Privacy Policy
This Privacy Policy regarding the processing of personal data by VivianLab aims to help you understand what personal data we collect, why we collect it, and what we do with it. Please take time to read this Privacy Policy carefully. We want you to be clear about how we use your information and the ways you can exercise your rights.
Territorial Scope. This Privacy Policy is designed to comply with the General Data Protection Regulation (GDPR) and applicable data protection laws in Greece and the European Economic Area (EEA). Our Platform and Services are intended primarily for users located within the EEA. If you choose to access or use the Platform from a country outside the EEA, you do so on your own initiative and you are solely responsible for ensuring that such access and use complies with the laws of your country of residence. VivianLab does not represent or warrant that its Services or this Privacy Policy meet the requirements of any non-EEA jurisdiction.
To the extent that the laws of your country impose stricter obligations than this Privacy Policy, your local laws shall apply only to your use of the Platform, but VivianLab’s processing of personal data remains governed exclusively by GDPR.
This Privacy Policy applies to your personal data when you visit and use our web Platform www.vivianlab.com (the “Platform”), use our services available on the Platform, and/or use our mobile/technological applications (Apps). It does not apply to other applications/sites/e-shops and/or services that we do not own or control.
When you use our services available on the Platform, you accept that you have read and understood this Privacy Policy regarding the processing of personal data by “VivianLab”.
1. Who are we?
The company that provides services to you through the Platform is VIVIANLAB SINGLE MEMBER P.C., with registered office and address of management: 47 Samou Str, Athens, Greece, email info@vivianlab.com (referred to as “We/Us”, “the Company”, “the Enterprise”).
Our Role – Data Controller and Data Processor:
Depending on the situation, “VIVIAN LAB” Ltd. acts in a different capacity according to the General Data Protection Regulation (GDPR):
- We are the Data Controller when you register an account on the Platform, subscribe to our newsletter, or use our services for your own purpose (such as the AI Assistant). In this case, we determine the purposes and means of processing your personal data.
- We are the Data Processor when you use our Platform to interact or receive services from third parties (e.g., “Specialists”). In this context, the “Specialist” is the Controller of your data, and we process it on their behalf and upon their instruction, pursuant to a Data Processing Agreement (DPA) concluded between us and the Specialist.
2. Contact Details for Privacy Matters
For questions related to this Policy or the processing of your personal data, you can contact us at info@vivianlab.com or directly with our Data Protection Officer (DPO) at experience@vivianlab.com.
Since the protection of personal data is extremely important to our Company, this document defines the obligations, the manner of use, communication, and protection of the data we receive, as well as how we can resolve any kind of issue through communication between us.
2.1 Definitions
Data Protection Legislation means any law relating to the processing of personal data, privacy and security, including, without limitation, Regulation (EU) 2016/679 “on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)” (“GDPR”), Directive 2002/58/EC “on the protection of privacy in electronic communications”, as incorporated, valid and applied in the Greek legal order and as amended from time to time, or other international or national laws or rules concerning the protection of personal data that apply or that replace the above, as well as relevant regulations, instructions or guidelines of competent administrative authorities, such as the Greek Personal Data Protection Authority.
“Controller”, “processor”, “data subject”, “personal data” and “processing” shall have the meaning assigned to them in the applicable Data Protection Legislation.
“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:
- Name, email address, phone number
- Identification number
- Location data (e.g., country or city)
- Online identifier (such as IP address, cookie ID)
- Payment information (e.g., transaction data)
- Or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Special Categories of Personal Data” (also known as “sensitive data”) are a subset of Personal Data that reveal information such as racial or ethnic origin, political opinions, biometric data (for the purpose of uniquely identifying a person), and health data (such as records of symptoms, menopause stage, or data from wearable devices). We process this data only in compliance with stricter rules, usually based on your explicit consent.
Services: Those mentioned on our Platform and offered for use.
