Privacy Policy

Last updated: January 10, 2026

1. Introduction

Bramera, MB ("we," "our," or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use Your Soul Echo website and services (collectively, the "Services").

This Privacy Policy complies with the General Data Protection Regulation (GDPR) (EU) 2016/679 and other applicable data protection laws. We are the data controller responsible for your personal data.

Data Controller:

Bramera, MB

Company Registration Number: 306223358

VAT Number: LT100015613711

Address: Vilniaus g. 119-1, LT-76354, Šiauliai, Lithuania

Email: [email protected]

2. Information We Collect

2.1 Personal Information You Provide

We collect the following personal information when you register and use our Services:

  • Account Information: Name, email address, password (encrypted)
  • Profile Information: Age, gender, preferences, and other optional profile details
  • Communication Data: Your conversations with our AI agents, journal entries, and reflections
  • Payment Information: Billing address, payment method details (processed securely by Stripe)
  • Support Communications: Any information you provide when contacting our support team

2.2 Information Automatically Collected

We automatically collect certain information when you use our Services:

  • Usage Data: Pages visited, features used, time spent, interaction patterns
  • Device Information: IP address, browser type, operating system, device identifiers
  • Analytics Data: User behavior, feature usage, and performance metrics via Mixpanel
  • Cookies and Tracking Technologies: See our Cookie Policy for details

2.3 Sensitive Personal Data

Important: Our Services may involve processing sensitive personal data, including:

  • Emotional and mental health information
  • Personal reflections and thoughts
  • Information about your wellbeing and personal circumstances

By using our Services, you explicitly consent to the processing of such sensitive data for the purposes described in this Privacy Policy. You can withdraw your consent at any time.

3. Legal Basis for Processing (GDPR)

Under GDPR, we process your personal data based on the following legal grounds:

  • Consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR): For processing sensitive personal data such as emotional health information, we rely on your explicit consent.
  • Contract Performance (Art. 6(1)(b) GDPR): To provide our Services, manage your account, and process payments as required by our contract with you.
  • Legitimate Interests (Art. 6(1)(f) GDPR): To improve our Services, prevent fraud, and ensure security, where our interests do not override your fundamental rights.
  • Legal Obligations (Art. 6(1)(c) GDPR): To comply with legal requirements such as tax laws, accounting requirements, and regulatory obligations.

4. How We Use Your Information

We use your personal data for the following purposes:

  • Provide Services: To deliver AI-guided conversations, personalized recommendations, and access to your journal and diary entries.
  • Account Management: To create and manage your account, authenticate access, and handle subscription management.
  • Payment Processing: To process payments, manage subscriptions, and handle billing through our payment processor Stripe.
  • Service Improvement: To analyze usage patterns, improve our AI models, enhance user experience, and develop new features.
  • Communication: To send service notifications, respond to inquiries, provide customer support, and send marketing communications (with your consent).
  • Security and Fraud Prevention: To protect against unauthorized access, detect and prevent fraud, and ensure the security of our Services.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests.
  • Analytics: To understand how users interact with our Services using tools like Mixpanel to improve user experience.

5. Data Sharing and Disclosure

We may share your personal data in the following circumstances:

5.1 Service Providers

We share data with trusted third-party service providers who assist us in operating our Services:

  • Supabase: Database hosting and authentication services (data stored in EU)
  • OpenAI: AI language models for conversational agents
  • Stripe: Payment processing and subscription management
  • Mixpanel: Analytics and user behavior tracking
  • Vercel/Cloud Hosting: Application hosting and content delivery

All service providers are contractually bound to protect your data and use it only for the purposes we specify. Where providers are located outside the EU, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs).

5.2 Legal Requirements

We may disclose your information if required to do so by law or in response to:

  • Valid legal processes (court orders, subpoenas, warrants)
  • Governmental or regulatory authorities
  • Law enforcement agencies
  • Protection of our rights, property, or safety, or that of others

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the successor entity, subject to the same privacy protections.

6. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where some of our service providers (such as OpenAI) are located.

When we transfer your data outside the EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission
  • Your explicit consent where appropriate
  • Other lawful transfer mechanisms under GDPR

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal obligations:

  • Account Data: Retained while your account is active and for 30 days after deletion
  • Conversation and Journal Data: Retained while your account is active; deleted upon account deletion
  • Payment Records: Retained for 7 years to comply with tax and accounting regulations
  • Analytics Data: Aggregated and anonymized data may be retained indefinitely
  • Legal and Compliance Data: Retained as required by applicable laws

After the retention period expires, we will securely delete or anonymize your personal data.

8. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation about whether we process your personal data and to access that data.

Right to Rectification (Art. 16 GDPR)

You have the right to request correction of inaccurate or incomplete personal data.

Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

You have the right to request deletion of your personal data in certain circumstances, subject to legal retention requirements.

Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request restriction of the processing of your personal data in certain situations.

Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.

Right to Object (Art. 21 GDPR)

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing before withdrawal.

Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your residence, workplace, or the place of the alleged infringement.

To exercise any of these rights, please contact us at [email protected] or through your account settings. We will respond to your request within one month as required by GDPR.

9. Supervisory Authority

If you have concerns about our data processing practices, you have the right to lodge a complaint with the Lithuanian Data Protection Inspectorate or your local data protection authority:

State Data Protection Inspectorate (Lithuania)

Address: A. Juozapavičiaus str. 6, 09310 Vilnius, Lithuania

Phone: +370 5 271 2804

Email: [email protected]

Website: https://vdai.lrv.lt

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Secure authentication with password hashing
  • Regular security audits and vulnerability assessments
  • Access controls and authentication for our systems
  • Employee training on data protection and privacy
  • Incident response procedures and breach notification processes

While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your data to the best of our ability.

11. Children's Privacy

Our Services are not intended for children under the age of 16 (or the applicable age of digital consent in your country). We do not knowingly collect personal data from children under 16 without parental consent.

If you believe we have inadvertently collected information from a child under 16, please contact us immediately at [email protected], and we will take steps to delete such information.

12. Automated Decision-Making and Profiling

Our Services use AI to provide personalized recommendations and guidance. This involves automated processing and profiling based on your interactions, preferences, and usage patterns.

We do not make automated decisions that produce legal effects or similarly significantly affect you without human intervention. Our AI recommendations are designed to support your personal growth and self-reflection, not to make consequential decisions about you.

You have the right under Art. 22 GDPR not to be subject to a decision based solely on automated processing. If you have concerns about our use of automated processing, please contact us.

13. Marketing Communications

With your consent, we may send you marketing communications about our Services, new features, and special offers. You can opt out of marketing communications at any time by:

  • Clicking the "unsubscribe" link in any marketing email
  • Updating your communication preferences in your account settings
  • Contacting us at [email protected]

Please note that opting out of marketing communications will not affect service-related communications, such as account notifications, payment confirmations, or security alerts.

14. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to provide, secure, and improve our Services. For detailed information about our use of cookies, including the types of cookies we use and how to manage your cookie preferences, please see our Cookie Policy.

15. Third-Party Links

Our Services may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party websites you visit.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

  • Posting the updated Privacy Policy on this page with a new "Last updated" date
  • Sending an email notification to your registered email address
  • Displaying a prominent notice on our Services

Your continued use of our Services after any changes constitutes acceptance of the updated Privacy Policy. If we make material changes that affect sensitive personal data, we may seek your renewed consent.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Data Protection Officer

Bramera, MB

Vilniaus g. 119-1

LT-76354, Šiauliai

Lithuania

Email: [email protected]

General Support: [email protected]

We will respond to all legitimate requests within one month as required by GDPR. In complex cases, we may extend this period by an additional two months and will notify you of any such extension.

This Privacy Policy is compliant with GDPR (EU) 2016/679 and other applicable data protection laws.