Privacy Policy

At Emotria, we believe that privacy is the foundation of trust, and trust is the foundation of therapy. This document outlines exactly how we protect the deeply personal information you entrust to us.

1. Introduction

This Privacy Policy describes how Emotria ("we," "us," or "our") collects, uses, and discloses your information when you use our AI Therapy website, mobile application, and related services (collectively, the "Service"). By using the Service, you consent to the practices described in this policy. If you do not agree with this Privacy Policy, you must discontinue use of the Service immediately.

This Policy applies to all users of the Service worldwide, including users in the European Economic Area (EEA), the United Kingdom (UK), California (USA), and any other jurisdiction with applicable data protection legislation.

2. Data Controller

For the purposes of applicable data protection laws (including the GDPR), the data controller of your personal data is:

Emotria
Email: privacy@emotria.com
Data Protection Officer (DPO): dpo@emotria.com

3. Information We Collect

We collect information in three primary categories:

A. Information You Provide Directly

• Account Data: Your name, email address, password (hashed — we never store plaintext passwords), and date of birth/age.
• Profile Data: Personal preferences, therapeutic goals, and any biographical information you choose to share with your AI companion.
• Session Content: The text transcripts of your chats, audio recordings of your voice sessions (if enabled), and your written journal entries. This constitutes "Special Category Data" under GDPR.
• Clinical Inputs: Self-reported data such as mood ratings, anxiety levels, sleep quality, and feedback on therapeutic progress.
• Payment Information: Billing details processed by our third-party payment processor (Whop/Stripe). We do not store your full credit card number on our servers.
• Support Communications: Any messages you send to our support team.

B. Information Collected Automatically

• Usage Data: Information about how you interact with the Service, such as session duration, feature usage, navigation paths, and interaction timestamps.
• Device Data: IP address (anonymized where possible), browser type and version, device model, operating system, screen resolution, and timezone to ensure service compatibility and security.
• Log Data: Server logs including access times, pages viewed, referring URLs, and crash reports for diagnostic purposes.

C. Information From Third Parties

• Authentication Providers: If you sign in via Google or Apple, we receive your name, email address, and avatar from those providers. We do not receive or store your passwords from these providers.

4. Sensitive Personal Data (Special Category Data)

Because of the nature of our Service, you may provide data that is considered "sensitive" or "special category" data under applicable laws, including but not limited to data revealing:

• Mental health status and psychological conditions
• Emotional state and wellbeing
• Sexual orientation or identity
• Religious or philosophical beliefs
• Information about substance use or addiction
• Experiences of abuse, trauma, or self-harm

We treat ALL Session Content and Clinical Inputs with the highest level of security and confidentiality available. We process this sensitive data solely on the basis of your explicit consent (GDPR Art. 9(2)(a)) and for the purpose of providing the Service. We do not use sensitive data for marketing, advertising, profiling for commercial purposes, or sale to third parties.

5. Legal Basis for Processing (GDPR Art. 6)

If you are located in the EEA or UK, we process your personal data only when we have a valid legal basis:

• Consent (Art. 6(1)(a)): For processing sensitive/special category data, sending marketing communications, and placing non-essential cookies. You may withdraw consent at any time (see Section 16).
• Contractual Necessity (Art. 6(1)(b)): To perform our contract with you — i.e., to provide the AI therapy service, manage your account, and process payments.
• Legitimate Interest (Art. 6(1)(f)): For service improvement via aggregated analytics, fraud prevention, security monitoring, and providing customer support. We balance these interests against your rights and freedoms.
• Legal Obligation (Art. 6(1)(c)): To comply with applicable tax, accounting, and other legal requirements.
• Vital Interest (Art. 6(1)(d)): In rare cases where we detect imminent risk of self-harm, to provide emergency resources and, where legally required, to contact emergency services.

6. How We Use Your Information

We use your information strictly for the following purposes:

• Service Delivery: To provide personalized AI therapy simulations, generating responsive and context-aware emotional support.
• Memory & Context: To maintain a continuous conversation history so the AI "remembers" past details, creating a consistent therapeutic relationship.
• Safety Monitoring: To algorithmically detect indications of immediate self-harm or danger to others, solely for the purpose of providing emergency resources.
• Service Improvement: To analyze aggregated, anonymized usage patterns to improve the quality of our service (e.g., "users find this module helpful"). Individual session content is never reviewed by human employees for this purpose.
• Communication: To send you transactional notifications (password resets, subscription confirmations) and, with your consent, product updates.
• Security & Fraud Prevention: To detect, investigate, and prevent fraudulent transactions, unauthorized access, and other illegal activities.
• Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

7. AI Processing & Third-Party AI Providers

Our Service utilizes advanced Large Language Models (LLMs) provided by third-party partners to generate responses. Your conversation data is transmitted to these providers solely for real-time response generation.