Websites: “www.vivianlab.com” is the website of our Company. The Company maintains an electronic Platform that serves as an online professional directory, connecting end-users (“Users”) with specialists from the health sector (“Specialists”), such as doctors and health experts, with the aim of providing consultations, advice, and support on health issues. In addition, the Platform offers innovative digital services, including, but not limited to, an AI Assistant (AI tracker) for tracking health symptoms and mood, providing personalized AI-assisted guidance, and functionalities for managing appointments (including through third-party integrations). The Platform may also facilitate the submission of orders from collaborating stores of health interest and transfer these orders through a network of independent distributors.
Processing of Personal Data is any act or series of acts carried out with or without the use of automated means, on personal data or sets of personal data, such as the collection, registration, organization, structuring, storage, adaptation or alteration, retrieval, search of information, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, limitation, deletion or destruction.
Use of the Platform by minors. Our Platform and Services are intended for adults and are not directed to children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without appropriate parental consent, we will take steps to delete this information. If you believe that a child has provided us with personal data, please contact us at info@vivianlab.com.
No automated decisions with legal or similarly significant effects. We do not use your personal data to make decisions based solely on automated processing (including profiling) which produce legal effects concerning you or similarly significantly affect you within the meaning of Article 22 GDPR. Our AI Assistant provides general wellness information and suggestions only and does not make binding decisions about your access to services, insurance coverage, employment, credit, or similar matters.
3. Purpose of Processing and Duration
We process your personal data for the purpose of providing the offered Services described on our Platform. Our role in the processing of your data depends on the specific situation and the Service you are using:
- When we act as a Data Controller: For activities such as managing your user account, sending marketing communications (newsletter), or providing our AI Assistant (AI Tracker), we act as a Data Controller. In these cases, we independently determine the purposes and legal bases (such as performance of a contract, your consent, or legitimate interest) for the processing.
- When we act as a Data Processor: When you use the Platform to interact with or receive services from third parties (e.g., “Specialists”), that “Specialist” (who provides you with the consultation) generally acts as the Data Controller for the data related to that service. In this situation, the Company acts as a Data Processor, collecting and processing your data (e.g., appointment data, notes) solely on behalf and upon the explicit instruction of the respective “Specialist” (the Controller). In this case, the responsibility for determining the legal basis (such as your consent for the processing of health data) lies with the Controller (i.e., the “Specialist”).
We will use Personal Data only when strictly necessary to fulfill our obligations, in accordance with the General Terms and Conditions and applicable legislation.
The processing activities will continue for the period of time necessary to provide the Services and to comply with our legal obligations, as detailed in Section 14 (“How long do we keep your Data?”) of this Policy.
Regardless of our role (Controller or Processor), we treat all Personal Data as Confidential Protected Information and apply strict technical and organizational measures for its protection.
4. Is it mandatory to provide your Personal Data?
Providing the Data to the Company may be necessary to achieve the purposes specified in this Privacy Policy or may be optional.
The mandatory or optional nature of the provision of Data is indicated by an asterisk (*) next to mandatory personal data.
If you refuse to provide the information marked as mandatory on the Platform, it will be impossible to achieve the main purpose for which the specific Data is collected, and it may, for example, make it impossible for the Company to fulfill the transportation service or provide other services available on its Websites.
The provision of additional Data to the Company, beyond those marked as mandatory, is optional and has no consequences regarding the main purposes of Data collection, since its provision serves exclusively to optimize the quality of the services provided by us.
5. What Personal Data do we collect about you?
We take care to collect only the Personal Data that is absolutely necessary, appropriate, and clear for the intended purpose. This Data includes the following:
- Data you provide us during your registration and creation of a user account: According to our registration process, we collect mandatory data such as Name and Surname, Email address, Date of Birth, Country, and City. We also process your login password (which is stored encrypted). You may optionally provide other data, such as postal address or phone number.
- Data and information you provide us through our transactions and communication: This includes services, options, synergies, and communication between us (the Platform, partners, telephone, email, or through any other means). For example, we collect notes from our conversations with you (communication data), details of any complaints or comments you make, details of the services you select, recurring preferences, etc.
