
Privacy & Security Policy
Comprehensive Data Protection for Enterprise Wellness
Document: Privacy & Security Policy
Version: 1.1
Last Updated: February 8, 2026
Owner: Ruhavyn Security Team
Classification: Public
1. Introduction
Ruhavyn, operated by Healing Sun Haven LLC, is committed to protecting the privacy and security of your personal information. This policy explains how we collect, use, store, and protect data when you use our enterprise wellness platform.
Our Principles
Privacy by Design — Security and privacy are built into every feature from the start
Data Minimization — We only collect data necessary to provide our services
Transparency — We clearly explain what we do with your data
User Control — You control your personal data and can export or delete it anytime
No Data Sales — We never sell your personal information to third parties
2. How We Protect Your Data
Encryption
| Layer | Standard | Details |
|---|---|---|
| Data at Rest | AES-256 | All stored data encrypted in database |
| Data in Transit | TLS 1.3 | All connections encrypted end-to-end |
| Backups | AES-256 | Encrypted backups in separate location |
| API Keys | SHA-256 | Hashed, never stored in plaintext |
Database Security
Our database implements comprehensive security controls:
37 RLS-Protected Tables — Row Level Security on all data tables
80 Security Policies — Fine-grained access controls
48 Hardened Functions — All database functions secured against injection
Company Isolation — Multi-tenant data completely separated
User Isolation — Personal data only accessible to data owner
Authentication
Industry-Standard Authentication — Enterprise-grade authentication service
bcrypt Hashing — Passwords never stored in plaintext
JWT Tokens — Secure session management
MFA Support — Multi-factor authentication via SSO providers
Enterprise SSO — SAML 2.0 and OIDC support
3. What Data We Collect
Data We Collect
| Category | Data Elements | Purpose |
|---|---|---|
| Account | Email address, display name | Authentication, communication |
| Profile | Avatar, preferred name, mantra | Personalization |
| Wellness | Mood entries, diary entries | Core service functionality |
| Usage | Feature access, session duration | Analytics, improvement |
| Technical | Device type, browser, IP address | Security, troubleshooting |
Data We DO NOT Collect
Social Security numbers
Financial or banking information
Medical records or diagnoses
Health insurance information
Biometric data
Location tracking
Sensitive Data Handling
Diary Entries & Personal Reflections:
Encrypted at rest (AES-256)
Protected by Row Level Security — only the user can access
Employers cannot read employee diary entries
Never shared with AI services without explicit consent
Never used for training AI models
4. How We Use Data
Primary Uses
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Service Delivery | Account, profile, wellness data | Contract performance |
| Analytics | Aggregated, anonymized usage | Legitimate interest |
| Support | Account, usage data | Contract performance |
| Security | Technical data, audit logs | Legitimate interest |
| Communication | Email address | Consent / Legitimate interest |
What We Never Do
Sell personal data to third parties
Share individual wellness data with employers
Use personal data for advertising
Train AI on user-submitted content
Make automated decisions that affect users
Aggregated Analytics
For enterprise clients, we provide anonymized, aggregated analytics only:
Overall engagement rates (no individual data)
Feature adoption trends
Aggregate mood trends (minimum 10 users for anonymity)
ROI metrics based on usage patterns
Privacy Threshold: Analytics require a minimum of 10 users to prevent individual identification.
5. Third-Party Services
We carefully select third-party partners who meet our rigorous security and privacy standards. All infrastructure and service providers we work with must:
✓ Maintain SOC 2 Type II certification
✓ Comply with ISO 27001 standards
✓ Support GDPR and CCPA compliance
✓ Provide HIPAA-ready infrastructure where applicable
✓ Sign Data Processing Agreements with strict confidentiality terms
Categories of Third-Party Services
| Service Category | Purpose | Security Standards |
|---|---|---|
| Database & Authentication | Secure data storage, user authentication | SOC 2 Type II, ISO 27001, HIPAA-ready |
| Payment Processing | Subscription billing, payment security | PCI DSS Level 1, SOC 2 Type II |
| AI Infrastructure | Therapeutic AI features, natural language processing | SOC 2 Type II, enterprise-grade privacy |
| Enterprise SSO | Single Sign-On for corporate clients | SOC 2 Type II, ISO 27001 |
AI Service Privacy
When AI features are used:
Only non-sensitive context (preferred name, general mood) is shared
No PII or PHI sent to AI services
No data used for AI model training
All AI providers maintain SOC 2 Type II certification
Third-Party Oversight
We maintain strict contractual agreements with all service providers, ensuring:
Data is used only for specified purposes
No resale or secondary use of data
Regular security audits and compliance reviews
Immediate notification of any security incidents
Right to audit and terminate for non-compliance
For a complete list of sub-processors and detailed vendor security information, enterprise clients may contact: info@healingsunhaven.com
6. Your Privacy Rights
GDPR Rights (EU/EEA Users)
| Right | Description | How to Exercise |
|---|---|---|
| Access | Obtain a copy of your data | Settings → Export Data |
| Rectification | Correct inaccurate data | Settings → Profile |
| Erasure | Delete your account and data | Settings → Delete Account |
| Portability | Receive data in machine-readable format | Settings → Export Data (JSON) |
| Restriction | Limit how we process data | Contact: support@healingsunhaven.com |
