GDPR Privacy Policy
For residents of the European Union and European Economic Area
Last updated: March 3, 2026
This privacy policy explains how DopaLive ("we", "us", "our") collects, uses, shares, and protects your personal data when you use our ADHD coaching platform, in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the EU AI Act (Regulation (EU) 2024/1689).
This policy applies to users residing in the EU/EEA. For users in Turkey, please also refer to our KVKK disclosure and Privacy Policy (Turkish).
1. Data Controller
Data Controller: DopaLive
Email: privacy@dopa.live
Website: https://dopa.live
Company incorporation is in progress. Legal entity details will be updated upon registration.
EU Representative (Article 27): To be appointed prior to EU launch. Contact details will be published here.
2. Personal Data We Collect
2.1 General Personal Data
- Account Data: Name, email address, phone number, profile photo (optional)
- Usage Data: Session durations, page views, feature usage, click behavior
- Device & Connection Data: IP address, browser type, device type, operating system
- Payment Data: Subscription status, plan type, payment history, billing info. Credit card details are processed directly by Stripe and never stored on our servers.
2.2 Special Category Data (Article 9)
Important: As an ADHD coaching platform, we process the following special category data classified as health data under GDPR Article 9. This processing requires your explicit consent.
- ADHD Profile Data: Dopamine profile test results (one of 6 profiles: Seeker, Sprinter, Diver, Juggler, Dreamer, Reactor)
- Mood & Energy Data: Daily mood check-in data, energy level records
- Focus & Performance: Focus session durations, completed tasks, daily progress
- AI Coaching Content: Chat history with Doppa AI, session summaries, goals and vision
- Video Coaching Metadata: 1:1 coaching session metadata (date, duration). Sessions are not recorded.
- Community Posts: Shared experiences about ADHD that may reveal health status
3. Legal Basis for Processing
We process your personal data based on the following legal grounds (Article 6 & 9):
| Purpose | Legal Basis |
|---|---|
| Service delivery, account management | Contract performance (Art. 6(1)(b)) |
| Payment processing | Contract performance (Art. 6(1)(b)) |
| Health data processing (ADHD profile, mood, coaching) | Explicit consent (Art. 9(2)(a)) |
| AI-powered coaching (Doppa) | Explicit consent (Art. 9(2)(a)) |
| Fraud prevention, security | Legitimate interest (Art. 6(1)(f)) |
| Analytics cookies, marketing | Consent (Art. 6(1)(a)) |
| Tax, accounting, legal obligations | Legal obligation (Art. 6(1)(c)) |
4. Artificial Intelligence & Automated Processing
DopaLive uses Google Vertex AI (Gemini) to power our AI coaching assistant, Doppa. This section fulfills our transparency obligations under the GDPR and the EU AI Act.
What Doppa Does
Doppa analyzes your coaching session content, goals, and mood data to generate personalized cognitive support recommendations. It is designed to complement human coaching, not replace it.
Data Sent to AI
Session content (text-based), goals, and mood data are sent to Google Vertex AI. Your identity (name, email) is never sent to the AI system. Data is processed using a pseudonymized user ID.
No Model Training
We use the paid Vertex AI API. Your data is not used for model training or improvement. Google may retain data for up to 55 days for abuse monitoring purposes only.
Automated Profiling (Article 22)
Your ADHD profile test results and usage data are automatically analyzed to generate personalized recommendations. This constitutes automated profiling under GDPR Article 22. You have the right to:
- Object to automated processing
- Request human review of AI-generated recommendations
- Contest decisions based solely on automated processing
Every AI recommendation includes a "Consult your coach" option for human oversight.
EU AI Act Classification
DopaLive's AI system is classified as Limited Risk under the EU AI Act (Regulation 2024/1689). We fulfill our transparency obligations by:
- Clearly disclosing when you are interacting with an AI system
- Explaining how AI processes your data
- Providing opt-out mechanisms and human alternatives
- Not using any prohibited AI practices (e.g., subliminal manipulation, social scoring)
Not Medical Advice
Doppa AI does not provide medical diagnosis or treatment recommendations. All suggestions are cognitive support and coaching in nature. For medical concerns, please consult a qualified healthcare professional.
