Privacy Policy
Last updated: April 2026
1. Who We Are
PMC Baltic FZ-LLC (LICENCE NO: 45001684) (“we”, “us”, “our”) is the data controller responsible for your personal data.
Address: SFFO0507 Compass Building, Al Shohada Road, AL Hamra Industrial Zone-FZ, Ras Al Khaimah, United Arab Emirates
Email: services@pmcbaltic.com
2. Data We Collect
We collect the personal data described in the Data Inventory table below. This includes information you provide directly (email, quiz answers), information generated through your use of our service (behavioral segment, funnel events, listening progress), and information from payment processing (payment identifiers, order history).
| Category | Fields | Purpose | Legal Basis | Retention |
|---|---|---|---|---|
| Email address | email | Deliver personalized quiz results, create account, transactional emails | Consent (Art. 6(1)(a)) | Active accounts: duration of account; Abandoned sessions: 90 days |
| Health-related quiz answers | quiz_answers (JSONB) | Generate personalized health/wellness recommendation | Explicit consent (Art. 9(2)(a)) - special category data | Active accounts: duration of account; Abandoned sessions: 90 days |
| Behavioral segment | result_segment | Tailor product recommendations to quiz outcome | Legitimate interest (Art. 6(1)(f)) or consent | Active accounts: duration of account; Abandoned sessions: 90 days |
| Payment identifiers | stripe_customer_id, default_payment_method, stripe_payment_intent_id | Process payments, enable one-click upsells, handle refunds | Contract performance (Art. 6(1)(b)) | 7 years (tax/accounting obligation) |
| Order history | amount_cents, currency, status, product_name | Fulfill purchases, provide order receipts, handle disputes | Contract (Art. 6(1)(b)) + legal obligation (Art. 6(1)(c)) | 7 years (tax/accounting obligation) |
| Listening progress | day_number, listen_duration_seconds, language | Track user progress through audio program, resume playback | Contract performance (Art. 6(1)(b)) | Duration of account |
| OTP login attempts | email, ip_address, success, attempted_at | Security monitoring, brute-force protection | Legitimate interest (Art. 6(1)(f)) - security | 30 days |
| Funnel behavior events | event_type, step_number, metadata | Analytics, conversion optimization, drop-off detection | Consent (Art. 6(1)(a)) | Non-purchased sessions: 90 days; Purchased sessions: 2 years |
| Entitlements | product_slug, access_level, granted_at, expires_at | Grant and verify access to purchased digital products | Contract performance (Art. 6(1)(b)) | Duration of account |
3. Purpose of Processing
We process your personal data for the following purposes:
- Quiz personalization: to generate a tailored health/wellness recommendation based on your answers
- Account management: to create and maintain your user account and track your product entitlements
- Payment processing: to process purchases, manage subscriptions, and handle refunds or disputes
- Service delivery: to provide access to purchased digital content and track your listening progress
- Analytics and optimization: to understand how users interact with our funnel, identify drop-off points, and improve conversion (with your consent)
- Retargeting: to show relevant advertising to users who did not complete their purchase (with your consent)
- Security: to detect and prevent fraudulent login attempts and unauthorized access
4. Legal Basis for Processing
We rely on the following legal bases under GDPR Article 6(1):
- Consent (Art. 6(1)(a)): for email collection, analytics tracking, marketing communications, and funnel behavior events. You may withdraw consent at any time.
- Explicit consent (Art. 9(2)(a)): for processing health-related quiz answers (special category data). This consent is collected separately before the quiz begins.
- Contract performance (Art. 6(1)(b)): for payment processing, order fulfillment, account management, entitlement delivery, and listening progress tracking.
- Legal obligation (Art. 6(1)(c)): for retaining order and payment records as required by tax and accounting law.
- Legitimate interest (Art. 6(1)(f)): for security monitoring (OTP attempt logging, fraud prevention) and behavioral segmentation where consent is not required.
5. Data Recipients
We share your personal data with the third-party service providers listed in the Third-Party Processors table below. Each provider acts as a data processor under a Data Processing Agreement (DPA) and processes data only on our instructions.
