Privacy Policy

1. Information We Collect

We collect only what is necessary to provide you with meaningful insights and a personalized experience:

2. How We Use Your Information

Your data serves one primary purpose: to help you hear yourself clearly. We use it to:

• Power Your Inner Council: Your journal entries train your 10 inner parts (Warrior, Sage, Lover, etc.) to respond with YOUR wisdom, not generic advice
• Pattern Recognition: Show you when you've been here before — connecting past insights to present situations
• Personalize Experience: Understand which archetypes are loudest so your Council responds authentically
• Improve Service: Enhance features based on aggregated, anonymous usage data
• Communicate: Send important updates about your account or the service

3. Data Security & Encryption

We implement industry-standard security measures to protect your inner work:

• Encryption at Rest: Your journal entries are encrypted in our database using AES-128 (Fernet)
• Secure Transmission: All data is transmitted via SSL/TLS encryption
• Server-Held Keys: Encryption keys are held server-side; we are not end-to-end encrypted
• Access Controls: Strict authentication and authorization protocols
• Regular Audits: Security assessments and penetration testing

4. Your Rights & Control

You have complete sovereignty over your data:

• Access: View all data we have about you at any time
• Export: Download your complete data in standard formats
• Correction: Update or correct any information
• Deletion: Permanently delete your account and all associated data
• Portability: Transfer your data to other services
• Restriction: Limit how we process certain data

5. AI and Your Inner Council

Our AI serves as a mirror, not a judge. Here's how we handle AI processing:

• Journal Analysis: Your journal entries ARE analyzed by AI to train your Inner Council — this is how your 10 voices learn to respond with YOUR wisdom
• Pattern Recognition: AI identifies recurring themes and connects past entries to present questions
• Your Data Only: Your Inner Council is trained on YOUR entries alone — we don't mix your data with other users
• No Third-Party Sharing: We never share your journal content or psychological patterns with third parties
• Built on Jungian Psychology: Our archetype framework is based on Carl Jung's work and Internal Family Systems (IFS)

6. Third-Party Services

We use minimal third-party services, chosen for their privacy commitments:

• Supabase: Database and authentication (GDPR compliant)
• Analytics: Privacy-focused analytics (no personal data shared)
• Google Calendar (InnerOS Practice — therapists only): When a therapist connects their Google Calendar, we access calendar.events (to create session events with Google Meet links) and calendar.freebusy (to read available slots — no event titles or details). We never read or store existing calendar content. Therapists can disconnect at any time from Settings → Calendar.

Limited Use of Google user data. InnerOS's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We use the Google user data we access only to provide and improve the user-facing features of InnerOS Practice — specifically, creating session calendar events with Google Meet links and reading a therapist's availability. We do not use Google user data for any other purpose. In particular, we do not use it to serve advertisements, we do not use it (or transfer it) to develop, improve, or train generalized or non-personalized AI and/or machine-learning models, it is never sent to any AI service, and we do not sell it or transfer it to third parties except as necessary to provide these features, to comply with applicable law, or as part of a merger or acquisition with notice to affected users.

We do NOT use advertising networks, data brokers, or tracking pixels.

7. InnerOS Practice — Therapists & Clients

InnerOS Practice is a separate product within InnerOS for mental health professionals and their clients. If you use InnerOS Practice — either as a therapist or as a client booking sessions through a therapist's page — the following applies in addition to the rest of this policy.

Data we collect from therapists:

• Profile & credentials: Name, photo, bio, specialisations, languages, years of experience, approach, and service details you add to your public profile
• Availability & calendar: Your connected Google Calendar free/busy slots (no existing event titles or details are ever read or stored). See Section 6 for full scope details.
• Payment & payout data: Bank account or UPI details you provide for receiving session payments, processed via Razorpay. We do not store full card or account numbers — Razorpay holds them under PCI-DSS compliance.
• Session notes: Clinical notes you enter about sessions. These are visible only to you and are never shared with InnerOS or used to train any AI model.
• Communication logs: WhatsApp message delivery status for booking confirmations and reminders sent on your behalf.

Data we collect from clients (people booking with a therapist):

• Booking data: Name, phone number (WhatsApp), selected service, and appointment time
• Intake responses: Answers to any intake questions set by the therapist
• Consent records: Timestamp and record of consent given before the first session
• Payment status: Whether a session was paid, pending, or waived — no raw card data

How data is shared within InnerOS Practice:

• A therapist can see the booking, intake, and payment status of their own clients only
• A client's data is never shared across different therapists
• InnerOS acts as a data processor on behalf of therapists — therapists are the data controller for their clients' personal data
• We do not use client booking or intake data to train AI models

Third-party services used by InnerOS Practice:

• Razorpay: Payment processing for session fees (PCI-DSS compliant)
• WhatsApp Business API (Meta): Sending booking confirmations, reminders, and calendar invites to clients on behalf of therapists
• Google Calendar: Therapist calendar sync — see Section 6
• Google Meet: Conference links embedded in session calendar invites, created automatically on confirmed bookings

Clients can request deletion of their booking and intake data by contacting the therapist directly or emailing privacy@inneros.ai. Therapists can delete their Practice account and all associated data from Settings at any time.

8. Data Retention

We retain your data only as long as necessary:

• Active Accounts: Data retained while account is active
• Deleted Accounts: Fully purged within 30 days
• Backups: Encrypted backups retained for 90 days
• Anonymized Data: May be retained for research and improvement

9. Children's Privacy

InnerOS is designed for adults on a journey of self-discovery. We do not knowingly collect data from anyone under 18 years of age. If we discover such data, we will promptly delete it.

10. International Data Transfers

Your data may be processed in countries other than your own. We ensure all transfers comply with applicable data protection laws and maintain the same level of protection.

11. Changes to This Policy

As InnerOS evolves, so might this policy. We will:

• Notify you of significant changes via email
• Provide 30 days notice before changes take effect
• Allow data export if you disagree with changes
• Maintain a version history of all policy changes

12. Contact Us

For privacy-related questions or to exercise your data rights:

• Email: privacy@inneros.ai
• Data Protection Officer: dpo@inneros.ai
• Website: inneros.ai/contact