Privacy policy

This Privacy Policy applies to our website www.moonbird.life (the "Website"), our Apps and Devices (together, our "Products") and our offices. Please ensure that you have read this Privacy Policy carefully before browsing through our Website, using our Products or visiting our offices.

Have any questions? Leave us a message at hello@moonbird.life.

Who are we?

We, moonbird BV, are the data controller under the European General Data Protection Regulation (the "GDPR") of your personal data processed in the context of our Website, our Products and your visit to our offices. This means we determine, and are responsible for, how your personal data is used. We have our registered office at Kaasrui 3/2, 2000 Antwerp (Belgium). Our company number is 0732.862.615 and our contact email address is hello@moonbird.life.

What information do we collect from you?

We may collect several types of personal data from you via the Website, Products and your visit to our offices, such as, but without limitation:

• Contact details, such as name and email address;
• Birthdate, age, sex, and gender;
• Financial information, such as bank account number;
• Information collected via our Products such as your heart rate (HR), heart rate variability (HRV) and information concerning your state of mind while using the Products (e.g. stressed, burned out, relaxed), as well as coherence scores derived from these measurements;
• Questionnaire data;
• Information about how you use our Website and the Products. For instance, information about the features you use in the Apps, the pages you view on the Website and how often you use the Website or the Products and your language settings. We may collect such information through cookies and other automated technology;
• Information about the device you use to access the Website and the Apps. For instance, your IP address, operating system version, device identifier, device type, model and manufacturer;
• Information in helpdesk enquiries;
• Employment data when you apply for a position with us, such as working experience and education;
• Video images of your visit to our offices;
• Demographic data voluntarily provided during onboarding, such as age, sex, height, and weight (all optional);
• Coherence scores derived from your heart rate variability (HRV) data while using the Products;
• Emotional check-in data, such as your self-reported emotional state on a two-dimensional grid (energy and pleasantness) and a five-point intensity scale;
• Inferred pre-session emotional state, derived by combining your self-reported emotional check-in data with your physiological data (e.g. HRV);
• EN6 personalisation profile, a machine-learning-derived profile used to personalise breathing exercises to your needs;
• Data from third-party wearable devices and health platforms that you choose to connect, such as Oura, Apple Health, Garmin, or WHOOP, including but not limited to sleep, activity, and recovery data. Where you connect Apple Health, moonbird may also write data back to Apple Health, such as mindful minutes;
• Voice data, processed in real time via third-party AI providers (OpenAI and ElevenLabs) to deliver voice-guided coaching sessions. Voice data is not stored by moonbird and is retained by these providers for no more than 30 days in accordance with their respective data processing agreements.

If you request us to provide certain information to your health insurance, we may process other information in addition to the list set out above, such as your insurance identification number.

What do we expect from you?

We expect that you only communicate personal data about yourself to us. If you also communicate personal data about other people to us, then you must ensure that you are entitled to do so.

We also expect that the personal data that you communicate to us is correct and that, if specific data changes, you promptly inform us of this change.

At the same time, we also ask you to protect your privacy and security by, for example, not allowing others to use your personal account and/or login details. You are responsible for safeguarding such authentication information and to immediately notify us in case of unauthorised use.

Why do we process your personal data?

We may process your personal data for the following purposes:

• To ensure that the content from our Website and our Apps is presented in the most effective manner for you and for your computer or device;
• To administer our Website and our Apps and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
• To improve our Website and our Apps to ensure that content is presented in the most effective manner for you and for your computer or device;
• To carry out our obligations arising from any Agreement entered into between you and us and to provide you with the Products and Services that you request from us;
• To answer and manage your requests (e.g. request for information, subscription to our newsletter, submit reviews, file a complaint in relation to our Products and Services, request to provide documentation to your health insurance);
• To inform you about our products and services which we feel may interest you (e.g. by sending you marketing messages);
• To follow up on your purchase of our Products and Services (e.g. by asking for your feedback on our Products and Services);
• To improve our Products and Services, by analysing pseudonymised data (i.e. personal data from which all directly identifying elements are replaced by a code);
• To manage our legal obligations and any disputes or claims (e.g. prevention/detection/sanctioning of unlawful activities and/or abuse of our resources, defence of legal claims);
• To manage the job application process you initiated, allowing us to get to know you and make an informed decision (e.g. analyse your CV and compare it with our requirements), and to be able to contact you for other suitable positions;
• To measure or understand the effectiveness of advertising we deliver to you and others, and to deliver relevant advertising to you;
• To protect the company offices and the company goods;
• To personalise your breathing exercises and coaching sessions based on your physiological data, emotional check-in data, and EN6 personalisation profile;
• To assess your emotional state before and after sessions, including by inferring your pre-session emotional state from a combination of self-reported and physiological data;
• To deliver AI-powered voice coaching sessions via third-party AI providers (OpenAI and ElevenLabs for voice processing, Google Gemini for session insights and emotion analysis), where your voice data is processed in real time and not stored by moonbird;
• To integrate with third-party wearable devices and health platforms (e.g. Oura, Apple Health, Garmin, WHOOP) that you choose to connect, in order to enrich your experience and provide personalised insights;
• To manage your freemium account and, where applicable, your premium subscription, including access control, billing, and feature availability;
• To conduct scientific research in collaboration with research partners, using pseudonymised or anonymised data, subject to your explicit consent and, where applicable, ethics committee approval.

