Our Commitment to Your Privacy
Somatic Wealth OS is committed to protecting your privacy with the same care and intentionality we bring to your somatic and financial wellbeing. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use the Somatic Wealth OS platform, including its web interface, mobile components, wearable integrations, and coaching features (collectively, the "Service").
This Policy is written to be read, not buried. We have structured it to give you a complete and honest account of our data practices — including the sensitive nature of the biometric, financial, and psychological data this platform handles.
By using Somatic Wealth OS, you agree to the practices described in this Privacy Policy.
1. Who We Are and How to Contact Us
Somatic Wealth OS is operated as a wellness and coaching platform designed to help individuals understand the relationship between their physiological nervous system states and their financial behaviors and decisions.
Data Controller Contact
Email: privacy@somaticwealthos.com
For all privacy-related requests, inquiries, or complaints, please contact our Privacy Team. We respond to all privacy inquiries within 30 days.
2. The Data We Collect and Why
We collect only data that is necessary for the Service to function.
2.1 Account and Identity Data
What we collect: Name, email address, account role (Explorer or Guide), date of account creation, authentication tokens.
Why: To create and maintain your account, authenticate your identity, and route you to the correct experience within the platform.
Lawful basis: Performance of a contract (Terms of Service).
2.2 Usage and Interaction Data
What we collect: Pages visited, features used, session duration, button interactions, timestamps of activity, error logs.
Why: To improve the Service, diagnose technical issues, and understand aggregate usage patterns.
Lawful basis: Legitimate interests (service improvement and security).
2.3 Device and Technical Data
What we collect: Browser type, operating system, IP address (truncated), screen resolution, time zone.
Why: To ensure compatibility and troubleshoot technical issues. We truncate IP addresses and do not use this data for tracking or profiling.
Lawful basis: Legitimate interests (security, compatibility).
2.4 Coaching Configuration Data
What we collect: Calibration thresholds set by a Guide (HRV yellow, red, and blue threshold values), coaching relationship linkage records.
Why: To enable the coaching features and allow Guides to configure personalized parameters for their Explorers.
Lawful basis: Performance of a contract; explicit consent.
3. Biometric and Health Data — Special Protections
We treat biometric and health data as a separate and elevated category of sensitive personal information.
3.1 What We Collect
- Heart Rate Variability (HRV): Measured in milliseconds (RMSSD standard after normalization). Raw device values are preserved separately.
- Resting Heart Rate: In beats per minute, as reported by a connected device.
- Nervous System State Classifications: Regulated, Activated, Overload, or Shutdown — computed from HRV and resting heart rate against personal baseline thresholds.
- Cortisol Proxy: An estimated stress indicator derived from HRV pattern analysis. This is a computational estimate, not a clinical measurement.
- Dysregulation Flags: Whether a reading is more than 20% below your 7-day HRV baseline.
3.2 The 7-Day Calibration Phase
When you first connect a wearable, we enter a 7-day silent calibration phase. During this phase, data is collected and stored but no alerts, risk scores, or nervous system state flags are generated or shared with your Guide. This ensures all baseline thresholds reflect your actual physiology before the system acts on them.
3.3 How We Use Biometric Data
Biometric data is used exclusively to:
- Compute your nervous system state and present it on your personal dashboard.
- Generate personalized session recommendations (breathing, grounding, vagal toning).
- Build your historical baseline for trend analysis and cycle reflections.
- Share with your Guide only if you have explicitly toggled "Share Somatic Data" to ON.
- Power the AI-based dysregulation prediction model described in Section 8.
We do not use biometric data for advertising, third-party profiling, insurance underwriting, employment decisions, or any purpose unrelated to your direct use of the Service.
3.4 Biometric Data Storage
Biometric data is encrypted at rest using AES-256 and in transit using TLS 1.3. Your biometric history is never deleted without your explicit instruction, even if you sever a coaching relationship or deactivate your account.
3.5 Clinical Disclaimer
Somatic Wealth OS is a wellness platform. Nervous system state classifications, HRV readings, and intervention recommendations provided by this Service are not medical diagnoses, clinical assessments, or substitutes for professional medical care. If you are experiencing a mental or physical health crisis, please contact a qualified healthcare provider or emergency services.
4. Financial and Behavioral Data — The Decision Audit
4.1 What We Collect
- Financial Context Flags: User-entered indicators that a journal entry has a financial dimension. We do not collect account numbers, balances, portfolio values, or transaction data.
- Market Volatility Context: External market data (VIX index, SPY and QQQ price movements) from third-party providers. Not linked to your personal financial accounts.
- Behavioral Patterns: Derived correlations between market events and your biometric readings.
4.2 What We Do Not Collect
- Bank account or brokerage account information.
- Investment portfolio details or holdings.
- Credit card or payment information (beyond standard subscription processing).
- Tax records or financial statements.
