AI meditation requires sharing personal information. You tell it how you’re feeling, what you’re worried about, what you want to work on.
Naturally, you might wonder: what happens to all that data?
This is a fair and important question. Let me explain exactly how privacy works with AI meditation at InTheMoment.
What data is collected
When you use InTheMoment, several types of data are collected:
Account information
Email address — Required for login and account-related communications.
Password — Stored only in hashed form (we never see your actual password).
Profile details — Optional information you choose to add, like display name or preferences.
Check-in content
Your check-in conversations — What you share before each session. This might include:
- How you’re feeling
- What’s on your mind
- What you’d like to work on
- Details about your day or situation
This is the most sensitive data, and it’s essential for personalisation.
Session data
Generated meditation/hypnosis content — The sessions created for you.
Session ratings and feedback — How you rate sessions and what you share about what worked.
Automatically collected data
Device and browser information — To ensure the app works properly.
Usage data — Which features you use, page visits, timestamps.
How the data is used
Here’s what happens with your information:
Personalisation (the main purpose)
Your check-in content is used to generate personalised sessions. When you say “I’m anxious about tomorrow’s interview,” that context goes to the AI to create relevant content.
This is the core value exchange: you share context, and you receive personalised guidance.
Improving the service
Aggregated, anonymised data helps improve the overall service — understanding which features are used, where people struggle, what works.
However, we don’t use your personal content to train AI models. Your check-ins aren’t being used to improve AI systems.
Account operations
Email is used for necessary communications — password resets, account notifications, service updates.
Who has access to your data
InTheMoment (the data controller)
We’re the primary custodian of your data. We’re a UK company subject to UK GDPR.
AI providers (for content generation)
To generate your personalised sessions, your check-in content is sent to AI inference providers (currently DeepInfra, Google Cloud, and Groq).
These providers are configured with no-logs policies where possible. Your data is processed to generate the response and not retained for their model training.
Hosting providers
Data is stored using Supabase (UK region) and hosted via Vercel (UK/EU where available) and Oracle Cloud Infrastructure.
Analytics (privacy-friendly)
We use Plausible Analytics — a privacy-friendly, cookieless analytics tool. It provides aggregated statistics without tracking individuals.
Who does NOT have access
- Advertisers. We don’t sell your data.
- Third parties for marketing. We don’t share data for others’ marketing.
- Anyone without legitimate need. Access is role-limited.
Data security
Your data is protected through multiple layers:
Encryption in transit. All connections use HTTPS. Your data is encrypted while traveling to our servers.
Encryption at rest. Data is encrypted while stored.
Row-level security. Database security ensures your data is isolated from other users.
Access controls. Role-based access limits who can see what.
Monitoring. We actively monitor for security issues.
No system is perfect. If a breach occurs that affects you, we’ll notify you as required by law (within 72 hours).
Sensitive health data
Some check-in content may include health or mental wellbeing information — you might mention anxiety, depression, sleep problems, or other sensitive topics.
Under UK GDPR, this is “special category data” with extra protections.
We only process this data with your explicit consent. When you sign up and agree to personalisation, you’re consenting to this processing.
You can withdraw consent at any time through Settings or by contacting us. We’ll stop processing this data and delete it unless legally required to retain it.
What you control
You have significant control over your data:
Delete your account
You can delete your account from your profile settings. This removes your data from active systems (typically within 30 days). Some data may persist in encrypted backups until those cycle out.
Withdraw consent
You can withdraw consent for sensitive data processing at any time.
Access your data
You can request a copy of your data.
Correct your data
You can correct inaccurate information.
Data portability
You can request your data in a machine-readable format.
These are your rights under UK GDPR. Exercise them by contacting [email protected].
How long data is kept
Account and profile: Kept while your account is active.
Check-ins and sessions: Kept while your account is active so you can review past sessions.
System logs: Typically up to 180 days.
Support communications: Up to 24 months after resolution.
When you delete your account, data is removed from active systems. Backups cycle out on their normal schedule.
International transfers
We aim to keep data in UK/EU regions. However, some providers (like AI inference) may process data in the US.
When international transfers occur, we use appropriate safeguards (Standard Contractual Clauses) to protect your data.
What about AI training?
This is a common concern: is your data being used to train AI?
Our position: We don’t use your content to train models. We configure our providers to opt out of using API data for training where possible.
The AI providers (DeepInfra, Google Cloud, Groq) have their own policies. We select providers with privacy-respecting policies and configure them accordingly.
We’re not building AI from your data. We’re using AI to serve you.
The privacy trade-off
Let me be honest about the inherent trade-off:
More personalisation requires more data. The more you share, the more relevant your sessions. If you want the AI to address your specific interview anxiety, you need to tell it about your interview anxiety.
Less sharing means less personalisation. You can use generic check-ins (“feeling stressed”). You’ll get helpful but generic content.
You choose your comfort level. The system works across that spectrum.
Our philosophy
We believe:
- Data minimisation. We collect what’s needed for the service, not more.
- Purpose limitation. We use data for what we said we’d use it for.
- User control. You can delete, access, and control your data.
- Transparency. We explain what we do in plain language.
We’re not a free app supported by data exploitation. We’re a service that works for you, funded by those who choose to pay.
Questions we get
“Can I use the app without sharing much?”
Yes. You can use minimal check-ins. Sessions will be less personalised but still helpful.
“Who at InTheMoment can see my check-ins?”
Access is limited to those who need it for service operation and support. We don’t casually browse user data.
“What if I shared something I regret?”
You can delete your account, which removes your data. For specific deletion requests, contact us.
“How do I trust this?”
We’re a UK company, subject to UK GDPR, with enforceable legal obligations. We’ve detailed our practices in our Privacy Policy. Trust is built through consistent behaviour — we aim to earn it.
The bottom line
AI meditation requires sharing some personal information. There’s no way around this if you want personalised content.
At InTheMoment:
- We collect what’s needed for the service
- We protect it with appropriate security
- We don’t sell it or use it for advertising
- We don’t train AI on your data
- You control deletion and access
- We’re transparent about our practices
Your mental health data is sensitive. We treat it with appropriate care.
Read our full Privacy Policy at inthemoment.app/privacy-policy for complete details. Questions? Email [email protected].
Ready to experience personalised meditation with privacy protection? Get started with two free sessions per day — your data, your control.