Privacy Policy

Account information. If you create an account, we collect your email address. We do not collect passwords — authentication is via magic link only.

Session content. If you are signed in and choose to save a session, your inputs (resonance branch, emotion tags, context text) and the Mirror reflection are encrypted with AES-256-GCM before being written to our database. We never store session content in plaintext.

Usage events. We collect anonymised interaction events (e.g. “session started”, “mirror rendered”, “resonance tapped”) in our own database. We do not use Google Analytics, Meta Pixel, or any third-party tracking script.

Payment information. Payments are processed by Stripe. We never see or store your card number, CVV, or banking details. Stripe provides us only with subscription status and a customer ID.

Safety events. When our AI safety classifier flags a session for potential crisis content, a safety event is logged (without the original text) so we can monitor platform safety.

We use the information we collect to:

• Deliver and improve the Soul Space reflection experience
• Send you magic-link sign-in emails and subscription confirmation emails
• Maintain the safety and security of the platform
• Understand aggregate usage patterns (using only our own analytics)
• Process and manage your subscription via Stripe

We do not use your session content to train AI models, and we do not sell, rent, or share your personal information with third parties for marketing purposes.

Session content is encrypted with AES-256-GCM (a military-grade symmetric cipher) before it is stored. The encryption key is never stored alongside the ciphertext.

Our database is hosted on Supabase with row-level security (RLS) enforced on every table — each user can only access their own rows.

All data is transmitted over HTTPS with HSTS enforced. Our servers and database infrastructure are hosted in the United States.

We retain your account and session data for as long as your account is active. Anonymised usage events are retained for up to 24 months for product analytics.

You can delete your account and all associated session data at any time from your account settings. Deletion is permanent and processed within 30 days.

We share limited data with the following sub-processors in order to operate the service:

• Supabase — database, authentication, and row-level security (United States)
• Anthropic — AI model inference for the Mirror reflection and safety classification. Session text is sent to Anthropic’s API for processing and is subject to Anthropic’s Privacy Policy. We do not share identifying information alongside session content.
• Stripe — payment processing (United States)
• Brevo — transactional email delivery (France / EU)
• AWS Amplify — application hosting (United States)

Depending on where you live, you may have rights including:

• Access. Request a copy of the personal data we hold about you.
• Correction. Request correction of inaccurate data.
• Deletion. Request deletion of your account and associated data.
• Opt-out of sale. We do not sell personal information. If you are a California resident, this satisfies your CCPA/CPRA opt-out right.
• Data portability. Request a machine-readable export of your session data.

To exercise any of these rights, email privacy@soulspacehealth.org from the address associated with your account. We will respond within 30 days.