4.3 How We Use Decision Audit Data
We use Decision Audit data to help you identify patterns between market events and your physiological responses. It is shared with your Guide only if you have explicitly enabled "Share Decision Audit" in your Privacy & Sharing settings.
5. Journal and Reflection Data
5.1 What We Collect
- Reflection entries including text, stressor tags, mood ratings, and intensity levels.
- AI-generated pattern analysis stored alongside your entries.
- Cycle Reflection summaries generated at the end of each reflection cycle.
5.2 Sensitivity of Journal Data
Journal data is:
- Encrypted at rest using AES-256 encryption.
- Never used to train external AI models without your explicit opt-in consent.
- Never sold, licensed, or disclosed to third parties outside the limited sharing described in Section 6.
- Shared with your Guide only if you have explicitly enabled "Share Reflections."
6. Coaching Relationships — The Guide and Explorer Data Bridge
6.1 How Sharing Works
Somatic Wealth OS is designed around explicit, granular consent. As an Explorer, you have three independent sharing toggles in your Privacy & Sharing settings:
- Share Somatic Data — Gives your Guide access to your HRV readings, heart rate, and nervous system state history.
- Share Decision Audit — Gives your Guide access to your financial behavioral patterns and market correlation data.
- Share Reflections — Gives your Guide access to your journal entries and reflection summaries.
All three toggles default to OFF. No data is shared with your Guide without your affirmative action.
6.2 What Guides Can See
When a toggle is ON, your Guide can view that data stream. When OFF, they see a "Private" indicator and cannot access or infer the contents. No administrative override exists for Guide access.
6.3 Guide Calibration Access
Your Guide may set HRV threshold values for your Balance Gauge. This does not grant access to your underlying data unless the relevant sharing toggle is ON.
6.4 The Guide Link Record
When you establish a coaching relationship, we create a GuideLink record storing both email addresses, the linked date, data categories shared, and severance details. This record is retained for 3 years after the relationship ends for audit purposes only.
7. Wearable Device Integrations
7.1 Supported Devices
Somatic Wealth OS integrates with Garmin, Fitbit/Google Health, Samsung Health, Whoop, and Apple Watch (via companion iOS component). Each integration requires your explicit authorization through that provider's standard OAuth consent flow.
7.2 Data Normalization
When data arrives from a connected wearable, it passes through our normalization function before storage. This converts device-specific formats (e.g., Apple Watch's SDNN metric, Fitbit's proprietary HRV score) into a standardized RMSSD-equivalent. The original raw value and unit are always preserved separately — no information is lost.
7.3 Device Authorization and Revocation
You may revoke any wearable connection at any time via the Wearables page or directly through the device provider's account settings. Revocation stops future data syncing immediately. Historical data already stored in your Sanctuary is not deleted upon revocation unless you separately request deletion.
7.4 Third-Party Data Practices
Each device provider's own privacy policy governs data on their systems. Somatic Wealth OS only receives data you authorize during the OAuth consent flow. We encourage you to review the privacy policies of any connected provider.
8. AI and Machine Learning Processing
8.1 How AI is Used
Somatic Wealth OS uses large language model (LLM) AI to:
- Predict dysregulation risk (0–100 score with contributing factors).
- Generate Cycle Reflection narratives.
- Analyze journal patterns and identify recurring stressor correlations.
- Compose personalized proactive alert messages.
8.2 Human Oversight
AI-generated risk scores, state classifications, and intervention recommendations are decision-support tools, not autonomous decisions. No AI output produces a consequence for you without your active choice to engage with it.
8.3 Model Training
We do not use your personal data to train or fine-tune AI models without your explicit, separately obtained, opt-in consent.
8.4 Simulated and Demo Data
New users who have not yet connected a wearable will see clearly labeled simulated demonstration data in analytics views. It is not your data, is not stored under your account, and is replaced automatically when you connect a real wearable.
9. Market Data and Third-Party Financial Feeds
Market volatility data (VIX index, SPY and QQQ price data) is fetched from Alpha Vantage, a third-party financial data provider. This is public market data and does not involve any access to your personal financial accounts. Alpha Vantage's privacy policy governs their data practices. Market data is fetched every 30 minutes during US market hours, Monday through Friday.
10. How We Use Your Data
We use your data to:
- Operate, maintain, and improve the Service.
- Provide personalized nervous system state monitoring and coaching features.
- Generate AI-powered insights, risk scores, and cycle reflections.
- Send proactive alerts when market volatility matches your personal trigger profile.
- Enable coaching relationships with your explicitly chosen Guide.
- Detect and prevent fraud, abuse, and security threats.
- Comply with legal obligations.
We do not use your data for:
- Advertising or ad targeting. The platform is entirely ad-free.
- Sale or licensing to third parties.
- Insurance, credit, or employment decisions.
- Training AI models without explicit opt-in.
- Behavioral profiling for purposes unrelated to the Service.