- Data related to payment processing: Information required to process payments and complete transactions, such as email address, phone number, payment method information (e.g., cardholder name, card details), and billing address.
- Data you provide us when subscribing to our newsletter: Such as Name and Email address, collected based on your consent.
- Data for integration with third-party services: If you choose to link your account, we may gain access to data from Google Calendar (such as creating, updating, and deleting appointments) to facilitate their management. This occurs only after your explicit consent (see section “Google Meet and Google Calendar Integration”).
- Data regarding preferences and Platform usage: Data on the options and services you generally choose as a preference, with the aim of recommending services of interest to you. Information collected from the use of cookies in your browser (learn more in our Cookie Policy). Technical information about your internet connections and browser, as well as the country and area code where your computer is located, the web pages shown during your visit, advertisements you click on, and any search terms you enter.
- Data from Social Media: Your social media username, if you interact with us through these channels, to help us respond to your comments, questions, or feedback.
- Educational information: Such as education, skills, language proficiency, work experience (only in cases where you are responding to a job advertisement).
- Data collected through our AI Assistant (AI Tracker): If you choose to use our AI Assistant features, you may voluntarily provide us with special categories (health) of personal data. These include, but are not limited to: profile data (such as age, menopause stage – peri/meno/post –, lifestyle), symptom data (e.g., frequency, severity), mood and emotional state data, and biometric data from connected devices (if applicable). We collect this data solely and exclusively based on your explicit, separate, and granular consent (pursuant to Article 9 of the GDPR), which will be requested before the first use of any of these features.
6. Google Meet and Google Calendar Integration
We highly value your privacy and are fully committed to safeguarding your personal information. Our Platform integrates with Google Meet and Google Calendar to provide a seamless, secure, and user-friendly experience for scheduling and managing virtual meetings. This integration is designed to streamline your workflow, allowing you to arrange meetings directly within our Platform without needing external tools.
The use of this integration and access to your Google Calendar require your separate and explicit consent, which will be requested before you link your account. You retain full control and can terminate this integration and withdraw access at any time through your account settings.
How the Integration Works
Our integration with the Google Calendar API allows Google Account users on our Platform to effortlessly create, update, and delete meetings, with meeting links automatically managed through their Google Calendar. By utilizing the Google Calendar API’s https://www.googleapis.com/auth/calendar.events.owned scope, we ensure a smooth scheduling process while maintaining strict data security standards.
Your Privacy Matters
We take the protection of your data very seriously. Importantly, we do not share or transfer your Google user data to any third parties, except as necessary to enhance and deliver this scheduling functionality. Our use of the Google Calendar API is strictly limited to improving your experience with meeting scheduling and management.
Data Security and Control
You retain complete control over your meetings, and our integration helps boost productivity and efficiency without compromising your privacy. We only access the necessary information from your Google Calendar to provide the intended functionality, ensuring that all interactions remain secure.
Third-Party Data Sharing
We do not share your data with any third parties, other than to facilitate the functionality of Google Meet and Google Calendar as described. For more details on how Google ensures secure sharing of user data, please refer to the Google Support article.
Commitment to Secure Communication
Our Google Meet integration is part of our ongoing commitment to providing you with a secure, efficient, and user-centric experience. By centralizing your meeting management on our Platform, we help simplify your communication processes while maintaining strict data protection practices. If you have any questions or concerns regarding your privacy and our integration with Google services, please feel free to contact us.
7. How do we use your Personal Data?
Where applicable, we use your Data:
- To complete service options (Performance of a contract): The Company processes your Data in order to fulfill its contractual relationship, process service selection, provide customer service, comply with legal obligations and payment requirements, and raise or exercise legal claims. If we do not collect your Data when completing your selection (via our service phone or via our online store), we will not be able to process your selection and comply with our legal obligations. It may be necessary to transfer your Data to third parties for the service and processing of the service you have preferred (see “Who are the recipients of your Data?”).
- To create a User Account (Performance of a contract and legitimate interest): The Company processes your Data in order to provide you with account functions and to facilitate the conclusion of service provision.
- For providing the AI Assistant services (Explicit Consent): The Company processes your Data to enable you to track and monitor your health symptoms and to provide you with AI-assisted guidance, personalized support, and health suggestions based on the data you enter. The processing of your special categories (health) data for these purposes is carried out solely based on your explicit and separate consent (Art. 9 of the GDPR).
- For integration with Google Meet and Google Calendar (Explicit Consent): The Company processes your Data to facilitate the creation, updating, and deletion of your appointments directly through the Platform, by synchronizing them with your Google Calendar. This feature is activated solely based on your explicit and separate consent to link your Google account.
- For communication (Legitimate interest): The Company uses your Data to respond to your requests/questions, refund requests and/or any complaints. The information you share with us enables us to manage your requests and respond to you in the best possible way. We may also keep a record of your queries/requests to us to better respond to any future communications. We do this based on our contractual obligations to you, our legal obligations and our legitimate interests to provide you with the best possible service and to be able to improve our services based on your own personal experience.
- For sending newsletters/offers (Consent): With your consent, we will use your Personal Data, preferences and transaction details to inform you via email, internet, phone and/or social media about related services, including personalized offers. You may withdraw this consent at any time.
- For web push notifications (Consent): Depending on your navigation, you may receive, having previously given your consent, notifications about our offers, news, wish list and your main preferences and choices. You may withdraw this consent at any time.
- For participation in a reward program: The Company may process your Data for the needs of your participation in a reward program, i.e. both the examination of your application for participation, as well as the collection and redemption of points and in general the enjoyment of customer privileges. This allows us to offer personalized offers that interest you.
- To develop and improve the options, offers, operation and services: We do this based on our legitimate business interests.
- To offer relevant offers and suggestions: We want to offer you offers and suggestions that are more relevant to your interests and needs.
- To show you interesting content: We may display a list of recently viewed services or offer recommendations based on your selection history and data you have shared with us, in accordance with your consent to cookies or notifications.
- To send you research and evaluation requests: So that we can improve our services. These messages will not contain advertising content and do not require prior consent when sent by email or SMS. You are free to opt out at any time.
- To protect your account from fraud and other illegal activities: This includes using your Data to maintain, update and protect your account. We also monitor browsing activity with us to quickly identify and resolve any issues and protect the integrity of our website.
- To process payments and prevent fraudulent transactions (Legitimate interest and legal obligation): This helps protect our customers from fraud and cyber incidents.
- To comply with our contractual obligations or the law: For example, updates on these privacy notices, withdrawal notices and legally required information about your choices.
- Processing on behalf of Specialists (as Data Processor): When you interact with a “Specialist” through the Platform, we process your personal data (such as communication content, appointment data) as a Data Processor, on behalf of the “Specialist” (who is the Controller), to facilitate the provision of their service to you.
Processing is carried out either by specially authorized personnel of the Company, or through IT systems and electronic devices by the Company, and exceptionally by third parties, who, having contractually committed to confidentiality and protection of your data, carry out tasks necessary to achieve the purposes strictly related to the use of our Websites and services. Information about this can be found below in “Who are the recipients of your Data? How Your Data is Shared”.
8. What is the legal basis for processing your Data by the Company?
We process your personal data lawfully, transparently, and in good faith. Depending on the purpose for which we use your data (described in Section 7), we rely on the following legal bases pursuant to the GDPR:
- Performance of a contract (Art. 6(1)(b) GDPR): E.g. creating and maintaining your user account, processing payments and completing services requested by you.
- Compliance with a legal obligation (Art. 6(1)(c) GDPR): E.g. storing transaction data in accordance with tax and accounting legislation, responding to legal requests.
- Your Consent (Art. 6(1)(a) GDPR): For certain activities that are not covered by other legal bases, such as sending newsletters, web push notifications, and placing analytical or advertising cookies.
