LEGAL

Privacy Policy

Last updated: February 8, 2026

At Jessalyn AI, your privacy is fundamental to everything we build. This Privacy Policy explains what information we collect, how we use and protect it, and the choices you have. We believe you deserve complete transparency — especially when it comes to sensitive wellness conversations. This policy applies to all users of the Jessalyn AI application and related services.

01

Information We Collect

We collect the minimum information necessary to provide, maintain, and improve Jessalyn AI. The types of information we collect include:

Account Information. When you create an account, we collect your email address, display name, date of birth, and password. If you sign up through a third-party service (such as Apple or Google), we receive basic profile information from that service.

Conversation Data. This includes the text and voice messages you exchange with Jessalyn, your selected options during guided exercises, mood check-in responses, daily intentions, and session summaries generated by the AI. We treat conversation data as highly sensitive.

Usage Data. We collect information about how you interact with the App, including session frequency and duration, features used, screens visited, and interactions with the AI. This helps us understand how the Service is used and where we can improve.

Device Information. We collect device type, operating system and version, app version, device language settings, and general crash and performance data. We do not collect device advertising identifiers for advertising purposes.

Payment Information. If you subscribe to a paid plan, payment processing is handled by the Apple App Store, Google Play Store, or our authorized payment processor. We do not directly store your credit card number or full payment details. We receive transaction confirmations, subscription status, and billing history.

We do not collect location data, contacts, browsing history, photos (unless you share them in a conversation), or any data unrelated to your use of Jessalyn.

02

How We Use Your Information

We use the information we collect for the following purposes:

Providing the Service. To deliver personalized conversations, generate session summaries, create guided meditations, set and track daily intentions, and provide emotional wellness insights.

Safety & Crisis Detection. To detect language that may indicate crisis or self-harm and to surface appropriate crisis resources. This is an automated process and does not involve real-time human monitoring of conversations.

Service Improvement. To analyze usage patterns (in aggregate and anonymized form), fix bugs, improve AI response quality, and develop new features. We may use anonymized and aggregated data for research purposes.

Communications. To send you service-related notifications (such as account verification, security alerts, and subscription reminders). We will only send promotional communications with your explicit consent, and you can opt out at any time.

Legal Compliance. To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

We never use your data for targeted advertising. We never sell your personal information. We never share your conversation content with advertisers or data brokers.

03

AI & Your Conversation Data

Given the sensitive nature of wellness conversations, we want to be transparent about how your data interacts with AI systems.

How Conversations Are Processed. When you send a message to Jessalyn, it is processed through a large language model (LLM) to generate a response. Before your conversation data is sent to any third-party AI model provider, we automatically strip personally identifiable information (PII) — including your name, email, and other identifying details — from the data.

Zero Data Retention at AI Providers. We contractually require our AI model providers to maintain zero data retention for Jessalyn conversations. This means your conversation content is processed in real time and is not stored, logged, or retained by the AI model provider after the response is generated.

No Third-Party AI Training. Your conversation data is never used to train third-party AI models. We do not permit our AI model providers to use Jessalyn user data for their own model training or improvement.

Internal Improvement. We may use anonymized and de-identified conversation data to improve the safety, quality, and relevance of Jessalyn's responses. This data cannot be linked back to you. If you prefer that your data not be used even in anonymized form, you may opt out by contacting privacy@jessalyn.ai.

Safety Guardrails. All AI-generated responses pass through content filtering and safety systems designed to prevent harmful, inappropriate, or clinically irresponsible outputs. These systems are regularly reviewed and updated.

Human Review. In limited circumstances, our safety and quality team may review flagged conversations to evaluate and improve safety systems. When this occurs, conversations are reviewed in de-identified form, and reviewers are bound by strict confidentiality obligations.

04

How We Share Your Information

We do not sell, rent, or trade your personal information. We share your information only in the following limited circumstances:

Service Providers. We work with trusted third-party companies that help us operate and improve the Service, including cloud infrastructure providers (Cloudflare), AI model providers, analytics services, and payment processors. These providers are contractually obligated to use your data only as necessary to provide services to us and are bound by data protection agreements.

