Privacy Policy

Last updated: 6 May 2026

This policy explains what we collect, why, and what rights you have. Controller: [COMPANY NAME], [COMPANY ADDRESS]. Contact: [PRIVACY_EMAIL]. EU representative (Art. 27 GDPR): [EU_REP_NAME, ADDRESS]. Data Protection Officer (if applicable): [DPO_EMAIL].

1. What we collect

• Account: email, display name, hashed password (via auth provider).
• Situational inputs: location text, mood, energy, time, budget, interests.
• Behavioral signals: which scenarios you pick, expand, or dismiss.
• Derived signals: overstimulation and hyperfocus scores (see §6 below).
• Technical: IP, user-agent, error logs, anonymized analytics.

2. Why (lawful bases under GDPR)

• Contract (Art. 6(1)(b)): generating scenarios you request.
• Legitimate interest (Art. 6(1)(f)): service security, abuse prevention, product improvement.
• Consent (Art. 6(1)(a)): non-essential cookies, neurodivergence-related signals (see §6).
• Legal obligation (Art. 6(1)(c)): tax, accounting, lawful requests.

3. Sub-processors

• Lovable Cloud / Supabase — hosting, database, authentication (EU/US).
• Google Maps Platform — geocoding, places, distances. Google privacy.
• Foursquare Places — supplemental venue metadata. Foursquare privacy.
• Lovable AI Gateway — large language model inference for narratives.
• Open-Meteo — weather (no personal data shared).

International transfers rely on EU Standard Contractual Clauses where applicable.

4. Retention

• Account data: until you delete your account.
• Scenario history: 24 months unless you delete sooner.
• Cached place data: ≤30 days (Google Maps Platform terms).
• Logs: 90 days.

5. Your rights

Under GDPR/UK GDPR you have rights of access, rectification, erasure, restriction, portability, and objection. Under CCPA/CPRA you have rights to know, delete, correct, opt out of sale/sharing (we do not sell), and limit use of sensitive personal information. Exercise any right from Profile → Your data or by emailing [PRIVACY_EMAIL]. You may also lodge a complaint with your local supervisory authority.

6. Sensitive / health-adjacent data

Ask SLIP records "overstimulation" and "hyperfocus" signals derived from how you interact with suggestions. These are not medical data and Ask SLIP is not a medical device. However, because they relate to neurodivergence, we treat them as sensitive and ask for explicit consent on signup. You can disable adaptive ND tracking and delete the scores at any time from Profile. We do not share these signals with third parties.

7. Children

Ask SLIP is not directed at children under 13 (US) or 16 (EU/UK). We do not knowingly collect data from them.

8. Security

Data is encrypted in transit (TLS) and at rest. Row-level security restricts each user to their own records. No system is perfectly secure — we'll notify affected users and regulators within 72 hours of a qualifying breach.

9. Changes

Material changes will be announced in-app or by email.

See also: Terms · Cookies · Safety · Contact