Legal
Privacy Policy
Last updated: 2 June 2026
This Privacy Policy explains how Elbe Tech Invest ETI GmbH ("we", "us", "our"), the company behind the YouDoo brand, collects and uses personal data when you visit youdoo.ai (this website), contact us, complete our business survey, or use the YouDoo platform and applications (collectively, the "Service"). YouDoo is developed as a regulated medical device (Class IIa, EU MDR).
We process personal data in accordance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other applicable data protection law.
1. Data controller
The data controller responsible for your personal data is:
Elbe Tech Invest ETI GmbH
Email: privacy@youdoo.ai
2. Data we collect
2.1 Website visitors
When you use this website, we may collect:
- Contact and enquiry data — name, email, company, message content, and similar fields you submit via our contact form or business needs analysis ("Bedarfsanalyse") survey.
- Technical data — IP address, browser type, device information, and approximate usage data (only if you consent to analytics cookies — see our Cookie Policy).
- Cookie and consent records — your cookie preferences and the timestamp of your decision.
2.2 YouDoo platform users
If you create an account and use the Service, we additionally collect:
- Account data — name, email, password (stored as a bcrypt hash), language, role, and organisation affiliation where applicable.
- Health and wellness data — medical history, pain diary entries, therapy session transcripts and AI summaries, exercise records, goals, and progress statistics. This is special category data under Article 9 GDPR, processed on the basis of your explicit consent during registration and onboarding.
- Voice data — if you use voice sessions, audio is processed in real time by our speech provider (ElevenLabs) for transcription. We do not permanently store raw audio; text transcripts are retained for continuity of care.
- Organisation data — for employer programmes: organisation details, administrator contacts, and employee enrolment identifiers. Individual employee health data is never disclosed to employers (see section 6).
3. How we use your data
| Purpose | Legal basis (GDPR) |
|---|---|
| Operating this website and responding to enquiries | Legitimate interest / steps prior to contract (Art. 6(1)(b), (f)) |
| Website analytics (only with consent) | Consent (Art. 6(1)(a)) |
| Providing and personalising the Service | Performance of contract (Art. 6(1)(b)) |
| Processing health data for therapy features | Explicit consent (Art. 9(2)(a)) |
| AI exercise recommendations and session analysis | Explicit consent (Art. 9(2)(a)) |
| Clinical safety monitoring (red flag detection) | Vital interests / explicit consent (Art. 9(2)(c), (a)) |
| Aggregated organisation wellness analytics | Legitimate interest (Art. 6(1)(f)) |
| Security, fraud prevention, and legal compliance | Legitimate interest / legal obligation (Art. 6(1)(c), (f)) |
4. AI processing and memory
YouDoo uses artificial intelligence (Anthropic Claude) to provide personalised health guidance, including session analysis, memory extraction (vector embeddings for personalisation), exercise recommendations, and red-flag detection. AI outputs are subject to expert clinical review where appropriate. We do not make solely automated decisions with legal or similarly significant effects without human oversight.
5. How employee data is processed
When an organisation enrols employees in a YouDoo programme:
- Individual health data stays private. Employers cannot access individual therapy sessions, pain logs, exercise records, or AI conversation transcripts.
- Employers receive only aggregated analytics — participation and engagement trends that cannot be traced back to identifiable individuals.
- Employees retain full control over their health data, including deletion rights independent of employment status.
Organisations using YouDoo for employee programmes should also review our Data Processing Agreement on the platform.
6. Sharing and processors
We do not sell personal data. We share data only with vetted processors under written agreements:
| Recipient | Purpose | Location |
|---|---|---|
| Resend | Transactional email (contact, survey, account) | USA (Standard Contractual Clauses) |
| Google Analytics | Website analytics (consent only) | USA (Standard Contractual Clauses) |
| Hetzner | Infrastructure hosting | Germany / EU |
| Anthropic | AI processing (Claude) | USA (Standard Contractual Clauses) |
| ElevenLabs | Voice processing (STT/TTS) | USA (Standard Contractual Clauses) |
| Stripe | Payment processing (where applicable) | USA (Standard Contractual Clauses) |
7. International transfers
Personal data is processed in the EU/EEA by default. Where transfers outside the EEA occur, we use Standard Contractual Clauses and supplementary safeguards as required.
8. Retention
- Website enquiries: retained as long as needed to handle your request and for up to 24 months for business records unless you request earlier deletion.
- Account and health data: for the lifetime of your account; deleted within 30 days of account deletion or upon valid erasure request.
- Technical logs: up to 90 days for security and debugging.
- Payment records: as required by tax law (typically up to 10 years under German law).
9. Your rights
You have the right to access, rectify, erase, restrict, port, and object to processing, and to withdraw consent at any time. See our GDPR / data rights page for details. Contact privacy@youdoo.ai — we respond within one calendar month.
10. Security
We use encryption in transit (TLS), encryption at rest, bcrypt password hashing, role-based access controls, and infrastructure hosted in Germany. No method of transmission is 100% secure; we continuously review our measures.
11. Children
The Service is not intended for anyone under 16. We do not knowingly collect data from children. Contact us if you believe a child has provided personal data.
12. Changes
We may update this policy from time to time. Material changes will be communicated via email or a notice on the Service or website.
13. Contact
Privacy questions or data rights requests: privacy@youdoo.ai
Data Protection Officer: dpo@youdoo.ai