- Our Legitimate Interest (Art. 6(1)(f) GDPR): E.g. protecting your account from fraud, preventing fraudulent transactions, developing and improving services, and maintaining security of our network and IT systems.
- Processing of Special Categories (Health) Data (Art. 9 GDPR): For the processing of your special categories (health and biometric) data (e.g., via the AI Assistant), we rely on your explicit and separate consent (Art. 9(2)(a) GDPR), requested before the first use of the relevant feature.
When collecting your personal data, we will always inform you which data is mandatory (marked with an asterisk *) and which is optional, as well as the consequences of not providing them.
9. Who are the recipients of your Data?
Access to your Data is given only to those personnel of the Company for whom it is absolutely necessary, who are bound by confidentiality, and to companies cooperating with us or third-party service providers, who process your Data as Processors on our behalf and in accordance with our instructions.
10. How is your Data shared?
10.1 Third-Party Service Providers (Data Processors)
These are companies that process personal data on our behalf and upon our instructions. We enter into contracts (DPAs) with them that oblige them to implement appropriate technical and organizational measures to protect your personal data. They include:
- Hosting and Cloud Infrastructure Providers: Companies that provide server space and infrastructure for the operation of the Platform (e.g., AWS, Render).
- AI Service Providers: For our AI Assistant (AI Tracker) to function, we transfer data (including health data, only after your explicit consent) to our technology partner Anthropic (Claude AI), which is based in the USA.
- Payment Service Providers (PSPs): For processing credit cards and payments. We do not store your card data; they are processed directly by these providers, who are PCI DSS certified.
- Analytics Service Providers: To understand how our Platform is used, we share data (e.g., via cookies) with partners such as Google Analytics.
- Marketing and Communication Service Providers: For the distribution of emails (newsletter), surveys, and analyses.
10.2 “Specialists” (in their role as Controllers)
When you, as a “User,” initiate contact or book a service with a “Specialist” through the Platform, we share the necessary data (such as name, email, appointment data, and possibly health data entered by you) with that “Specialist.” In this situation, the “Specialist” acts as an independent Controller of your data, and we act as a Processor on their behalf to facilitate the service.
10.3 Other Third Parties (with your consent or upon your initiative)
These are third parties to whom you have consented to share data yourself. Example: When you explicitly consent to link your Google Calendar for appointment management.
10.4 Government Authorities and Legal Obligations
We share data with other third parties to the extent required for the following purposes:
- (i) Compliance at the request of a competent government authority of Greece, a court order, or applicable law.
- (ii) Prevention of illegal uses of our Platform or violations of our Terms of Use and policies.
- (iii) Our own protection against third-party claims.
- (iv) Contribution to the prevention or investigation of fraud cases.
10.5 Sharing of Data by You
When you use certain social media features on our Platform, you may create a public profile that includes information such as your username, profile picture, and city. You may also share content with your friends or the general public, including information about your interaction with the Company. We encourage you to use the tools we provide for managing sharing on the Company's social media to control the information you provide.
11. What is the policy we apply with third-party Processors?
Those performing the processing on our behalf have agreed and contractually committed to the Company to:
- Maintain confidentiality.
- Not send your Data to third parties without the Company's permission.
- Take appropriate security measures.
- Comply with the legal framework for the protection of personal data and in particular the GDPR.
To improve your customer experience on our Sites and Apps, we use the above service providers who will process your Personal Data as part of their contracts with us. If you wish to receive more information about sharing your Data with third parties, please contact us by email at info@vivianlab.com.
12. How do we ensure that Processors respect your Data?
Those performing the processing on our behalf have agreed and contractually committed to the Company:
- To maintain confidentiality.
- Not to send your Data to third parties without the Company's permission.
- To take appropriate security measures.
- To comply with the legal framework for personal data protection and in particular the GDPR.
