Last updated: ${new Date().toLocaleDateString()}
PRIVACY POLICY
Rational Mind ("we", "us", "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our mobile application ("the App", "Rational Mind", "Inner"). By using our App, you consent to the data practices described in this policy.
This Privacy Policy complies with:
- General Data Protection Regulation (GDPR) (EU Regulation 2016/679)
- Zakon o varstvu osebnih podatkov (ZVOP-1) (Slovenian Personal Data Protection Act)
- Other applicable data protection laws
1. INFORMATION WE COLLECT
1.1 Personal Information (Collected During Registration and Onboarding)
When you create an account and complete onboarding, we collect:
- Name: Your display name (encrypted at rest)
- Age Group: Age category you select (encrypted at rest)
- Email Address: Required for account authentication and account management
- Main Topics: Topics you specify that are relevant to your goals (encrypted at rest)
- Goals: Personal goals you define during onboarding (encrypted at rest)
If you authenticate using "Sign in with Apple", Apple may provide us with:
- Your Apple ID email address (or a private relay email if you choose to hide your email)
- Your name (if you choose to share it)
1.2 Usage Data and Content
When you use the App, we collect and store:
- Chat Messages: All text messages exchanged between you and the AI assistant (encrypted at rest)
- Session Data: Information about your therapy sessions, including:
  - Session start and end times
  - Session status (active, completed)
  - Session summaries generated by AI (encrypted at rest)
  - Patterns identified from your sessions (encrypted at rest)
- AI-Generated Insights: Dynamic profile information and thinking patterns generated by AI based on your conversations (encrypted at rest)
- People Data: Names and descriptions of people you mention in conversations (stored in our database for context)
- Session Metadata: Session numbers, timestamps, and associated metadata
1.3 Voice and Audio Data
When you use voice input features:
- Voice Recordings: Audio files are temporarily processed through OpenAI Whisper API for speech-to-text transcription
- Storage: Audio files are NOT permanently stored. They are:
  - Sent to OpenAI Whisper API for transcription
  - Transcribed text is saved (encrypted at rest)
  - Original audio files are immediately deleted after successful transcription
- Text-to-Speech: If you use text-to-speech features, audio is generated on-demand and not stored
1.4 Technical Data
We automatically collect:
- Device Information: Device type, operating system version, device identifiers
- App Performance Data: Crash reports, error logs, performance metrics
- Network Information: IP address (for security and fraud prevention)
- Push Notification Tokens: Expo push notification tokens for delivering notifications to your device
- Usage Patterns: How you interact with the App (screens visited, features used)
1.5 Authentication Data
- Account Credentials: Email and password (hashed and secured by Supabase Auth)
- Session Tokens: Authentication tokens for maintaining your login session
- User ID: Unique identifier assigned to your account
2. HOW WE USE YOUR INFORMATION
2.1 Primary Purposes
We use your information to:
- Provide AI Conversations: Enable personalized conversations with our AI assistant using OpenAI GPT-4o-mini model
- Personalization: Generate and maintain your dynamic profile to provide personalized support over time
- Session Management: Create, manage, and store your therapy sessions
- Context Retrieval: Use RAG (Retrieval-Augmented Generation) to retrieve relevant context from your previous sessions, patterns, and mentioned people to improve AI responses
- Pattern Recognition: Analyze your conversations to identify patterns and generate insights about your thinking processes
- Security: Authenticate your identity, prevent fraud, and secure your account
- Notifications: Send you push notifications (with your consent) for reminders and updates
2.2 AI Processing
Your data is processed by AI systems to:
- Generate conversational responses using OpenAI GPT-4o-mini
- Create session summaries and identify patterns
- Update your dynamic profile and main thinking patterns
- Extract and store information about people mentioned in conversations
- Generate embeddings (vector representations) for semantic search and context retrieval
2.3 Service Improvement
We use aggregated and anonymized data to:
- Improve AI model performance and accuracy
- Identify and fix bugs and errors
- Enhance user experience and app functionality
- Conduct analytics and research (on anonymized data only)
2.4 Legal Compliance
We process your data to:
- Comply with legal obligations
- Respond to legal requests and court orders
- Protect our rights and prevent fraud
- Enforce our Terms of Service
3. LEGAL BASIS FOR PROCESSING (GDPR Compliance)
Under GDPR, we process your personal data based on:
- Consent: You provide consent when you create an account and accept this Privacy Policy
- Contract Performance: Processing is necessary to provide the App services you requested
- Legitimate Interests: For security, fraud prevention, and service improvement (we balance these against your privacy rights)
- Legal Obligation: To comply with applicable laws and regulations
4. DATA STORAGE AND ENCRYPTION
4.1 Storage Location
Your data is stored in:
- Supabase Cloud Infrastructure: PostgreSQL database hosted on Supabase servers
- Geographic Location: Data is stored in Supabase's data centers (location may vary)
4.2 Encryption Measures
We implement multiple layers of encryption:
- Encryption at Rest: Sensitive personal data (name, age group, main topics, goals, messages, session summaries, patterns, dynamic profile) is encrypted using AES-GCM encryption before storage. Each user has a unique encryption key.
- Encryption in Transit: All data transmitted between your device and our servers uses TLS/SSL encryption
- Database Security: Row-Level Security (RLS) policies ensure users can only access their own data
- Authentication Security: Passwords are hashed using industry-standard algorithms (managed by Supabase Auth)
4.3 Access Controls
- Only authorized personnel with legitimate business needs can access user data
- All access is logged and monitored
- Service role keys are secured and never exposed to client applications
5. THIRD-PARTY SERVICES AND DATA SHARING
5.1 Third-Party Service Providers
We share your data with the following third-party services:
- OpenAI (OpenAI, L.L.C.)
