Privacy Policy

Last updated: January 2025

Your privacy is important to us. This policy explains how we collect, use, and protect your personal and health data in compliance with UK GDPR.

1. Data We Collect

Personal Information

  • Name, email address, and account credentials
  • Profile information (role: patient, doctor, volunteer)
  • Contact preferences and communication history

Health Data (Special Category Data)

Under UK GDPR Article 9, the following is classified as special category data requiring explicit consent:

  • Daily check-in data (mood ratings, energy levels, stress levels)
  • Mental health assessment responses (GAD-7, PHQ-9, PSS-10 questionnaires)
  • Journal entries and personal notes about your wellbeing
  • Activities logged and their correlation with mood patterns
  • Psychometric scores and clinical insights
  • Appointment history with healthcare professionals

Technical Data

  • Authentication cookies (Supabase session management)
  • Device information and browser type
  • IP address and usage analytics

2. How We Use Your Data

Primary Purposes

  • Wellbeing Tracking: Analyze your mood patterns and provide personalized insights
  • AI-Powered Analysis: Generate weekly reports and assessment insights using artificial intelligence
  • Healthcare Coordination: Facilitate appointments with NHS specialists and autism consultants
  • Community Support: Connect you with trained volunteers through our Befriend Chat feature
  • Service Improvement: Improve our platform based on aggregated, anonymized usage patterns

AI Processing

We use artificial intelligence to provide personalized insights. Your data is processed by:

  • OpenAI GPT-4o: Generates weekly reports from your check-in data and journal entries
  • Anthropic Claude Sonnet 4.5: Analyzes 7-day assessment responses and provides clinical insights

Important: Your data is sent to these AI providers for processing but is not stored or used for training their models. All processing is done in real-time and discarded after generating insights.

Legal Basis for Processing

  • Explicit Consent: You provide explicit consent for processing your health data during signup
  • Legitimate Interest: Service improvement and security measures
  • Contractual Necessity: Providing the services you've requested

3. Data Sharing & Third Parties

Third-Party Processors

We share your data with the following trusted third-party processors:

  • Supabase: Database hosting and authentication (EU servers, GDPR compliant)
  • Vercel: Application hosting and deployment (GDPR compliant)
  • OpenAI: AI processing for weekly reports (data not stored or used for training)
  • Anthropic: AI processing for assessments (data not stored or used for training)
  • Resend: Email delivery for notifications and appointment confirmations

All third-party processors have Data Processing Agreements (DPAs) in place and comply with UK GDPR requirements.

We Never Share Your Data With

  • Advertisers or marketing companies
  • Social media platforms
  • Data brokers or aggregators
  • Any party without your explicit consent

4. Your Rights Under UK GDPR

You have the following rights regarding your personal and health data:

Right to Access

Request a copy of all personal data we hold about you. You can export your data from the Privacy Settings page.

Right to Erasure ("Right to be Forgotten")

Request deletion of your account and all associated data. This can be done from the Privacy Settings page. Deletion is permanent and cannot be undone.

Right to Data Portability

Download your data in machine-readable format (JSON) to transfer to another service.

Right to Rectification

Correct any inaccurate personal data through your profile settings.

Right to Withdraw Consent

Withdraw your consent for data processing at any time. Note that this may limit your ability to use certain features.

Right to Object

Object to processing of your data for specific purposes, including AI analysis.

Right to Lodge a Complaint

If you believe we've mishandled your data, you can lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

5. Data Retention & Security

How Long We Keep Your Data

  • Active Accounts: Data is retained as long as your account is active
  • Inactive Accounts: After 2 years of inactivity, we'll email you to confirm if you want to keep your account
  • Deleted Accounts: All data is permanently deleted within 30 days of account deletion request
  • Backups: Backup copies are retained for 90 days for disaster recovery, then permanently deleted

Security Measures

  • Encryption: All data is encrypted in transit (HTTPS/TLS) and at rest (AES-256)
  • Row Level Security: Database access is restricted to your own data only
  • Authentication: Secure authentication with Supabase Auth (bcrypt password hashing)
  • Access Controls: Strict access controls limit who can view your data
  • Regular Audits: Security audits and vulnerability assessments

Data Breach Notification

In the unlikely event of a data breach affecting your personal data, we will:

  • Notify the ICO within 72 hours
  • Notify affected users without undue delay
  • Provide details of the breach and steps taken to mitigate harm

6. Cookies & Tracking

Essential Cookies

We use essential cookies required for the service to function:

  • Authentication Cookies: Supabase session cookies to keep you logged in
  • Security Cookies: CSRF protection and security measures

Analytics

We currently do not use analytics or tracking cookies. If we add analytics in the future, we will update this policy and request your consent.

7. Children's Privacy

Our service is not intended for children under 13 years of age. For users aged 13-15, we require parental consent before processing health data. If you believe a child under 13 has provided us with personal data, please contact us immediately.

8. International Data Transfers

Your data is primarily stored on EU servers (Supabase EU region). When data is processed by AI providers (OpenAI, Anthropic), it may be transferred to the United States. These transfers are protected by:

  • Standard Contractual Clauses (SCCs) approved by the EU Commission
  • Data Processing Agreements with adequate safeguards
  • Real-time processing only (no storage of data outside EU)

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the updated policy on this page with a new "Last updated" date
  • Sending you an email notification (if you've provided consent for communications)
  • Displaying a prominent notice on the platform

Continued use of the service after changes constitutes acceptance of the updated policy.

10. Contact Us

If you have questions about this Privacy Policy or want to exercise your rights, please contact us:

Email: privacy@hikind.com

Data Protection Officer: dpo@hikind.com

Privacy Settings: Manage your privacy settings