We do not sell your personal data to any third party.
| Service | Role | Data Shared | Location | Transfer Mechanism |
|---|---|---|---|---|
| PostHog | Processor | Session ID, email (when identified), event names, page URLs | EU (eu.i.posthog.com) | EU data residency |
| Google Tag Manager / Google Ads | Processor / Controller | Hashed email (SHA-256), session ID, event names, metadata | US (Google LLC) | EU-US Data Privacy Framework + SCCs |
| Stripe | Processor | Email, payment card (tokenized), amounts, customer ID, metadata | US (Stripe Inc.) | EU-US Data Privacy Framework + SCCs |
| Vercel Analytics | Processor | Page URLs, Web Vitals, referrer, user agent | US (Vercel Inc.) | EU-US Data Privacy Framework + SCCs |
| Vercel Speed Insights | Processor | Page load metrics, connection type | US (Vercel Inc.) | EU-US Data Privacy Framework + SCCs |
| Supabase | Processor | All database contents (sessions, orders, events, progress, auth) | Check project region | Check project region |
| Meta Pixel | Processor | Hashed email (SHA-256), session ID, page views, purchase events | USA (Meta Platforms, Inc.) | EU-US Data Privacy Framework + SCCs |
| ActiveCampaign | Processor | Email address, lead metadata, tags, quiz completion status | USA (ActiveCampaign, LLC) | Standard Contractual Clauses (SCCs) |
6. International Data Transfers
Some of our processors are located in the United States. We ensure adequate protection for international transfers through the following mechanisms:
- EU-US Data Privacy Framework: Stripe, Google, and Vercel are certified under the EU-US DPF, providing an adequacy basis for transfers.
- Standard Contractual Clauses (SCCs): where applicable, we use the European Commission's standard contractual clauses as an additional safeguard.
- EU data residency: PostHog processes analytics data within the EU (eu.i.posthog.com), so no international transfer occurs.
- Supabase: the transfer mechanism depends on the configured project region. Contact us for details about the specific region used.
7. Data Retention
We retain your personal data only as long as necessary for the purposes described in this policy. Specific retention periods are listed in the Data Inventory table above. In summary:
- Abandoned quiz sessions (no purchase): 90 days, then automatically deleted
- Purchased sessions and account data: duration of your account relationship
- Orders and payment records: 7 years (tax/accounting legal obligation)
- Funnel behavior events (non-purchased): 90 days
- Funnel behavior events (purchased): 2 years
- OTP login attempts: 30 days
- Entitlements: duration of your account
8. Your Rights Under GDPR
Under the General Data Protection Regulation, you have the following rights regarding your personal data:
- Right of access (Art. 15): obtain a copy of the personal data we hold about you
- Right to rectification (Art. 16): correct inaccurate or incomplete personal data
- Right to erasure (Art. 17): request deletion of your personal data ("right to be forgotten")
- Right to restriction (Art. 18): restrict the processing of your data in certain circumstances
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format
- Right to object (Art. 21): object to processing based on legitimate interest or for direct marketing
- Right to withdraw consent (Art. 7(3)): withdraw any consent you have given, at any time, without affecting the lawfulness of processing before withdrawal
- Right to lodge a complaint (Art. 77): file a complaint with your national data protection authority
9. How to Exercise Your Rights
To exercise any of the rights listed above, please contact us at services@pmcbaltic.com. You can also reach us by post at SFFO0507 Compass Building, Al Shohada Road, AL Hamra Industrial Zone-FZ, Ras Al Khaimah, United Arab Emirates.
We will respond to your request within 30 days. If your request is complex or we receive a large number of requests, we may extend this period by a further 60 days, and we will notify you of any such extension.
We may ask you to verify your identity before processing your request to ensure the security of your personal data.
Exercising your rights is free of charge. However, if requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act on the request.
10. Supervisory Authority
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. You can complain to the data protection authority in your country of residence, your place of work, or the place of the alleged infringement.
The lead supervisory authority for PMC Baltic FZ-LLC (LICENCE NO: 45001684) is the United Arab Emirates Data Protection Authority.
11. Data Provision Requirements
Providing your personal data is partly a requirement and partly voluntary:
- Email address: required to receive your personalized quiz results. Without it, we cannot deliver your recommendation.
- Quiz answers: required to generate your personalized recommendation. Without them, the service cannot function.
- Payment data: required to purchase products. This data is processed by Stripe; we do not store your full card details.
- Analytics data: voluntary. You can decline analytics cookies and the service will still function fully.
- Marketing consent: voluntary. You can use the service without opting in to marketing communications.
12. Automated Decision-Making and Profiling
Our quiz uses automated processing to generate a personalized recommendation based on your answers. This constitutes profiling under GDPR Article 4(4).
How it works: your quiz answers are analyzed to determine a behavioral segment (e.g., stress-related, sleep-related). This segment is used to recommend specific products and tailor the content you see on the results and offer pages.
This automated processing does not produce legal effects or similarly significantly affect you. The recommendation does not restrict your access to any service and does not make decisions about your legal rights.
You have the right to obtain human intervention, express your point of view, and contest the recommendation by contacting us at services@pmcbaltic.com.