Ondum
Legal document

Personal Data Processing — Privacy Policy

Ondum — Self-help app for Obsessive-Compulsive Disorder · App it.stefer.Ondum · Version 1.0 · Effective date: 16 May 2026

This document is bilingual Italian/English. In case of interpretive discrepancy, the Italian version prevails for users resident in the European Union.

Leggi questa informativa in italiano →

1. Data Controller

The data controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 (hereinafter "GDPR") is Stefano Ferri. Privacy contact: privacy@ondum.app.

Absence of DPO: the controller is not required to designate a Data Protection Officer under Article 37 GDPR. No DPO has been appointed.

2. Introduction and Nature of the Application

Ondum is a mental health self-help application based on the ERP (Exposure and Response Prevention) protocol for people living with Obsessive-Compulsive Disorder (OCD).

Ondum is not a medical device within the meaning of Regulation (EU) 2017/745 (MDR) and does not constitute a clinical diagnosis, therapeutic prescription, or substitute for support from mental health professionals.

Privacy-first architecture — on-device by design: all data is processed exclusively on the user's device in an encrypted container. The controller does not operate proprietary servers and does not receive any personal data from the user, except as expressly stated in this policy.

3. Categories of Data Processed, Purposes and Legal Basis

3.1 Notice — Special Categories of Personal Data (Article 9 GDPR)

The nature of this application involves the processing of mental health data concerning the user, qualifying as special categories of personal data under Article 9 GDPR. This category includes, by way of non-exhaustive example:

  • OCD severity assessments (Y-BOCS scale);
  • content of obsessions and compulsions (including in free-text form);
  • exposure diaries and associated subjective notes;
  • intrusive thoughts and cognitive restructuring records;
  • crisis diary notes;
  • biometric parameters (sleep analysis, heart rate variability).

The legal basis for processing these special categories is the explicit consent of the data subject under Article 9(2)(a) GDPR. Consent is obtained in granular form, separately per purpose, through the consent management system integrated in the application (ConsentLog), with timestamp and policy version tracking. Consent may be freely withdrawn at any time without prejudice to the lawfulness of processing carried out prior to withdrawal.

3.2 On-Device Data (Encrypted Container)

All processed data is stored exclusively on the user's device in the application container protected with FileProtectionType.complete (encryption at rest tied to device screen lock). Categories processed, with their respective purposes and legal bases:

  • User profile: local identifier, display name (optional), creation date, OCD severity level, selected support mode, medication status (yes/no), language. Purpose: journey personalisation. Legal basis: Art. 9(2)(a) — explicit consent.
  • OCD profile: Y-BOCS score, severity level, dominant subtypes. Purpose: assessment and monitoring. Legal basis: Art. 9(2)(a).
  • Obsessions and compulsions: subtype/type, free text, SUDS intensity, duration and frequency. Purpose: exposure hierarchy and ritual reduction. Legal basis: Art. 9(2)(a).
  • Exposure hierarchy and sessions: feared-situation descriptions, pre/peak/post SUDS, response mode, subjective notes. Purpose: ERP planning and tracking. Legal basis: Art. 9(2)(a).
  • Cognitive cards: intrusive thought, misappraisal/realistic meaning, evidence. Purpose: cognitive restructuring. Legal basis: Art. 9(2)(a).
  • Daily check-ins: mood, anxiety, compulsions, themes, ritual minutes, uncertainty tolerance, notes, sleep hours and HRV SDNN (from HealthKit, separate opt-in). Purpose: longitudinal monitoring. Legal basis: Art. 9(2)(a); HealthKit: separate consent.
  • Crisis log: episode date, resource used, notes. Purpose: crisis support. Legal basis: Art. 9(2)(a).
  • Milestones and learning progress: milestone type, lesson progress, quiz answers. Purpose: motivation and content delivery. Legal basis: Art. 6(1)(b) — service performance.
  • Consent log: timestamps and policy version per consent, immutable append-only log. Purpose: accountability under Arts. 7 and 24. Legal basis: Art. 6(1)(c) — legal obligation.

Free-text fields: several fields accept free-text input (obsessions, compulsions, feared-situation descriptions, session notes, crisis notes, cognitive cards) which may contain highly sensitive information. They are processed with the highest available level of technical protection and never leave the device without explicit and voluntary user action.

3.3 System Widget

The system widget reads minimal data from the shared App Group container (current streak, today's check-in status, suggested item label, suggested SUDS) which may be visible on the Home Screen or Lock Screen depending on the user's chosen configuration. They are removed in their entirety upon data deletion (GDPR wipe).

