Aurelia knows you. The cloud doesn’t.
v0.2 · last updated 19 May 2026 · draft — pending solicitor review
1. Who we are
EmotiVault Ltd (in formation), United Kingdom. We are the data controller for the personal data described in this policy.
Contact: privacy@emotivault.com. Registered office address and ICO registration number are pending and will be published here before public launch.
2. What we collect
- Identity: first name, email address, date of birth (for the 13+ age check), and a public handle for the Echoes surface
- Content you write: journal entries, Echoes posts, mood logs, your conversation history with Aurelia
- Voice (Premium): transcripts of voice journal entries. Audio recordings stay on your device by default; only transcripts sync
- Onboarding answers: preferred Aurelia tone, your first mood + entry, and any goals/triggers you tell her about over time
- Technical telemetry: browser type, device, IP address (truncated for security), and minimal analytics events required to keep the service running
3. What we DON'T collect
- No third-party advertising trackers
- We never sell your data and do not use your private journal entries to train AI models
- No behavioural-profile cookies
4. Lawful basis (UK GDPR)
We rely on the following lawful bases under Article 6(1) of the UK GDPR:
- Consent (Article 6(1)(a)) — for journal content, mood logs, Echoes posts, and conversational data with Aurelia
- Contract (Article 6(1)(b)) — for account management and Premium billing
- Legitimate interests (Article 6(1)(f)) — for security, fraud prevention, and core service operations
Your emotional and mental-wellbeing data is special category data under Article 9. We rely on explicit consent (Article 9(2)(a)) to process it — confirmed during onboarding and withdrawable at any time from /you.
5. Where it lives
Encrypted in transit (TLS 1.3) and at rest (AES-256) in Supabase (UK/EU region). End-to-end encryption — where even we cannot decrypt your content — is on the roadmap for journal entries and voice. Until then, our staff have technical access for moderation, debugging, and support, governed by a strict access-control policy.
AI providers (Anthropic and Google) process individual messages on our behalf. Neither retains your content beyond their own technical caches; both are bound by data processing agreements. We pass the minimum context needed for a single reply, not your full history.
6. Sub-processors
The following processors handle your data on our behalf:
- Supabase Inc. — database + authentication (UK/EU region)
- Anthropic PBC — Aurelia’s deep replies (Claude Sonnet)
- Google LLC — Aurelia’s routine replies (Gemini Flash)
- Cloudflare Inc. — edge infrastructure + rate limiting
- Stripe Payments Europe Ltd — billing (Premium only)
- Google Firebase — static-site hosting
Each sub-processor is bound by a Data Processing Agreement. We will publish the full register, with each provider’s DPA reference, before public launch.
7. Echoes — anonymity & retention
Posts on the Echoes time-capsule surface remain private by default. Locked entries are not readable by anyone — including us — until their unlock date. Once unlocked, they remain visible only to the entry’s owner.
8. Retention
- Journal entries — kept indefinitely while your account exists. Yours forever.
- Aurelia memory window — Free tier: rolling 30 days. Premium: unlimited.
- Account deletion — full erasure within 30 days of request (UK GDPR Article 17)
- Backups — held for 30 days then permanently deleted
9. Your rights under UK GDPR
You have the right to:
- Access — request a copy of all data we hold about you
- Rectification — correct anything that’s wrong
- Erasure (“right to be forgotten”) — delete your account and all associated data
- Portability — export your data as PDF or JSON
- Restriction — limit how we use your data
- Objection — object to certain processing
- Withdraw consent — at any time, from /you or by emailing privacy@emotivault.com
- Complain to the Information Commissioner’s Office (ico.org.uk)
10. Children's data
You must be at least 13 years old to use EmotiVault. The age check happens at onboarding (step 02). We do not knowingly collect data from anyone under 13. If you believe we have, write to privacy@emotivault.com and we will delete it.
For users aged 13–17, we apply additional safeguards: a more conservative crisis-response setting, a clearer disclaimer that Aurelia is not a therapist, and a reminder that parents or guardians can ask for their child’s data to be deleted at any time.
11. International transfers
Your data is primarily stored in the UK/EU. Where data flows to sub-processors outside the UK (Anthropic, Google, Stripe in the US), it is protected by Standard Contractual Clauses (SCCs) or equivalent legal safeguards approved by the ICO.
12. Cookies
We use only essential cookies: a session token for authentication, and a small preference cookie for your theme choice. No marketing cookies, no third-party trackers.
13. Changes to this policy
We will notify you of material changes in-app and by email at least 30 days before they take effect. Your continued use of EmotiVault after the effective date constitutes acceptance.
14. Contact + data protection officer
For privacy questions, exports, deletions, or to exercise any of your rights, write to privacy@emotivault.com.
Our Data Protection Officer is pending formal appointment. Once appointed, their contact details will be published here.
Draft notice. This document is a v0.2 draft pending review by a UK data-protection solicitor. The operating commitments above are sincere and reflect how the product is built; the exact wording (and items marked “pending”) will change before launch.