Privacy Policy

Information We Collect

• OAuth login information: name, email address, profile image (provided by Google or Kakao)
• Emotional data: emotions selected during the Stabilize stage, grounding responses
• Transform images: uploaded photos (deleted immediately after processing, never stored on our servers)
• Circle data: check-in content, mood scores, commitments, peer responses, nickname
• Payment information: subscription details via Stripe (card numbers are never stored on HealFrame servers)
• Session data: analysis results via sessionStorage (deleted when browser is closed)
• Recovery reports: AI-generated analysis and mood trend data

How We Use Your Information

• Service delivery: recovery stage guidance, personalized AI guidance generation
• AI analysis: safety classification, imagery rescripting, and recovery reflection via Google Gemini API
• Payment processing: Pro subscription management via Stripe
• Service improvement: anonymized usage pattern analysis

Legal Basis for Processing (GDPR)

For users in the EU/EEA, our processing of personal data is based on the following legal grounds:

• Consent (Art. 6(1)(a)): For optional features such as image upload, Circle participation, and AI analysis
• Performance of contract (Art. 6(1)(b)): For service delivery and account management
• Legitimate interests (Art. 6(1)(f)): For service security, fraud prevention, and service improvement
• Legal obligation (Art. 6(1)(c)): For payment record retention and regulatory compliance

Third-Party Services

• Google Gemini API: text and image data is sent for AI analysis. Data sent via the API is not used for Google's AI model training. Google's privacy policy applies.
• Stripe: payment information is transmitted for payment processing. Stripe's privacy policy applies.
• OAuth providers (Google, Kakao): basic profile information is received for login authentication.
• Vercel: used for service hosting and deployment. Vercel's privacy policy applies.

International Data Transfers

Your personal data may be transferred internationally for service operation:

• Google (United States): text/image data for AI analysis. Google participates in the EU-US Data Privacy Framework.
• Stripe (United States): payment information for payment processing. Stripe is certified under the EU-US Data Privacy Framework.
• Vercel (United States): service hosting. Standard Contractual Clauses (SCCs) apply.

All international transfers are protected by appropriate safeguards including adequacy decisions, Standard Contractual Clauses (SCCs), or the EU-US Data Privacy Framework.

Automated Decision-Making

The Service performs the following automated processing:

• AI content safety classification: AI automatically classifies Circle check-ins and responses into safety levels (GREEN/AMBER/RED). Content classified as RED is automatically blocked and crisis resources are displayed.
• AI recovery reflection: For Pro users, AI automatically generates personalized reflections on check-ins.

You have the right to contest automated decisions and request human intervention. Please contact contact@soursea.io.

Data Processing Delegation

The Service delegates the following personal data processing to third parties:

• Google LLC: AI analysis processing (text/image safety classification, reflection generation)
• Stripe, Inc.: Payment processing and subscription management
• Vercel, Inc.: Service hosting, deployment, and serverless function execution
• Resend, Inc.: Email delivery service

Data Retention

• Account information: retained until account deletion
• Circle data: deleted within 30 days after leaving a circle
• Transform images: deleted immediately after processing (never stored on servers)
• Payment records: retained for 5 years as required by applicable laws

Personal data is destroyed without delay once the retention period expires. Electronic files are permanently deleted using irreversible methods, and paper documents are shredded or incinerated.

Your Rights

• Right to access: you may request to view your collected personal information.
• Right to deletion: you may request deletion of your account and associated data.
• Right to withdraw consent: you may withdraw your consent for data collection at any time.
• Right to portability: you may receive your data in a structured format (JSON). You can export your data directly from your account settings.
• Right to rectification: you may request correction of inaccurate personal information.
• Right to restrict processing: you may request restriction of processing under certain conditions.

Children's Privacy

The Service does not knowingly collect personal information from children under 14. For users in the United States, in accordance with COPPA, children under 13 may not use the Service without parental consent. For users in the EU/EEA, in accordance with GDPR, users under 16 (which may vary by member state) require parental or guardian consent. If we discover that personal information has been collected from a child below the applicable age, it will be deleted immediately.

Cookies and Local Storage

The Service uses only essential cookies. We do not use tracking or advertising cookies.

• NextAuth session cookie (essential): used to maintain your login state. Deleted when the browser is closed or the session expires.
• Cookie consent cookie (essential): stores your cookie consent preference. Retained for 1 year.
• localStorage (functional): used to save theme preferences (light/dark mode).
• sessionStorage (functional): used to pass analysis results between stages, automatically deleted when the browser is closed.

Additional Rights for EU/EEA Users (GDPR)

Users residing in the EU/EEA have the following additional rights:

• Right to lodge a complaint with a supervisory authority: you may file a complaint with the data protection authority in your country of residence.
• Right to object: you may object to processing based on legitimate interests.
• Rights related to automated decision-making: you have the right not to be subject to automated decision-making, including profiling.

California Consumer Rights (CCPA/CPRA)

California residents have the following additional rights:

• Right to know: you have the right to know the categories and specific pieces of personal information collected, used, shared, or sold.
• Right to delete: you may request deletion of your collected personal information.
• Right to opt-out: you may opt out of the sale or sharing of your personal information.
• HealFrame does not sell your personal information and does not share it for targeted advertising purposes.
• Non-discrimination: you will not be discriminated against for exercising your privacy rights.

Notice for Users in Japan (APPI)

• Cross-border transfers: The Service transfers personal data to Google, Stripe, and Vercel located in the United States. For information about personal data protection systems in the destination countries, please refer to the Personal Information Protection Commission website.
• Joint use: In the Circle feature, check-in content, mood scores, and nicknames are jointly used among members of the same circle. HealFrame is the party responsible for managing jointly used data.
• Specification of purpose: Personal data is used only within the purposes specified above. Prior consent will be obtained for any use beyond these purposes.

Notice for Users in Korea (PIPA)

• Privacy Officer: HealFrame Privacy Officer (contact@soursea.io). Complaints or damage relief related to personal data processing can also be addressed through the Personal Information Dispute Mediation Committee (www.kopico.go.kr) or the Privacy Infringement Report Center (privacy.kisa.or.kr).
• Destruction procedure: Personal data is destroyed without delay after the retention period expires or the processing purpose is achieved, in accordance with internal policies.
• Safety measures: To ensure the safe processing of personal data, we implement measures including internal management plans, access control, access log retention, and encryption.

Contact

Privacy inquiries: contact@soursea.io