13. Data Transfer
The personal data we collect (or process) in the context of our Platform will be stored primarily within the European Union (EU) and the European Economic Area (EEA), for example on our main servers hosted in Germany.
However, to provide certain Services and functionalities, some of the Data recipients with whom the Company shares your Personal Data may be located in countries outside the EEA (“third countries”). This notably includes:
- a) Hosting and Cloud Infrastructure Provider: To the extent that VivianLab LTD utilizes Amazon Web Services, Inc. (“AWS”) as a hosting and cloud infrastructure provider for the processing of your personal data, AWS acts as a Data Processor on behalf of the Company in accordance with the GDPR. The relationship between the Company and AWS is governed by the AWS Data Processing Addendum (“AWS DPA”), incorporated into the AWS Service Terms and available at the AWS website. Where AWS services involve the transfer of your personal data from the EEA to countries outside the EEA (including the USA), the Company ensures appropriate safeguards in accordance with Article 46 GDPR, particularly through the Standard Contractual Clauses (SCCs).
- b) AI Service Providers: For our AI Assistant (AI Tracker) to function, we transfer data to our technology partner Anthropic (Claude AI), which is based in the United States of America (USA).
- c) Analytics Service Providers: For the purposes of web analysis, we use services such as Google Analytics, which may involve transferring data to the USA.
Legislation in these countries (such as the USA) may not provide the same level of data protection as the EEA. We are committed to protecting your Personal Data and take all necessary measures to comply with the applicable legal requirements for such transfers. To ensure that your Personal Data is adequately protected, we primarily rely on Standard Contractual Clauses (SCCs) approved by the European Commission.
Specifically for the transfer of your special categories (health) data to our AI partners in the USA, in addition to the Standard Contractual Clauses, we will also rely on your explicit and separate consent for such transfer, requested before you use the AI Assistant service.
14. How long do we keep your Data?
We store your Personal Data for as long as is necessary to fulfill the purposes set out in this Privacy Policy (unless a longer retention period is required by applicable law).
Generally, this means we will store your Personal Data related to your account for as long as you have an active account with our Company.
Regarding your Personal Data related to the services we offer (e.g., transaction data), we store this data for a longer period to comply with our legal obligations (such as tax and commercial law).
At the end of this retention period, your data will be completely deleted or anonymized, for example by aggregating it with other data, so that it can be used in a non-identifiable manner for statistical analysis and business planning.
Some examples of retention periods:
- Account and Services Data (Client Register): We store your basic account data while it is active. Data related to transactions and performance of services is stored for five (5) years after termination of the contractual relationship.
- Newsletter Data (Marketing Register): Your consent and data for sending the newsletter (name, email) are stored until you withdraw your consent.
- AI Assistant Data (AI Tracker Register): Due to the sensitive nature of this data, we apply the following time limits: the data is actively processed while you use the feature; if you become inactive, we may retain the data for a limited period (e.g., 18 months after your last activity). Upon explicit closure of your profile or upon your request for deletion, your personal health data from the AI Assistant will be permanently deleted.
15. Is your data secure?
VivianLab is committed to safeguarding your Personal Data using industry-leading security measures. We recognize the importance of protecting your information, particularly sensitive health data, and have implemented comprehensive technical and organizational safeguards throughout the entire data lifecycle.
15.1 Technical security measures
(a) Encryption in transit
All data transmitted between your device (web browser or mobile application) and our servers is secured using HTTPS with Transport Layer Security (TLS) 1.2 or higher. This encryption protocol prevents interception, eavesdropping, or tampering with your data during transmission over the internet.
(b) Encryption at rest
Personal data stored in our databases and storage systems is protected using AES-256 encryption. This ensures that your data remains secure even in the unlikely event of physical infrastructure compromise.
(c) Password security
Your account password is never stored in plain text. We use strong, one-way cryptographic hashing algorithms with salting (bcrypt or equivalent) to protect your login credentials. Not even our system administrators can view your actual password. Each password is hashed with a unique random salt, and only you know your password.