Legal bases for processing

The provision of your personal data may be necessary for:

• The performance of a contract to which you are a party (e.g. your purchase contract) or in order to take pre-contractual steps at your request (e.g. in the context of a request for information);
• Compliance with a legal obligation applicable to us (e.g. with regard to invoicing);
• The legitimate interests pursued by us (or a data recipient) provided that these interests prevail over your fundamental rights and freedoms (e.g. pseudonymised data processed for research purposes, your email address for direct marketing purposes if you are a customer from us, protecting our company offices and company goods);
• In some cases, we will ask for your free, prior and informed consent before processing some of your personal data (e.g. your email address for direct marketing purposes if you are not yet a customer from us, employment data when you apply for a position with us). In particular, we will ask for your explicit consent under Article 9(2)(a) of the GDPR before processing special categories of personal data, such as health data (e.g. heart rate, HRV, coherence scores), emotional check-in data, inferred emotional states, and your EN6 personalisation profile. You will be asked to provide separate, granular consent for each of these processing activities through the moonbird app.

We do not subject you to decisions based exclusively on automated processing that produce legal effects concerning you or similarly significantly affect you. However, some features of our Products involve automated processing of your personal data, such as the inference of your emotional state and the generation of your EN6 personalisation profile. These features are designed to personalise your experience and do not produce legal effects or similarly significantly affect you. You have the right to object to such processing at any time (see "What are your rights?" below).

The provision of some of your personal data (e.g. your name, address, contact data, bank account, etc.) is in some cases a condition to the conclusion of the Agreement with us, necessary for us to be able to provide you with all the functionalities of our Products and Services or may be necessary for us to comply with our legal obligations. The possible consequences of not providing your personal data could include our inability to meet our obligations under the Agreement, our inability to provide you with all the available functionalities or a breach by us of one or more obligations under applicable laws (e.g. laws on accounting).

With whom do we share your personal data?

We may transfer (some) of your personal data to, for example, but without limitation:

• Providers of marketing related services and solutions;
• Providers of IT related services and solutions (e.g. Shopify);
• Our professional advisors (e.g. legal counsel, business consultants);
• Providers of CRM related services and solutions (e.g. Segment and Triplewhale);
• Providers of customer support related services (e.g. Intercom);
• Providers of bookkeeping related services and solutions;
• Third parties in the context of a potential business transaction;
• The police or judicial authorities at their request if they are entitled to request the personal data;
• Providers of online payment services;
• Providers of analytics-related services and solutions (e.g. Google);
• Providers of postal services (e.g. MyParcel, ShopWeDo, Byrd, Amazon FBA);
• Providers of security services and solutions (e.g. surveillance camera operators);
• Partners (e.g. affiliate partners, doctors and therapists, partnering health insurance companies);
• AI service providers that process your data on our behalf: OpenAI and ElevenLabs for voice-guided coaching (voice data is processed in real time and may be retained for up to 30 days), and Google Gemini for generating session summaries and emotion analysis. These providers do not use your data to train their models;
• Third-party wearable device and health platform providers (e.g. Oura, Apple Health, Android Health Connect, Garmin, WHOOP) that you choose to connect to our Products. Where you connect Apple Health or Android Health Connect, moonbird may write data such as mindful minutes or mindfulness sessions back to these platforms;
• Research partners, where you have given your explicit consent, for the purpose of conducting scientific research using pseudonymised or anonymised data;
• Authentication and identity providers (e.g. Supabase for account sign-up and sign-in using your email address, Google Sign-In and Apple Sign-In for single sign-on);
• Cloud infrastructure and database providers that host and store your personal data, including health and biometric data, on our behalf (e.g. DigitalOcean for database and sensor data storage in the EU, Render.com for application hosting in the EU);
• Push notification providers (e.g. Expo) that deliver session reminders and health insights to your device;
• Subscription and payment management providers (e.g. RevenueCat) that process your purchase and subscription data to manage your access to premium features.

