1. Who we are
Raquel DeOliveira is the operator of UNSAID ("we", "us", "our") and acts as the data controller for personal data processed through the Service. This Notice explains what data we collect, why, who we share it with, and the rights you have.
2. Data we collect
- Account data — email address, hashed password (or Google account identifier if you sign in with Google), account creation date.
- Profile & preferences — language, honesty level, avatar style, and similar settings.
- User content — the situations you write, optional follow-up details, the "their perspective" responses you collect, and any voice notes you record. This content can be sensitive; treat it accordingly.
- AI-generated content — the reflections, decodes, and summaries the Service produces from your inputs.
- Usage & technical data — log records, IP address, device and browser identifiers, timestamps, and basic interaction events needed to operate and secure the Service.
- Support communications — messages you send us when requesting help.
- Billing data — handled by Paddle (see Section 5). We receive a Paddle customer ID, subscription status, plan, renewal dates, and country of purchase. We do not store your card details.
3. Why we use it (purposes & legal bases)
- Provide the Service — create your account, generate AI reflections, store your insights, run voice transcription. Legal basis: contract performance.
- Authentication & security — verify it's you, prevent fraud and abuse, detect attacks. Legal basis: legitimate interests & legal obligation.
- Customer support — answer your questions and resolve issues. Legal basis: contract performance & legitimate interests.
- Service improvement — aggregate, de-identified usage analytics to fix bugs and improve features. Legal basis: legitimate interests.
- Transactional emails — receipts, important account notifications, security alerts. Legal basis: contract performance & legal obligation.
- Legal compliance — tax, accounting, responding to lawful requests. Legal basis: legal obligation.
4. AI processing of your content
To generate reflections, your inputs (text and voice transcripts) are sent to AI model providers acting as our processors. These providers process your content only to return a response and do not use it to train their public models without your separate consent. We do not sell your content. AI outputs may be inaccurate — do not treat them as professional advice.
5. Who we share data with
- Paddle (Merchant of Record) — Paddle.com Market Limited and its affiliates process all payments, taxes, invoices, refunds, and subscription billing on our behalf. Paddle is also a data recipient and acts as the seller of record. See Paddle's Privacy Policy.
- Hosting & infrastructure — Lovable Cloud / Supabase (database, authentication, file storage, edge functions). Cloudflare for serverless runtime and content delivery.
- AI providers — Google (Gemini) and OpenAI (GPT) act as processors for generating reflections and translations.
- Email delivery — providers used to send transactional and account email.
- Professional advisers — accountants and lawyers, where strictly necessary.
- Authorities — when required by law, court order, or to protect rights, safety, and security.
We do not sell your personal data and we do not share it for cross-context behavioral advertising.
6. International transfers
Some processors may be located outside your country (including the United States and the EEA). When transfers leave the UK/EEA, we rely on appropriate safeguards such as the EU Standard Contractual Clauses or adequacy decisions where applicable.
7. How long we keep data
- Account & user content — for as long as your account is active.
- After deletion — your account and associated insights, voice notes, and preferences are deleted (or irreversibly anonymized) within a reasonable period after you delete your account, except where we must keep records to comply with legal obligations (e.g. tax records of purchases).
- Billing records — retained for the period required by applicable tax and accounting law (typically up to 7–10 years).
- Logs & security data — retained for a short period (typically up to 90 days) before rotation or deletion.
8. Your rights
Depending on where you live, you have the right to:
- access the personal data we hold about you;
- correct inaccurate data;
- delete your data ("right to erasure");
- restrict or object to certain processing;
- port your data to another service;
- withdraw consent (where processing is based on consent);
- lodge a complaint with your local data protection authority.
For UK/EEA residents: we respond to verified requests within one (1) month. To exercise any right, contact us via the support contact in the Service. For payment data held by Paddle, you can also contact Paddle directly at paddle.net.
9. Security
We use appropriate technical and organisational measures to protect your data, including encryption in transit (HTTPS/TLS), encryption at rest for our database and file storage, role-based access controls, and security monitoring. No system is perfectly secure — please keep your password safe and notify us if you suspect unauthorized access to your account.
10. Cookies & local storage
We use a small number of strictly necessary cookies and browser storage entries to keep you signed in, remember your preferences (language, calm mode, avatar style), and operate the checkout. We do not use third-party advertising or cross-site tracking cookies. Paddle's checkout overlay may set its own cookies necessary to process the payment.
11. Children
UNSAID is not directed at children under the age of digital consent in your country. If you believe a child has provided personal data without authorization, contact us so we can delete it.
12. Changes to this Notice
We may update this Notice from time to time. Material changes will be communicated via the Service or email. The "Last updated" date at the top reflects the latest revision.
13. Contact
For privacy questions or to exercise your rights, contact Raquel DeOliveira via the support contact provided in the Service.