Privacy Policy
Effective Date: 3 March 2026 | Last updated: April 2026
INTRODUCTION AND SCOPE
1.1 This Privacy Policy (“Policy”) sets out the basis upon which Serenyc Limited (“Serenyc”, “Company”, “we”, “us”, “our”) collects, uses, processes, stores, and discloses Personal Data in connection with its products, services, platforms, and connected technologies (collectively, the “Services”).
1.2 This Policy applies to:
- Users of Serenyc’s website(s);
- Mobile and web-based applications;
- Connected devices (including IoT-enabled multisensory systems);
- Subscription services;
- Beta programmes; and
- All associated digital and physical interfaces.
1.3 This Policy is drafted in accordance with:
- Regulation (EU) 2016/679 (GDPR);
- UK GDPR;
- Irish Data Protection Act 2018;
- Applicable ePrivacy laws including S.I. No. 336 of 2011 (Ireland).
This Policy is issued in accordance with the transparency obligations under Articles 13 and 14 GDPR, which require us to provide clear and accessible information about our data processing activities at the time personal data is collected.
1.4 This Policy shall be read together with:
- Terms of Use;
- Cookie Policy;
- Beta Participation Terms.
1.5 Our lead EU supervisory authority is the Irish Data Protection Commission (DPC), Canal House, Station Road, Portarlington, R32 AP23, Co. Laois. Website: www.dataprotection.ie.
1.6 For UK residents, the relevant supervisory authority is the Information Commissioner's Office (ICO) — www.ico.org.uk. Serenyc will appoint a UK GDPR representative under Article 27 UK GDPR prior to UK market entry.
DATA CONTROLLER DETAILS
2.1 Serenyc Limited is the Data Controller for the purposes of GDPR.
2.2 Registered Office:
6 Fern Road, Sandyford, Co. Dublin, Ireland
2.3 Contact Email:
hello@serenyc.com
2.4 Serenyc has not formally appointed a Data Protection Officer.
2.5 Data protection queries and requests may be directed to our data protection contact at hello@serenyc.com. We will acknowledge requests within five (5) business days and respond within one calendar month in accordance with Articles 12 and 77 GDPR.
SCOPE AND INTENDED USERS
3.1 Our Services are intended for individuals aged 16 and over. We do not knowingly collect personal data from children under 16.
3.2 If you believe a child has provided us with personal data, contact us at hello@serenyc.com. Upon receipt of such notification, we will review the data and, where confirmed, permanently delete it within fourteen (14) days. We will confirm deletion to you in writing.
3.3 This Policy applies when you visit our website, sign up for beta access, subscribe to our mailing list, participate in surveys or research, purchase or use our products (including hardware devices, scent pods, and related consumables), interact with our connected devices or multisensory platform, or otherwise engage with our Services.
CATEGORIES OF PERSONAL DATA COLLECTED
4.1 Data You Provide
4.1.1 Identity and contact information: name, email address, telephone number, postal address, country of residence, and language preference.
4.1.2 Account and authentication information: account identifiers, login credentials, authentication tokens, security settings, and preferences. We do not store plain-text passwords.
4.1.3 Beta signup and onboarding information: waitlist registration, product interest, preferred use-cases, household or environment preferences, and questionnaire responses.
4.1.4 Communications and support information: content of messages, support tickets, diagnostic information, customer support queries, feedback and correspondence.
4.1.5 Transaction and fulfilment information: purchase history, billing and shipping details, order identifiers, delivery status, returns, and subscription details. Payment card data is processed by Stripe and is not stored by Serenyc except in tokenised form for recurring billing.
4.2 Data Collected Automatically
4.2.1 Technical and device information: IP address (anonymised where feasible), device type, browser, operating system, device identifiers, approximate location derived from IP, session identifiers, crash reports, diagnostic logs, and performance metrics.
4.2.2 Usage and interaction information: pages viewed, navigation paths, session duration, feature engagement, and interaction with communications, subject to your cookie consent.
