FOR USERS IN THE EUROPEAN ECONOMIC AREA (EEA), UNITED KINGDOM, AND SWITZERLAND: This document outlines your data protection rights under the General Data Protection Regulation (GDPR) and our compliance with the European Union Artificial Intelligence Act (EU AI Act). These rights are legally enforceable and non-negotiable.
1. Introduction and Scope
GMX Quantum LLC ("Company," "We," "Us," or "Our") is committed to protecting the privacy and data rights of users in the European Economic Area (EEA), United Kingdom, and Switzerland. This document explains:
- Your rights under the General Data Protection Regulation (GDPR);
- Our compliance with the European Union Artificial Intelligence Act (EU AI Act);
- How we process, store, and protect your personal data;
- How our AI features comply with EU transparency and safety requirements.
This document supplements our Privacy Policy, Terms of Service, and Account & Data Deletion Policy.
2. Our Legal Basis for Processing Your Data (GDPR Article 6)
Under GDPR, we must have a lawful basis to process your personal data. We process your data based on the following legal grounds:
2.1 Contractual Necessity (GDPR Article 6(1)(b))
Processing is necessary to provide the diAry service to you, including:
- Account creation and authentication;
- Cloud synchronization of journal entries (Elite subscribers);
- Subscription billing and payment processing;
- AI transcription and companion features.
2.2 Legitimate Interests (GDPR Article 6(1)(f))
Processing is necessary for our legitimate business interests, including:
- App performance monitoring and error detection;
- Security monitoring and fraud prevention;
- Anonymized analytics to improve user experience;
- Customer support and issue resolution.
You have the right to object to processing based on legitimate interests at any time.
2.3 Consent (GDPR Article 6(1)(a))
For certain optional features, we rely on your explicit consent:
- Optional email marketing communications;
- Optional analytics and app usage tracking;
- Optional third-party integrations (future features).
You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
2.4 Legal Obligations (GDPR Article 6(1)(c))
Processing is necessary to comply with legal obligations, including:
- Tax and accounting record retention (7 years);
- Compliance with lawful government or court orders;
- Detection and reporting of illegal activity when required by law.
3. Your GDPR Data Subject Rights
As a user in the EEA, UK, or Switzerland, you have the following legally enforceable rights:
3.1 Right to Access (Article 15)
You have the right to request:
- Confirmation of whether we process your personal data;
- A copy of all personal data we hold about you;
- Information about the purposes of processing, categories of data, and recipients;
- Information about retention periods and your other GDPR rights.
To request access: Email [email protected] with subject line "GDPR REQUEST – RIGHT TO ACCESS". We will respond within thirty (30) days with your data in a structured, commonly used, and machine-readable format (JSON or CSV).
3.2 Right to Rectification (Article 16)
You have the right to correct inaccurate or incomplete personal data. You can update your account information directly in the app under Settings → Account, or email [email protected].
3.3 Right to Erasure / "Right to Be Forgotten" (Article 17)
You have the right to request deletion of your personal data. See our Account & Data Deletion Policy for complete details on:
- How to delete your account (in-app or via email);
- What data is deleted and when;
- Legal exceptions to deletion (e.g., payment records, legal compliance).
Account deletion is permanent and irreversible. We cannot recover data after deletion.
3.4 Right to Restriction of Processing (Article 18)
You may request that we restrict processing of your data (without deleting it) if:
- You contest the accuracy of your data and want us to verify it;
- Processing is unlawful, but you prefer restriction over deletion;
- We no longer need the data, but you need it for legal claims;
- You have objected to processing and verification is pending.
To request restriction: Email [email protected] with subject line "GDPR REQUEST – RESTRICTION OF PROCESSING".
3.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON or CSV) and to transmit that data to another service provider.
Data portability includes:
- Your journal entries (text and metadata);
- Your mood tracking data;
- Your account information (name, email);
- Your AI transcription history (if applicable).
To request data export: Email [email protected] with subject line "GDPR REQUEST – DATA PORTABILITY". We will provide your data within thirty (30) days.
3.6 Right to Object (Article 21)
You have the right to object to processing of your data for:
- Direct marketing: You may opt out of marketing emails at any time via the "unsubscribe" link in our emails;
- Processing based on legitimate interests: You may object to analytics or performance monitoring; we will cease processing unless we have compelling legitimate grounds that override your interests.
To object: Email [email protected] with subject line "GDPR REQUEST – RIGHT TO OBJECT".
3.7 Right Not to Be Subject to Automated Decision-Making (Article 22)
IMPORTANT: diAry does NOT use automated decision-making or profiling that produces legal effects or significantly affects you.
- Our AI transcription feature converts speech to text but does not make automated decisions about you;
- Our AI companion feature provides conversational responses but does not evaluate, score, or categorize you;
- We do not use AI to make decisions about subscriptions, access, or account status.
If this changes in the future, we will update this policy and notify you.
4. How to Exercise Your GDPR Rights
To exercise any of your GDPR rights:
- Email [email protected];
- Use a clear subject line (e.g., "GDPR REQUEST – RIGHT TO ACCESS");
- Include: Your full name, email address associated with your account, and a description of your request;
- We will verify your identity and respond within thirty (30) days.
There is no fee for exercising your GDPR rights. If your request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse the request.
5. Data Retention Periods (GDPR Article 5(1)(e))
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected or to comply with legal obligations:
- Account and journal data: Deleted within 48 hours of account deletion;
- Backup copies: Deleted within 30 days of account deletion;
- Payment records: Retained for 7 years (tax compliance);
- Customer support emails: Retained for 3 years;
- Anonymized analytics: Retained indefinitely (cannot be linked to you).
