Privacy Policy

Effective Date: October 23, 2025

Last Updated: October 23, 2025

1. Introduction

This Privacy Policy describes how we ("we," "us," or "our") collect, use, disclose, and protect your personal information when you use our AI-powered conversational platform (the "Service"). We are committed to protecting your privacy and handling your data with transparency and care.

By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy.

2. Information We Collect

2.1 Information You Provide

• Account Information: Email address, password (encrypted), and profile details
• Conversation Content: Voice recordings (processed in real-time, not permanently stored), conversation transcripts, and messages
• Program Data: Enrollment information, progress tracking, and assessment responses
• User-Generated Content: Any content you create or share through the Service

2.2 Automatically Collected Information

• Usage Data: Session duration, features used, and interaction patterns
• Device Information: Browser type, operating system, IP address (anonymized)
• Cookies: Essential cookies for authentication and session management
• Analytics: Aggregated usage statistics (when analytics are enabled)

2.3 AI-Generated Information

• Conversation Summaries: AI-generated insights and summaries of your conversations
• Memory System: Important topics, themes, and context extracted from conversations
• Progress Insights: AI-generated assessments of your engagement and progress

3. How We Use Your Information

We use your information for the following purposes:

3.1 Service Delivery

• Provide AI-powered conversational experiences
• Generate personalized insights and summaries
• Track your progress through structured programs
• Maintain conversation history and memory for context
• Enable voice interactions and transcription

3.2 Service Improvement

• Improve AI model performance and accuracy
• Develop new features and capabilities
• Diagnose technical issues and bugs
• Analyze usage patterns to enhance user experience

3.3 Communication

• Send essential service notifications
• Respond to support inquiries
• Notify you of important policy changes

3.4 Legal Compliance

• Comply with legal obligations
• Protect against fraud and abuse
• Enforce our Terms of Service

4. Third-Party Services

We use trusted third-party services to deliver our platform. These services process your data on our behalf and are contractually bound to protect it:

4.1 AI Processing

• OpenAI: Conversation analysis, insight generation, and memory selection (GPT-4 models)
• ElevenLabs: Voice conversation processing (audio is processed in real-time and not permanently stored by ElevenLabs)

4.2 Infrastructure

• Supabase: Database hosting, authentication, and secure storage
• Vercel: Application hosting and content delivery

4.3 Analytics (Optional)

• Umami: Privacy-friendly analytics (when enabled, no personal data collected)

Data Processing Agreements: We have Data Processing Agreements (DPAs) in place with all third-party processors to ensure GDPR and CCPA compliance.

5. Data Sharing and Disclosure

We do NOT sell your personal information. We only share your data in the following limited circumstances:

5.1 Service Providers

With third-party service providers (listed above) who help us operate our platform, under strict data protection agreements.

5.2 Legal Requirements

When required by law, court order, or governmental authority, or to protect our rights and safety.

5.3 With Your Consent

With your explicit consent for any other purpose.

We do NOT:

• Sell your data to advertisers or marketers
• Share your conversations with other users
• Use your data for marketing without your consent
• Share personal information with third parties for their own purposes

6. Data Security

We implement industry-standard security measures to protect your data:

• Encryption in Transit: All data transmitted using TLS/HTTPS encryption
• Encryption at Rest: Database encryption for all stored data
• Access Controls: Row-Level Security (RLS) policies ensure users can only access their own data
• Password Security: Passwords are hashed using industry-standard algorithms and checked against known breach databases
• Authentication: Secure authentication with email verification required
• Tenant Isolation: Complete data separation between different organizations using the platform
• Audit Logging: All sensitive operations are logged for security monitoring

While we implement robust security measures, no system is 100% secure. We continuously monitor and update our security practices.

7. Your Privacy Rights

Under GDPR (European Union) and CCPA (California), you have the following rights:

7.1 Right to Access

You can request a copy of all personal data we hold about you. Use the "Export Data" feature in your account settings.

7.2 Right to Rectification

You can update your profile information at any time through your account settings.

7.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your account and all associated data. Use the "Delete Account" feature in your account settings. This action is permanent and irreversible.

7.4 Right to Data Portability

You can export your data in machine-readable JSON format at any time.

7.5 Right to Restrict Processing

You can request that we limit how we process your data. Contact us to exercise this right.

7.6 Right to Object

You can object to certain types of data processing. Contact us to discuss your concerns.

7.7 Right to Withdraw Consent

You can withdraw consent for optional data processing (like analytics) at any time through cookie settings.

To exercise these rights: Visit your Account Settings or contact us at privacy@[DOMAIN].com

8. Data Retention

We retain your data as follows:

• Active Accounts: Data is retained while your account is active
• Deleted Accounts: Data is permanently deleted within 30 days of account deletion
• Legal Holds: Data may be retained longer if required by law or legal proceedings
• Backups: Backup copies are automatically deleted within 90 days
• Anonymous Analytics: Aggregated, anonymized data may be retained indefinitely

9. Children's Privacy

Our Service is not intended for children under 13 years of age (or 16 in the EU). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately, and we will delete it.

10. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. We ensure that such transfers comply with applicable laws through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements with all third-party processors
• Adequacy decisions where applicable

11. Cookies and Tracking

We use the following types of cookies:

11.1 Essential Cookies

Required for the Service to function (authentication, session management). These cannot be disabled.

11.2 Analytics Cookies (Optional)

Used to understand how the Service is used. You can opt out through cookie settings.

We do NOT use:

• Advertising cookies
• Third-party tracking cookies
• Social media tracking pixels

For more details, see our Cookie Policy.

12. Important Disclaimers

12.1 Not Professional Services

IMPORTANT: Our Service provides AI-powered conversational support but is NOT a substitute for professional medical, psychological, legal, or financial advice. Conversations are for informational and personal development purposes only.

12.2 AI Limitations

AI-generated content (summaries, insights, responses) may contain errors or inaccuracies. Do not rely solely on AI-generated information for critical decisions.

12.3 Crisis Resources

If you are experiencing a mental health crisis, please contact emergency services or a crisis hotline immediately. Our Service is not equipped to handle emergencies.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be communicated through:

• Email notification to your registered email address
• In-app notification upon next login
• Updated "Last Modified" date at the top of this policy

Continued use of the Service after changes constitutes acceptance of the updated policy. If you do not agree to changes, you may delete your account.

14. Contact Us

For questions, concerns, or to exercise your privacy rights, contact us:

• Email: privacy@[DOMAIN].com
• Data Protection Officer: dpo@[DOMAIN].com
• Mail: [Physical Address]

We will respond to your inquiry within 30 days (or as required by applicable law).

15. Supervisory Authority

If you are in the European Economic Area (EEA), you have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.

---

This Privacy Policy is designed to comply with GDPR (EU), CCPA (California), and other applicable privacy laws. We are committed to protecting your privacy and handling your data responsibly.