does not affect the lawfulness of processing before withdrawal).
To exercise any of these rights, contact us at support@ninoa.space. We will respond within 30 days.
You also have the right to lodge a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos — AEPD) at www.aepd.es.
9. CCPA Notice (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:
- Right to know — You can request details about what personal information we collect, the sources, the purposes, and with whom we share it.
- Right to delete — You can request deletion of your personal information.
- Right to opt-out of sale — You can opt out of the sale of your personal information.
- Right to non-discrimination — We will not discriminate against you for exercising your CCPA rights.
Ninoa does NOT sell your personal information. We have never sold personal information and have no plans to do so.
To exercise your CCPA rights, contact us at support@ninoa.space.
10. Third-Party Services
Ninoa uses the following third-party services to operate:
- Amazon Web Services (AWS) — Hosting, storage, database, and authentication. All data remains in the EU (eu-north-1, Stockholm, Sweden).
- Anthropic (Claude API) — AI vision analysis for the optional Skin Scanner feature. Photos are sent for real-time processing; not retained by Anthropic per their API terms. See Section 6b.
- RevenueCat — Subscription management. Receives only your anonymized in-app purchase events (no health data).
- Sentry — Crash and error reporting. Receives technical diagnostics (stack traces, device model, OS version, IP). No health data is sent.
- Mixpanel — Anonymized product analytics (which features are used, screen flow). No health data is sent; no identifying user profile is built.
- Expo — App distribution and over-the-air updates.
- OpenWeatherMap — Weather data based on IP-derived location only. Your precise location is not sent or stored.
We do not share your personal data with advertisers or data brokers.
11. Cookies
The Ninoa website may use essential cookies strictly necessary for functionality (e.g., session management). We do not use advertising cookies, tracking cookies, or third-party marketing cookies.
12. Security Measures
- HTTPS/TLS encryption for all data in transit
- JWT-based authentication
- Role-based access control
- Secure password hashing
- System monitoring and logging
- Regular security reviews
13. Children's Privacy
Ninoa is not intended for children under 16 years old (as required by the GDPR) or under 13 years old (as required by COPPA in the United States). We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at support@ninoa.space.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page and notify users via email or in-app notice for significant changes. We encourage you to review this policy periodically.
Contact
If you have any questions about this Privacy Policy or your data, contact us at:
support@ninoa.space
Ninoa by Mariam Giorgobiani
Barcelona, Spain