GDPR Compliance Statement
This Privacy Policy complies with the EU General Data Protection Regulation (GDPR) 2016/679. We are committed to protecting your personal data and respecting your privacy rights.
Important: Underneath processes deeply personal and psychologically sensitive data, including diary entries, emotional patterns, behavioral analysis, and AI-generated psychological observations. We take the protection of this data extremely seriously.
1. Data Controller
The data controller responsible for your personal data is:
Underneath
Email: info@underneathapp.com
2. Personal Data We Collect
Due to the nature of Underneath as a self-observation and psychological exploration tool, we collect data that may be highly personal and intimate. Below is a full description of the categories of data we collect.
2.1 Account Information
- Email address (used for authentication and communication)
- Password (stored as a one-way hash using bcrypt; we never store your actual password)
- Subscription tier (Free, Basic, Pro, or Premium)
- Account status (Active or Inactive)
2.2 Diary and Self-Observation Data
This is the core of Underneath. When you write diary entries ("daily traces"), the following is collected:
- Diary entry content: Your written reflections, thoughts, and observations
- AI analysis summary: An AI-generated summary of your entry
- Detected patterns: Recurring themes and behaviors identified by the AI
- Detected biases: Cognitive biases the AI identifies in your writing
- AI analysis: Detailed psychological observations generated by our AI system
2.3 Psychological Profile Data
As you use the Service, the AI builds a psychological profile based on your entries:
- Open tensions: Unresolved emotional or psychological concerns you express
- Known facts: Personal truths and beliefs you share
- Attractors: Recurring behavioral themes and gravitational patterns in your life
- Attractor movements: How your behavioral patterns shift over time
- Silence patterns: Topics you avoid or do not address, as observed by the AI
- Detected loops: Repetitive behavioral cycles identified by the AI
2.4 Periodic Synthesis Data
- Weekly and monthly syntheses: AI-generated reports including primary observations, correlations between your behaviors, future projections, and identified contradictions
- Raw AI analysis: The complete analytical output from our AI system
2.5 User Profile and AI Personalization
- Bio and about information: Personal description you provide
- AI interaction preferences: Custom tone, persona, instructions, and notes
- Audio and display settings
2.6 Goal Tracking Data
- Goals: Personal life goals you set, including titles, notes, and duration
- Goal entries: Daily progress notes and completion status
- AI feedback on goals: AI-generated prompts and feedback on your progress
2.7 Conversation Data
- Chat messages: All messages exchanged between you and the AI
2.8 Security and Technical Data
- IP addresses: Registration IP and last login IP (for fraud prevention)
- Login timestamps: Last login time and last activity time
- Authentication tokens: Stored securely in HTTP-only cookies
2.9 Contact and Support Data
- Support messages: Messages you send through our contact form
3. Special Category Data (GDPR Article 9)
Some of the data we process may qualify as special category data under GDPR Article 9, particularly data relating to psychological health, emotional states, and behavioral patterns.
We process this data solely on the basis of your explicit consent (Art. 9(2)(a)), which you provide when you create an account and actively choose to write diary entries and use the self-observation features of the Service.
You may withdraw your consent and request deletion of this data at any time (see Section 7).
4. Legal Basis for Processing (GDPR Article 6)
We process your personal data based on the following legal grounds:
- Explicit Consent (Art. 6(1)(a) and Art. 9(2)(a)): For all diary content, psychological analysis, and sensitive personal data.
- Contract Performance (Art. 6(1)(b)): For account management, authentication, and delivering the core Service functionality.
- Legitimate Interests (Art. 6(1)(f)): For security measures, fraud prevention, and technical maintenance of the Service.
- Legal Obligation (Art. 6(1)(c)): Where required to comply with applicable laws.
5. Data Encryption and Security
Given the extremely sensitive nature of the data we handle, we implement multiple layers of protection:
Important: Our security model is hybrid. We use strong encryption for storage and transport, and when you enable personal-key protection some stored content is additionally protected with a browser-generated key. However, some features still require secure server-side and AI processing during a request.
- Transport encryption (TLS/SSL): All data transmitted between your device, our services, and our infrastructure is encrypted in transit.
- Encryption at rest: Sensitive content stored in our database is encrypted at rest, including diary entries, analyses, goals, profile fields, syntheses, tensions, and chat history.
