GlassBeadGuide
Privacy Policy
Last updated: 27 February 2026
GlassBeadGuide (“we”, “us”, “our”) is committed to protecting your personal data. This policy explains what we collect, on what legal basis, how long we keep it, and what rights you have under the General Data Protection Regulation (GDPR) and applicable national law.
Data controller: GlassBeadGuide — privacy@glassbeadguide.com
GlassBeadGuide is a philosophical reflection tool, not a therapy service or medical device. It is not a substitute for professional mental health support.
1. Data we collect and why
Account data
- Email address — required to create and authenticate your account and, if you use Letters, to deliver your letter. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
- Name and handle — optional profile fields you choose to provide, used to personalise greetings. Legal basis: contract / legitimate interest.
- Timezone — optional, used to schedule your daily thought at a relevant local time. Legal basis: contract / legitimate interest.
Reflection content
- What you type in a reflection — sent to Anthropic's API to generate a philosophical response, and stored in our database so you can view your history and so the guide builds continuity over time.
- AI-generated responses — the philosophical perspectives, mantra, and synthesis returned to you, stored alongside your input.
- Derived memory — short summaries of past sessions (not the full text) kept to give the guide context across future conversations.
Legal basis: performance of a contract — this is the core functionality of the service.
Letters to Future Self
- If you save a reflection as a letter, the generated letter text, your chosen delivery date, and your email address are stored until the letter is delivered or you cancel it.
- Your email is passed to Resend solely to deliver the letter. Resend does not use it for any other purpose.
Legal basis: performance of a contract (you explicitly requested the delivery).
Push notifications
If you enable daily notifications, your browser's push subscription token is stored to send your daily thought. Legal basis: consent (Art. 6(1)(a) GDPR). You can withdraw consent at any time in your Profile.
Analytics
We use PostHog (EU cloud, Frankfurt) to understand aggregate usage — for example, how many people complete a reflection. Analytics are enabled only after you accept cookies via the consent banner. Legal basis: consent (Art. 6(1)(a) GDPR).
PostHog is configured with IP anonymisation. No personal text from your reflections is sent to PostHog. We do not use analytics for advertising and do not sell data.
Server logs
Vercel automatically records standard server logs (IP address, request path, timestamp, response code) for security and operational purposes. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). Retained for 30 days.
2. Sub-processors
We share your data only with the processors listed below. Each operates under a Data Processing Agreement (DPA) and, where applicable, Standard Contractual Clauses (SCCs) for transfers outside the EEA.
| Processor | Role | Location | Transfer basis |
|---|---|---|---|
| Supabase | Authentication and database hosting | EU (Frankfurt) | SCCs + DPA — EU region, no transfer outside EEA |
| Anthropic | AI language model (Claude) — processes your reflection text | United States | SCCs + DPA |
| Vercel | Application hosting, serverless functions, cron jobs | EU edge + US origin | SCCs + DPA |
| Resend | Transactional email (Letters to Future Self delivery) | United States | SCCs + DPA |
| PostHog | Product analytics — only if you accept cookies | EU (Frankfurt) | EU cloud — no transfer outside EEA |
We never sell your data or share it with any party not listed above.
3. AI processing and your content
Your reflection text is sent to Anthropic's API (Claude) to generate philosophical responses. Anthropic acts as a data processor under our DPA. Under our agreement, Anthropic does not use your content to train their models.
We do not use your reflection content to train any AI model ourselves.
Please avoid including sensitive personal data about other people (e.g. full names, contact details, health information of third parties) in your reflections.
4. How long we keep your data
- Account and reflection data — kept until you delete your account. Deletion is immediate and permanent via Settings → “Delete my account”.
- Letters — kept until delivered or cancelled, then removed from active storage.
- Push subscriptions — kept until you unsubscribe or the token expires.
- Analytics data — 90 days in PostHog, then automatically purged.
- Server logs — 30 days.
5. Your rights
Under GDPR you have the following rights. To exercise any of them, email privacy@glassbeadguide.com. We will respond within 30 days (extendable to 90 days for complex requests — we will notify you within the first 30).
- Access — request a copy of all personal data we hold about you.
- Erasure — delete your account instantly via Settings. This permanently removes all your sessions, letters, memory, and profile data. You can also email us for selective deletion.
- Portability — request an export of your reflection history and letter content in a machine-readable format (JSON).
- Rectification — update your name and handle directly in Settings at any time.
- Restriction — ask us to pause processing your data while a dispute is resolved.
- Objection — object to processing based on legitimate interest (e.g. server logs).
- Withdraw consent — for analytics: use the cookie preferences link in the footer. For push notifications: turn them off in your Profile. Withdrawal does not affect the lawfulness of prior processing.
- Lodge a complaint — you may complain to your national supervisory authority. Find your authority at edpb.europa.eu.
6. Cookies and local storage
- Authentication cookies (Supabase) — strictly necessary to keep you signed in. No consent required.
- Language preference (lang cookie) — stores your chosen interface language. No consent required.
- Analytics cookies (PostHog) — only set after you accept analytics via the consent banner. You can change this preference at any time via the “Cookie preferences” link.
No advertising, tracking, or third-party marketing cookies are used.
7. Security
All data is transmitted over HTTPS. Our database uses row-level security so each user can only access their own data. Access to production infrastructure is restricted to authorised personnel.
No system is entirely secure. If you discover a security issue, please report it to privacy@glassbeadguide.com.
8. Children
GlassBeadGuide is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe we have done so inadvertently, please contact us and we will delete it promptly.
9. Changes to this policy
We may update this policy from time to time. When we do, we will revise the “Last updated” date at the top. For material changes we will notify you by email or via a notice in the app at least 14 days before the change takes effect.
10. Contact
For any privacy-related question or to exercise your rights: privacy@glassbeadguide.com