Transparency · Data practices
What we collect. Why. For how long.
A matter-of-fact inventory. Each category of data names what it is, the reason we hold it, how long we keep it by default, and how it is protected. If a category is absent from this list, we do not collect it.
The privacy commitment governs how these categories are treated. The full policy is the legal instrument.
- Inventory style
- Category by category
- Retention
- Stated per category
- Encryption
- At rest and in transit
- Sub-processors
- Named annually
Category 1
Account and identity.
The minimum required to give you an account you can return to and recover if you lose access to it.
What
Email address, display name, password hash (never the password itself), account creation and last-login timestamps.
Why
To authenticate you, to communicate about account-critical events, to recover your account if you lose access.
Retention
For the life of the account. Deleted within 90 days of account deletion, including from backups.
Protection
Encrypted at rest. Passwords hashed with a modern algorithm. MFA supported; passkeys preferred.
Category 2
Communications with the companion.
The conversation you have with the AI companion, and the context it builds about you over time so it can be useful across weeks and months rather than starting fresh each time.
What
Messages you send the companion. A working memory summarising what you have discussed, goals you have named, and things you have asked for help with.
Why
So the companion is a presence that remembers, not a stranger every session. The memory is yours; it is not training data for someone else.
Retention
Messages retained for the life of the account by default. You can clear conversation history, clear the companion memory, or delete both on demand.
Protection
Encrypted at rest and in transit. Not used to train any third-party model. Not shared with advertisers (there are none).
Category 3
Circle and Connections graph.
The private record of the people who matter to you and the connections you have made on the platform. This is some of the most sensitive data the Foundation holds.
What
Your Circle members, your active connections and groups, and the per-relationship notes and timelines you have built.
Why
Circle exists to help you tend a small set of important relationships. Connections exists to match you with people by character over time.
Retention
Retained while the relationship is active. Tied to account deletion; when you leave, this goes with you.
Protection
Private to you. Never aggregated with strangers. Never shared with third parties. Circle messaging designed for end-to-end encryption.
Category 4
Community posts.
The posts, replies, and reactions you contribute in communities. These are public in the community you posted them in. They are not public on the open web.
What
Posts, replies, reactions, the community you posted in, and the timestamp.
Why
Community is the heart of the product. These posts are how people meet, talk, and stand with each other.
Retention
Retained while your account is active. Fully portable via data export. Deleted with your account.
Protection
Visible inside the community. Not indexed by search engines. Not scraped by third parties with our cooperation.
Category 5
Telemetry and diagnostics.
A small amount of technical data the app and our services emit so we can tell when something is broken. Kept minimal on purpose.
What
Crash reports, error traces, basic platform and app-version metadata, anonymous event counters (e.g. feature X loaded N times).
Why
To notice when a feature is broken before you have to tell us. We do not use telemetry to build behavioural profiles.
Retention
Aggregated at source; individual rows retained under 90 days. Opt-out available in settings.
Protection
No third-party analytics beyond Vercel infrastructure metrics. No ad identifiers. No device fingerprinting.
Category 6
Research opt-in data.
If you choose to participate in Foundation research, your contribution enters a separate, governed pipeline. You opt in per study. You can withdraw at any time.
What
Only what a specific study calls for: survey responses, validated-instrument scores, longitudinal wellbeing signals.
Why
To understand what works. Foundation research is published openly so others can build on it.
Retention
Aggregated and anonymised on the published schedule for the study. Raw linked records held under IRB protocol for the study duration only.
Protection
Governed by an independent research committee. IRB-reviewed where applicable. Never combined with advertising data; there is none.
What we do not collect
The absence is the policy.
Some categories are deliberately missing. Not by omission. By design. If a category is on this list, the Foundation will not begin collecting it under this charter.
Advertising identifiers
No IDFA, no AAID, no ad-network IDs. Apps are built to run without them.
Cross-site trackers
No third-party tags on our surfaces. No pixels embedded on partner sites that beacon data back to us.
Device fingerprinting
We do not build synthetic identifiers from browser/device characteristics to re-identify visitors.
Third-party analytics
No Google Analytics, no Facebook SDK, no Mixpanel, no Segment. Vercel infrastructure metrics only, scoped to serving the site.
Sold data
We do not buy user data from data brokers to enrich your profile. Full stop.
Sub-processors
A full list of sub-processors (infrastructure hosts, payment, email, error monitoring) will publish with the first annual transparency report, including what each is used for and the region they operate from. Until then, the major categories are: hosting, transactional email, payments processing, and error monitoring.
The legal version.
The full privacy policy contains the same practices in legal form. Both documents are the same commitment, in two registers.