15.2 Payment security
VivianLab’s payment infrastructure is designed to never store, transmit, or process raw cardholder data on our servers. All payment processing is delegated to Stripe, a globally trusted payment provider certified as a PCI DSS Level 1 Service Provider.
When you enter your payment details, this information is transmitted directly from your browser to Stripe’s servers over TLS-encrypted connections, completely bypassing VivianLab’s backend. Stripe tokenizes your card data; VivianLab only stores a token, not your actual card details.
15.3 Infrastructure and platform security
Our Platform is built on secure marketplace infrastructure (such as Sharetribe), with encryption in transit (TLS 1.2+) and encryption at rest (AES-256). Our infrastructure is hosted on secure cloud providers (e.g., AWS, Azure) that maintain ISO 27001, SOC 2, and similar certifications. Physical security, network security, and redundancy are handled by these providers.
15.4 Organisational security measures
- Role-based access control (RBAC)
- Principle of least privilege
- Audit logs and monitoring
- Limited-access operational environments
- Confidentiality obligations for staff and contractors
- Regular security and GDPR training
- Incident response and business continuity plans
15.5 Personal data security – Overview table
The following table summarizes key safeguards:
| Data category | Examples | Encryption in transit | Encryption at rest | Additional security measures |
|---|---|---|---|---|
| Account credentials | Username, password, email | HTTPS/TLS 1.2+ | AES-256 | Password hashing (bcrypt + salt), session management, optional MFA |
| Personal identification data | Name, surname, date of birth, country, city, address, phone | HTTPS/TLS 1.2+ | AES-256 | RBAC, audit logging, data minimisation |
| Payment information | Cardholder name, card number, CVV, expiry date, billing address | Direct to Stripe via TLS | Tokenised (no raw card data stored) | PCI DSS Level 1 (via Stripe), tokenisation, 3D Secure, fraud detection |
| Transaction metadata | Transaction ID, amount, date, status | HTTPS/TLS 1.2+ | AES-256 | Audit logs, retention per tax law |
| Health data | Symptoms, menopause stage, mood, biometrics from wearables, lifestyle | HTTPS/TLS 1.2+ | AES-256 | Explicit consent, segregated storage, pseudonymisation where applicable, limited retention, DPIA |
| Consultation & appointment data | Appointment dates, specialist name, notes | HTTPS/TLS 1.2+ | AES-256 | Processor role on behalf of Specialist, RBAC, audit logs, secure channels |
| Google Calendar integration data | Events, meeting links, metadata | HTTPS/TLS 1.2+ (OAuth 2.0) | AES-256 (tokens) | Explicit consent, limited scope, user-controlled revocation, Google API security |
| Newsletter & marketing data | Email, name, consent records | HTTPS/TLS 1.2+ | AES-256 | Consent-based, unsubscribe link, consent logs |
| Cookies & analytics data | IP, device ID, browser info, usage patterns | HTTPS/TLS 1.2+ | AES-256 (where stored) | Anonymisation/pseudonymisation, consent management, retention limits |
| Social media data | Username, public profile, interactions | HTTPS/TLS 1.2+ | AES-256 | Only public data, limited retention, user-controlled sharing |
| Technical & device data | IP address, OS, device ID, language, time zone | HTTPS/TLS 1.2+ | AES-256 | IP pseudonymisation, aggregation, log retention policies, security monitoring |
| Job application data | CV, education, skills, work experience | HTTPS/TLS 1.2+ | AES-256 | Access limited to HR/hiring managers, limited retention, secure deletion |
15.6 Continuous Security Improvement
We are committed to continuous improvement through:
- Regular security audits
- Vulnerability scanning and penetration testing
- Security patch management
- Compliance monitoring
- Incident response drills
- Monitoring emerging security threats
15.7 Your role in security
You should:
- Keep your password confidential and strong
- Log out after use on shared devices
- Enable MFA if available
- Monitor your account and report suspicious activity
- Keep your devices and software up to date
- Beware of phishing attempts
15.8 Data breach notification
In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and, where required, notify affected individuals without undue delay, in accordance with GDPR Articles 33 and 34.