- Browser-generated personal-key protection for selected stored content: When configured, certain stored content is additionally protected at rest with a personal key generated in your browser.
- Password hashing: Passwords are stored using bcrypt one-way hashing.
- Authentication security: JWT tokens with short expiration and HTTP-only secure cookies.
- Access controls: Strict role-based access controls.
6. Data Retention and Account Lifecycle
We retain your personal data according to the following policy:
By default, we do not automatically delete your data. You remain in full control of your information.
- Active accounts: All data is retained while your account remains active.
- Inactive accounts: If you do not access the Service for 37 consecutive days, your account is marked as Inactive. Your data remains preserved by default.
- 120-day reminder: After 120 consecutive days without access, we send an inactivity reminder email.
- Optional Privacy Auto-Wipe: If you enable this setting in your profile, after 180 consecutive days of inactivity we start a 30-day grace period for protected-data deletion. If you do not log back in or cancel the request, sensitive content is permanently deleted after 210 days of inactivity while the account itself remains available.
- Account deletion: Upon request, we will permanently delete all your personal data within 30 days.
- Security logs: IP addresses and login data are retained for a maximum of 12 months.
7. Your Rights Under GDPR
You have the following rights regarding your personal data:
If you request restriction of diary, chat, or similar content processing, features that depend on that processing - such as AI chat, analyses, syntheses, and personalization - may be limited or unavailable while the restriction is in place.
To exercise any of these rights, contact us at info@underneathapp.com. We will respond within 30 days.
- Right of Access (Art. 15): Request a complete copy of all personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate personal data.
- Right to Erasure (Art. 17): Request permanent deletion of all your personal data.
- Right to Restriction (Art. 18): Request that we limit how we process your data.
- Right to Data Portability (Art. 20): Receive all your data in a machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests.
- Right to Withdraw Consent (Art. 7(3)): Withdraw your consent to data processing at any time.
8. AI Processing and Automated Decision-Making
Underneath uses artificial intelligence to analyze diary entries, chat messages, goals, and other submitted inputs to generate observations and responses. You should be aware of the following:
To provide chat, analyses, syntheses, and personalization, relevant content may be processed in plaintext by our backend and by AI providers during a request, even when stored copies are later protected at rest.
- AI analysis is performed automatically on diary entries, chat messages, goals, and other inputs you submit for supported features.
- The AI identifies patterns, biases, tensions, loops, and other psychological features.
- AI-generated analyses are observations, not diagnoses.
- Content protected with your browser-generated personal key may be re-protected at rest after processing, where applicable.
- Periodic syntheses are generated automatically to provide longitudinal insights.
- You have the right under GDPR Article 22 to not be subject to decisions based solely on automated processing.
9. International Data Transfers
Your data may be transferred to and processed in countries outside the EEA. When this occurs, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions by the European Commission
- Other legally approved transfer mechanisms
10. Third-Party Services
We may share limited data with the following categories of third parties:
We do not sell, rent, or share your personal data with advertisers or data brokers.
- AI Processing: Relevant diary entries, chat messages, goals, profile preferences, and other context needed for a feature may be processed through AI language models to generate responses, analyses, and syntheses.
- Cloud Infrastructure: Data is stored on secure cloud servers with encryption at rest.
- Email Services: Your email address is shared for transactional emails only.
11. Cookies and Local Storage
We use essential cookies and local storage necessary for the Service to function. If you accept the cookie notice, we also use Google Analytics for aggregate traffic measurement.
We do not use advertising cookies, ad-tech pixels, or marketing trackers. Analytics is used only for aggregate product measurement.
- Authentication cookies: HTTP-only secure cookies containing session tokens
- Local storage: UI preferences and theme settings
- Analytics measurement (optional): Google Analytics may store analytics identifiers after consent so we can understand aggregate site traffic and page usage
12. Children's Privacy
The Service is not intended for users under 18 years of age. We do not knowingly collect personal data from minors. If we discover that a minor has provided us with personal data, we will delete it immediately.
13. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (GDPR Article 33). If the breach poses a high risk to you personally, we will also notify you directly (Art. 34).
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through the Service. Continued use of the Service after changes constitutes acceptance.
15. Supervisory Authority
If you believe we have violated your data protection rights, you have the right to lodge a complaint with a supervisory authority in your country of residence.
16. Contact Us
For privacy-related questions or to exercise your rights:
Email: info@underneathapp.com