About This App
The E-mergir app ("the App") is a research tool developed as part of a scientific study. It is available only to adults (18+) who have enrolled as participants in the study, have received the study information sheet, and have signed the informed consent form before being given access to the App.

This Privacy Policy explains what data is processed through the App, why, and on what legal basis, in line with the EU General Data Protection Regulation (GDPR) and Portuguese data protection law (Law 58/2019).

Data Controller and Research Team
Controller: Faculdade de Psicologia e de Ciências da Educação da Universidade do Porto (FPCEUP)
Address: Rua Alfredo Allen 4200-135
Principal Investigator: Sonia Pieramico (up202101779edu.fpce.up.pt) and Ana Luisa Quinta-Gomes (anagomesfpce.up.pt)
Study contact: saude.emergir@gmail.com
Ethics Approval: Centro Hospitalar Universitário de Coimbra
This study has been reviewed and approved by the Ethics Commitee of Centro Hospitalar Universitário de Coimbra (ref. 2025-TnC-2-NCT05946161). The study is conducted in accordance with the Declaration of Helsinki and applicable Portuguese research ethics standards.

What Data Is Processed
Data processed through the App is pseudonymised: you are identified only by a participant code, not by your name or other direct identifiers. The code-to-identity mapping is held separately by the research team and is not accessible through the App.

The App processes:

Your participant code, used to sign you in.
Content you enter in the App, which includes structured responses (for example, questionnaire and scale answers) and free-text entries (for example, journal entries or open-ended answers).
Technical data generated by Firebase Authentication, such as account creation time and last sign-in time, which are necessary for the sign-in to function. Because pseudonymised data can in principle be linked back to you via the separately held code list, it counts as personal data under the GDPR.

A note on free-text entries: please do not include your name, other people’s names, or other directly identifying information in free-text fields. If you do, the research team will remove or redact it during data processing.

What the App Does Not Collect

For transparency, the App does not: Collect analytics or usage tracking of any kind.
Send push notifications. Reminders use local notifications only, generated on your device.
Access your camera, microphone, location, photos, contacts, or health data.
Contain advertising or advertising identifiers.
Share your data with third parties for their own purposes.
The only device permission the App may request is the permission to show local notifications, which you can decline or revoke at any time in your device settings.

How the Data Is Used
To enable you to use the App as a participant in the study.
To analyse the data for the purposes of the study, in pseudonymised form.
To publish aggregated, non-identifying results in scientific outputs.
Lawful Basis

We rely on two legal bases under the GDPR: Article 6(1)(e) — processing necessary for the performance of a task carried out in the public interest (scientific research at a public university), combined with Article 89 safeguards for research.
Your informed consent, given on the signed consent form before the study begins. This consent is the basis for your participation in the study itself; you can withdraw it at any time, as described below.
Who Has Access to the Data
Only members of the authorised research team at FPCEUP have access to the pseudonymised data. We do not share your data with any third party for their own purposes.

The App’s backend runs on Firebase, a service provided by Google, acting as our data processor under a written agreement:

Firebase Authentication stores the participant code and minimal sign-in metadata. Firebase Authentication data is processed by Google on a global basis — Google does not offer a region lock for this service.
Firebase Firestore stores the content you enter in the App. The database is hosted in the eur3 multi-region, meaning data is stored within the European Union (Belgium and the Netherlands).
We do not use Firebase Analytics, Firebase Cloud Messaging (push), Firebase Ads, or Crashlytics.
International Data Transfers
The content you enter in the App is stored in the European Union (Firestore eur3 multi-region: Belgium and the Netherlands) and does not routinely leave the EEA.

However, Firebase Authentication — which handles the sign-in process — is operated by Google on a global basis, and Google does not offer a region lock for this service. As a result, your participant code and sign-in metadata (account creation time, last sign-in time) may be processed by Google outside the EEA, including in the United States.

This transfer is covered by the European Commission’s Standard Contractual Clauses, which Google signs as part of the Firebase Data Processing and Security Terms, and by Google’s certification under the EU–U.S. Data Privacy Framework.

Data Retention
Study data is retained for 5 years after the end of the study, in line with scientific research practice and the ethics committee’s approval. After that period, data is securely deleted or fully anonymised. If you withdraw from the study before it ends, data already collected up to that point may be retained in pseudonymised form for the integrity of the analysis, unless you request deletion.

Your Rights
Under the GDPR you have the right to: Access the personal data we hold about you.
Have inaccurate data corrected.
Ask for your data to be deleted, subject to the limits that apply to scientific research under Article 17(3)(d) GDPR.
Ask us to restrict processing.
Receive your data in a portable format.
Object to processing.
Withdraw your consent to participate in the study at any time, without giving a reason and without any negative consequences.
Lodge a complaint with a supervisory authority. In Portugal, this is the Comissão Nacional de Proteção de Dados (CNPD) — www.cnpd.pt.
To exercise any of these rights, contact the research team at saude.emergir@gmail.com. We will respond within 30 days.

Age Restriction
The App is restricted to participants aged 18 or over. It is not intended for and should not be used by minors.

Data Security
Data is transmitted over encrypted connections (TLS) and stored in Firebase with encryption at rest. Access is restricted to authorised members of the research team. We will notify affected participants and the CNPD of any personal data breach in accordance with the GDPR.

Changes to This Policy
If this policy changes in a way that affects participants, we will post the updated version in the App and notify you through the study’s communication channels before the changes take effect.

Contact
Study email: saude.emergir@gmail.com
Project website: https://emergir.fpce.up.pt/en/
Portuguese supervisory authority: www.cnpd.pt