4.2.3 Connected device and IoT information: where you use a Serenyc connected device, we collect device identifiers, firmware version, connectivity status, usage frequency, sensory profile selections (scent, lighting, sound, haptic settings), device interaction logs, and operational telemetry. This data is necessary for the device to function, to personalise your experience, and for product improvement. Collection of this data is limited to what is strictly necessary for these purposes — see Clause 4.4 for our data minimisation and granularity controls.
4.2.4 Environmental and preference information: user-selected schedules, scent profiles, lighting settings, sound environments, haptic configurations, room characteristics, and automation preferences you provide or that are observed from your usage patterns. Processing of this data to personalise and automate your sensory environment constitutes behavioural profiling within the meaning of Article 4(4) GDPR — see Clause 4.4 for the full description of this processing and the safeguards applied, and Clause 6.5 for the applicable lawful basis.
4.3 Data from Third Parties
4.3.1 Data from third parties: we may receive personal data from the following categories of third-party sources: (i) analytics and performance providers (such as Google Analytics): aggregated, pseudonymous usage data; (ii) payment processors (such as Stripe): transaction confirmation and billing data; (iii) logistics and fulfilment partners: delivery status and address confirmation; (iv) beta referral and waitlist platforms: registration and interest data submitted via third-party forms. We do not purchase personal data from data brokers or use third-party data for enrichment of individual profiles. All third-party data sources used by Serenyc are disclosed in this Clause 4.3 and in our Cookie Policy. Where we receive data from third-party sources, we rely on those sources having a valid legal basis for sharing the data with us.
4.4 Multisensory Platform — Scope of Data Collection
4.4.1 Serenyc’s platform coordinates multiple sensory outputs including scent diffusion, lighting, sound, and haptic feedback through intelligent automation.
4.4.2 Data relating to your preferences and usage patterns across all sensory modalities is collected and processed for the purpose of personalising and automating your environmental experience.
4.4.3 The system observes behavioural patterns (such as which sensory combinations you use and when) to improve recommendations and automation.
4.4.4 Profiling: Serenyc’s platform carries out behavioural profiling within the meaning of Article 4(4) GDPR through the automated analysis of usage patterns, sensory preference data, and interaction history to personalise and automate your sensory environment. This profiling is limited to behavioural and preference data relating to how you use the Services. It does not extend to inference, labelling, diagnosis, or categorisation of your emotional or mental state, nor does it involve the processing of health data or psychological profiles within the meaning of Article 9 GDPR. The automation outputs (adjustments to scent, lighting, sound, and haptic settings) are based on your configured preferences, usage history, and scheduled routines, not on any assessment of your emotional condition. See Clause 6.5 for the lawful basis applicable to this processing.
4.4.5 Data minimisation: Behavioural and device data collected through the platform is limited to what is strictly necessary to:
- operate the device and platform;
- enable user-configured automations and sensory preferences;
- support product performance, reliability, and security.
4.4.6 Serenyc does not collect unnecessary or excessive behavioural signals beyond what is required for the purposes described in this Clause 4.4. We acknowledge that behavioural pattern recognition of the kind described in Clause 4.4.3 constitutes profiling within the meaning of Article 4(4) GDPR. We apply the following safeguards: purpose limitation (data is processed only for the stated personalisation and automation purposes); data minimisation (only data necessary for those purposes is collected); access controls (profiling data is not shared with third parties for their own profiling purposes); and transparency (the nature and scope of profiling is fully disclosed in this Policy, in particular in Clauses 4.4.4 and 6.5.4).
4.4.7 Granularity and retention of behavioural data: Serenyc applies the following controls to behavioural and usage data:
- Data is stored at an appropriate level of granularity. Where possible, data is held in aggregated or event-based form rather than as continuous raw streams.
- Detailed interaction logs are retained only for a limited period (see Clause 11 for retention periods) and are then either anonymised or permanently deleted.
- Long-term use of behavioural data is restricted to aggregated, non-identifiable insights for product improvement. No long-term individual-level behavioural profiles are maintained without a specific lawful basis and disclosure.
