Lucidity

Privacy Policy

Last updated: 2026-04-19.

DRAFT, pending counsel review. This Privacy Policy describes intended practices and is not yet effective. Do not rely on it for legal decisions.

1. Introduction

This Privacy Policy explains what personal data Lucidity, Inc. (“Lucidity,” “we,” “us”) collects when you use the Lucidity mobile app, website (lucidity.today), or Academy program, how we use that data, who we share it with, and what rights you have. It is written in plain English wherever possible. Where a term has a specific legal meaning under the EU / UK General Data Protection Regulation (“GDPR”) or the California Consumer Privacy Act as amended by the CPRA (“CCPA”), we have preserved that meaning intentionally.

This Policy is incorporated by reference into our Terms of Service.

Controller: Lucidity, Inc., [registered address TBD]. Data Protection Officer: dpo@lucidity.today.

2. Data We Collect

We collect data in six categories:

2.1 Account data: your email address, hashed password, display name, account-tier status, and the date you created your account. For Academy enrollees we also collect your legal name, billing address, and any admissions-form answers.

2.2 Content you create: your journal entries, reflection responses, decision-journal entries, notes, tags, goals, and any file attachments. This is the most sensitive category of data in the product, and we treat it accordingly (see §9 Security).

2.3 Usage data: events like “opened Morning Intent,” “completed lesson X,” session duration, feature flags, and device-level diagnostics. This is collected through our self-hosted PostHog analytics (see §12 Cookies and Analytics).

2.4 Device data: device model, operating-system version, app version, language and timezone, crash telemetry, and an anonymous device identifier.

2.5 Assessment responses: answers to baseline and recurring psychological instruments (calibration task, Mindful Attention Awareness Scale, emotion-granularity task, PHQ-9, GAD-7, C-SSRS, and VIA Character Strengths when licensed).

2.6 AI Coach conversations: the text of conversations you have with the AI Coach, the model's responses, and metadata about those turns (timestamps, model version, token counts).

What we do NOT collect. We do not collect payment card numbers (Stripe does); we do not collect contact lists, photo libraries, or location data; we do not use Meta, Google, TikTok, or any other ad-network pixels anywhere on the website or in the app.

3. How We Use Data

We use the data we collect to:

  • provide, maintain, and improve the Services;
  • sync your content across your devices;
  • generate your weekly synthesis, pattern letters, and personalized reminders;
  • route the relevant text to Anthropic’s Claude model running inside AWS Bedrock when you invoke the AI Coach, under the data-handling arrangement described in §10;
  • monitor for safety events (including crisis-language detection) and route to our on-call clinician when required;
  • process payments through Stripe;
  • send transactional email (account confirmation, payment receipts, program reminders) through Resend;
  • diagnose crashes and performance issues via Sentry;
  • produce aggregate, de-identified statistics about Service usage (for example, “X% of users who finish Foundations improve calibration”);
  • enforce our Terms and protect the Services from abuse; and
  • comply with legal obligations.

We do not sell personal data. We do not share personal data with advertising networks. We do not use your data to train third-party AI models.

For users in the EU / UK / EEA we rely on the following legal bases:

Use | Article 6 basis
--- | ---
Provide the Services you asked for (account, sync, AI Coach, billing) | 6(1)(b) performance of a contract
Safety monitoring (crisis detection), fraud prevention, security | 6(1)(f) legitimate interests, plus 6(1)(d) vital interests for acute crisis response
Aggregate / de-identified analytics to improve the Services | 6(1)(f) legitimate interests
Transactional email and service-critical notifications | 6(1)(b) performance of a contract
Marketing email (newsletter) | 6(1)(a) consent; you opt in and can withdraw at any time
Compliance with legal obligations (tax, accounting, law enforcement requests) | 6(1)(c) legal obligation

Assessment responses that constitute special-category data under Article 9 (for example, PHQ-9 answers that reveal mental-health information) are processed on the basis of your explicit consent (Article 9(2)(a)), which we collect before the instrument is presented and which you may withdraw at any time.

5. Sharing and Subprocessors

We share personal data only with service providers (“subprocessors”) that help us operate the Services, and only to the extent necessary for them to do so. All subprocessors are bound by a Data Processing Agreement requiring them to process data only on our instructions, maintain appropriate security, and honor deletion requests.

A public list is maintained at /subprocessors and includes: Anthropic (AI), Stripe (payments), Fly.io (hosting), Vercel (website), Resend (transactional email), Sentry (crash reporting), PostHog (self-hosted analytics), VIA Institute (character strengths licensing), and Typeform (assessments + application forms).

The /subprocessors page lists each vendor's purpose, region, DPA status, and, for Anthropic, the status of our Zero Data Retention addendum.

We may also disclose personal data when required by law (subpoena, court order, valid legal process) or to protect the rights, property, or safety of our users or others. We publish a transparency report annually summarizing the number and type of such requests.

6. International Transfers

Some of our subprocessors (including Anthropic, Stripe, Fly.io, Vercel, Sentry, Resend, and Typeform) are located in or process data in the United States. When we transfer personal data out of the EU / UK / EEA we rely on the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or an equivalent lawful mechanism. Copies are available on request at dpo@lucidity.today.

7. Data Retention

We keep personal data only as long as we need it:

Category | Default retention
--- | ---
Account data | Life of the account + 90 days after closure (for billing and dispute windows)
Content you create (journals, reflections, decisions) | Life of the account; deleted within 30 days of account closure, plus up to 35 days in backups
Usage data (PostHog) | 12 months, then aggregated / anonymized
Device data + crash telemetry (Sentry) | 90 days
Assessment responses | Life of the account; deleted with account
AI Coach conversations | Life of the account on our servers; AWS Bedrock does not log invocations by default and Anthropic does not receive the prompts on this path (see §10)
Billing records (Stripe) | 7 years, required by tax law
Security / abuse logs | 12 months

Backups are encrypted; deletion requests propagate to backups on the normal backup-rotation cycle (within 35 days).

8. Your Rights

GDPR (Articles 15 – 22)

If you are in the EU / UK / EEA you have the right to:

  • Access (Art. 15): ask what data we hold about you and receive a copy;
  • Rectification (Art. 16): correct inaccurate or incomplete data;
  • Erasure (Art. 17): ask us to delete your data (“right to be forgotten”);
  • Restriction (Art. 18): ask us to pause processing while a dispute is resolved;
  • Portability (Art. 20): receive your data in a structured, machine-readable format;
  • Object (Art. 21): object to processing based on legitimate interests;
  • Automated decisions (Art. 22): not be subject to solely automated decisions with legal or similar significant effect (we do not make such decisions about you);
  • Withdraw consent at any time, without affecting the lawfulness of prior processing; and
  • Lodge a complaint with your local data-protection authority.

CCPA / CPRA (California)

California residents have parallel rights to:

  • know what personal information we collect, use, disclose, and (in principle) sell;
  • request deletion;
  • request correction;
  • request the specific pieces of personal information collected;
  • opt out of the sale or “sharing” of personal information (we do not sell or share for cross-context behavioral advertising, so there is nothing to opt out of, but the toggle exists);
  • limit the use of sensitive personal information; and
  • not be discriminated against for exercising these rights.

How to exercise your rights

Submit a request through the intake form at Data Subject Request or email privacy@lucidity.today. We will acknowledge within 10 days and respond within 30 days (extendable by up to 60 days for complex requests, with notice). We verify your identity before acting by (i) confirming control of the account email, and (ii) re-authenticating you if you are logged in.

The /dsr flow handles access, export, erasure, rectification, and portability. Erasure fans out to our Postgres databases, Anthropic conversation logs, Sentry, PostHog, Stripe customer data (where legally permitted), and backups on the normal rotation.

9. Security

We treat your content, especially journals and AI Coach conversations, as sensitive data and protect it accordingly. Our current posture is summarized at /security. In particular:

Your journal is encrypted on your device and stored encrypted on our servers. When you use the AI coach, the relevant text is decrypted on your device and sent to Anthropic’s Claude model running inside AWS Bedrock. AWS processes the prompt under its standard data handling terms and does not log invocations by default; Anthropic does not receive the prompts on this path.

This is not end-to-end encryption: when you invoke the AI Coach, plaintext leaves your device under TLS to AWS Bedrock, where Anthropic’s Claude model runs as a hosted service. AWS acts as our AI processing provider; Anthropic does not directly receive the prompts. The data flow is diagrammed in §15 below.

Additional controls include TLS 1.2+ in transit, encrypted Postgres storage at rest, role-based access on a least-privilege basis, hardware-backed secret storage on devices (iOS Keychain / Android Keystore), comprehensive audit logging, and a 72-hour incident-response clock (see /security).

SOC 2 attestation is in progress. We are targeting a Type I report in Q2 of our commercial operation and a Type II report approximately month 14, following a 6–12 month observation window. We will not claim Type II status until a Type II report is actually in hand.

10. AI Processing via AWS Bedrock

When you invoke the AI Coach, the Pattern Letter generator, the Red Team, or any other AI feature, the relevant text is decrypted on your device and sent over TLS to Anthropic’s Claude model running inside AWS Bedrock, our AI processing subprocessor, which hosts Claude Sonnet 4.6 as a managed service.

Under this routing:

  • AWS is our data processor, governed by the AWS Data Processing Addendum and AWS’s Service Terms for Bedrock;
  • AWS does not log invocations by default. Lucidity does not opt into Bedrock’s Model Invocation Logging;
  • Anthropic does not receive the prompts on this path. Anthropic Claude models run as a hosted service inside Bedrock;
  • the content is not used to train any model, per AWS Bedrock’s Service Terms and Anthropic’s own commitment for models served via Bedrock.

Our AWS account is provisioned and the AWS DPA is accepted; Bedrock model access for Claude Sonnet 4.6 and Claude Haiku 4.5 is configured. AI Coach features are gated off paid tiers until the Plan B mobile app ships the production integration. Architecture details are published on /subprocessors.

Lucidity retains the conversation history on our own encrypted servers so that you can see, search, and export it, and so that the AI Coach can reference recent context. You can delete any conversation at any time from the app.

11. Age and Children

The Services are intended for users aged 16 and older. We ask you to affirm your age at signup with a self-declaration checkbox. We do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us information, contact us at privacy@lucidity.today and we will delete it.

Users between 13 and 16 in jurisdictions where parental consent is required under GDPR Article 8 are not eligible for accounts at this time.

12. Cookies and Analytics

The Lucidity website uses a minimal set of cookies and a self-hosted PostHog instance for product analytics. We do not use Google Analytics, Meta Pixel, TikTok Pixel, or any other third-party ad or analytics tracker. PostHog is configured with IP anonymization and does not set cross-site cookies.

You can opt out of non-essential analytics from our cookie banner. Doing so does not affect your use of the Services.

13. Changes to this Policy

We may update this Policy from time to time. If we make a material change, we will notify you at least 30 days before it takes effect, either by email or by an in-app notice. The current version and its effective date are always at the top of this page.

14. Contact

For any question or complaint about this Policy or our data practices, contact:

You also have the right to lodge a complaint with your local supervisory authority. A list is maintained by the European Data Protection Board at edpb.europa.eu.

15. Data-Flow Diagram

This section describes exactly where your journal content exists in plaintext, where it is encrypted, and what happens when you use the AI Coach. It is a companion to the Security section above and our /security page. It is intended to be honest, not reassuring: if it isn't encrypted at a given step, we say so.

Our encryption posture, stated plainly:

Your journal is encrypted on your device and stored encrypted on our servers. When you use the AI coach, the relevant text is decrypted on your device and sent to Anthropic’s Claude model running inside AWS Bedrock. AWS processes the prompt under its standard data handling terms and does not log invocations by default; Anthropic does not receive the prompts on this path.

This is not end-to-end encryption. When you invoke the AI Coach, plaintext leaves your device under TLS to AWS Bedrock, where Anthropic’s Claude model runs as a hosted service. The diagram below shows exactly where.

Where plaintext exists: summary

Step | Location | Plaintext? | Persisted?
--- | --- | --- | ---
1 | Your device (UI memory) | Yes | No; cleared when app closes
2–6 | Lucidity API + Postgres + backups | No | Ciphertext only
A–C | Your device (AI Coach prompt assembly) | Yes | No
D–F | Lucidity API (forwarding to AWS Bedrock) | Yes, transiently in RAM | Not persisted
G | AWS Bedrock (Anthropic Claude, hosted) | Yes, transiently | Not logged by default; Anthropic does not receive the prompts on this path
H | Lucidity API (storing conversation history) | Yes in RAM, then re-encrypted | Ciphertext at rest
J–K | Your device | Yes | Encrypted at rest

Why we don't claim end-to-end encryption

True end-to-end encryption would require the AI model to run entirely on your device, so the prompt never leaves in plaintext. We don't ship that today. Our on-device option (a distilled model in “private-only” mode) is a research roadmap item, not a shipping product.

Rather than misstate what we do, we document the model precisely, including the places where plaintext exists, and we put contractual and technical controls (AWS Bedrock with Bedrock Model Invocation Logging disabled, no training on prompts, short-lived in-RAM handling) around those places.
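The following is an added illustration, not Lucidity's code: a small Python model of the data flow in the table above (journal sealed on the device, ciphertext only at the API, plaintext transiently in API RAM while forwarding to the hosted model, conversation history re-encrypted server-side). The class names, the stand-in Bedrock endpoint with logging off, and the stdlib-only encrypt-then-MAC cipher are all assumptions made for the example; a real client would use an AEAD such as AES-GCM from a vetted library. It demonstrates the boundary the policy describes: the server cannot read the journal, but the AI path is not end-to-end encrypted.

```python
"""Hypothetical model of the journal / AI Coach data flow (not Lucidity's code)."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; stand-in for a real cipher, stdlib only.
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce (stand-in for AES-GCM)."""
    enc_key = hashlib.sha256(b"enc|" + key).digest()
    mac_key = hashlib.sha256(b"mac|" + key).digest()
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything tampered or wrong-keyed."""
    enc_key = hashlib.sha256(b"enc|" + key).digest()
    mac_key = hashlib.sha256(b"mac|" + key).digest()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext rejected: authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class BedrockStub:
    """Hosted model endpoint (step G). Model Invocation Logging is off: nothing is kept."""
    def __init__(self):
        self.invocation_log = []  # stays empty; logging is not opted into

    def invoke(self, prompt: str) -> str:
        return f"[coach reply to {len(prompt)} chars]"  # plaintext handled in RAM only


class LucidityAPI:
    """Server side: holds client ciphertext, forwards prompts in RAM, re-encrypts history."""
    def __init__(self, bedrock: BedrockStub):
        self.bedrock = bedrock
        self.server_key = secrets.token_bytes(32)  # server-side at-rest key (step H)
        self.journal_store = {}                    # entry_id -> client ciphertext (steps 2-6)
        self.history_store = []                    # conversation turns, server-sealed (step H)
        self.plaintext_seen_in_ram = False

    def store_entry(self, entry_id: str, blob: bytes) -> None:
        self.journal_store[entry_id] = blob  # opaque: the server never holds the device key

    def fetch_entry(self, entry_id: str) -> bytes:
        return self.journal_store[entry_id]

    def coach(self, prompt: str) -> str:
        self.plaintext_seen_in_ram = True                         # steps D-F: transient plaintext
        reply = self.bedrock.invoke(prompt)                       # step G
        turn = f"user: {prompt}\ncoach: {reply}".encode()
        self.history_store.append(seal(self.server_key, turn))   # step H: ciphertext at rest
        return reply

    def export_history(self) -> list:
        return [unseal(self.server_key, t).decode() for t in self.history_store]


class Device:
    """Client side: the journal key lives in Keychain/Keystore and is never uploaded."""
    def __init__(self, api: LucidityAPI):
        self.api = api
        self.key = secrets.token_bytes(32)

    def write_entry(self, entry_id: str, text: str) -> None:
        self.api.store_entry(entry_id, seal(self.key, text.encode()))  # steps 2-6

    def ask_coach(self, entry_id: str, question: str) -> str:
        context = unseal(self.key, self.api.fetch_entry(entry_id)).decode()  # steps A-C
        return self.api.coach(f"{question}\n\n{context}")


def _can_decrypt(key: bytes, blob: bytes) -> bool:
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False


def run_flow() -> dict:
    """Run one journal write and one coach turn; report who could read plaintext."""
    bedrock = BedrockStub()
    api = LucidityAPI(bedrock)
    device = Device(api)
    device.write_entry("e1", "Slept badly; anxious about the review.")  # constructed sample entry
    reply = device.ask_coach("e1", "What pattern do you see?")
    blob = api.fetch_entry("e1")
    return {
        "server_store_is_ciphertext": b"anxious" not in blob,
        "server_can_decrypt_journal": _can_decrypt(api.server_key, blob),
        "api_held_plaintext_in_ram": api.plaintext_seen_in_ram,
        "bedrock_log_entries": len(bedrock.invocation_log),
        "history_at_rest_is_ciphertext": all(b"anxious" not in t for t in api.history_store),
        "history_exportable": "anxious" in api.export_history()[0],
        "reply": reply,
    }
```

The two keys are the point: the journal is sealed under a device key the API never sees, so `server_can_decrypt_journal` is false, while the conversation history is sealed under a server key so that it can be searched and exported (and so it is not end-to-end encrypted). `bedrock_log_entries` stays at zero only because the stub never records prompts; in a real deployment that property depends on Model Invocation Logging remaining disabled.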