Privacy Policy
Last updated: 2026-07-10
My Within is a mobile and web application operated by Inside Out Harmony e.U., a sole-proprietor company based in Austria. This Privacy Policy explains what personal data we collect, why, and how we protect it. We follow the EU General Data Protection Regulation (GDPR) and the Austrian Data Protection Act.
1. Data controller
Inside Out Harmony e.U.
Außerlitzstraße 10a, 6780 Schruns, Austria — EU
VAT ATU82926238 · FN 668345 k · Landesgericht Feldkirch
Data-protection contact: privacy@my-within.com
2. Data we collect and why
- Account: email, hashed password, name, role, language. Legal basis: Art. 6 (1)(b) GDPR (contract).
- Journal & WEVA data: journal entries, mood, WEVA/Deep Within answers. This is health-related data under Art. 9 GDPR — processed only with your explicit consent (Art. 9 (2)(a)).
- Voice recordings: audio you choose to record. Same legal basis as above.
- Payment records: transaction IDs, amounts, VAT, invoice metadata (via Stripe / Apple IAP / Google Play). Legal basis: Art. 6 (1)(b) and (c) (§ 132 BAO 7-year tax retention).
- Device push token: to deliver push notifications you opted into. Legal basis: Art. 6 (1)(a).
- Crash / error events: anonymised stack traces sent to Sentry EU. Legal basis: Art. 6 (1)(f) legitimate interest in a stable service.
- Anonymised analytics events: screen views, taps — sent to PostHog EU. Legal basis: Art. 6 (1)(a) opt-in.
3. Where your data is stored
All application data is stored on encrypted servers physically located in Helsinki, Finland (Hetzner HEL1) — inside the EU/EEA. Encrypted daily backups go to a Hetzner Storage Box in the same region. No storage of your personal data outside the EU/EEA.
4. Sub-processors
We use carefully selected sub-processors under Art. 28 GDPR contracts. The current list is public at my-within.com/subprocessors.
For AI features we use a pseudonymisation gateway: names, emails, phone numbers and other identifiers are stripped before any prompt is sent to an AI sub-processor. Freemium users are technically blocked from all AI endpoints — no health data leaves the backend in that tier.
5. Retention
- Journal / WEVA / mood data: until you delete your account, then purged within 30 days.
- Coach chat messages: 5 years (statute of limitations for service contracts).
- Invoice records: 7 years (§ 132 Austrian Fiscal Code).
- Crash events: 90 days (Sentry EU auto-purge).
- Analytics events: 30 days per identity, 12 months aggregated (PostHog EU).
6. Your rights (GDPR Art. 15–22)
You have the right to access, rectify, erase, restrict, port and object. See our Account & Data Deletion page for concrete steps. Requests are answered within 30 days at privacy@my-within.com.
Right of complaint: Österreichische Datenschutzbehörde, Barichgasse 40–42, 1030 Wien — dsb.gv.at.
7. Cookies
See our Cookies page for details.
8. Data-protection contact
At our current scale we are not statutorily required to appoint a formal DPO under Art. 37 GDPR. Our internal data-protection responsible person is reachable at privacy@my-within.com.
9. Changes
We will announce changes in the app and update the “Last updated” date at the top of this page.