For complete details, see our Account & Data Deletion Policy.
6. International Data Transfers (GDPR Articles 44-50)
WHERE IS YOUR DATA STORED?
Your data may be stored and processed in:
- United States: Our primary servers are located in the United States;
- European Union: We may use EU-based cloud infrastructure for certain services.
6.1 Legal Safeguards for Data Transfers
When transferring personal data from the EEA to the United States, we rely on the following legal mechanisms:
- Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with our service providers;
- Adequacy Decisions: We may rely on EU Commission adequacy decisions when available;
- Technical and Organizational Measures: We implement encryption, access controls, and security monitoring to protect data in transit and at rest.
6.2 Third-Party Processors with Access to Your Data
The following third-party processors may have access to your data:
- Apple (App Store, RevenueCat): Payment processing for iOS subscriptions (covered by Apple's GDPR-compliant Data Processing Agreement);
- Google (Play Store, RevenueCat): Payment processing for Android subscriptions (covered by Google's GDPR-compliant Data Processing Agreement);
- OpenAI or Anthropic (AI transcription and companion features): AI processing under GDPR-compliant Data Processing Agreements with strict data minimization and deletion policies.
We do NOT sell your personal data to third parties under any circumstances.
7. EU AI Act Compliance
The European Union Artificial Intelligence Act (EU AI Act) regulates the development, deployment, and use of AI systems within the EU. diAry's AI features are designed to comply with the EU AI Act requirements.
7.1 AI Risk Classification
diAry's AI features are classified as "MINIMAL RISK" under the EU AI Act.
- AI Transcription: Converts speech to text for personal journaling purposes. Does not make decisions about you, evaluate you, or affect your legal rights;
- AI Companion: Provides conversational responses and journaling prompts. Does not use biometric identification, predictive policing, social scoring, or emotion recognition for prohibited purposes.
diAry does NOT deploy "high-risk" AI systems as defined by the EU AI Act (Annex III).
7.2 Transparency Requirements (EU AI Act Article 52)
We clearly disclose when you are interacting with an AI system:
- AI transcription features are labeled as "AI Transcription" in the app;
- AI companion responses are clearly marked and distinguishable from human-generated content;
- We do not use AI to generate "deepfakes" or manipulated content that could deceive you.
7.3 Data Minimization and Privacy by Design (EU AI Act Article 10)
Our AI features are designed with privacy and data minimization principles:
- No training on your data: Your journal entries and voice recordings are NOT used to train AI models;
- Ephemeral processing: Voice recordings for transcription are deleted immediately after processing;
- On-device processing (when possible): We prioritize on-device AI processing to minimize data transmission;
- Encryption: All AI processing requests are encrypted in transit (TLS/SSL).
7.4 Human Oversight and Accountability
While diAry uses AI for transcription and conversational features, you remain in full control:
- You can edit, delete, or override AI-generated transcriptions;
- You can disable AI features at any time in Settings;
- AI companion responses are suggestions, not automated decisions that affect your rights;
- We maintain logs of AI processing for accountability and debugging purposes (anonymized where possible).
8. Security Measures (GDPR Article 32)
We implement technical and organizational measures to protect your data:
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256);
- Access controls: Role-based access controls (RBAC) limit employee access to personal data;
- Authentication: Passwords are hashed using industry-standard bcrypt;
- Monitoring: We monitor for security incidents, unauthorized access, and data breaches;
- Data breach notification: In the event of a data breach that poses a risk to your rights, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Article 33.
9. Your Right to Lodge a Complaint
If you believe we have violated your GDPR rights, you have the right to lodge a complaint with your local Data Protection Authority (DPA).
EEA/UK/Switzerland Data Protection Authorities:
- Austria: Austrian Data Protection Authority (Österreichische Datenschutzbehörde)
- Belgium: Belgian Data Protection Authority (Autorité de protection des données)
- France: CNIL (Commission Nationale de l'Informatique et des Libertés)
- Germany: Federal Commissioner for Data Protection and Freedom of Information (BfDI)
- Ireland: Data Protection Commission (DPC)
- United Kingdom: Information Commissioner's Office (ICO)
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC)
You can find a complete list of EU Data Protection Authorities at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
10. Updates to This Policy
We may update this GDPR & EU AI Act Compliance document to reflect:
- Changes in GDPR or EU AI Act regulations;
- Changes in our data processing practices;
- New features or services that affect data processing.
We will notify you of material changes via:
- Email notification to your registered account email;
- In-app notification when you next open diAry;
- Updated "Last Updated" date at the top of this document.
Continued use of diAry after such changes constitutes acceptance of the updated policy.
11. Contact Information
For GDPR-related inquiries, data subject rights requests, or EU AI Act compliance questions, contact:
GMX Quantum LLC
Data Protection Officer
Email: [email protected]
Subject Line: "GDPR REQUEST" or "EU AI ACT INQUIRY"
Registered Address: Wilmington, Delaware, United States
Response Time: We will respond to GDPR requests within thirty (30) days. If we need more time, we will notify you and explain the reason for the delay.
Effective Date: April 8, 2026 | Version: 1.0
This document is legally binding and enforceable under the General Data Protection Regulation (GDPR) and the European Union Artificial Intelligence Act (EU AI Act). By using diAry, you acknowledge that you have read, understood, and agreed to the terms outlined in this document.