Privacy Policy

Your privacy matters. Here's how we protect and handle your data.

Last Updated: July 2026

Introduction

Prompt & Pause ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mental health reflection service.

We operate in compliance with the UK General Data Protection Regulation (UK GDPR), the EU GDPR, the UK Data Protection Act 2018, and applicable US privacy laws including the California Consumer Privacy Act (CCPA), Colorado Privacy Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), and other state regulations.

Data Controller: Prompt & Pause, registered in the United Kingdom.

Data We Collect

Account Information

  • Email address (required for account creation)
  • Name (optional)
  • Password (encrypted and stored securely via Supabase Auth)
  • Account preferences and settings

Reflection Data

  • Your responses to daily prompts
  • Self-journal entries (private, not shared with AI)
  • Optional check-in information (if you choose to use it)
  • Custom focus areas and preferences
  • Reflection history
  • Timestamps of interactions
  • Delivery preferences (email, Slack)

Social & Community Data

  • Profile information you choose to add (display name, username, bio, avatar, cover photo, theme preferences)
  • Reflections you mark as "Public" or "Friends Only," and who can see them based on that setting
  • Likes, comments, and whiteboard messages you post or receive
  • Follow and friend connections between accounts
  • Users you block, and users who block you
  • Reports you submit about other users' content, and reports submitted about your content

Payment Information

  • Payment details (processed and stored by Stripe, not by us)
  • Billing address
  • Transaction history

Technical Data

  • IP address
  • Browser type and version
  • Device information
  • Usage data and analytics
  • Cookies and similar tracking technologies

How We Use Your Data

We use your personal data for the following purposes:

  • Service Delivery: To provide daily mental health prompts and reflection tools
  • AI Processing: To generate personalized prompts using multiple AI providers (OpenAI, Anthropic, Groq, etc.). Your reflection data is processed for personalization only and is NOT used to train AI models.
  • Communication: To send prompts via email (Resend) or Slack
  • Account Management: To manage your account, authentication, and preferences
  • Payment Processing: To process subscriptions via Stripe
  • Service Improvement: To analyze usage patterns and improve our service
  • Legal Compliance: To comply with legal obligations and protect our rights
  • Security: To detect and prevent fraud, abuse, and security incidents

Legal Basis (GDPR): We process your data based on (1) your consent, (2) contractual necessity, (3) legitimate interests, and (4) legal obligations.

Social Features & Public Content

Prompt & Pause includes optional social features: a public community feed, following other users, friends-only sharing, comments, likes, and a profile whiteboard. These features are entirely opt-in -- by default, your reflections are private and visible only to you.

You control visibility per-reflection. Each reflection you write can be set to Private (only you), Friends Only (accepted friend connections), or Public (visible to any signed-in user, including in the community "For You" feed). Changing a reflection's visibility takes effect immediately, but we cannot guarantee removal from another user's device cache or from anyone who already viewed or screenshotted it before you changed the setting.

Your profile. If you set your profile to public, your display name, username, avatar, bio, and any reflections you've marked Public or Friends Only (to the relevant audience) are visible to other users of the service. Your profile is not indexed for public web search by us, but we cannot control third-party search engines or archival services.

Comments and likes. When you comment on or like another user's public or friends-only reflection, your name, profile, and the content of your comment are visible to that user and, depending on the reflection's visibility, to other users who can see that reflection. Reflection owners can remove comments from their own reflections; you can always delete your own comments.

Blocking. If you block another user, neither of you will see the other's public content, comments, or likes, and any existing follow or friend connection between you is automatically removed. Blocking does not delete content that already existed before the block, and does not notify the blocked user.

Content Moderation & Reporting

Users can report reflections, comments, or other users for reasons including spam, harassment, hate speech, inappropriate content, or content indicating risk of self-harm. When you submit a report, we collect the reported content, your account identifier as the reporter, the reason selected, and any additional details you provide.

