Privacy policy for Headmate
Last updated: 5 April 2026
This privacy policy describes how Headmate (“Headmate”, “we”, “us”) processes personal data in connection with the Headmate mobile app, the related backend service (API) and the website headmate.dk.
By using the app or the website you accept this policy to the extent permitted by law. If you use the app, there are also separate consents and terms in the app itself (e.g. when you sign up and in settings).
Data controller: Headmate · CVR 37058483 · Faste Batteri Vej 56, 2300 Copenhagen S · virk@headmate.dk
1. Purpose and general principles
We only process personal data that is necessary to:
- deliver and improve the Headmate service;
- manage your account, security and support;
- comply with legal obligations;
- where you have given consent, support anonymised statistics and product development.
Health-related information you record about yourself (e.g. migraine attacks) is handled with particular care and only under applicable law (including the GDPR and the Danish Data Protection Act).
2. What personal data we process
2.1 Account and login
- Email address (for identification, login, important notices and — where needed — confirmations when deleting an account or changing email).
- Encrypted password (stored as a secure hash; we cannot read your password).
2.2 Profile and settings in the app
From your profile we may process information such as name, gender, weight, height, year/date of birth, profile photo (if you add one), and technical/settings fields (e.g. medication follow-up, weather display, statistics shown in the app).
We also store whether you have accepted terms and privacy policy, and whether you have turned anonymised app statistics on or off (app statistics / app_stats_enabled). This is a consent choice you can change in the app.
2.3 Migraine and headache records (health data)
We process the data you enter about attacks and related context, including e.g. date/time, intensity, symptoms, triggers, impact, medication, notes, duration and technical IDs linking records. The same applies to medication lists (preventive and acute), custom symptoms/triggers, etc.
This information is special category data under the GDPR and is tied to your account until you delete the account.
2.4 Onboarding and questionnaire answers
If you complete onboarding/questionnaires in the app, your answers are stored linked to your user in our database so we can show and reuse them in the app. On account deletion these answers are deleted with the account.
We may use aggregated and anonymised extracts to understand the user base and improve the product — in line with your consent to app statistics where relevant.
2.5 Weather and optional location
If you use weather features, we may process optional location (e.g. fixed coordinates or an area you set) to show weather and pressure information. This is voluntary and controlled in the app settings.
2.6 Headmate+ (subscription)
Subscriptions are typically purchased via Apple App Store or Google Play. We receive and update subscription status and related technical fields (e.g. status, expiry, product ID, store) via our backend and RevenueCat (see section 5). We do not process your full payment card details — Apple/Google handle that.
2.7 Support and in-app messages
When you create a support request or write in a support thread, we store the subject, message content and technical metadata (timestamps, status). This is necessary to help you. Support requests may be viewed by authorised staff at Headmate (and to a limited extent via admin tools).
2.8 Technical events and product improvement (metadata — not the content of your attacks)
To run the service securely and understand usage without logging health content as standard analytics, we may process:
a) Account deletion funnel
We may record that a user opened the deletion flow, abandoned it, or completed deletion (screen_viewed, abandoned, completed). On completed account deletion these events are anonymised so they can no longer be linked to you, but can still be counted in aggregate.
b) Report exports
When you export a report (e.g. PDF, image, CSV), we may log metadata: platform, format, time range, which field types you chose to include (e.g. yes/no for pain intensity, medication, MIDAS, etc.) and number of attacks in the period — not the list of attacks in the log. The purpose is anonymised usage statistics. On account deletion these rows are anonymised in the same way as (a).
c) Errors and support codes
For certain server errors we may create a support event with a code ID shown in the app, plus technical context (e.g. error type, route, HTTP status, app version, platform). This helps troubleshooting. Data may be linked to your account if you were logged in. On account deletion the link to your user is anonymised where technically possible in our system.
2.9 Email via Resend
We use Resend (email provider) for transactional email (e.g. welcome, password reset, account deletion confirmation, email change). Resend processes recipient email and delivery status as a processor for us. We configure webhooks and logging so sensitive content does not unnecessarily appear in server logs.
2.10 The website headmate.dk
The public website is largely static. As with any hosting, server and access logs at our host may contain IP address, time and requested page. Logs are used for operations and security and are deleted per the provider’s normal cycle (often weeks/months — see hosting documentation).
We do not use marketing cookies or third-party tracking on the website unless added separately — if we later add a cookie banner/analytics, this policy will be updated.
2.11 Admin dashboard (employees only)
Access to admin.headmate.dk (or equivalent) is only for authorised employees. Sessions and actions there are processed for operations, support and security and are not part of the ordinary user app experience.
3. Legal basis (GDPR)
- Performance of a contract to deliver Headmate (Art. 6(1)(b)): account, synchronisation of your records, core features.
- Consent (Art. 6(1)(a) and — for health data — Art. 9(2)(a)): onboarding, optional statistics, weather/location where required, certain settings.
- Legitimate interests (Art. 6(1)(f)): security, abuse prevention, technical fixes, limited and proportionate logging — where not overridden by your rights.
- Legal obligation (Art. 6(1)(c)): where we must comply with law.
4. Sharing with processors and recipients
We do not sell your personal data. We may use processors under a data processing agreement, typically including:
| Area | Example vendor |
|---|---|
| Cloud/hosting / database | Rastec ApS |
| Transactional email | Resend |
| Subscriptions / receipts | RevenueCat; Apple; Google |
| App distribution & updates | Apple App Store, Google Play |
| Error and version insight (aggregated) | Internal tools on our own databases |
Public authorities may obtain access where required by law.
5. Transfers outside the EU/EEA
Some vendors (e.g. Resend, RevenueCat, Apple, Google) may process data in the USA or other third countries. Where required by law we ensure transfer via the EU Commission Standard Contractual Clauses (SCC) or equivalent mechanisms.
6. Retention
- Account and health data: until you delete your account, unless we must retain longer by law.
- Account deletion: your personally identifiable data in the app database is deleted or anonymised according to our deletion routines (including migraine log, profile, support tied to the account, etc.). As described, aggregate/statistical events without personal reference may be retained.
- Server and security logs: per hosting provider practice and our internal policy (typically limited period).
7. Your rights
Under the GDPR you have rights including:
- Access to what we process.
- Rectification of incorrect data.
- Erasure (“right to be forgotten”) — for much of the data you can delete the account in the app yourself.
- Restriction and under certain conditions data portability.
- Withdraw consent (without affecting lawfulness of processing before withdrawal).
- Lodge a complaint with the Danish Data Protection Agency (Datatilsynet) at www.datatilsynet.dk.
To exercise rights: contact us at [privacy email]. We may ask you to verify your identity.
8. Security
We use technical and organisational measures including encrypted password storage, environment separation, admin access control, and limited logging of sensitive data. No transmission over the internet is 100% secure; we work continuously to reduce risk.
9. Children
Headmate is not directed at children under 13 (or the age applicable under local law). We encourage parents to guide children.
10. Changes
We may update this policy. The current version is published on headmate.dk with an updated date. For material changes we may give additional notice in the app or by email.
11. Contact
Headmate
CVR 37058483 · Faste Batteri Vej 56, 2300 Copenhagen S
Email: support@headmate.dk
This text is based on Headmate’s technical architecture and database practices and does not replace legal advice. Have a lawyer with GDPR experience review it for your specific hosting, subprocessors and agreements.