4. Third-Party Processing

Apple HealthKit: where the user grants explicit, separate consent, Ondum reads sleep analysis and heart rate variability (HRV SDNN) in read-only mode. Such data remains on the device within the Apple ecosystem, is not transmitted to the controller or third parties; consent is revocable at any time via iOS Settings → Health → Data Access → Ondum.

Apple CloudKit (iCloud sync), TelemetryDeck (analytics), RevenueCat (in-app purchases) and Anthropic (AI Coach) are not active in the current version: no data is transmitted to these services. Any future activation will be preceded by an update of this policy and the collection of the relevant consent.

Apple App Store / TestFlight and Apple system infrastructure process app download/purchase data and minimal technical data (crashes, performance) according to Apple's policies, if the user has consented to diagnostic sharing. The controller does not control or directly receive such data.

5. Data Transfers

No personal data is transferred to the controller. All data processed by Ondum remains on the user's device; the controller does not carry out any cross-border transfers. Data processed by Apple may be subject to transfers outside the EU/EEA under Apple Inc.'s standard contractual arrangements, in compliance with applicable adequacy decisions and standard contractual clauses under Chapter V GDPR.

6. Data Retention

Data is retained exclusively on the user's device for the duration of application use. No server-side or controller-side storage exists. Data is deleted: (a) upon explicit user request via the "Delete All Data" function (full GDPR Art. 17 wipe: app data, temporary files, widget state); (b) upon uninstallation of the application. No minimum retention period is imposed by the controller.

7. Voluntary Data Export and Sharing

Portability (Art. 20): the user may export the complete data archive in machine-readable .json format at any time from app settings. A weekly PDF report can also be generated for sharing with the user's therapist. Once exported or shared by the user, the file falls outside Ondum's technical protection perimeter; the controller is not responsible for subsequent processing. Temporary files are removed automatically upon GDPR wipe.

8. Technical Security Measures (Art. 32 GDPR)

  • Encryption at rest (FileProtectionType.complete): data encrypted and inaccessible when the device is locked.
  • No advertising, behavioural-analytics or cross-app tracking SDKs.
  • No automated profiling (Art. 22 GDPR).
  • Compliant Privacy Manifest: NSPrivacyTracking = false, no data collected by the developer.
  • No remote account: user identity is exclusively local.

9. Data Subject Rights (Arts. 15–22 GDPR)

  • Access (Art. 15): in-app viewing + full .json export.
  • Rectification (Art. 16): direct in-app editing at any time.
  • Erasure (Art. 17): "Delete All Data" — complete and irreversible wipe.
  • Restriction (Art. 18): not applicable in on-device architecture (direct, immediate user control).
  • Portability (Art. 20): machine-readable .json export.
  • Objection (Art. 21): not applicable (no processing based on legitimate interest).
  • Withdrawal of consent (Art. 7(3)): at any time from the Consents section in settings, without prejudice to prior lawful processing.
  • Automated decisions (Art. 22): guaranteed absence of automated profiling with legal or similarly significant effects.

For the exercise of rights not manageable directly in-app: privacy@ondum.app. Users also have the right to lodge a complaint with the competent supervisory authority. For users resident in Italy: Garante per la protezione dei dati personali, Piazza Venezia 11, 00187 Rome — garanteprivacy.it. For users resident in other EU/EEA Member States, the competent authority is that of the Member State of habitual residence.

10. Minors

Ondum is intended exclusively for users aged 18 (eighteen) years and over. The controller does not knowingly collect personal data of minors. Should the controller become aware of personal data belonging to minors processed without parental or legal guardian consent, it will proceed with immediate and permanent deletion. Reports: privacy@ondum.app.

11. Future Features — BuddyLink

A future version will include the BuddyLink feature, allowing the user to designate a trusted person with whom to selectively share part of their journey. It will involve the processing of a third party's personal data (the buddy's name and contact details). It is not active in the current version. Prior to its activation this policy will be updated and supplemented with the applicable legal basis, the method of obtaining consent or other safeguards toward the third party, and the scope of data sharing.

12. Changes to This Policy

The controller reserves the right to update this policy in the event of changes to the technical architecture, activation of new features or developments in applicable legislation. Updates will be communicated via in-app notification; where modifications concern essential processing conditions (Art. 13 GDPR) a new explicit consent will be obtained before the changes take effect. The current version is always available at ondum.app/privacy and accessible from within the application.

13. Contact

Data Controller: Stefano Ferri. Privacy email: privacy@ondum.app.

Version 1.0 — 16 May 2026. The full bilingual (Italian/English) document is the reference; this page reproduces the English part.