| Objection | Object to certain processing | Contact: support@healingsunhaven.com |
| Withdraw Consent | Revoke previously given consent | Settings or contact us |
CCPA Rights (California Users)
Right to Know — What personal information we collect
Right to Delete — Request deletion of your data
Right to Opt-Out — We do not sell personal data
Non-Discrimination — No penalty for exercising rights
Exercising Your Rights
Self-Service Options:
Export data: Settings → Privacy → Export My Data
Delete account: Settings → Account → Delete Account
Contact Us:
Email: support@healingsunhaven.com
Response time: Within 30 days
Verification required for data requests
7. Data Retention & Deletion
Retention Periods
| Data Type | Retention Period | Reason |
|---|---|---|
| User account data | Duration of account + 30 days | Service provision |
| Diary entries | Until user deletes | User-controlled |
| Mood entries | Until user deletes | User-controlled |
| Audit logs | 90 days | Security & compliance |
| API request logs | 90 days | Security monitoring |
| Backups | 7 days (PITR) | Disaster recovery |
| Deleted account data | Purged within 30 days | GDPR compliance |
Account Deletion Process
When you delete your account:
Immediate: Account deactivated, no further access
Within 24 hours: Personal data removed from active systems
Within 7 days: Removed from backups (PITR window)
Within 30 days: Complete purge from all systems
Audit logs: Anonymized, retained for compliance
Enterprise Employee Offboarding
When an employee is deactivated by their company admin:
Access immediately revoked
Personal wellness data (diary, mood) is retained for the user in case they return
The user can request full deletion through support
Cross-Border Data Transfers
For transfers of Personal Data from the European Economic Area, United Kingdom, or Switzerland to the United States:
Standard Contractual Clauses (SCCs) — Module Two (Controller to Processor) per European Commission Decision 2021/914
Supplementary Measures — Encryption (AES-256 at rest, TLS 1.3 in transit), access controls, and contractual protections
Data Residency — Primary processing occurs in the United States. EU data residency is available upon request for enterprise clients, subject to additional terms.
8. Security Measures
Technical Controls
Access Control:
Role-Based Access Control (RBAC): Admin, Member, Service
Company-scoped data isolation
User-level data isolation via authenticated checks
JWT token validation on all requests
Database Security:
Row Level Security (RLS) on all 37 tables
80 security policies enforcing access rules
48 hardened database functions with secure configurations
Parameterized queries preventing SQL injection
API Security:
API keys hashed with SHA-256
Rate limiting by tier
HTTPS-only connections
HMAC-SHA256 webhook signatures
Operational Security
Monitoring:
Real-time security monitoring
Automated alerting for anomalies
Failed authentication tracking
API error rate monitoring
Audit Logging:
Admin actions logged with IP, timestamp, details
90-day retention
Tamper-proof storage
Exportable (CSV/JSON) for compliance
Compliance Certifications
| Framework | Status | Notes |
|---|---|---|
| SOC 2 Type I | Ready | Formal audit Q2 2026 |
| SOC 2 Type II | Planned | Targeted Q4 2026 |
| GDPR | Compliant | EU hosting available |
| CCPA | Compliant | Privacy controls implemented |
| HIPAA | Ready | BAA available upon request |
| ISO 27001 | Aligned | Via certified infrastructure |
9. Incident Response
Our Commitment
In the event of a security incident affecting your data:
| Action | Timeline |
|---|---|
| Containment | Within 4 hours of detection |
| Assessment | Within 24 hours |
| Customer notification | Within 48 hours (critical) |
| Regulatory notification | Within 72 hours (GDPR) |
| Post-incident report | Within 7 days |
What We Communicate
In the event of a breach affecting your data:
Nature of the incident
Types of data affected
Estimated number of affected users
Steps we're taking to remediate
Steps you can take to protect yourself
Contact for questions
Reporting Security Issues
Found a security vulnerability?
Security Team: support@healingsunhaven.com
Response Time: Within 24 hours
Bug Bounty: Planned Q3 2026
10. Cookie Policy
Ruhavyn uses only essential cookies required for authentication and session management. We do not use:
Tracking cookies
Advertising cookies
Third-party analytics cookies
Social media tracking pixels
Essential cookies are strictly necessary for the platform to function and cannot be disabled. No user consent banner is required as these cookies do not track personal behavior.
11. Contact Us
Privacy Inquiries
Data Protection Contact
Email: support@healingsunhaven.com
Response: Within 5 business days
Security Inquiries
Security Team
Email: support@healingsunhaven.com
Response: Within 24 hours (critical), 5 days (general)
General Support
Support Team
Email: support@healingsunhaven.com
Response: Within 24 hours
Legal Entity
Healing Sun Haven LLC
Address available upon request for enterprise contracts
Updates to This Policy
We may update this policy periodically. Material changes will be communicated via:
Email notification to account holders
In-app notification
Updated "Last Updated" date
Continued use after changes constitutes acceptance.
Enterprise Security Documentation
This document provides a comprehensive overview of our privacy and security practices. For additional detailed documentation, including:
Complete sub-processor list with vendor details
SOC 2 Readiness Report
Data Processing Addendum (DPA)
Vendor Security Questionnaire responses
Detailed security architecture diagrams
Compliance certification status
Penetration testing reports
Interested enterprise clients may contact: info@healingsunhaven.com
Questions? Contact: support@healingsunhaven.com
Last reviewed: February 8, 2026
© 2026 Healing Sun Haven LLC. All rights reserved.


