Privacy policy for Headmate
Last updated: 15 April 2026
This privacy policy describes how Headmate (“Headmate”, “we”, “us”) processes personal data in connection with the Headmate mobile app, the related backend service (API) and the website headmate.dk.
By using the app or the website, you accept this policy to the extent permitted by law. If you use the app, there are also separate consents and terms in the app itself (e.g. during sign-up and in settings).
Data controller: Headmate · CVR 37058483 · Faste Batteri Vej 56, 2300 Copenhagen S · virk@headmate.dk
1. Purpose and general principles
We only process personal data that is necessary to:
- deliver and improve the Headmate service;
- manage your account, security and support;
- comply with legal obligations;
- where you have given consent, support anonymised statistics and product development.
Health-related information you record about yourself (e.g. migraine attacks) is processed with particular care and only under applicable rules (including the GDPR and the Danish Data Protection Act).
2. What personal data we process
2.1 Account and login
- Email address (for identification, login, important communications and — where needed — confirmations when deleting an account or changing email).
- Encrypted password (stored as a secure hash; we cannot read your password).
2.2 Profile and settings in the app
From your profile, we may process information such as name, gender, weight, height, year/date of birth, profile photo (if you add one), and technical/settings fields (e.g. medication follow-up, weather display, display of statistics in the app).
We also store whether you have accepted the terms and privacy policy, and whether you have enabled or disabled anonymised app statistics (app statistics / app_stats_enabled). This is a consent choice you can change in the app.
2.3 Migraine and headache records (health data)
We process the data you enter yourself about attacks and related context, including, for example, date/time, intensity, symptoms, triggers, impact, medication, notes, duration, and technical IDs linking records together. The same applies to medication lists (preventive and acute), custom symptoms/triggers, etc.
This information is special category data under the GDPR and is tied to your account until you delete the account.
2.4 Onboarding and questionnaire responses
If you complete onboarding/questionnaires in the app, your responses are stored linked to your user in our database so we can display and reuse them in the app. On account deletion, these responses are deleted together with the account.
We may use aggregated and anonymised extracts to understand the user group and improve the product — in line with your consent to app statistics where relevant.
2.5 Weather and optional location
If you use weather features, we may process optional location data (e.g. a fixed coordinate or area you have set) to display weather and pressure information. This is voluntary and controlled in the app settings.
2.6 Headmate+ (subscription)
Subscriptions are typically purchased via the Apple App Store or Google Play. We receive and update subscription status and related technical fields (e.g. status, expiry, product ID, store) through our backend and RevenueCat (see section 5). We do not process your full payment card details — this is handled by Apple/Google.
2.7 Support and in-app messages
When you create a support request or write in a support thread, we store subject, message content, and technical metadata (timestamps, status). This is necessary in order to help you. Support may be viewed by authorised personnel at Headmate (and to a limited extent via admin tools).
2.8 Technical events and product improvement (metadata — not the content of your attacks)
To operate the service securely and understand usage without logging health content itself as standard analytics, we may process:
a) Account deletion funnel
We may record that a user opened the deletion flow, abandoned it, or completed deletion (screen_viewed, abandoned, completed). On completed account deletion, these events are anonymised so they can no longer be linked to you, but can still be counted in aggregate statistics.
b) Report exports
When you export a report (e.g. PDF, image, CSV), we may record metadata: platform, format, date range, which types of fields you chose to include (e.g. yes/no for pain intensity, medication, MIDAS, etc.), and number of attacks in the period — not the list of attacks itself in the log. The purpose is anonymised usage statistics. On account deletion, these rows are anonymised in the same way as under (a).
c) Errors and support codes
For certain server errors, we may create a support event with a code ID visible in the app, plus technical context (e.g. error type, route, HTTP status, app version, platform). This helps us troubleshoot. The data may be linked to your account if you were logged in. On account deletion, the link to your user is anonymised where technically possible in our system.
2.9 Email via Resend
We use Resend (email provider) for transactional emails (e.g. welcome, password reset, confirmation of account deletion, email change). Resend processes the recipient email and delivery status as a processor for us. We configure webhooks and logging so sensitive content does not unnecessarily appear in server logs.
2.10 The website headmate.dk
The public website is predominantly static. As with any hosting, server and access logs at our hosting provider may contain IP address, timestamp, and requested page. These logs are used for operations and security and are deleted according to the provider’s normal cycle (often weeks/months — see hosting documentation).
We do not use marketing cookies or third-party tracking on the website unless this is specifically added later — if we later add a cookie banner/analytics, this policy will be updated.
3. Legal basis (GDPR)
- Performance of a contract to deliver Headmate (Art. 6(1)(b)): account, synchronisation of your records, core features.
- Consent (Art. 6(1)(a) and — for health data — Art. 9(2)(a)): onboarding, optional statistics, weather/location where required, certain settings.
- Legitimate interests (Art. 6(1)(f)): security, abuse prevention, technical troubleshooting, limited and proportionate logging — where not overridden by your rights.
- Legal obligation (Art. 6(1)(c)): where we are required to comply with law.
4. Sharing with processors and recipients
We do not sell your personal data. We may entrust processing to processors under data processing agreements, typically including:
| Area | Example supplier |
|---|---|
| Cloud/hosting / database | Rastec ApS |
| Email (transactional) | Resend |
| Subscriptions / receipts | RevenueCat; Apple; Google |
| App distribution & updates | Apple App Store, Google Play |
Public authorities may gain access where required by law.
5. Transfers to countries outside the EU/EEA
Certain suppliers (e.g. Resend, RevenueCat, Apple, Google) may process data in the USA or other third countries. Where required by law, we ensure transfers through the EU Commission’s Standard Contractual Clauses (SCCs) or equivalent mechanisms.
6. Retention
- Account and health data: until you delete your account, unless we are legally required to retain data longer.
- Account deletion: your personally identifiable data in the app database is deleted or anonymised in accordance with our deletion routines (including migraine logs, profile, support linked to the account, etc.). As described, aggregate/statistical events without personal references may be retained.
- Server and security logs: according to hosting provider practice and our internal policy (typically limited retention).
7. Your rights
Under the GDPR, you have rights including:
- Access to what data we process.
- Rectification of inaccurate data.
- Erasure (“right to be forgotten”) — for much of your data, you can delete your account in the app yourself.
- Restriction and, under certain conditions, data portability.
- Withdraw consent (without affecting the lawfulness of processing before withdrawal).
- Lodge a complaint with the Danish Data Protection Agency (www.datatilsynet.dk).
To exercise your rights, contact us at virk@headmate.dk. We may ask for verification of your identity.
8. Security
We apply technical and organisational measures, including encrypted password storage, separation of environments, admin access control, and limited logging of sensitive data. No internet transmission is 100% secure; we continuously work to reduce risk.
9. Children
Headmate is not directed at children under 13 years of age (or the age applicable under local law). We encourage parents to guide children.
10. Changes
We may update this policy. The current version is published on headmate.dk with an updated date. For material changes, we may provide additional notice in the app or by email.
11. Contact
Headmate
CVR 37058483 · Faste Batteri Vej 56, 2300 Copenhagen S
Email: support@headmate.dk