Privacy Policy

Effective date: 29 September 2025

Who we are: Arintelli (a UK company) ("we", "us", "our")

Email: [email protected]

We built InTheMoment to help you check in with yourself and get personalised meditation guidance. This policy explains what we collect, why we collect it, who we share it with, how long we keep it, and the choices you have.

We're a data controller under the UK GDPR and the Data Protection Act 2018. If you live in the EEA, the EU GDPR may also apply.

Short version (human-readable)

  • The app is 13+.
  • Your check-ins are private and used to personalise your meditations.
  • If you share wellbeing/health info, we'll ask for explicit consent.
  • We host in the UK where possible (Vercel/Supabase), and use DeepInfra, Google Cloud and Groq to generate content. Transfers are safeguarded.
  • Plausible provides cookieless analytics; no ad tracking.
  • You can delete your account any time; we'll remove your data from active systems.
  • You have full GDPR rights and can contact us at [email protected].

1) Who can use the service

Our service is for people aged 13 and over. We do not knowingly collect personal data from children under 13. If you believe a child has provided us data, contact us and we'll delete it.

2) What data we collect

Data you provide

Account & profile: email, display name, password (hashed), optional profile details you add (e.g., age band, preferences).

Check-ins & sessions: free-text "check-in" conversations (what you did, how you feel, wellbeing notes) and AI-generated meditation scripts and summaries.

Feedback & support: ratings, comments, or messages you send to us.

Special category (sensitive) data. Your check-ins may include information about wellbeing or mental health. We only process this with your explicit consent (see Section 5).

Data collected automatically

Device & usage: IP address, device and browser type, app/version, pages and features used, timestamps.

Authentication: if you sign in with OAuth (e.g., Google or Apple), we receive your basic profile info (typically name and email) from that provider.

Analytics (privacy-friendly)

We use Plausible Analytics in cookieless mode. It does not set cookies or use persistent identifiers. We see aggregated stats (e.g., page views), not personal profiles.

3) Why we use your data (legal bases)

Purpose | Examples | Legal basis
Provide the service | Sign in, run check-ins, generate meditation sessions, play audio | Contract (Art. 6(1)(b))
Process wellbeing data | Using your check-in content to tailor sessions | Explicit consent (Art. 9(2)(a))
Improve and secure the service | Aggregated analytics (Plausible), debugging, preventing abuse (Cloudflare), uptime monitoring | Legitimate interests (Art. 6(1)(f))
Communicate with you | Account emails, service notices, support | Contract / Legitimate interests
Legal, compliance & tax | Record-keeping, responding to lawful requests | Legal obligation (Art. 6(1)(c))

You can use the app without entering sensitive details. If you choose to include wellbeing/health information in check-ins, we'll ask you for explicit consent for that processing and you can withdraw it at any time in Settings or by contacting us.

4) How your data flows through our systems (processors)

We use trusted providers to operate the app. They act as our data processors and only process data under our instructions.

Hosting & storage

  • Vercel (app hosting) – UK/EU region where available.
  • Oracle Cloud Infrastructure (VPS) (server/API hosting).
  • Supabase (Postgres database, auth & file storage) – UK region.
  • Cloudflare (DNS/CDN/WAF). Cloudflare processes IPs for security and performance.

AI inference (to generate your sessions)

DeepInfra, Google Cloud, and Groq. Your check-in content and session context are sent to these providers to generate the meditation guidance and related outputs.

Authentication

OAuth providers (e.g., Google / Apple) if you choose social sign-in. They are separate controllers for their own services and share basic profile info with us.

Analytics

Plausible Analytics (cookieless, aggregated analytics; no cookies or persistent IDs).

We keep a current list of key processors in this policy. We may update providers as the service evolves; material changes will be reflected here.

5) Special category data & your consent

Information about health or mental wellbeing is special category data under GDPR. We will only process this data if you choose to provide it and give explicit consent (e.g., a clear toggle/checkbox).

You can withdraw consent at any time from Settings or by emailing us. We will stop processing this data and (unless we must keep it for legal reasons) delete it from our systems.

You can also choose not to include sensitive details in check-ins.

6) International transfers

We aim to host in the UK/EU (e.g., Supabase UK). Some providers (e.g., DeepInfra, Google Cloud, Groq, Vercel, Cloudflare) may process data outside the UK/EEA (e.g., in the United States).

When we transfer data internationally, we rely on appropriate safeguards, such as the European Commission/UK Standard Contractual Clauses (SCCs) and provider commitments. You can contact us for information about these safeguards.

7) How long we keep data (retention)

We keep personal data only as long as needed for the purposes above, then delete or anonymise it.

  • Account & profile: kept while your account is active.
  • Check-ins & session content: kept while your account is active so you can review past sessions.
  • Support communications: typically up to 24 months after resolution.
  • System & security logs: typically up to 180 days.
  • Backups: rotate on a schedule; data is deleted as backups expire.

You can delete your account at any time from your profile. We'll delete or anonymise your personal data from active systems within a reasonable period (typically up to 30 days). Some data may persist briefly in encrypted backups until those cycle out.

8) Security

We take appropriate technical and organisational measures to protect your data, including: encryption in transit (HTTPS), provider-level encryption at rest, access controls (role-based and least-privilege), database row-level security for user data separation, secret management, and monitoring. No security programme is perfect; we continuously improve our safeguards.

If we become aware of a personal data breach that poses a risk to you, we will notify you and (where required) the ICO within 72 hours.

9) Your rights

Under UK/EU data protection law you can:

  • Access a copy of your data.
  • Rectify inaccurate data.
  • Erase your data ("right to be forgotten").
  • Restrict or object to processing in certain cases.
  • Receive certain data in a machine-readable format (data portability).
  • Withdraw consent at any time (this won't affect past processing).
  • Lodge a complaint with the ICO (see Section 12).

To exercise your rights, contact us at [email protected]. We may need to verify your identity. We aim to respond within one month.

You can also self-serve: delete your account from your profile (this removes your data from our active systems), and manage any consent toggles in Settings.

10) Cookies & similar technologies

  • Essential: we use strictly necessary cookies/secure storage for sign-in and security. These do not require consent.
  • Analytics: we use Plausible Analytics in cookieless mode; it does not set cookies or use persistent identifiers.
  • No advertising or session-recording cookies.

If we introduce any non-essential cookies in future, we will ask for your consent before they run and will update this policy.

11) AI, profiling & automated decision-making

We use AI (via DeepInfra, Google Cloud and Groq) to generate meditation content and guidance based on your inputs.

This is personalisation, not automated decision-making producing legal or similarly significant effects under GDPR Article 22.

We do not sell your data.

We do not use your content to train our own models. We configure providers, where possible, to opt out of model training and long-term retention for our API data.

If this changes, we will update this policy and (where required) ask for your consent.

12) Contact & complaints

Data controller: Arintelli
Email: [email protected]

If you're unhappy with how we handle your data, please contact us first. You also have the right to complain to the UK Information Commissioner's Office (ICO): https://ico.org.uk or 0303 123 1113.

13) Changes to this policy

We'll update this policy when needed. If changes are material, we'll let you know (e.g., in-app notice or email). The latest version will always be available at https://inthemoment.app/privacy-policy.