4.5 Special Category Data
4.5.1 Serenyc does not intentionally collect or process special category data under Article 9 GDPR.
4.5.2 In particular:
- Serenyc does not collect medical data
- Serenyc does not diagnose or monitor mental or emotional conditions
- Serenyc does not create psychological profiles
4.5.3 If any such data is inadvertently provided:
- It shall be minimised;
- Not used for profiling;
- Deleted where not required.
PURPOSES OF PROCESSING
5.1 To operate, maintain, personalise, and improve our Services, connected devices, and multisensory platform.
5.2 To manage beta access, waitlists, onboarding, and research participation.
5.3 To process transactions, manage subscriptions, fulfil orders, handle returns, and provide related support.
5.4 To communicate service-related notices, subscription information, and administrative communications.
5.5 To provide customer support, troubleshoot issues, and respond to enquiries.
5.6 To conduct analytics and understand how users interact with our Services, subject to your consent.
5.7 To operate automation and personalisation features based on your preferences and usage history.
5.8 To develop and improve the systems that power our platform's personalisation features, with appropriate safeguards.
5.9 To detect fraud, abuse, and security threats and to enforce our terms.
5.10 To comply with applicable laws and regulations.
LAWFUL BASES FOR PROCESSING
6.1 Contract (Article 6(1)(b) GDPR)
We process personal data where necessary to perform our contract with you — for example, operating your account, processing your subscription or order, and delivering the Services you have requested.
6.2 Legitimate Interests (Article 6(1)(f) GDPR)
We process some personal data based on our legitimate interests in: operating, securing, and improving our Services; product research and development; communicating with users about features; preventing fraud and security threats; and processing business contact information for commercial purposes. We conduct a balancing test before relying on this basis. You have the right to object at any time.
6.3 Legal Obligation (Article 6(1)(c) GDPR)
We process personal data to comply with legal obligations, including Irish tax and accounting requirements (retaining transaction records for 6 years under the Taxes Consolidation Act 1997).
6.4 Consent (Article 6(1)(a) GDPR)
We rely on consent for marketing communications and for non-essential cookies. You may withdraw consent at any time.
6.5 Automation, AI, and Personalisation
6.5.1 Serenyc utilises automated systems to enhance user experience through behavioural pattern recognition.
6.5.2 Inputs may include:
- Usage frequency
- Time-based behaviour
- Selected sensory configurations
- Device interaction patterns
6.5.3 Outputs may include:
- Adjustment of scent diffusion
- Lighting intensity or colour
- Sound environments
- Haptic feedback
6.5.4 For the avoidance of doubt:
- The profiling described in Clause 4.4.4 does not involve inference about your emotional or mental state, does not categorise you by mood or psychological condition, and does not constitute special category processing under Article 9 GDPR. Serenyc does not perform solely automated decision-making that produces legal or similarly significant effects on individuals within the meaning of Article 22 GDPR. The automation outputs of the platform (environmental adjustments) do not produce legal effects or equivalent significant effects on data subjects, and Article 22 safeguards are not engaged. If this assessment changes in connection with future features, Serenyc will update this Policy and apply the relevant Article 22 safeguards before deployment.
- Serenyc does not categorise users by mood.
- We do not perform solely automated decision-making that produces legal or similarly significant effects on individuals within the meaning of Article 22 GDPR. We may process behavioural usage patterns to support platform personalisation, but this does not give rise to decisions with legal or equivalent significance.
6.6 All automation is:
- User-controlled
- Configurable
- Optional
6.7 See Clause 15 for future enhancements.
MARKETING COMMUNICATIONS
7.1 We may send marketing communications by email or SMS where you have provided consent, or where you are an existing customer and we market similar products (soft opt-in under Irish ePrivacy regulations, SI 336/2011).
7.2 You may opt out at any time by: (i) using the unsubscribe link in any marketing email; (ii) replying STOP to any marketing SMS; or (iii) contacting us at hello@serenyc.com.
