Draft. This document is a working draft and has not yet had professional legal review. It will be finalised before public launch.

Mum — Privacy Policy

DRAFT for legal review — not legal advice. Replace every [[placeholder]] and have a qualified lawyer adapt this to each launch region's privacy law (e.g. GDPR / UK GDPR / Australian Privacy Act / applicable US state laws).

Effective date: [[EFFECTIVE DATE]] Who is responsible (controller): [[LEGAL ENTITY]] Contact / privacy requests: [[CONTACT EMAIL]]

This policy explains what information Mum handles, where it lives, and your choices. Mum is built to collect as little as possible and to keep your information on your own device.

1. The short version

Your check-ins, notes, journal entries, pathway progress, and conversation history are stored only on your own device (in your browser's local storage). We do not keep our own copy.
When you use the AI chat, the recent conversation and limited personalisation are sent through our backend to our AI provider, Anthropic, only to generate Mum's reply. Our backend does not store your conversations.
We do not sell your data, ever.
You can export or delete everything from Settings at any time.
Mum is for adults (18+).

2. What information Mum handles, and where it stays

Stored on your device only (we never receive it): - Profile you set up: a name or nickname, your region (used to show the right crisis resources), the themes/goals you pick, and your tone preference. - Your daily check-ins (mood, energy, an optional note). - Your pathway progress and any journal reflections you write. - Your habits and their daily history, and any evening "one good thing" notes. - Your conversation history with Mum.

If you clear your browser data, uninstall, or use "delete everything", this information is gone — we have no separate copy to restore.

3. What leaves your device, and why

When you send a message in the AI chat, the following is transmitted through our backend proxy to Anthropic solely to generate Mum's reply: - the recent messages in that conversation; - your first name and tone preference (for personalisation), if set; and - a short, length-capped "memory" summary that is assembled on your device from data already stored there (your themes/goals and recent check-in notes/reflections), so replies have continuity.

Notes on this: - Our backend proxy does not store your messages or this summary; it forwards the request, adds Mum's instructions and the secret AI key, returns the reply, and keeps only minimal, non-content operational logs (see §5). - Anthropic processes the request under its own terms to produce the reply. (Lawyer to confirm: Anthropic's data-handling/retention terms, whether a Data Processing Agreement is required, and how to disclose any provider-side retention.) - If you only use offline features (check-ins, pathways, journaling, the "steady minute" tool) without the AI chat, no message content leaves your device for those actions.

4. Crisis-screening

To help keep you safe, text you enter (chat messages, and check-in/journal notes) is automatically screened for language that may indicate crisis or risk, so Mum can show human help resources. This screening has two layers: a keyword check that runs on your device, and — for chat — a server-side model-based check via our AI provider. Screening is a limited safeguard, not a clinical assessment, and is not monitored by a human in real time. (Lawyer to confirm how to characterise this processing and whether it is "special category"/sensitive data under the applicable regime, and the lawful basis.)

5. Our backend proxy logs

Our backend (a serverless function) may keep minimal operational logs needed to run the Service securely — for example, timestamps, coarse request metadata, rate-limit counters keyed to an IP address, and error diagnostics. These are used to prevent abuse and fix problems, not to profile you, and we aim to exclude message content from logs. (Lawyer to confirm retention period and lawful basis; engineering note: keep content out of logs.)

5b. Payments and Premium (only if you subscribe)

If — and only if — you buy Mum Premium, a payment is handled by our payment provider Stripe, who receives your billing details (e.g. email and card data); we never see or store your card details. To know that your subscription is active, we keep a minimal entitlement record on our backend: a Premium licence code, the email associated with the purchase, and the subscription's status and renewal date. This record is never linked to, and never contains, your on-device content — your check-ins, notes, journal entries, and conversations stay on your device and are not connected to your payment in any way. If you never subscribe, we hold no such record. (Lawyer to confirm provider terms, lawful basis, retention, and the data-processing relationship.)

6. What we do NOT do

We do not sell or rent your personal information.
We do not show third-party advertising in Mum.
We do not use your conversations to build advertising profiles.

7. Your choices and rights

Access / export: export your data from Settings at any time.
Delete: delete everything from Settings at any time.
Region rights: depending on where you live, you may have additional rights (access, correction, erasure, objection, portability, complaint to a regulator). To exercise them, contact [[CONTACT EMAIL]]. (Lawyer to insert the specific rights and response timelines for each launch region, and the relevant supervisory authority.)

8. Children

Mum is for adults 18 and over. We do not knowingly collect information from anyone under 18. If you believe someone under 18 has used Mum, contact [[CONTACT EMAIL]].

9. Security

The AI key is held only as an encrypted server-side secret, never in your browser or in the app's files. Access to the backend requires an app access code and is rate-limited. No system is perfectly secure; you are responsible for securing your own device, where your data lives. (Lawyer/engineering: before public launch, add per-user accounts and durable rate limiting; define encryption and retention for any future server-stored data.)

10. International transfers

Generating an AI reply may involve processing by Anthropic in another country. (Lawyer to insert the appropriate transfer mechanism and disclosures for each launch region.)

11. Changes to this policy

We may update this policy. If changes are material, we will take reasonable steps to notify you (for example, in-app). The "effective date" shows the current version.

12. Contact

Privacy questions or requests: [[CONTACT EMAIL]].

DRAFT — prepared to assist a qualified lawyer's review. Not legal advice; must be adapted to the privacy law of each launch region before use.