Reports are reviewed by our moderation team. We may remove reported content, restrict an account, or take no action if a report does not violate our guidelines. We do not disclose the identity of the reporter to the reported user.

Self-harm and safety reports: If a report indicates a user may be at risk of self-harm, we prioritize that report for review. Prompt & Pause is not a crisis service; if you or someone else is in immediate danger, contact local emergency services. Our in-app Crisis Resources page lists further support options.

Third-Party Services

We use the following third-party services to operate Prompt & Pause:

Supabase

Database hosting and authentication. Data stored in EU/UK regions.

Groq API

Primary AI processing for prompt generation. Data not used for training.

OpenAI API

Secondary AI processing. Data not used for training (zero retention policy).

Resend

Email delivery service for prompts and notifications.

Stripe

Payment processing. We do not store your payment details.

Vercel

Hosting and infrastructure. Data stored in EU/US regions.

Slack

Optional integration for prompt delivery to your workspace.

All third-party services are carefully selected and comply with GDPR requirements. We have Data Processing Agreements (DPAs) in place where required.

Data Security

We implement industry-standard security measures to protect your data:

  • Encryption: All data is encrypted in transit (TLS/SSL) and at rest
  • Authentication: Secure authentication via Supabase with password hashing
  • Access Controls: Strict access controls and role-based permissions
  • Regular Audits: Security audits and vulnerability assessments
  • Monitoring: 24/7 monitoring for suspicious activity
  • Backups: Regular encrypted backups with disaster recovery plans

Important: While we implement robust security measures, no system is 100% secure. We cannot guarantee absolute security of your data.

Your Rights (GDPR)

Under GDPR, you have the following rights:

Right to Access

Request a copy of all personal data we hold about you.

Right to Rectification

Request correction of inaccurate or incomplete data.

Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data (subject to legal obligations).

Right to Restrict Processing

Request limitation of how we process your data.

Right to Data Portability

Receive your data in a machine-readable format.

Right to Object

Object to processing based on legitimate interests or direct marketing.

Right to Withdraw Consent

Withdraw consent at any time (where processing is based on consent).

To exercise any of these rights, contact us at privacy@promptandpause.com. We will respond within 30 days.

Right to Complain: You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) or your local data protection authority.

Cookies & Tracking

We use cookies and similar tracking technologies to improve your experience. See our Cookie Policy for detailed information.

You can control cookies through your browser settings. Note that disabling cookies may affect functionality.

Data Retention

  • Account Data: Retained while your account is active, plus 30 days after deletion
  • Reflection Data: Retained while your account is active, deleted upon account deletion
  • Payment Data: Retained for 7 years for tax and legal compliance
  • Analytics Data: Anonymized and retained for up to 2 years
  • Backup Data: Retained for 90 days in encrypted backups
  • Public/Friends-Only Reflections, Comments, Likes, Whiteboard Entries: Retained while the content or your account exists, or until you delete the specific item or change its visibility. Deleting your account removes this content going forward, subject to our backup retention above.
  • Content Reports: Retained for as long as necessary for moderation, safety, and legal purposes, typically up to 2 years after resolution.

International Transfers

Your data may be transferred to and processed in countries outside the UK/EU, including the United States (Vercel, OpenAI, Groq).

We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the EU Commission
  • Data Processing Agreements with all third-party processors
  • Adequacy decisions where applicable

Children's Privacy

Prompt & Pause is not intended for children under 16 (UK/EU) or 13 (US). We do not knowingly collect data from children. If you believe we have collected data from a child, contact us immediately at privacy@promptandpause.com.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or prominent notice on our website. Continued use after changes constitutes acceptance.

Last updated: January 2026

Contact Us

For privacy-related questions or to exercise your rights:

Email: privacy@promptandpause.com

Data Protection Officer: dpo@promptandpause.com

General Inquiries: support@promptandpause.com

Questions About Your Privacy?

We're here to help. Reach out anytime.

Contact Us