Privacy Policy
Your privacy matters. Here's how we protect and handle your data.
Last Updated: January 2026
Introduction
Prompt & Pause ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mental health reflection service.
We operate in compliance with the UK General Data Protection Regulation (UK GDPR), the EU GDPR, the UK Data Protection Act 2018, and applicable US privacy laws including the California Consumer Privacy Act (CCPA), Colorado Privacy Act (CPA), Virginia Consumer Data Protection Act (VCDPA), and other state regulations.
Data Controller: Prompt & Pause, registered in the United Kingdom.
Data We Collect
Account Information
- Email address (required for account creation)
- Name (optional)
- Password (never stored in plaintext; stored as a salted hash by Supabase Auth)
- Account preferences and settings
Reflection Data
- Your responses to daily prompts
- Self-journal entries (private, not shared with AI)
- Optional check-in information (if you choose to use it)
- Custom focus areas and preferences
- Reflection history
- Timestamps of interactions
- Delivery preferences (email, Slack)
Payment Information
- Payment details (processed and stored by Stripe, not by us)
- Billing address
- Transaction history
Technical Data
- IP address
- Browser type and version
- Device information
- Usage data and analytics
- Cookies and similar tracking technologies
How We Use Your Data
We use your personal data for the following purposes:
- Service Delivery: To provide daily mental health prompts and reflection tools
- AI Processing: To generate personalized prompts using multiple AI providers (OpenAI, Anthropic, Groq, etc.). Your reflection data is processed for personalization only and is NOT used to train AI models.
- Communication: To send prompts via email (Resend) or Slack
- Account Management: To manage your account, authentication, and preferences
- Payment Processing: To process subscriptions via Stripe
- Service Improvement: To analyze usage patterns and improve our service
- Legal Compliance: To comply with legal obligations and protect our rights
- Security: To detect and prevent fraud, abuse, and security incidents
Legal Basis (GDPR): We process your data based on (1) your consent, (2) contractual necessity, (3) legitimate interests, and (4) legal obligations.
Third-Party Services
We use the following third-party services to operate Prompt & Pause:
Supabase
Database hosting and authentication. Data stored in EU/UK regions.
Groq API
Primary AI processing for prompt generation. Data not used for training.
OpenAI API
Secondary AI processing. Data not used for training (zero retention policy).
Resend
Email delivery service for prompts and notifications.
Stripe
Payment processing. We do not store your payment details.
Vercel
Hosting and infrastructure. Data stored in EU/US regions.
Slack
Optional integration for prompt delivery to your workspace.
All third-party services are carefully selected and comply with GDPR requirements. We have Data Processing Agreements (DPAs) in place where required.
Data Security
We implement industry-standard security measures to protect your data:
- Encryption: All data is encrypted in transit (TLS) and at rest
- Authentication: Secure authentication via Supabase with password hashing
- Access Controls: Strict access controls and role-based permissions
- Regular Audits: Security audits and vulnerability assessments
- Monitoring: 24/7 monitoring for suspicious activity
- Backups: Regular encrypted backups with disaster recovery plans
Important: While we implement robust security measures, no system is 100% secure. We cannot guarantee absolute security of your data.
Your Rights (GDPR)
Under GDPR, you have the following rights:
Right to Access
Request a copy of all personal data we hold about you.
Right to Rectification
Request correction of inaccurate or incomplete data.
Right to Erasure ("Right to be Forgotten")
Request deletion of your personal data (subject to legal obligations).
Right to Restrict Processing
Request limitation of how we process your data.
Right to Data Portability
Receive your data in a machine-readable format.
Right to Object
Object to processing based on legitimate interests or direct marketing.
Right to Withdraw Consent
Withdraw consent at any time (where processing is based on consent).
To exercise any of these rights, contact us at privacy@promptandpause.com. We will respond within 30 days.
Right to Complain: You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) or your local data protection authority.
Data Retention
- Account Data: Retained while your account is active, plus 30 days after deletion
- Reflection Data: Retained while your account is active and deleted from live systems upon account deletion; copies may persist in encrypted backups for the backup retention period stated below
- Payment Data: Retained for 7 years for tax and legal compliance
- Analytics Data: Anonymized and retained for up to 2 years
- Backup Data: Retained for 90 days in encrypted backups
International Transfers
Your data may be transferred to and processed in countries outside the UK/EU, including the United States (Vercel, OpenAI, Groq).
We ensure adequate protection through:
- Standard Contractual Clauses (SCCs) adopted by the European Commission
- Data Processing Agreements with all third-party processors
- Adequacy decisions where applicable
Children's Privacy
Prompt & Pause is not intended for children under 16 (UK/EU) or 13 (US). We do not knowingly collect data from children. If you believe we have collected data from a child, contact us immediately at privacy@promptandpause.com.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or prominent notice on our website. Continued use after changes constitutes acceptance.
Contact Us
For privacy-related questions or to exercise your rights:
Email: privacy@promptandpause.com
Data Protection Officer: dpo@promptandpause.com
General Inquiries: support@promptandpause.com