  - Purpose: AI conversation generation, speech-to-text transcription, text-to-speech generation
  - Data Shared: Your messages, profile information, session context (sent to OpenAI API for processing)
  - Privacy Policy: https://openai.com/privacy/
  - Data Processing: OpenAI processes your data according to their privacy policy. They do not use your data to train their models by default (as of our last update), but you should review OpenAI's current policy.
- Supabase (Supabase Inc.)
  - Purpose: Database hosting, authentication, cloud infrastructure, edge function execution
  - Data Shared: All your data stored in our database, authentication credentials
  - Privacy Policy: https://supabase.com/privacy
  - Data Processing: Supabase acts as our data processor and processes data according to our instructions and their privacy policy.
- Sentry (Functional Software, Inc.)
  - Purpose: Error monitoring, crash reporting, performance monitoring
  - Data Shared: Device information, crash reports, error logs, IP addresses (for debugging)
  - Privacy Policy: https://sentry.io/privacy/
  - Note: We configure Sentry to minimize data collection and avoid sending sensitive content.
- Expo (Expo, Inc.)
  - Purpose: Push notification delivery
  - Data Shared: Push notification tokens
  - Privacy Policy: https://expo.dev/privacy
5.2 Data Sharing Limitations
- We do NOT sell your personal data to third parties
- We do NOT share your data for marketing purposes with third parties
- We only share data necessary for service provision and legal compliance
- All third-party processors are contractually bound to protect your data
6. YOUR RIGHTS UNDER GDPR AND ZVOP-1
You have the following rights regarding your personal data and data related to your account:
6.1 Right to Access
You can request a copy of all personal data we hold about you. Contact us at [email protected] to exercise this right.
6.2 Right to Rectification
You can correct inaccurate or incomplete personal data through the App settings or by contacting us.
6.3 Right to Erasure ("Right to be Forgotten")
You can request deletion of your account and all associated data at any time through the App settings or by contacting us. We will delete your data within 30 days, except where we are required to retain it for legal reasons.
6.4 Right to Data Portability
You can request your data in a structured, commonly used, machine-readable format. Contact us to request a data export.
6.5 Right to Restrict Processing
You can request that we limit how we process your data in certain circumstances.
6.6 Right to Object
You can object to processing based on legitimate interests. We will stop processing unless we have compelling legitimate grounds.
6.7 Right to Withdraw Consent
You can withdraw consent for data processing at any time by deleting your account or contacting us.
6.8 Right to Lodge a Complaint
You have the right to file a complaint with your local data protection authority:
- EU Users: Contact your national data protection authority
- Slovenian Users: Informacijski pooblaščenec (Information Commissioner), https://www.ip-rs.si/
7. DATA RETENTION
7.1 Retention Periods
- Account Data: Retained while your account is active. Deleted within 30 days of account deletion.
- Chat Messages: Retained until you delete them individually or delete your account.
- Session Data: Retained until you delete sessions or your account.
- AI-Generated Insights: Retained until you delete your account.
- Voice Recordings: NOT retained. Audio files are deleted immediately after transcription.
- Push Notification Tokens: Retained while your account is active.
- Crash Reports and Logs: Retained for 12 months, then anonymized or deleted.
- Encrypted Data: Encryption keys are retained while your account is active. After account deletion, keys are deleted, making encrypted data permanently inaccessible.
7.2 Deletion Process
When you delete your account:
- All personal data is permanently deleted within 30 days
- Encrypted data becomes permanently inaccessible (keys are deleted)
- Backup copies are deleted within 90 days
- Some anonymized, aggregated data may be retained for analytics (contains no personally identifiable information)
8. CHILDREN'S PRIVACY
Our App is designed for users aged 16 and older. We do not knowingly collect personal data from children under 16. If we discover we have collected data from a child under 16, we will delete it immediately. Parents or guardians who believe we have collected data from a child should contact us at [email protected].
9. INTERNATIONAL DATA TRANSFERS
Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including:
- United States (OpenAI, Supabase, Sentry, Expo servers)
- Other countries where our service providers operate
We ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Third-party processors committed to GDPR compliance
10. COOKIES AND TRACKING
Our App does not use cookies or third-party tracking technologies for advertising purposes. We only use:
- Essential authentication tokens for app functionality
- Error tracking through Sentry (minimal data collection)
11. DATA BREACH NOTIFICATION
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify relevant supervisory authorities within 72 hours (as required by GDPR)
- Inform affected users without undue delay
- Provide details about the breach and recommended actions
12. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect:
- Changes in our data practices
- Legal or regulatory requirements
- Service improvements
We will notify you of material changes by:
- Displaying a notice in the App
- Sending an email to your registered address
- Updating the "Last updated" date at the top of this policy
Continued use of the App after changes constitutes acceptance of the updated policy.
13. YOUR RESPONSIBILITIES
To help protect your privacy:
- Use a strong, unique password
- Do not share your account credentials
- Log out when using shared devices
- Contact us immediately if you suspect unauthorized access
- Keep your App updated to the latest version
14. CONTACT US
For questions, concerns, or to exercise your rights regarding this Privacy Policy or your personal data:
Email: [email protected]
Support: [email protected]
We will respond to your requests within 30 days (or as required by applicable law).
15. DATA PROTECTION OFFICER
If you are located in the EU and wish to contact our Data Protection Officer, please email: [email protected]
This Privacy Policy is effective as of the date shown above and applies to all users of the Rational Mind application.