Privacy Policy

Introduction

At Me Growth we take your privacy seriously. This Privacy Policy explains, in line with Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 on Personal Data Protection (LOPDGDD), who processes your personal data, for what purpose, on what legal basis, for how long, with which processors we share it, and what rights you may exercise at any time.

This policy applies to every service offered under the Me Growth brand, including the public website (megrowthes.com), the emotional-support application, the administration panel, and the lead-capture and newsletter forms.

1. Data controller

The controller responsible for processing your personal data is:

• Legal name: Me Growth
• Postal address: Postal address pending — request it in writing at info@megrowthes.com
• Privacy contact email: info@megrowthes.com

The full legal entity name and registered postal address will be updated once ongoing legal verification is complete. In the meantime, you may direct any official communication to the email above and we will provide the corresponding corporate documentation.

2. Data Protection Officer (DPO)

We have analysed the criteria of Article 37 GDPR applicable to large-scale processing of special-category data (mental health). While the formal DPO designation or exemption is being documented, the single point of contact for privacy matters and for exercising your rights is info@megrowthes.com.

Privacy contact: info@megrowthes.com

The outcome of the DPO designation analysis will be published in this same section once finalised.

3. Categories of personal data we process

The personal data we process depends on your relationship with us. We group it by data-subject type:

Visitor of the public website (megrowthes.com)

• Technical data: IP address (anonymised before storage), session identifier, browser type, language and detected country.
• Strictly necessary cookies and, with prior consent, analytics cookies (PostHog) and error-monitoring cookies (Sentry).
• Data from any contact, beta, professional or enterprise form you choose to submit (name, email, company, message).

Newsletter subscriber

• Email address, communication language, and consent timestamp.
• Confirmation and unsubscribe tokens stored only as SHA-256 hashes.

Registered application user

• Account data: email address, name, password (hashed by Supabase Auth), language, time zone, and versioned consents.
• If you choose Google sign-in: Google account identifier (sub / provider_id), email and email_verified status, display name, avatar URL, and OAuth identity metadata (issuer, audience) returned by Google Identity Services. Google is the source of these claims; raw_user_meta_data duplicates are scrubbed server-side immediately after callback.
• Emergency contacts (name and phone) encrypted at the field level (AES-256-GCM).
• Professional or patient profile data, as applicable.
• Health and emotional-wellbeing data — special category under Article 9 GDPR: chat content, voice transcripts, emotion analysis, detected crisis severity, and persistent avatar memory. This data is encrypted at rest and only decrypted server-side during processing.
• Service-usage data: course progress, avatar sessions, voice metrics, and audit-log events with hashed IPs (HMAC-SHA256).

Healthcare professional or B2B contact

• Identification and contact data, organisation data, and role.
• Professional verification documentation (PDF/JPEG/PNG) stored in a private Supabase Storage bucket.
• B2B feedback survey responses, with consent and a hashed IP.

Pursuant to Article 9(2)(a) GDPR, processing of mental-health data takes place only on the basis of your explicit consent, collected via a specific independent checkbox at sign-up. You may withdraw it at any time from your profile; withdrawal does not affect the lawfulness of prior processing and is recorded in our audit log in line with Article 7(3) GDPR.

4. Processing purposes and legal bases

We process your personal data for the following purposes, each on the legal basis indicated:

5. Automated decisions (Article 22 GDPR)

We apply the automated systems described below to the content you share with the application. Of the three, only the chat block triggered by a severe crisis (severity ≥ 0.9) produces an effect that similarly significantly affects you within the meaning of Article 22(1) GDPR: when it triggers, you cannot continue the AI conversation and we redirect you to the emergency phone numbers. That interruption exists exclusively to protect you. For every system you always retain the rights under Article 22(3) (human intervention, expression of your point of view, contesting the decision) and, where applicable, under Article 21 (objection to profiling), as detailed at the end of this section.

Crisis detection (significant effect when severity ≥ 0.9)

A deterministic classifier based on keyword lists (no statistical training, no user profiling) that scores each message between 0 and 1. Legal basis: Article 6(1)(b) (performance of the contract) and Article 9(2)(c) (vital interests, in cases of serious risk to life or integrity). Consequences: from 0.7 we inject care instructions into the AI response without interrupting the conversation; from 0.9 the chat is interrupted and we display the emergency phone numbers (024, 717 003 717, 112) along with an informational message. The 0.9 threshold may qualify as a similarly significant effect (Article 22(1)) and is therefore covered by the reinforced safeguards of Article 22(3) detailed below. The decision is made in real time, does not rely on user profiling, and the reason for the block is stored (encrypted at rest) for 90 days to enable human review.

Emotion detection (no significant effect)

A remote classifier that infers a primary emotion (joy, sadness, anxiety, anger, etc.) from the text of the message. Legal basis: Article 6(1)(b) (performance of the contract) and Article 9(2)(a) (explicit consent collected when activating health-data processing). The prediction is used solely to enrich the AI prompt with empathetic context when confidence exceeds 0.40 and the emotion is not "neutral". It is not used to deny access, allocate professionals, or for commercial profiling. You may object to this processing at any time from your profile via the "Object to emotional profiling" toggle (Article 21 GDPR); when the objection is active, we stop invoking the classifier on your messages and any analytics events sensitive to profiling are disabled.

Off-topic message classifier (no significant effect)

Automated filter that distinguishes queries clearly outside the emotional-support scope (operational requests, technical tasks, etc.) so we can respond with a gentle clarification. Legal basis: Article 6(1)(b) (performance of the contract). It does not deny access to the service, imposes no adverse consequence, and is not stored beyond 90-day operational logs.

Pursuant to Article 22(3) GDPR, and in a reinforced manner for the severe-crisis chat block, we recognise the following rights: (a) human intervention — you may request that an authorised member of the team review the blocked message and the decision; (b) expression of your point of view — you may explain why you consider the classification incorrect or disproportionate; (c) contestation of the decision — you may formally request reconsideration of the block or of any emotion inference. To exercise any of these rights, write to info@megrowthes.com indicating, if available, the approximate date and time of the block. We will respond with genuine human (non-automated) intervention within one month, in line with Article 12(3) GDPR. As a complement, you may object to emotional profiling from your profile (Article 21) and you may delete your chat history and persistent memory at any time.

Other than the chat block triggered by a severe crisis (severity ≥ 0.9) — whose sole purpose is to protect you against a vital risk — none of these classifiers is used to deny you access to the service, set differential pricing, allocate professionals, transmit information to any third party other than the processors detailed in section 6, or carry out commercial profiling.

6. Recipients and processors

To deliver the service we share personal data with the processors and identity providers below. Processors act under a data processing agreement (Art. 28 GDPR) and apply technical and organisational measures equivalent to ours. Where a provider acts as an independent controller for its own account or security service (e.g. Google Identity Services for federated sign-in), we identify that role in the row and the provider's own public privacy terms also apply. We keep this list up to date and notify material changes as described in section 14.

Detailed public list (categories, data processed and sensitivity tier): Sub-processors page.

7. International data transfers

Some of the processors above are located outside the European Economic Area. In every case we apply the safeguards required by Articles 44 to 49 GDPR:

• For the United States: a combination of the EU-US Data Privacy Framework (Adequacy Decision 2023/1795) when the provider is self-certified and, failing that, Standard Contractual Clauses (SCCs) approved by Decision 2021/914.
• Encryption in transit (TLS 1.3) and, for special-category data, additional application-level encryption before the data leaves our EU servers.
• Data minimisation: for example, only the textual chunk strictly needed to generate the response is sent, and never identifying metadata such as the email address.

Following the CJEU Schrems II ruling (C-311/18), for each transfer we assess whether the destination country's legislation affects the effectiveness of the safeguards. The detail of those assessments is available on a reasoned request basis.

8. Retention periods

We keep your personal data only for as long as necessary to fulfil the indicated purposes. As an indication:

9. Your rights

As a data subject, you are entitled to the following rights, which you may exercise free of charge at any time:

• Access (Art. 15): Find out what data we process about you and obtain a copy.
• Rectification (Art. 16): Correct inaccurate or incomplete data.
• Erasure (Art. 17): Request deletion when the data is no longer necessary or you withdraw consent.
• Restriction (Art. 18): Ask that your data be only stored, with no further processing.
• Portability (Art. 20): Receive your data in a structured, commonly used format (JSON), or request its transmission to another controller.
• Objection (Art. 21): Object to processing based on legitimate interest or to the automated decisions described in section 5.
• Withdrawal of consent (Art. 7(3)): Without affecting the lawfulness of prior processing.

How to exercise your rights

If you hold an account in the application (app.megrowthes.com), you can exercise most of your rights directly from your profile once you sign in: Open profile.

If you only gave us your email through a public form (beta, professional, enterprise, professionals) or subscribed to the newsletter, your confirmation email contains a personal signed link to download or delete your data. Those links are issued only at submission time and are the sole self-service path: if you lost them, cannot find the email or never interacted with the website, write to us and we will handle the request manually at no cost.

For any request (including a lost email link) write to us at: info@megrowthes.com

To protect your privacy we may ask you to prove your identity before processing the request, especially when it involves special-category data.

We will reply within one month at the latest (extendable by two more for complex requests, in line with Art. 12(3) GDPR).

10. Right to lodge a complaint with the supervisory authority

If you consider that our processing of your data does not comply with the law, before or after contacting us, you may lodge a complaint with the Spanish Data Protection Agency (AEPD), the competent supervisory authority:

• Address: C/ Jorge Juan, 6. 28001 — Madrid (Spain)
• Phone: +34 901 100 099 / +34 912 663 517
• Online portal: https://www.aepd.es
• Complaint forms: https://sedeaepd.gob.es/sede-electronica-web/vistas/formReclamacionDerechos/reclamacionDerechos.jsf

11. Cookies and similar technologies

We use strictly necessary cookies and local storage for the operation of the service (session, language, preferences) and, with prior consent, analytics cookies (PostHog) and error-monitoring cookies with replay (Sentry). If you choose Google sign-in, the redirect to Google sets and reads cookies on Google domains (accounts.google.com); we do not set or read those cookies on megrowthes.com, and the redirect only occurs when you explicitly click the Google button. You may accept or reject each category from the cookie preferences panel, available at any time from the footer and, on your first visit, from the cookie banner.

Full detail of every cookie, its purpose, duration and provider: Cookie Policy.

12. Minors

The service is not directed to children under 14. Under Article 7 of the Spanish LOPDGDD, this is the minimum age at which a minor's consent is valid in Spain. If you are between 14 and 18 you may use the service, although we recommend doing so with the knowledge of your legal guardian given the nature of the topics involved. If we detect an account of a child under 14 we will suspend it and delete the associated data; if you are a parent or legal guardian and believe a minor in your care has provided us with data without your authorisation, please email info@megrowthes.com and we will proceed with immediate deletion.

13. AI Training Consent

As an independent and optional processing operation, we offer the option for your conversations to be used, after anonymisation, to improve our artificial intelligence models. This consent:

• Is completely optional and is not required to use the service.
• Is based on Articles 6(1)(a) and 9(2)(a) GDPR (explicit consent for special-category data).
• Can be enabled or disabled at any time from the Privacy section of your profile.
• When active, allows the app to learn from your conversations to offer increasingly personalised support.
• Data is anonymised before being used for training.
• Withdrawal of consent is recorded in our audit log in line with Art. 7(3) GDPR and stops any future use.

Users registered before 25 March 2026 were migrated with this consent enabled. They can disable it at any time from their profile.

14. Changes to this policy and version

Whenever we update this policy we will revise the date and version in the header. Material changes are notified before they take effect: in the application, through the re-consent flow that triggers the next time you sign in when the version stored in your profile is older than the published version; on the public website, through a prominent notice and, in the case of leads and newsletter, through a fresh consent collection on the next interaction.

Version history

• 2026-05-28: Google sign-in and account-linking disclosures: OAuth identity-claim categories under section 3, pre-contractual legal basis (Art. 6(1)(b)) under section 4 for the brief pre-consent window, Google Identity Services added under section 6 as an independent identity provider, identity-data retention under section 8, and Google OAuth redirect cookie note under section 11. No change to health-data processing or the explicit Art. 9(2)(a) consent.
• 2026-05-08: Full update under Articles 13/14 GDPR: controller identity, DPO, legal bases, automated decisions (Art. 22), processors, international transfers, retention periods, data-subject rights, AEPD, cookies, minors, and version log.
• 2026-04-19: Fourth consent for commercial communications.
• 2026-03-25: Explicit consent section for AI training.
• 2026-03-06: Explicit consent for the processing of health data.
• 2026-03-01: Initial version published with the opening of the beta program.

Current version: 2026-05-28

Contact

If you have any questions about this Privacy Policy or about the processing of your data, please write to us at:

Email: info@megrowthes.com