Privacy Policy

We collect the following categories of information:

• Account information: name, email address, password (hashed), and authentication identifiers (e.g., Google OAuth ID).
• Profile and usage content: objectives, journal entries, lessons, advisor conversations, challenges, settings, and any other content you submit.
• Device & technical data: IP address, browser type, operating system, device identifiers, language, time zone, and access timestamps.
• Cookies and similar technologies: session cookies, authentication tokens, and limited analytics identifiers.
• Communications: messages you send to support, feedback, and survey responses.
• Payment data (if applicable): processed exclusively by PCI-DSS compliant third-party processors. We do not store full card numbers.

• Provide, operate, maintain, and improve the Service.
• Authenticate users and secure accounts.
• Personalize content, recommendations, and AI-generated guidance.
• Communicate with you about updates, security alerts, and support.
• Detect, prevent, and respond to fraud, abuse, and security incidents.
• Comply with legal obligations and enforce our Terms.
• Conduct aggregated, de-identified analytics to improve the product.

If you are in the European Economic Area, United Kingdom, or Switzerland, we rely on the following legal bases:

• Contract: to deliver the Service you requested.
• Legitimate interests: to secure, improve, and market our Service in a proportionate way.
• Consent: for optional features (e.g., marketing emails, certain cookies). You may withdraw consent at any time.
• Legal obligation: to comply with applicable laws.

The Service uses third-party AI models (including but not limited to OpenAI and Google Gemini, accessed via secure gateways) to generate insights, advice, and content based on your inputs. Your prompts and relevant context may be transmitted to these providers solely to generate responses. We do not permit these providers to train their models on your content where the provider offers such an opt-out, and we apply it by default. AI outputs may be inaccurate; do not rely on them as professional, medical, legal, or financial advice. You have the right to request human review of any decision that produces legal or similarly significant effects.

We do not sell your personal information. We share data only as follows:

• Service providers: hosting (Cloudflare), database & authentication (Supabase / Lovable Cloud), AI gateways, email delivery, and analytics — all bound by contractual confidentiality and data protection obligations.
• Legal compliance: when required by law, subpoena, court order, or to protect rights, safety, or property.
• Business transfers: in connection with a merger, acquisition, financing, or sale of assets, subject to equivalent privacy protections.
• With your consent: for any other purpose disclosed at the time of collection.

Your information may be processed in the United States, the European Union, and other jurisdictions where our service providers operate. Where required, we rely on Standard Contractual Clauses approved by the European Commission, the UK International Data Transfer Addendum, or equivalent safeguards.

We retain personal information for as long as your account is active, as needed to provide the Service, and as required to comply with legal obligations, resolve disputes, and enforce agreements. You may request deletion at any time, subject to limited retention for legal, security, or fraud-prevention purposes.

Depending on your jurisdiction, you may have the right to:

• Access, correct, update, or delete your personal information.
• Object to or restrict certain processing.
• Receive a portable copy of your data.
• Withdraw consent at any time without affecting prior processing.
• Lodge a complaint with your local supervisory authority.
• California residents (CCPA/CPRA): request disclosure of categories collected, request deletion, and opt out of "sharing" for cross-context behavioral advertising. We do not sell personal information.

To exercise any right, email privacy@sophisticatedsavage.com. We respond within 30 days.

We implement administrative, technical, and physical safeguards designed to protect your information, including encryption in transit (TLS), encryption at rest, row-level security policies, principle-of-least-privilege access, and continuous monitoring. No system is perfectly secure; you use the Service at your own risk and are responsible for keeping your credentials confidential.

The Service is not directed to children under 16 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.

We use strictly necessary cookies for authentication and security. We may use limited first-party analytics to understand usage. We do not use third-party advertising cookies. You can control cookies through your browser settings; disabling essential cookies may prevent you from signing in.

We honor Global Privacy Control (GPC) signals where legally required. Our Service does not respond to other "Do Not Track" browser signals at this time.

We may update this Policy from time to time. Material changes will be communicated by email or in-app notice at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

Questions, requests, or complaints: privacy@sophisticatedsavage.com.