11. How We Share Your Data
We share your data only in the following circumstances:
11.1 With Your Guide
We share your data with your Guide as described in Section 6, and only when you have enabled the relevant sharing toggle.
11.2 With Service Providers
We use a limited number of third-party vendors to operate the Service (cloud hosting, AI/LLM API, financial market data, transactional email). These vendors are contractually bound to process your data only for the purposes of providing their services to us.
11.3 For Legal Compliance
We may disclose your data if required by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to prevent imminent harm.
11.4 Business Transfers
If Somatic Wealth OS is acquired or merged, your data may be transferred as part of that transaction. We will notify you by email and provide a 30-day window to request deletion before any such transfer takes effect.
11.5 With Your Consent
We will share your data for any other purpose with your explicit prior consent.
12. Data Retention
| Data Category | Retention Period |
|---|---|
| Account and Identity Data | Duration of account + 2 years after deletion |
| Biometric Readings | Indefinite (until you delete) |
| Journal and Reflection Entries | Indefinite (until you delete) |
| Decision Audit / Market Correlation Data | Indefinite (until you delete) |
| GuideLink Records (audit trail) | 3 years after severance |
| Usage and Interaction Logs | 12 months rolling |
| AI-Generated Outputs | Same as the source data they relate to |
| Wearable Raw Data | Indefinite (until you delete) |
You may request deletion of any or all of your data at any time. See Section 13.
13. Your Rights and Controls
We honor all of the following rights regardless of where you are located.
13.1 Right to Access
Request a complete export of all personal data we hold about you in machine-readable JSON format within 30 days.
13.2 Right to Correction
Request correction of inaccurate or incomplete personal data.
13.3 Right to Deletion
Request permanent deletion of your account and all associated data. The only data retained is the GuideLink audit trail (3 years) and any data we are legally required to retain.
13.4 Right to Restrict Processing
Request that we restrict processing of your data while you contest its accuracy or object to its use.
13.5 Right to Data Portability
Request your data in a structured, machine-readable format for transfer to another service.
13.6 Right to Object
Object to processing based on legitimate interests. We will cease unless we can demonstrate compelling legitimate grounds.
13.7 Right to Withdraw Consent
Withdraw consent at any time where processing is consent-based. Withdrawal does not affect prior lawful processing.
In-App Controls
Available at any time without a formal request: toggle Guide sharing ON/OFF per category, sever the Guide relationship, disconnect wearable devices, adjust cycle length, and delete individual journal entries or biometric readings.
To exercise formal rights: privacy@somaticwealthos.com
14. The Sever Link — Ending a Coaching Relationship
If you choose to end your relationship with your Guide, use the "Sever Link" feature in your Privacy & Sharing settings. Upon severance:
- Your Guide's access to all shared data is revoked immediately and simultaneously.
- All three sharing toggles are set to OFF.
- A timestamped severance receipt is generated and stored in your account.
- Your entire Sanctuary history remains intact and private.
- The GuideLink record is updated with a "severed" status and retained for 3 years as an audit trail.
The Sever Link feature is available at any time without restriction. No notice to your Guide is required, though they will see the relationship has ended when they next access the platform.
15. Children's Privacy
Somatic Wealth OS is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that a user under 18 has created an account, we will delete the account and all associated data promptly. Contact: privacy@somaticwealthos.com.
16. International Data Transfers
Somatic Wealth OS is operated from the United States. If you access the Service from outside the United States, your data may be transferred to and processed in the United States or other countries where our service providers operate. We implement Standard Contractual Clauses (SCCs) where required by applicable law.
For users in the EEA or United Kingdom, we rely on the following lawful bases: performance of a contract, compliance with a legal obligation, legitimate interests, and explicit consent for sensitive data categories including biometrics.
17. Security
- Encryption at Rest: AES-256 for all stored personal data including biometric readings, journal entries, and financial behavioral data.
- Encryption in Transit: TLS 1.3 for all data transmission.
- Access Controls: Role-based access with the principle of least privilege. Guide access is gated by your explicit sharing consent, not administrative configuration.
- Incident Response: Documented security incident response plan. Breach notification within 72 hours of discovery, consistent with applicable law.
- Third-Party Security Reviews: Periodic assessments of our infrastructure and service providers.
No system is perfectly secure. Report vulnerabilities to security@somaticwealthos.com.
18. Changes to This Policy
We will notify you of material changes by:
- Sending an email to your registered address at least 30 days before the change takes effect.
- Displaying a prominent notice within the platform.
- Updating the "Last Updated" date at the top of this document.
For non-material changes (clarifications, formatting), we update the document without prior notice. Continued use after the effective date constitutes acceptance of the revised Policy.
19. Contact and Complaints
Privacy Team — Somatic Wealth OS
Email: privacy@somaticwealthos.com
EEA users may lodge complaints with their local data protection authority. UK users may contact the Information Commissioner's Office at ico.org.uk. California users may exercise CCPA rights by contacting us above. We do not sell personal information as defined under the CCPA.