Other than as set out above, we may also share statistics and insights developed by us from your personal data. These statistics and insights are derived from anonymised and aggregated information, such that it would not be possible to identify you (directly or indirectly) or even single you out from this information.

We will also disclose your information to third parties:

• In the event that we sell or buy any business or assets, in which case we may disclose your information to our current shareholders, the prospective seller or buyer of such business or assets;
• If moonbird or substantially all of its assets are acquired by a third party, in which case information held by it about its customers may be one of the transferred assets;
• If we are under a duty to disclose or share your information in order to comply with any legal obligation or to protect the rights, property, or safety of moonbird, our customers, or others. This includes exchanging information with public authorities (including judicial and police authorities) in the event of, for example, a cyber security incident;
• If that is appropriate to achieve any of the purposes set out in this Privacy Policy.

Can my data be transferred outside the European Union?

We may transfer your personal data to countries outside the European Union, including the United States. The following categories of data may be transferred to US-based processors: voice data to OpenAI and ElevenLabs for AI coaching; session transcripts and emotion data to Google Gemini for session insights; authentication data to Supabase; push notification tokens to Expo; subscription data to RevenueCat for payment management; and health data to wearable platform providers (e.g. Oura, WHOOP) that you choose to connect, where each provider acts as an independent data controller.

Your health and biometric data, including raw sensor data from the moonbird device, is stored on DigitalOcean servers located in Amsterdam (EU) and is not transferred outside the EU. Our application hosting is also located in the EU (Render.com in Frankfurt). Each international transfer is based on appropriate safeguards, such as an adequacy decision under Article 45 of the GDPR and/or standard data protection clauses as approved by the European Commission under Article 46.2 of the GDPR. We have entered into data processing agreements that include standard contractual clauses with our US-based processors. If you wish to enquire further about these safeguards, contact us via hello@moonbird.life.

How long will we store your personal data?

We will store the personal data we collect about you for no longer than necessary for the purposes set out above, and in accordance with our legal obligations and legitimate business interests. This means, in general, that we will retain your personal data at least for as long as you are in contact with us (e.g. as long as you use our Products and Services, subscribe to our newsletter etc.). We may need to retain your personal data for longer if the processing purposes or the law requires us to do so.

We use the following criteria to determine the retention periods of personal data according to the context and purposes of each processing operation:

• The time elapsed since the end of your commercial relationship with us;
• The sensitivity of personal data;
• Security reasons (for example, the security of our information security systems);
• Any current or potential dispute or litigation (for example, a litigation involving the sale of a product to you);
• Any legal or regulatory obligation to retain or delete personal data (for example, a retention obligation imposed by an accounting or tax).

Without prejudice to the above, the following specific retention periods apply to data processed through our moonbird app:

• If you do not convert from a free trial to a paid subscription, your personal data will be retained for six months after the end of the trial period, after which it will be deleted;
• Health data (e.g. heart rate, HRV, coherence scores), wearable data, emotional check-in data, and your EN6 personalisation profile will be retained for two years after the deletion of your account;
• App usage data (e.g. session logs, feature usage, interaction patterns) will be retained for two years after the deletion of your account;
• Electronic identification data (e.g. device identifiers, IP addresses, Apple ID) will be retained for six months after the deletion of your account;
• Voice data processed by OpenAI and ElevenLabs is retained by these providers for a maximum of 30 days, after which it is automatically deleted. Moonbird does not store raw voice audio; however, conversation transcripts are stored as described above;
• Pseudonymised data used for product improvement, scientific research, and model training (e.g. improving our breathing algorithms and EN6 personalisation models) may be retained for up to 10 years, subject to annual review of necessity, in accordance with GDPR Article 89(1) and with appropriate technical and organisational safeguards. Direct identifiers (name, email, device IDs) are removed before data enters the pseudonymised dataset. Identifiable data is deleted according to the retention periods listed above. You may request deletion of your data from the pseudonymised dataset at any time by contacting us.

Personal data collected during the job application process is deleted immediately after the end of the recruitment process, unless you consent to us contacting you for other suitable positions. In that case, we will keep your personal data for six months after the end of the recruitment process.

