Privacy Policy
Last updated: April 2026
1. Introduction
This Privacy Policy explains how [YOUR COMPANY NAME] (“we,” “us,” “our,” or the “Company”), the operator of the StillBeMe application (“App” or “Service”), collects, uses, shares, and protects your personal data.
We are committed to protecting your privacy. Given that StillBeMe is used for personal communication by individuals who may have health-related speech difficulties, we take data protection extremely seriously.
1.1 Data Controller
[YOUR NAME or COMPANY NAME]
Address: [ADDRESS - can be city/country only for individuals]
Email: [PRIVACY EMAIL, e.g., privacy@stillbe.me]
We are the data controller for the personal data processed through the App under the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1.2 Summary of Key Points
- Conversation transcripts stay on your device and are not uploaded to our servers
- We use AI to generate response suggestions, which requires sending transcripts to OpenAI
- We do not store your conversation history in the cloud
- You can delete your account and all associated data at any time
- We use EU-based analytics (PostHog EU) with cookie consent
- We never sell your personal data
2. What Data We Collect
2.1 Account Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account authentication, password recovery, service communications | Contract performance |
| Password (hashed) | Account security | Contract performance |
| Name (optional) | Personalization of AI responses | Consent |
2.2 Communication Preferences
| Data | Purpose | Legal Basis |
|---|---|---|
| Voice preference | Text-to-speech voice selection | Contract performance |
| Personality traits (up to 5 from 12 options) | Tailoring AI response suggestions to match your communication style | Consent |
| Language preference | App interface and speech language | Contract performance |
| Favorite phrases | Quick access to frequently used phrases | Contract performance |
| Custom/hidden phrases | Personalization of phrase categories | Contract performance |
2.3 Conversation Data
Privacy by Design: Conversation history is stored locally on your device only using IndexedDB. We do not sync conversation history to our servers. To generate personalized response suggestions, recent conversation context is processed securely via OpenAI’s API and is not retained (see Section 5.3).
| Data | Storage | Retention |
|---|---|---|
| Speech transcripts (what your conversation partner says) | Local device only (IndexedDB) | Last 20 turns, then automatically deleted |
| Your selected responses | Local device only (IndexedDB) | Last 20 turns, then automatically deleted |
| Audio recordings | Not stored | Processed in real-time, immediately discarded |
2.4 Analytics Data
With your consent (via cookie banner), we collect anonymized usage analytics to improve the App:
| Data | Purpose |
|---|---|
| Page views and navigation | Understanding user flows |
| Feature usage (e.g., “listening started,” “phrase spoken”) | Product improvement |
| Device type and browser | Compatibility and performance optimization |
| Language/locale | Localization priorities |
We do NOT collect: The content of your conversations, what phrases you speak, or any health information. Analytics events contain category IDs (e.g., “health” category), not the actual phrase text.
3. Special Category Data (Health Data)
Important Notice: While StillBeMe is designed for users with speech difficulties, we do not collect, store, or process health data about your medical condition. The App does not ask you to disclose your diagnosis, and we have no way to identify your specific health condition from your use of the App.
Your use of the App may imply that you experience speech difficulties, but:
- We do not require or request health information
- We do not categorize users by medical condition
- We do not share any health-related inferences with third parties
4. How We Use Your Data
4.1 To Provide the Service
- Authenticate your account
- Generate AI response suggestions based on conversation context
- Convert text to speech using your preferred voice
- Sync your preferences across devices (if logged in)
- Store your favorite and custom phrases
4.2 To Improve the Service
- Analyze anonymized usage patterns
- Identify and fix bugs
- Prioritize feature development
4.3 To Communicate With You
- Send password reset emails
- Notify you of important service changes
- Respond to support requests
5. Data Sharing and Third-Party Processors
We share your data with third-party service providers who help us deliver the App. All processors are bound by data processing agreements (DPAs) and are required to protect your data.
5.1 Third-Party Processors
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Authentication, database | Email, hashed password, preferences, favorites | [VERIFY - e.g., EU/Frankfurt] |
| OpenAI | AI response generation | Conversation transcript (last ~10 turns), personality traits, name (if provided) | United States |
| Microsoft Azure | Text-to-speech | Text of phrase to be spoken | [VERIFY REGION] |
| PostHog | Product analytics | Anonymized usage events (with consent) | European Union |
| Vercel | Hosting, edge functions | HTTP requests, IP addresses (logs) | [VERIFY] |
5.2 International Data Transfers
Some of our processors (notably OpenAI) are located in the United States. For transfers outside the European Economic Area (EEA), we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Binding Corporate Rules where available
You can request a copy of the relevant safeguards by contacting us at [PRIVACY EMAIL].
