How we handle your personal data.
Spiritual Intelligence processes sensitive personal disclosures. This policy explains in plain English what we collect, why, who processes it on our behalf, how long we keep it, and how to exercise your rights under UK GDPR.
- Last updated: 17 April 2026
- Effective: 17 April 2026
About this policy
This Privacy Policy explains how we, the controller named below, collect and use your personal data when you use the Spiritual Intelligence service. It is written to comply with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.
We take privacy seriously because the nature of the Service means you will tell us things about yourself you would not ordinarily tell a company: the patterns you’re carrying, where they came from, who was involved. Protecting that information is a legal obligation and a moral one.
Who we are
The data controller is Placeholder: LEGAL_ENTITY_NAME — see web/docs/launch-checklist.md. (“we”, “us”), a company registered in England and Wales. Company number: Placeholder: COMPANY_NUMBER — see web/docs/launch-checklist.md. Registered office: Placeholder: REGISTERED_ADDRESS — see web/docs/launch-checklist.md.
For any question about this policy, or to exercise your rights, contact Placeholder: CONTACT_EMAIL — see web/docs/launch-checklist.md. See also section 14 for complaint routes.
What personal data we collect
We only collect what we need to run the Service. Specifically:
Account data
- Your email address (and, if you sign in with Google, your Google display name and profile picture URL).
- An authentication identifier issued by Firebase Authentication (a UID). We use this to recognise you on return visits.
- A hashed password, if you sign up with email and password (we never see or store the password itself — only a one-way hash kept by our authentication provider).
- Optional profile fields: display name, phone number, avatar.
Diagnostic and pathway content
- Your conversation transcript during the diagnostic.
- The written responses you provide at each step of the pathway.
- The generated analysis document (your report).
- Your pathway state: which patterns you’re working on, which steps you’ve completed, and when.
This is the most sensitive data we hold. It is encrypted at rest with keys separate from the database (see “Security”). We treat it as special category data under UK GDPR (see “Special category data”).
Payment metadata
- Transaction records, amounts, currency, and status.
- The last four digits of your card and the card brand, returned to us by the payment processor.
- We never receive or store your full card number, CVC, or expiry. These are handled by the payment processor directly.
Technical data
- Server logs (IP address, user agent, request path, response status, timestamp). Retained for 90 days and used to detect abuse and diagnose problems.
- Authentication session cookies, described in “Cookies” below.
- Error reports generated when something goes wrong in the client or server, scrubbed of personal content where practicable.
How we use your data
Under UK GDPR we must rely on a lawful basis for every use of your data. Below, for each purpose, is the purpose itself, the data involved, and the lawful basis under Article 6.
| Purpose | Data involved | Lawful basis (Art 6) |
|---|---|---|
| Create and maintain your account | Account data | Performance of a contract (Art 6(1)(b)) and our legitimate interest in running a membership site (Art 6(1)(f)) |
| Run the diagnostic and deliver the analysis | Diagnostic content, account data | Performance of a contract (Art 6(1)(b)); for the special-category part, your explicit consent (Art 9(2)(a)) |
| Run the pathway and save progress | Pathway content, account data | Performance of a contract (Art 6(1)(b)); explicit consent (Art 9(2)(a)) |
| Take and refund payments | Payment metadata, account data | Performance of a contract (Art 6(1)(b)) |
| Keep billing and tax records | Payment metadata | Legal obligation (Art 6(1)(c)) |
| Detect, investigate, and prevent abuse | Technical data, account data | Legitimate interest in securing the Service (Art 6(1)(f)) |
| Respond to your support requests | Contact content, account data | Performance of a contract (Art 6(1)(b)); legitimate interest (Art 6(1)(f)) |
| Comply with legal requests | Whatever is properly within scope | Legal obligation (Art 6(1)(c)) |
We do not:
- sell your personal data;
- share your personal data with advertisers or data brokers;
- use your personal data for advertising profiling or retargeting;
- use your diagnostic or pathway content to train AI models;
- permit our AI provider to use your content to train their models (see “Who we share your data with”).
Special category data
Psychological profile information likely qualifies as special category personal data under Article 9 UK GDPR (data concerning health, or revealing sensitive aspects of a person’s life). Processing special category data requires a specific Article 9 basis in addition to the general Article 6 basis.
We rely on your explicit consent under Article 9(2)(a). Before the diagnostic begins, you are asked to tick consent boxes at checkout confirming that you have read this Privacy Policy and our Terms & Conditions and that you understand how your conversation data will be processed and stored. That consent is:
- freely given: you can decline and the checkout will not complete; we will not charge you or run the diagnostic;
- specific: it is tied to this service and the purposes set out in this policy;
- informed: you have this policy available to read before consenting;
- unambiguous: tick-boxes are not pre-ticked and the checkout cannot proceed without them.
We continue to refine the consent wording so the link between the tick-box and this Article 9 basis is more explicit on the page. If that wording changes materially, we will update this policy and the “Last updated” date at the top.
You can withdraw that consent at any time by emailing Placeholder: CONTACT_EMAIL — see web/docs/launch-checklist.md. Withdrawal stops any further processing of your special category data; it does not make lawful processing we carried out before the withdrawal retrospectively unlawful.
International transfers
Some of the processors above operate outside the UK. Where that means your personal data is transferred outside the UK, we use one of the transfer mechanisms approved under UK GDPR:
- Adequacy decision. The UK has found the EEA to provide adequate protection; transfers to Hetzner (Germany) rely on this.
- UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses. Used for transfers to Google LLC, Anthropic PBC, and Stripe, Inc. (when live) in the USA, and for any other non-adequate destination.
We keep copies of the signed agreements on file and can make them available on request where that’s appropriate.
How long we keep your data
We keep different categories of data for different periods, depending on why we hold them.
| Data | Retention period |
|---|---|
| Active account data | For as long as your account is active. |
| Diagnostic transcripts, pathway responses, and analysis documents (encrypted) | For as long as your account is active, then for 12 months after you delete your account or your subscription ends, then permanently deleted. This grace period lets you reactivate without starting over. |
| Payment records, invoices, and tax records | 6 years from the end of the relevant UK tax year, as required by law. |
| Server logs and technical telemetry | 90 days. |
| Support-request email history | Up to 3 years, then deleted. |
| Encrypted database backups | Rolling window of 35 days. When a user exercises their right to erasure, we also overwrite or delete the most recent backup that contains their data within 60 days. |
Your rights under UK GDPR
You have the following rights in relation to your personal data:
- Access (Article 15) — ask us for a copy of the personal data we hold about you.
- Rectification (Article 16) — ask us to correct data that is wrong or incomplete.
- Erasure (Article 17) — ask us to delete data we no longer need. We can’t delete records we are legally required to retain (e.g. tax records), but we can and will delete everything else.
- Restriction (Article 18) — ask us to limit what we do with your data while a question about it is resolved.
- Data portability (Article 20) — ask for a machine-readable export of the data you’ve given us. For diagnostic and pathway content this is a JSON export delivered over a secure link.
- Objection (Article 21) — object to processing based on our legitimate interests.
- Rights in relation to automated decision-making (Article 22) — we do not use your personal data to make decisions that produce legal or similarly significant effects solely by automated means.
- Withdraw consent — where we rely on your consent (including explicit consent for special category data), you can withdraw it at any time.
To exercise any of these rights, email Placeholder: CONTACT_EMAIL — see web/docs/launch-checklist.md. with “Data protection” in the subject line. We’ll respond within one month as required by law. We may ask for information to verify your identity before acting — this is itself a data-protection safeguard.
We do not charge for responding to these requests except where allowed by law (e.g. for manifestly unfounded or excessive repeated requests).
Security
We take technical and organisational measures appropriate to the sensitivity of the data, including:
- TLS in transit for every request between your browser, our servers, and any processor.
- Encryption at rest at the infrastructure layer for every volume that holds user data (database, backups, object storage). Our architecture commits us to adding a second layer of application-level encryption for diagnostic transcripts, pathway responses, and analyses before these products leave their limited beta; until that rollout lands, that extra layer is not yet in production and this policy will be updated to confirm when it is.
- Role-scoped access to production systems; production access is restricted to named individuals and reviewed regularly.
- Principle of least privilege and short-lived credentials for all service-to-service communication.
- Isolated production and development environments. No real user data is used in development.
- Automatic security patching on the operating-system layer and dependency-vulnerability scanning on our build pipeline.
- Logging and alerting for anomalous behaviour, with retention limits on raw logs.
- Regular offline-tested database backups, encrypted and held in a geographically separate location.
No security is perfect. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office (ICO) within 72 hours and, where the risk is high, also notify you without undue delay.
Children
The Service is not intended for anyone under 18 years of age. We do not knowingly collect personal data from anyone under this age. If you believe a child has provided personal data to us, please contact Placeholder: CONTACT_EMAIL — see web/docs/launch-checklist.md. so we can investigate and delete it.
Changes to this policy
We may update this policy from time to time. When we do:
- we update the “Last updated” date at the top of this page;
- for material changes — especially changes to the lawful basis we rely on, retention periods, or the list of processors that handle special category data — we email active users at least 30 days before the change takes effect.
Contact and complaints
For any question about this policy, or to exercise any of your rights, contact Placeholder: CONTACT_EMAIL — see web/docs/launch-checklist.md. You can also write to our registered office at Placeholder: REGISTERED_ADDRESS — see web/docs/launch-checklist.md.
If you’re not satisfied with how we’ve handled a personal-data matter, you have the right to complain to the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection. You can call them on 0303 123 1113. We’d prefer you gave us a chance to put things right first, but your right to complain to the ICO is unconditional.