COOKIES AND SIMILAR TECHNOLOGIES
We use cookies and similar technologies. Our Cookie Policy sets out full details including which cookies we use, their purpose, duration, and provider. Non-essential cookies are used only after your consent, as required by S.I. No. 336 of 2011.
DATA SHARING AND PROCESSING
We share personal data only as described in this Policy and only as necessary:
9.1 With service providers and processors that help us operate the Services. Our current and anticipated processors include the following (this list reflects our intended configuration and may be updated as our platform develops):
- AWS (Amazon Web Services) — cloud infrastructure, currently intended to be hosted in the EU (Ireland) region (eu-west-1), subject to AWS infrastructure configuration (see Clause 10.1 regarding data location);
- Google Analytics — website analytics, EU/US (SCCs apply; IP anonymisation enabled);
- Stripe — payment processing, EU/US (SCCs apply);
- HubSpot — CRM and marketing automation (planned), US (SCCs apply);
- Slack — internal communications, US (SCCs apply);
- Notion — internal knowledge management;
- Airtable — data management;
- Tally — forms and data collection;
- Supabase — backend database services (planned).
9.2 With professional advisors for legitimate business purposes.
9.3 With law enforcement, courts, or regulators where required by applicable law.
9.4 In connection with a merger, acquisition, or sale of assets, subject to confidentiality protections.
9.5 At your direction or with your consent.
9.6 We do not sell personal data.
9.7 All processors:
- act only on documented instructions from Serenyc as Data Controller and for no other purpose;
- are bound by written data processing agreements that comply with Article 28 GDPR, including obligations covering security, sub-processing, data subject rights assistance, and breach notification;
- may not engage sub-processors without Serenyc’s prior written authorisation; where sub-processors are engaged, they are bound by data protection obligations equivalent to those imposed on the primary processor; and
- are subject to audit and inspection rights exercisable by Serenyc or a mandated auditor, in accordance with Article 28(3)(h) GDPR.
Serenyc remains responsible as Data Controller for ensuring that all processors comply with applicable Data Protection Law.
9.8 Serenyc remains responsible for ensuring compliance.
INTERNATIONAL DATA TRANSFERS
10.1 Our primary cloud infrastructure is currently configured to use AWS (Amazon Web Services), with the intended hosting region being the EU (Ireland, eu-west-1). We endeavour to maintain personal data within the EEA where operationally possible. AWS may, in certain circumstances, vary its data centre configuration. In the event that any such variation results in a transfer of personal data outside the EEA, the safeguards described in Clause 10.2 and 10.3 will apply to that transfer.
10.2 Serenyc implements appropriate transfer safeguards for all transfers of personal data outside the EEA or UK. Current processors operating outside the EEA do so under Standard Contractual Clauses adopted by the European Commission or, where applicable, an adequacy decision issued by the European Commission or the UK Secretary of State. Serenyc is in the process of formally executing bilateral data processing agreements and SCCs with all applicable service providers and maintains a current internal register of transfer mechanisms. Details of the specific safeguards in place for each processor are available on request at hello@serenyc.com.
10.3 Serenyc is in the process of formally reviewing and signing data processing agreements and SCCs with all applicable service providers. This process will be completed before commercial launch. Details of specific transfer mechanisms are available on request at hello@serenyc.com.
DATA RETENTION
We retain personal data only for as long as necessary for the purpose for which it was collected, in accordance with the storage limitation principle under Article 5(1)(e) GDPR. The table below sets out our retention periods by category, together with the legal basis and rationale for each period. These periods reflect our assessment of the minimum retention necessary to fulfil each purpose.