You can report any suspected security incidents or data breaches to info@vivianlab.com.
15.9 Third-party security
All third-party service providers and data processors with whom we share your data are contractually obligated to:
- Implement appropriate technical and organizational security measures
- Process data only according to our documented instructions
- Maintain confidentiality
- Notify us of any data breaches or security incidents
- Comply with GDPR and applicable data protection laws
- Submit to audits and security assessments where applicable
16. What are your rights?
You have a number of rights under the GDPR regarding your Personal Data:
- Right of access: To know whether we process your data, and if so, to receive information about the processing and a copy of your data.
- Right to rectification: To request correction of inaccurate or incomplete data (e.g., name, address).
- Right to erasure (“right to be forgotten”): To request deletion of your data where it is no longer necessary for the purposes of processing or where you withdraw consent and there is no other legal basis.
- Right to data portability: To receive the data you have provided in a structured, commonly used, and machine-readable format, or to have it transmitted to another controller.
- Right to restriction of processing: To request restriction of processing while objections or disputes are being examined.
- Right to object: To object to processing based on legitimate interest. We will stop processing unless we demonstrate compelling legitimate grounds.
- Right to withdraw consent: Where processing is based on your consent, you can withdraw it at any time with future effect (e.g., for newsletters, marketing communications, AI Assistant health data).
Choosing not to receive Marketing Communications. You can choose not to receive marketing communications by changing your email and SMS registrations, clicking the unsubscribe link or following the instructions in the message, or by contacting us.
17. How can you exercise your rights?
To exercise your rights, you can submit a request to info@vivianlab.com with the subject “Exercise of Right”. We will examine it and respond as soon as possible.
Exceptionally:
- If you wish to correct your Data in your user account, you can log in and make the correction/change directly.
- If you wish to withdraw your consent to the newsletter, you can do so via the unsubscribe link in each newsletter.
- If you wish not to receive web push notifications, you can disable them from your browser settings.
To protect the confidentiality of your information, we may ask you to verify your identity before acting on your request. If you have authorized a third party to make a request on your behalf, we may ask them to provide proof of such authorization.
18. When do we respond to your Requests?
We respond to your Requests free of charge without undue delay and, in any case, within one (1) month of receiving your request. If your request is complex or we have received a large number of requests, we may need up to an additional two (2) months; in that case, we will inform you within the first month.
19. What is the applicable law when we process your Data?
Applicable law is Greek Law, as formulated in accordance with the GDPR and, in general, the current national and European legislative and regulatory framework for the protection of personal data.
Any dispute arising out of or related to the protection of your Personal Data shall be subject to arbitration in accordance with the Mediation Regulation of the European Mediation and Arbitration Organization (EOMIA). If the dispute or part thereof is not resolved through mediation, it shall be resolved exclusively, finally and irrevocably by an arbitral tribunal, in accordance with the EODID Arbitration Rules.
In the event of any dispute regarding the above, the competent courts are the courts of the city of Athens.
20. Where can you go if we breach the applicable law for the protection of your Personal Data?
You have the right to submit a complaint to the Personal Data Protection Authority, if you consider that the processing of your Personal Data violates the applicable legal and regulatory framework for the protection of personal data:
Hellenic Data Protection Authority, Kifisias 1-3, 115 23, Athens, Greece, Tel: +30 210 6475600, Email: contact@dpa.gr.
21. How will you be informed of any changes to this Policy?
We update this Privacy Policy whenever necessary. If there are significant changes to the Privacy Policy or the way we use your Personal Data, we will post an update on our website before the changes take effect and will notify you as soon as possible.
We encourage you to read this Policy periodically to know how your Data is protected. This Privacy Policy was last modified on 16 November 2023.
We remain at your disposal for any further information and concerns that may arise from this Privacy Policy. Please contact us at info@vivianlab.com.