5. International Data Transfers
Your personal data is transferred to the following third-party processors located outside the EU/EEA:
| Processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Google LLC (Firebase Auth) | Authentication | US | EU SCCs + DPA |
| Google LLC (Cloud Firestore) | Database | US / EU* | EU SCCs + DPA |
| Google LLC (Vertex AI / Gemini) | AI coaching | US / EU* | EU SCCs + DPA |
| Google LLC (GA4) | Analytics | US | EU SCCs + DPA, IP anonymization |
| Stripe, LLC | Payments | US | EU SCCs + DPA |
| Pluot Communications (Daily.co) | Video calls | EU (Frankfurt) + US | DPA, EU media servers |
* Region depends on infrastructure configuration. We are working to ensure EU data residency for EU users.
Transfer Safeguards (Article 46)
- Standard Contractual Clauses (SCCs): All US-based processors operate under EU-approved SCCs (Commission Implementing Decision 2021/914)
- Data Processing Agreements (DPAs): Signed with all sub-processors
- Supplementary Measures: Encryption in transit (TLS 1.2+) and at rest (AES-256), pseudonymization of health data sent to AI, access controls
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Until account deletion |
| Health data (ADHD profile, mood, coaching) | Until account deletion or consent withdrawal |
| AI coaching session history | Until account deletion. Google side: up to 55 days (abuse monitoring) |
| Payment and billing data | As required by tax law (up to 10 years) |
| Firebase Auth data | Until account deletion. Post-deletion: removed within 180 days |
| Analytics data (GA4) | 2 months (user-level), aggregate data longer |
| Video call metadata (Daily.co) | Duration of service. No audio/video stored. |
| Cookies | Session cookies: end of session. Analytics/marketing: up to 13 months |
When you delete your account, all personal data is permanently deleted within a reasonable timeframe, except where retention is required by law.
7. Your Rights Under GDPR
As an EU/EEA resident, you have the following rights:
- Right of Access (Art. 15): Request a copy of all personal data we hold about you
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
- Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
- Right to Restrict Processing (Art. 18): Request limitation of how we process your data
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
- Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing
- Right Against Automated Decisions (Art. 22): Not be subject to decisions based solely on automated processing, including profiling. Request human review of AI recommendations.
- Right to Withdraw Consent: Withdraw your consent for health data processing at any time, without affecting the lawfulness of prior processing
How to exercise your rights: Contact us at privacy@dopa.live. We will respond within 30 days. If we need more time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period.
Right to Lodge a Complaint: You have the right to lodge a complaint with your local Data Protection Authority (DPA). A list of EU/EEA DPAs can be found at edpb.europa.eu.
9. Data Security
We implement the following technical and organizational measures to protect your data:
- Encryption: All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Authentication: Multi-factor authentication options
- Access control: Role-based access with least-privilege principle
- AI data minimization: No identity data sent to AI; pseudonymized IDs used
- Payment security: Credit card data never touches our servers; processed by Stripe (PCI DSS Level 1)
- Video security: Video calls encrypted with 256-bit TLS and AES-256; no recordings made
10. Data Protection Impact Assessment
Given that DopaLive processes special category health data (ADHD profiles, mood data) and uses AI-powered automated profiling, we acknowledge the requirement for a Data Protection Impact Assessment (DPIA) under GDPR Article 35.
A DPIA will be completed and maintained prior to our EU/EEA launch. The assessment covers risks related to health data processing, AI profiling, and international data transfers. Results will inform our data protection measures and be made available to supervisory authorities upon request.
11. Children's Privacy
DopaLive is intended for users aged 13 and above.
- Ages 18+: May use our services directly
- Ages 13-17: May use our services (including DopaLive Campus) with verifiable parental or guardian consent
We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has provided us with personal data, we will take steps to promptly delete that data.
12. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before they take effect.
For changes affecting the processing of special category data, we will request your explicit consent again.
13. Contact
For questions about this privacy policy or to exercise your data protection rights:
DopaLive Data Protection
Email: privacy@dopa.live
We aim to respond to all data protection requests within 30 days. For complex requests, we may extend this by an additional 60 days with prior notice.