| Data Category | Retention Period | Legal Basis/Rationale |
| --- | --- | --- |
| Account data | 30–60 days after account closure (unless legal holds apply) | Purpose limitation (Art.5(1)(e) GDPR): retained only to allow resolution of outstanding matters at account closure. Deleted promptly thereafter as no further lawful basis for retention exists. |
| Transaction records | 6 years (Irish tax and accounting obligations, Taxes Consolidation Act 1997) | Legal obligation (Art.6(1)(c) GDPR): mandatory retention under section 886 of the Taxes Consolidation Act 1997 (Ireland) and the Companies Act 2014, which require accounting records to be retained for 6 years. |
| Beta programme data | Up to 2 years after programme completion, then anonymised or deleted | Legitimate interests (Art.6(1)(f) GDPR): retained to analyse product performance, address post-programme queries, and support regulatory compliance. 2 years is proportionate to the expected product development cycle. |
| Marketing consents | Duration of active subscription plus 2 years after unsubscribing | Consent and legitimate interests (Art.6(1)(a)/(f) GDPR): retained for the subscription period to fulfil the marketing contract, and for 2 years thereafter to comply with the ePrivacy soft opt-in framework (SI 336/2011) and to handle re-subscription requests. |
| Website analytics | 14–26 months (Google Analytics GA4 settings; IP anonymisation enabled) | Legitimate interests (Art.6(1)(f) GDPR) / Consent (Art.6(1)(a) GDPR where analytics cookies are declined: no collection occurs): 26 months is the maximum GA4 retention setting and aligns with industry standard for trend comparison. Data is pseudonymous. Shorter periods would impair year-on-year product analysis. |
| Connected device / IoT | 12–24 months from date of collection, then deleted or anonymised | Contract performance and legitimate interests (Art.6(1)(b)/(f) GDPR): retained to operate device features, resolve faults, and improve personalisation. Retention beyond 24 months is not necessary for these purposes. Behavioural data is subject to data minimisation controls (see Clause 4.4.7). |
| Customer support records | 2 years after resolution of the relevant support request | Legitimate interests (Art.6(1)(f) GDPR): retained to handle follow-up queries, warranty claims, and any complaint or litigation arising from the original issue. 2 years reflects the general limitation period for minor consumer claims. |
| Security / fraud logs | 12 months from date of generation | Legitimate interests (Art.6(1)(f) GDPR): retained for security monitoring, fraud investigation, and incident response. 12 months is proportionate to the risk cycle for security events. Longer retention would exceed what is necessary for these purposes. |
We are implementing a formal automated data deletion framework as our platform scales. If you request deletion, we will comply to the extent required by law, subject to retaining data we are legally required to keep.
SECURITY
We implement appropriate technical and organisational security measures to protect personal data from unauthorised access, disclosure, alteration, or destruction. Our current security framework includes the following:
(i) Encryption: data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 or equivalent industry-standard protocols.
(ii) Access controls: personal data is accessible only to authorised personnel on a strict need-to-know basis, with role-based access controls and multi-factor authentication on critical systems.
(iii) Access logging and audit trails: access to personal data is logged and monitored. Logs are retained for a minimum of 12 months for security audit purposes.
(iv) Incident response: Serenyc maintains an internal incident response procedure covering: detection and initial assessment; containment and mitigation; impact assessment (including data subject risk evaluation); notification to the DPC within 72 hours where required under Article 33 GDPR; direct notification to affected data subjects where required under Article 34 GDPR; and post-incident review and remediation.
(v) Secure infrastructure: cloud infrastructure is hosted within the EEA where operationally possible (currently intended to use AWS eu-west-1, Ireland).
(vi) Regular reviews: internal security reviews, vulnerability assessments, and staff data handling procedures are conducted and updated on a regular basis.
No system is completely impenetrable and we cannot guarantee absolute security of data transmitted over the internet; we will however take all reasonable and proportionate steps to minimise risk and respond effectively to any incident.
- Encryption of data in transit and at rest using industry-standard protocols.
- Access controls ensuring personal data is accessible only to authorised personnel.
- Secure cloud infrastructure hosted within the EEA where operationally possible.
- Regular internal security reviews and vulnerability assessments.
- Staff access policies and data handling procedures.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Irish Data Protection Commission (DPC) within 72 hours of becoming aware of it, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to your rights, we will also inform you directly without undue delay, in accordance with Article 34 GDPR.
We take security seriously, but no system is completely impenetrable. We cannot guarantee absolute security of personal data transmitted over the internet. We will, however, take all reasonable and proportionate steps to minimise risk and to respond effectively to any breach.
