Privacy Policy

A. Data Collection & Anonymization

We collect the following categories of information:

• Account Information: Email address and username, collected at registration.
• Chat & Session Data: Messages you send to the AI agent, therapy session recordings, transcriptions, and summaries. This data is sent to third-party AI services to generate responses and analysis (see Section C for details).
• Audio Recordings: Voice recordings from therapy sessions. These are sent to third-party services for transcription and voice generation (see Section C for details).
• Journal Entries: Text you write in the journal. Journal text is sent to a third-party service for emotional tone analysis (see Section C for details).
• Usage Data: Device type, operating system, app version, and general interaction patterns (e.g., session frequency). We do not use third-party analytics or advertising trackers.

Before any chat or journal data is processed by our AI partners, it undergoes a stripping process where Personally Identifiable Information (PII) is removed.

B. Legal Basis for Processing

We process your information on the following legal bases:

• Contract Performance: To provide the Service you signed up for.
• Legitimate Interest: To improve the Service, ensure security, and prevent abuse.
• Consent: Where required by applicable law (e.g., for users in the EU/UK under GDPR), we rely on your explicit consent to process sensitive personal data.

C. What Data We Share & Who We Share It With

To provide the Service, we send specific categories of your data to third-party AI and infrastructure providers. Data shared with each provider is limited to what is necessary for the stated purpose. We obtain your consent before sharing this data, and PII is stripped before transmission to AI providers.

Data Sent to AI Services

• Chat messages and conversation history are sent to Anthropic (Claude), Google (Gemini), and OpenAI (GPT) to generate AI chat responses and therapy session summaries. PII is stripped before transmission.
• Audio recordings are sent to ElevenLabs for voice transcription (speech-to-text) and voice generation (text-to-speech), and to Hume AI for emotional tone analysis.
• Journal and session text is sent to Hume AI for emotional tone analysis, which powers mood insights and emotional trend tracking.

Infrastructure Providers

• Supabase: Database, authentication, and edge functions (hosted on AWS). Stores your account information, chat history, journal entries, and session data.
• Twilio: Video sessions, real-time sync, and in-session chat.
• Vercel: Website hosting and edge deployment.

D. Cookies & Tracking

We use only essential, first-party cookies required for authentication and session management. We do not use third-party advertising cookies, analytics trackers, or cross-site tracking pixels. We do not participate in ad networks or data broker exchanges.

E. Security & Encryption

Your data is protected using AES-256 encryption at rest and TLS/SSL encryption during transit. While we strive for "as safe as possible" standards, no method of electronic transmission is 100% secure.

F. Data Retention & Deletion

You may request the deletion of your account and all associated data at any time by emailing [email protected]. Upon request, data is purged from our active databases within 30 days. Backups containing your data are purged within 90 days of a deletion request.

G. International Data Transfers

Your data is stored and processed in the United States. If you are accessing the Service from outside the United States, you consent to the transfer of your data to the U.S. For users in the EU/UK, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards where required to transfer data internationally.

H. Children's Privacy

The Service is not intended for children under the age of 18. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected data from a user under 18, we will delete that data promptly. If you believe a child under 18 has provided us with personal information, please contact us at [email protected].

I. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access & Portability: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate personal data.
• Deletion: Request deletion of your personal data.
• Opt-Out: Opt out of certain processing activities (where applicable).

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

J. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users via email and/or in-app notification within 72 hours of becoming aware of the breach, in accordance with applicable law.

K. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or a prominent notice within the app at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

L. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: