Privacy Policy

• Transparency: We clearly explain what data we collect and why
• User Control: You choose your privacy mode and have full control over your data
• Security: We employ industry-standard encryption and security measures
• Minimization: We collect only the data necessary to provide our Service
• No Data Sales: We never sell your personal information to third parties

When you use Ophie, we process the content of your conversations to provide our Service. The extent of data storage depends on your selected privacy mode:

To provide personalized mental health support, we may collect and analyze the following sensitive information:

• Core Functionality: Processing your voice and text inputs to provide AI-powered mental health companion conversations
• Personalization: Remembering your preferences, past conversations (in Memory Mode), and adapting responses to your communication style
• Contextual Awareness: Maintaining conversation context across sessions using our Retrieval-Augmented Generation (RAG) system
• Dynamic Tools: Providing personalized breathing exercises, journaling prompts, and wellness activities through our Dynamic Island feature

• Detecting potential crisis situations (e.g., expressions of self-harm or suicidal ideation) to surface appropriate professional resources
• Enforcing safety guardrails to prevent harmful or inappropriate responses
• Maintaining content safety boundaries that cannot be circumvented through conversation framing

• Analyzing aggregated, anonymized usage patterns to improve our Service
• Training and improving our AI models (only with explicit consent and using anonymized data)
• Debugging technical issues and ensuring Service reliability
• Conducting research to enhance mental health support methodologies (with appropriate ethical oversight)

• Sending essential service communications (account verification, security alerts, policy updates)
• Providing customer support and responding to inquiries
• Sending optional wellness reminders (if enabled in your settings)

For users in the European Economic Area (EEA), we process your data under the following legal bases:

• Contract Performance: Processing necessary to provide our Service to you
• Legitimate Interests: Service improvement, security, and fraud prevention
• Consent: For voice data processing, marketing communications, and optional features
• Legal Obligation: Compliance with applicable laws and regulations
• Vital Interests: Crisis detection and intervention to protect life

• Speech-to-Text Conversion: Your voice input is converted to text using third-party speech recognition services (Deepgram) to enable conversation processing
• Text-to-Speech Response: AI responses are converted to audio using text-to-speech services (Cartesia) for voice output
• Real-Time Processing: Voice data is processed in real-time via WebRTC (LiveKit) and is not stored in raw audio format after transcription
• Transcript Storage: Only the text transcription is stored (if in Memory Mode), not the original audio recordings

Before you can use voice features, you must:

1. Acknowledge that your voice will be processed by our Service and third-party providers
2. Consent to the transcription and storage of text derived from your voice input
3. Understand that voice data processing is essential for the voice-first functionality of our Service

You may withdraw consent at any time by switching to text-only mode in your settings, though this will limit your ability to use voice features.

We use the following third-party service providers who process data on our behalf:

All service providers are bound by data processing agreements that require them to protect your data and use it only for the purposes we specify.

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency). This includes:

• Complying with a legal obligation
• Protecting and defending our rights or property
• Preventing or investigating possible wrongdoing in connection with the Service
• Protecting the personal safety of users of the Service or the public
• Protecting against legal liability

If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our Service before your information is transferred and becomes subject to a different privacy policy.

We may share aggregated, anonymized data that cannot reasonably be used to identify you for research, analytics, or industry benchmarking purposes. This data contains no personally identifiable information.

We have implemented automatic data deletion mechanisms:

• Sessions older than 24 hours are automatically marked as ended
• Session data older than 30 days is automatically deleted
• Upon account deletion, all associated data is removed within 30 days

You can exercise your rights in the following ways:

• Account Settings: Update your profile, privacy mode, and preferences directly in the app
• Data Export: Request a complete export of your data through your account settings
• Account Deletion: Delete your account and all associated data through settings (requires email confirmation)
• Contact Us: Email founders@ophie.app for any privacy-related requests

To protect your privacy, we may need to verify your identity before processing your request. This may include:

• Confirming your email address
• Answering security questions
• For account deletion: typing your email address to confirm

We will respond to your request within:

• GDPR (EEA users): 30 days (may be extended by 2 months for complex requests)
• CCPA/CPRA (California users): 45 days (may be extended by an additional 45 days)
• All other users: 30 days

• Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
• Encryption at Rest: Data stored in our databases is encrypted using industry-standard encryption
• Access Controls: Strict role-based access controls limit who can access your data
• Row-Level Security: Database policies ensure users can only access their own data
• Secure Authentication: Multi-factor authentication available, secure password hashing

• Regular security audits and penetration testing
• Employee security training and background checks
• Incident response procedures
• Data access logging and monitoring
• Vendor security assessments

In the event of a data breach that poses a risk to your rights and freedoms, we will:

• Notify affected users within 72 hours of becoming aware of the breach
• Report to relevant supervisory authorities as required by law
• Provide information about the nature of the breach and steps being taken
• Offer guidance on protective measures you can take

When we transfer personal data outside the European Economic Area (EEA) or other jurisdictions with data transfer restrictions, we use the following safeguards:

• Standard Contractual Clauses (SCCs): EU-approved contractual terms with our service providers
• Adequacy Decisions: Transfers to countries deemed adequate by the European Commission
• Supplementary Measures: Additional technical and organizational safeguards where necessary

Our primary data processing occurs in the United States. Your data may also be processed in the European Union depending on the services used and your location.

We comply with the Children's Online Privacy Protection Act (COPPA) by:

• Requiring age verification during account creation (users must select an age range of 18+)
• Not knowingly collecting data from users under 18
• Promptly deleting any data we discover was provided by a minor

We use the following technologies to collect information about your use of our Service:

• Essential Cookies: Required for authentication and core functionality
• Session Storage: Temporary storage for active session data
• Local Storage: Storing user preferences and settings locally

You can control cookies through:

• Your browser settings (blocking or deleting cookies)
• Our cookie consent banner (where applicable)
• Note: Disabling essential cookies may prevent you from using our Service

Ophie uses artificial intelligence to:

• Process and respond to your voice and text inputs
• Generate personalized conversation responses
• Analyze sentiment and emotional patterns (with your consent)
• Detect potential crisis situations for safety purposes
• Generate session summaries and key moments
• Recommend therapeutic techniques based on effectiveness

We engage in profiling to personalize your experience:

• Building a therapeutic profile based on your conversations
• Learning your communication preferences over time
• Tracking which techniques work best for you
• Remembering relationships and facts you share

This profiling is designed to improve your experience and is not used for any decisions that have legal or similarly significant effects on you.

You have the right to:

• Request human review of any AI-generated content or decisions
• Opt out of automated profiling (by using Ephemeral Mode)
• Request information about the logic involved in AI processing
• Delete your therapeutic profile and learned preferences

For users in the European Union, our EU representative can be contacted at:

If we expand our services to the European Union, we will appoint an EU representative pursuant to Article 27 of the GDPR and update this section accordingly. Please contact founders@ophie.app for any inquiries.

If you are in the EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local supervisory authority.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: What personal information we collect, use, disclose, and sell
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: We do not sell personal information, so this right does not apply
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights
• Right to Correct: Request correction of inaccurate personal information
• Right to Limit Use of Sensitive Personal Information: Limit use of sensitive information to providing the Service

Categories of Personal Information Collected: Identifiers, personal information under Cal. Civ. Code 1798.80, protected characteristics (age), internet activity, geolocation data, audio information, professional information, inferences drawn from the above.

Sensitive Personal Information: We collect mental health information and voice recordings, which are considered sensitive under CPRA. This data is used only to provide our Service and is not sold or shared for cross-context behavioral advertising.

If you are in the European Economic Area, you have rights under the General Data Protection Regulation (GDPR) as described in Section 7. Additionally:

• Data Controller: Ophie is the data controller for your personal data
• Legal Basis: We process your data based on consent, contract performance, legitimate interests, or legal obligation as described in Section 3.5
• Special Category Data: Mental health information is processed based on your explicit consent

If you are in Brazil, you have rights under the Lei Geral de Protecao de Dados (LGPD) including:

• Confirmation of data processing
• Access to your data
• Correction of incomplete or inaccurate data
• Anonymization, blocking, or elimination of unnecessary data
• Data portability
• Information about sharing with third parties
• Revocation of consent

If you are in Canada, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). You have the right to:

• Access your personal information
• Challenge the accuracy of your information
• Withdraw consent (subject to legal restrictions)
• File a complaint with the Privacy Commissioner of Canada

Our Service does not currently respond to "Do Not Track" (DNT) signals. We will update this policy if we implement DNT response in the future.