USER RIGHTS
Depending on where you live, you may have the following rights:
13.1 Right of access: to obtain a copy of the personal data we hold about you.
13.2 Right to rectification: to correct inaccurate or incomplete data.
13.3 Right to erasure: to request deletion where we have no lawful reason to retain your data.
13.4 Right to restriction: to ask us to restrict processing in certain circumstances.
13.5 Right to data portability: to receive your data in a structured, machine-readable format.
13.6 Right to object: to object to processing based on legitimate interests or for direct marketing.
13.7 Right to withdraw consent: where processing is based on consent, to withdraw it at any time.
13.8 Right not to be subject to solely automated decisions with significant effects: see Clause 6.5.4 for our current position on automated processing.
13.9 Right to lodge a complaint with a supervisory authority: under Article 77 GDPR, you have the right to lodge a complaint with your competent supervisory authority at any time, without prejudice to any other administrative or judicial remedy. You do not need to contact us first, although we welcome the opportunity to address your concern directly. See Clause 17 for supervisory authority contact details.
13.9 US state residents (California, Virginia, Colorado) may have additional rights under applicable state privacy laws.
13.10 To exercise any right, contact us at hello@serenyc.com. We will respond within one calendar month.
UK GDPR POSITION
14.1 Serenyc processes personal data of UK residents and intends to operate commercially in the United Kingdom. Serenyc is not established in the UK. Accordingly, to the extent that our processing falls within the territorial scope of the UK GDPR (Article 3 UK GDPR), we comply with the requirements of the UK GDPR and the Data Protection Act 2018 (UK).
14.2 UK representative: Serenyc will appoint a UK GDPR representative under Article 27 UK GDPR before we knowingly direct our Services to UK residents or systematically process personal data of UK residents — including through UK-facing marketing, UK user accounts, or UK beta programmes — regardless of whether a formal UK commercial sales programme has been launched.
14.3 UK international data transfers: transfers of personal data from the UK to third countries are governed by the UK GDPR transfer framework. Where Serenyc transfers UK personal data outside the UK, we rely on: (i) an adequacy regulation made by the UK Secretary of State; (ii) the International Data Transfer Agreement (IDTA) issued by the ICO under Section 119A of the Data Protection Act 2018; or (iii) the Addendum to EU Standard Contractual Clauses (UK Addendum) approved by Parliament. Details of specific transfer mechanisms are available on request.
14.4 UK supervisory authority: the ICO is the relevant supervisory authority for UK residents. ICO contact: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Website: www.ico.org.uk. UK residents may lodge a complaint with the ICO under Article 77 UK GDPR.
FUTURE PERSONALISATION & REGULATORY SAFEGUARD
15.1 Serenyc may in the future introduce enhanced personalisation features that involve more sophisticated analysis of usage data. Any such features will be subject to a formal compliance review before deployment, including an assessment of the applicable lawful basis, transparency requirements, and any DPIA obligation.
15.2 Before deploying any new processing activity that: (i) introduces a materially new category of personal data collection; (ii) involves processing for a new purpose not described in this Policy; or (iii) may require explicit consent under Article 9 GDPR, Serenyc shall: (a) conduct a Data Protection Impact Assessment (DPIA) where required under Article 35 GDPR; (b) update this Policy in advance; (c) obtain explicit consent where required; (d) implement appropriate technical safeguards; and (e) provide clear opt-in controls.
15.3 No new processing feature will be deployed without completion of the steps in Clause 15. We will notify users of material changes in accordance with Clause 16.
CHANGES TO THIS POLICY
16.1 Serenyc may update this Policy periodically.
16.2 Material changes shall be notified to users where required.
COMPLAINTS AND CONTACT
You may lodge a complaint with your supervisory authority:
17.1 Ireland: Irish Data Protection Commission — www.dataprotection.ie
17.2 United Kingdom: Information Commissioner's Office — www.ico.org.uk
We encourage you to contact us first at hello@serenyc.com so we can try to resolve your concern promptly.