Legal Requirements. We may disclose your information if required to do so by law or in response to valid legal process, such as a subpoena, court order, or government request. We will notify you of such requests unless we are legally prohibited from doing so.

Safety. We may disclose information if we believe in good faith that it is necessary to: (a) protect the safety of any person; (b) address fraud, security, or technical issues; or (c) protect the rights or property of Jessalyn AI.

Business Transfers. If Jessalyn AI is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the App before your information becomes subject to a different privacy policy.

Aggregated & De-Identified Data. We may share aggregated or de-identified data that cannot reasonably be used to identify you. For example, we may share aggregate statistics about how many users engage with meditation features.

We never share your conversation content with advertisers, marketing companies, or data brokers. We never use your data for targeted advertising or cross-context behavioral advertising.

05

Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Account Data. Retained for the duration of your account. If you delete your account, we will delete or anonymize your account data within 30 days, except where we are required by law to retain it.

Conversation Data. Retained for the duration of your account to provide session continuity and generate insights. Upon account deletion, conversation data is permanently deleted within 30 days.

Usage & Device Data. Retained in identifiable form for up to 12 months, after which it is aggregated or deleted.

Payment Records. Retained as required by applicable tax and financial reporting laws, typically up to 7 years.

Safety-Related Data. If a conversation triggers our crisis detection system, a de-identified record of the safety event may be retained for up to 3 years for the purpose of improving our safety systems. This record does not contain your identity or the full conversation.

You may request deletion of your data at any time through the App settings or by contacting privacy@jessalyn.ai. We will process deletion requests within 30 days, subject to any legal retention obligations.

06

Data Security

We take the security of your data seriously and implement industry-standard measures to protect it.

Encryption. All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.

Infrastructure. Your data is stored on Cloudflare's global infrastructure, which provides enterprise-grade security, DDoS protection, and data isolation.

Access Controls. Access to personal data is restricted to authorized personnel who need it to perform their job functions. All access is logged and audited.

AI Data Handling. Personally identifiable information is stripped from data before it is sent to AI model providers. AI providers are contractually required to maintain zero data retention for our users' data.

Incident Response. We maintain an incident response plan and will notify affected users and relevant authorities of any data breach in accordance with applicable law, typically within 72 hours of becoming aware of the breach.

While we implement robust security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security issues that arise.

07

Children & Teens Privacy

Jessalyn AI is designed for users aged 13 and older. We take the privacy of younger users seriously and comply with the Children's Online Privacy Protection Act (COPPA) and other applicable children's privacy laws.

Under 13. We do not knowingly collect personal information from children under 13. If we learn that a child under 13 has created an account, we will promptly delete the account and all associated data.

Ages 13-17. For users between 13 and 17, we require verifiable parental or guardian consent before the account becomes active. Parents and guardians of Minor Users have the right to: (a) review the personal information we have collected from their child; (b) request that we delete their child's personal information; (c) request that we stop collecting further information from their child; and (d) manage or delete their child's account.

Enhanced Protections. For all users under 18, we apply enhanced data minimization — we collect only what is strictly necessary to provide the Service. We do not use data from Minor Users for any purpose beyond providing the core Service. We do not serve advertising to any users, and we do not build marketing profiles of Minor Users.

AI Training. We do not use conversation data from Minor Users to train AI models, whether first-party or third-party, without separate verifiable parental consent.

To exercise parental rights or to report a concern about a child's account, contact us at privacy@jessalyn.ai.

08

Your Rights & Choices

Depending on your location, you may have some or all of the following rights regarding your personal information:

Access. You have the right to request a copy of the personal information we hold about you.

Correction. You have the right to request that we correct inaccurate or incomplete personal information.

Deletion. You have the right to request that we delete your personal information. You can initiate this through the App settings or by contacting us.

Data Portability. You have the right to request your data in a structured, commonly used, machine-readable format (such as JSON or CSV).