8. Third-Party Services & Sub-Processors

We use the following third-party services to operate the platform. Each operates under a Data Processing Agreement (DPA) or equivalent contractual safeguard:

9. How We Share Your Information

We DO NOT sell, rent, or trade your personal data. Ever. We only share information in these limited scenarios:

• Service Providers & Sub-Processors: With the trusted vendors listed in Section 8, under strict Data Processing Agreements, solely for the purpose of operating the Service.
• Legal Requirements: If required by a valid subpoena, court order, or other enforceable legal process, or to prevent imminent physical harm. We will attempt to notify you of such requests unless legally prohibited from doing so.
• Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your data may be transferred as part of the transaction. The successor entity will remain bound by this Privacy Policy. We will notify you before your data is transferred and becomes subject to a different privacy policy.
• With Your Consent: In any other circumstances, we will share your information only with your explicit prior consent.

10. Cookies & Tracking Technologies

We use the following categories of cookies:

• Strictly Necessary Cookies: Required for authentication, security, and core Service functionality. These cannot be disabled.
• Preference Cookies: Remember your settings such as language preference, theme (dark/light mode), and notification preferences.
• Analytics Cookies: Used to collect aggregated, anonymized usage statistics to help us understand how the Service is used and improve it. No individual user is identified through analytics.

We do not use third-party advertising cookies or retargeting pixels. We do not serve ads within the Service.

Do Not Track (DNT) Signals

We respect Do Not Track signals sent by your browser. When we detect a DNT signal, we disable all non-essential analytics cookies. Note that strictly necessary cookies required for the Service to function are not affected by DNT settings.

11. Data Retention & Deletion

We retain your personal information only for as long as your account is active or as needed to provide you the Service, and for the period necessary to fulfill the purposes outlined in this Policy.

• Active Account Data: Retained for the duration of your active account.
• Session Content & Clinical Inputs: Retained for the duration of your account. You may delete individual sessions at any time from within the Service.
• Account Deletion: You may request full account deletion at any time via your Profile settings or by contacting privacy@emotria.com. Upon deletion, your personal identifiers and session content are permanently purged from our active databases within 30 days.
• Backups: Encrypted backups may retain residual data for a limited period (up to 90 days) for disaster recovery purposes before being overwritten.
• Legal Obligations: Certain financial records (transaction history, invoices) may be retained for up to 7 years as required by tax and accounting regulations.
• Anonymized Data: Aggregated, fully anonymized data that cannot be re-identified may be retained indefinitely for statistical and service improvement purposes.

12. Security Measures

We implement industry-leading security measures to protect your data, including but not limited to:

• Encryption at Rest: AES-256 encryption for all stored personal data and session content.
• Encryption in Transit: TLS 1.3 for all data transmission between your device, our servers, and third-party providers.
• Access Control: Strict role-based access control (RBAC). Production database access requires multi-factor authentication and is limited to authorized senior engineers.
• Password Security: User passwords are hashed using industry-standard bcrypt algorithms and are never stored in plaintext.
• Security Audits: Regular penetration testing, vulnerability scanning, and code security reviews.
• Incident Response: A documented incident response plan is in place to handle security events promptly.

While we implement robust security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

13. Automated Decision-Making & Profiling

The Service uses AI-based automated processing to generate therapeutic responses and monitor for safety risks. Specifically:

• AI Response Generation: Our AI system processes your conversation history to generate contextually relevant therapeutic responses. This is core to the Service you have consented to use.
• Safety Detection: Automated algorithms monitor conversations for indicators of immediate self-harm or crisis situations, solely to surface emergency resources.
• Mood Tracking: If you use mood tracking features, the system may identify patterns in your self-reported data to provide insights. These are informational only and do not constitute medical diagnosis.

No automated decision-making produces legal or similarly significant effects on you. All AI outputs are informational and advisory only. Under GDPR Art. 22, you have the right to request human review of any automated decision. Contact dpo@emotria.com to exercise this right.