5.3 OpenAI Data Processing
To generate response suggestions, we send OpenAI:
- The transcript of what your conversation partner just said
- Recent conversation context (approximately the last 10 exchanges)
- Your personality trait preferences (e.g., “warm,” “direct”)
- Your name (if you provided one, for personalization)
- Your language preference
OpenAI does not use this data to train their models when using the API (per OpenAI’s API data usage policy as of 2024). Data is processed for the immediate request and is not retained by OpenAI beyond their standard API logging (up to 30 days for abuse monitoring).
5.4 We Never Sell Your Data
We do not sell, rent, or trade your personal data to third parties for their marketing or commercial purposes.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data (email, preferences) | Until you delete your account |
| Conversation history (local) | Last 20 turns, automatically trimmed. Cleared on account deletion or browser data clear. |
| Favorites and custom phrases | Until you delete them or your account |
| Analytics data | 12 months from collection (PostHog default) |
| Server logs | 30 days (Vercel default) |
7. Your Rights Under GDPR
As a user in the European Union (or where GDPR applies), you have the following rights:
7.1 Right of Access
You can request a copy of the personal data we hold about you. Contact us at [PRIVACY EMAIL].
7.2 Right to Rectification
You can update your account information directly in the App’s Settings, or contact us to correct inaccurate data.
7.3 Right to Erasure (Right to be Forgotten)
You can delete your account and all associated cloud data at any time through the App’s Settings menu (Account > Delete Account). This permanently removes:
- Your authentication record
- Your cloud-stored preferences
- Your favorite and custom phrases
Local data (conversation history) is deleted when you clear browser data or use the App’s “Clear conversation history” function.
7.4 Right to Data Portability
You can request your data in a machine-readable format. Contact us at [PRIVACY EMAIL].
7.5 Right to Object
You can object to processing based on legitimate interests. For analytics, you can withdraw consent via the cookie banner or by disabling cookies.
7.6 Right to Restrict Processing
In certain circumstances, you can request that we limit how we use your data.
7.7 Right to Withdraw Consent
Where processing is based on consent, you can withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.
7.8 Right to Lodge a Complaint
You have the right to lodge a complaint with your local data protection authority. For Sweden, this is IMY (Integritetsskyddsmyndigheten): www.imy.se
8. Cookies and Tracking
8.1 Essential Cookies
We use essential cookies for authentication and session management. These cannot be disabled as they are necessary for the App to function.
8.2 Analytics Cookies
With your consent, we use PostHog for product analytics. You can manage your cookie preferences through the cookie banner or by clearing your browser data.
Cookie consent is stored locally as sbm_cookie_consent in your browser’s localStorage.
8.3 No Advertising Cookies
We do not use advertising, marketing, or cross-site tracking cookies.
9. Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit: All data transmitted to and from the App uses HTTPS/TLS
- Encryption at rest: Database data is encrypted at rest
- Password security: Passwords are hashed using industry-standard algorithms (bcrypt via Supabase)
- Access controls: Limited access to production systems
- Local-first design: Sensitive conversation data stays on your device
- JWT authentication: Secure token-based API authentication
While we take security seriously, no system is completely secure. If you believe your account has been compromised, contact us immediately at [SECURITY EMAIL].
10. Children’s Privacy
The App is designed for adults and is not intended for children under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Updating the “Last updated” date at the top of this page
- Posting a notice in the App
- Sending an email to registered users (for significant changes)
Continued use of the App after changes constitutes acceptance of the updated Privacy Policy.
12. Contact Us
For questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
[COMPANY NAME]
Data Protection Contact: [PRIVACY EMAIL]
Address: [PHYSICAL ADDRESS]
We aim to respond to all legitimate requests within 30 days. If your request is complex, we may need an additional 60 days (90 days total) and will inform you accordingly.
13. Legal Basis for Processing (GDPR Summary)
| Processing Activity | Legal Basis |
|---|---|
| Account creation and authentication | Contract performance (Art. 6(1)(b)) |
| AI response generation | Contract performance (Art. 6(1)(b)) |
| Text-to-speech | Contract performance (Art. 6(1)(b)) |
| Preference and favorites sync | Contract performance (Art. 6(1)(b)) |
| Personality traits processing | Consent (Art. 6(1)(a)) |
| Analytics (PostHog) | Consent (Art. 6(1)(a)) |
| Service communications | Contract performance / Legitimate interest (Art. 6(1)(b)/(f)) |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
This Privacy Policy is provided in English. Where translated versions exist, the English version prevails in case of discrepancy.