Opt-Out. You have the right to opt out of: (a) promotional communications (via unsubscribe link or App settings); (b) the use of your anonymized data for service improvement (by contacting privacy@jessalyn.ai).

Withdraw Consent. Where we process your data based on consent, you have the right to withdraw consent at any time. This does not affect the lawfulness of processing based on consent before withdrawal.

Restriction. You have the right to request that we restrict the processing of your personal information in certain circumstances.

To exercise any of these rights, contact us at privacy@jessalyn.ai or use the in-app privacy settings. We will respond to all requests within 30 days (or sooner if required by applicable law). We will not discriminate against you for exercising your privacy rights.

09

California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights.

Right to Know. You have the right to know what personal information we collect, use, disclose, and sell (if applicable). In the preceding 12 months, we have collected the categories of information described in Section 01 of this policy.

Right to Delete. You have the right to request deletion of your personal information, subject to certain exceptions.

Right to Opt-Out of Sale/Sharing. We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Because we do not engage in these practices, there is no need to opt out, but you may still submit a request and we will confirm our practices.

Right to Non-Discrimination. We will not deny you the Service, charge different prices, or provide a different quality of service because you exercised your CCPA rights.

Sensitive Personal Information. Conversation data that references your mental or emotional state may constitute "sensitive personal information" under CPRA. We use this data only to provide the Service (a disclosed, expected purpose) and do not use it for profiling or advertising.

To submit a CCPA request, contact us at privacy@jessalyn.ai. We will verify your identity before processing the request. You may also designate an authorized agent to make a request on your behalf.

10

International Users

If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, the following additional provisions apply.

Legal Bases. We process your personal data under the following legal bases: (a) Contract Performance — to provide the Service you have requested; (b) Consent — for optional features, marketing communications, and processing of sensitive data; (c) Legitimate Interest — for security, fraud prevention, and service improvement, where our interests do not override your fundamental rights; (d) Legal Obligation — to comply with applicable laws.

Data Subject Rights. In addition to the rights described in Section 08, you have the right to: (a) object to processing based on legitimate interest; (b) lodge a complaint with your local data protection authority.

Data Transfers. Your data is processed in the United States. We rely on European Commission-approved Standard Contractual Clauses (SCCs) as the legal mechanism for transferring personal data from the EEA/UK to the United States. We have implemented supplementary measures to ensure an adequate level of protection for your data.

Data Controller. Jessalyn AI, Inc. is the data controller for your personal information. For privacy inquiries related to EU/UK data, contact our data protection team at privacy@jessalyn.ai.

If you are located in another jurisdiction with data protection laws, we will comply with applicable local requirements. If there is a conflict between this Privacy Policy and local law, local law prevails.

11

Cookies & Tracking Technologies

The Jessalyn AI mobile application does not use cookies. However, if you access any Jessalyn AI web properties (such as our website), the following applies:

Essential Technologies. We use essential cookies and local storage to maintain your session and ensure the website functions properly. These cannot be disabled.

Analytics. We may use privacy-focused analytics to understand how our website is used in aggregate. We do not use Google Analytics or any advertising-related tracking tools on our website.

No Advertising Tracking. We do not use advertising cookies, tracking pixels, or any technology that enables cross-site behavioral advertising.

Do Not Track & Global Privacy Control. We honor the Global Privacy Control (GPC) signal. When we detect a GPC signal from your browser, we treat it as a valid opt-out request for the sale or sharing of personal information (though we do not engage in these practices).

12

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. When we make changes, we will update the "Last updated" date at the top of this page. If we make material changes that affect how we handle your personal information, we will notify you through the App or via email at least 30 days before the changes take effect. For Minor Users, we will also attempt to notify the parent or guardian on file. We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.

13

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Jessalyn AI, Inc.
Privacy Team: privacy@jessalyn.ai
General Support: support@jessalyn.ai

We take every privacy inquiry seriously and aim to respond within 5 business days. For data subject access requests under GDPR or CCPA, we will respond within the timeframes required by applicable law (30 days for GDPR, 45 days for CCPA).