What are your rights?

You can contact us to exercise the following rights, in accordance with the conditions laid down in the applicable legislation:

Right to access

You have the right to request access to the personal data which we hold or process about you. If you ask us, we will provide you with information about the personal data that are being processed, the purpose of the processing, the source of those personal data and to whom we share these personal data.

Right to rectification and erasure

You have the right to request us, free of charge, to correct, erase or block any inaccuracies in your personal data if such personal data would be incomplete, inaccurate or processed unlawfully.

Right to restrict processing

You have the right, in some circumstances, to require us to limit the purposes for which we process your personal data if the continued processing of the personal data in this way is not justified, such as where the accuracy of the personal data is contested by you.

Right to data portability

You have the right, in certain circumstances, to receive a copy of the personal data you have provided to us in a structured, commonly used, machine-readable format that supports re-use, or to request the transfer of your personal data to another person.

Right to object

You also have the right to object to any processing based on our legitimate interests where there are grounds relating to your particular situation. There may be compelling reasons for continuing to process your personal data, and we will assess and inform you if that is the case. You can object to marketing activities for any reason.

Rights in relation to automated decision making and profiling

You have the right to request us not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

Right to withdraw consent

If our processing of your personal data is based specifically on your consent, you have the right to withdraw that consent at any time. This includes your right to withdraw consent to our use of your personal data for direct marketing purposes.

Right to object to personalisation

Where our Products use your personal data to personalise your experience (e.g. through your EN6 personalisation profile or inferred emotional state), you have the right to object to such processing under Article 21 of the GDPR. You may also withdraw your consent to specific processing activities (e.g. health data processing, emotional check-in processing, inference model, EN6 personalisation) independently through the settings in your moonbird app, without affecting the lawfulness of processing carried out before withdrawal.

You may exercise some of these rights, review and edit some of the personal data you have submitted to us through the settings in your personal account in the Apps (in case you have such a personal account).

Further, you can also contact us via hello@moonbird.life.

Due to the confidential nature of data processing we may ask you to provide proof of identity when exercising the above rights.

We will seek to respond to any request relating to your rights within one month of receipt of such request. Where, given the complexity of the claim or the number of requests received, the above deadline cannot be met, we will inform you of the extended deadline in which we will respond to your request. Such extension may not be more than two months from the date on which we notify you that an extension is required.

Security

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, change or damage. All personal data we collect will be stored on secure servers. We will never send you unsolicited emails or contact you by phone requesting your account ID, password, credit or debit card information or national identification numbers.

Third party websites or applications

Our Products and Services may contain links to and from third party websites, including those of our partner networks, advertisers, partner merchants, news publications, and retailers. If you follow a link to any of these websites, please note that these websites have their own privacy policies. We do not in any way review or endorse the privacy practices of such Third Parties, and thus we do not accept any responsibility or liability for their policies. Please check the individual policies before you submit any information to those websites.

Additional information for California residents

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information. This section supplements the rest of this Privacy Policy.

You have the right to know what personal information we collect, use, and disclose about you. You also have the right to request the deletion of your personal information, subject to certain exceptions. You may exercise these rights by contacting us at hello@moonbird.life.

moonbird does not sell your personal information, nor do we share your personal information for cross-context behavioural advertising purposes, as those terms are defined under the CCPA. We will not discriminate against you for exercising any of your CCPA rights.

Children

Our Products and Services are not directed at persons under 18 and we do not knowingly collect personal data from any persons under 18. If you become aware that your child has provided us with personal data, without your consent, then please contact us using the details below so that we can take steps to remove such personal data and terminate any account your child has created with us.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time and you should review this page periodically. When we change this Privacy Policy substantially, we will update the "last modified" date at the end of this Privacy Policy, and we will provide you with a notice indicating that the Privacy Policy has been updated. Changes to this Privacy Policy are effective when they are posted on this page. For any questions or comments regarding updates to the Privacy Policy, please contact us on hello@moonbird.life.

Contacting us

Please contact hello@moonbird.life if you have any questions, comments and requests regarding this Privacy Policy.

If we are unable to deal with any issues you raise with us, you have the right to lodge a complaint with your national data protection authority. Further information about how to contact your local data protection authority is available here. For instance, in Belgium this is the Belgian Data Protection Authority, rue de la Presse 35, 1000 Brussels, commission@privacycommission.be.

Last revised: 25 April 2026