14. Your Rights Under GDPR (EEA & UK Residents)

If you are located in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation:

• Right of Access (Art. 15): Request a copy of all personal data we hold about you, in a structured, commonly used format.
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
• Right to Erasure / "Right to be Forgotten" (Art. 17): Request permanent deletion of your personal data. This can be exercised via Profile settings or by contacting our DPO.
• Right to Restriction of Processing (Art. 18): Request that we limit the processing of your data in certain circumstances (e.g., while verifying accuracy).
• Right to Data Portability (Art. 20): Receive your personal data in a machine-readable format (JSON/CSV) and transmit it to another service provider.
• Right to Object (Art. 21): Object to the processing of your personal data based on legitimate interests, including profiling.
• Right Related to Automated Decision-Making (Art. 22): Request human review of any solely automated decision that significantly affects you.
• Right to Withdraw Consent (Art. 7(3)): Withdraw your consent for data processing at any time, without affecting the lawfulness of processing carried out prior to withdrawal.
• Right to Lodge a Complaint: You have the right to lodge a complaint with your local Data Protection Authority (DPA) if you believe your rights have been violated.

To exercise any of these rights, contact us at dpo@emotria.com. We will respond to all requests within 30 days as required by law. We may request identity verification before processing your request.

15. Your Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, our purposes for collecting it, and the categories of third parties with whom we share it.
• Right to Delete: You may request deletion of your personal information, subject to certain exceptions (e.g., legal compliance, completing a transaction).
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. Therefore, there is no need to opt out. If this ever changes, we will provide a clear "Do Not Sell My Personal Information" link.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. You will not receive different service quality or pricing for exercising your rights.
• Right to Limit Use of Sensitive Personal Information: You may request that we limit our use and disclosure of sensitive personal information to what is necessary to provide the Service.

To exercise your rights, email privacy@emotria.com or use the in-app data controls. We will respond within 45 days as required by California law.

California Shine the Light: Under California Civil Code § 1798.83, California residents may request information about personal data disclosed to third parties for direct marketing. We do not disclose personal data to third parties for their direct marketing purposes.

16. Consent & Withdrawal

By creating an account and using the Service, you provide explicit consent to the collection and processing of your data as described in this Policy, including the processing of sensitive/special category data.

You may withdraw your consent at any time by:

• Deleting your account through Profile settings
• Contacting us at privacy@emotria.com
• Adjusting cookie preferences in your browser settings

Consequences of Withdrawal: Withdrawing consent for core data processing will result in the inability to use the Service, as the AI requires your conversation data to function. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

17. Data Breach Notification

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms:

• We will notify the relevant Data Protection Authority within 72 hours of becoming aware of the breach, as required by GDPR Art. 33.
• If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly via email and in-app notification without undue delay (GDPR Art. 34).
• Our notification will include: the nature of the breach, categories of data affected, likely consequences, and the measures taken or proposed to address the breach.

18. Children's Privacy

The Service is not directed to children under the age of 13 (or 16 in jurisdictions where GDPR applies with a higher age threshold). We do not knowingly collect personal information from children under the applicable minimum age.

If you are between 13 (or the applicable minimum age) and 18, you represent that you have obtained verifiable parental or guardian consent to use the Service. We reserve the right to request proof of such consent and to terminate accounts where consent cannot be verified.

If we become aware that a child under the applicable minimum age has provided us with personal information without proper parental consent, we will take immediate steps to delete such information and terminate the associated account.

19. International Data Transfers

Your information, including Personal Data, may be transferred to — and maintained on — servers located outside of your country of residence, including in the United States, where data protection laws may differ from those in your jurisdiction.

For transfers from the EEA/UK, we rely on the following safeguards:

• Adequacy Decisions: Where the European Commission has determined that a third country provides an adequate level of data protection.
• Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with all sub-processors located outside the EEA to ensure equivalent data protection.
• EU-US Data Privacy Framework: Where applicable, we rely on certifications under the EU-US Data Privacy Framework.

By using the Service, you acknowledge and consent to the transfer, processing, and storage of your data in countries outside your jurisdiction.

20. Data Anonymization & Aggregation

We may create anonymized and aggregated datasets derived from your data for research and service improvement purposes. Such datasets:

• Have all direct identifiers (name, email, IP address) permanently and irreversibly removed
• Cannot be re-identified or linked back to any individual user
• May be used for internal analytics, academic research collaborations, and public statistical reports
• Are not subject to the data deletion provisions of this Policy, as they are no longer "personal data" under applicable law

21. Changes to This Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Revised" date. For material changes (changes that affect your rights, the types of data collected, or how data is shared), we will provide at least 30 days' notice via email and/or a prominent in-app notification before the changes take effect. Your continued use of the Service after the effective date of changes constitutes acceptance of the revised Policy.

22. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• General Privacy Inquiries: privacy@emotria.com
• Data Protection Officer (DPO): dpo@emotria.com
• General Support: support@emotria.com

We aim to respond to all privacy-related inquiries within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority.