Willow LabsPrivacy Policy
This policy describes what data we collect when you use the «Willow Labs» app (the «Service»), how we process and store it, and what rights you have. We comply with GDPR (EU), UK GDPR, CCPA (California), PIPEDA (Canada), LGPD (Brazil) and 152-FZ (Russia).
1. Who we are
Data controller: Willow Labs Inc., 2261 Market Street #4729, San Francisco, CA 94114, USA. EU representative and DPO: dpo@willowlabs.app. For privacy questions — privacy@willowlabs.app.
2. What data we collect
Account (email/Apple/Google ID, nickname, age, country), conversation content (texts, voice if enabled, screening results, AI memory), technical info (device model, OS version, IP for ≤30 days, crash logs without content), subscription status from Apple/Google. We don't receive card numbers.
3. Legal bases (GDPR Art. 6, 9)
Contract — to provide the Service. Consent — to process health data. Legitimate interest — security, fraud prevention, quality improvement. Legal obligation — court-ordered disclosure.
4. Retention
Conversation content — by default 12 months, you can shorten to 7 days or enable «forget immediately». Account — while active; after deletion — fully erased within 30 days. Anonymised metrics — no expiry (no link to identity).
5. Who we share data with
Cloud providers (Supabase EU) — under DPA. Language model providers — via proxy, no personal identifiers. Payment platforms (Apple, Google) — for subscription confirmation. We don't share with — advertising networks, data brokers, for targeting.
5a. Data sharing with live therapists (coming to Premium)
Connection to a live therapist through the app is currently in development. Once the feature launches in the Premium tier, and you give explicit consent via the «Share AI summary» toggle in booking settings, the therapist will receive before each session a single paragraph of patterns, themes and progress — auto-generated by AI from your history. The therapist will not see the content of your AI conversations. Consent is revoked in one click. Without your consent — we share nothing.
6. International transfers
When transferring data outside EEA we use Standard Contractual Clauses (SCC) of the European Commission and/or Adequacy Decisions of recipient countries.
7. Security
Encryption at-rest: AES-256. In-transit: TLS 1.3. 2FA for the team, least-privilege access. Annual penetration test, bug-bounty program.
8. Your rights
Depending on jurisdiction, you have rights to: access copies of your data, correct inaccuracies, deletion, restriction of processing, objection, withdraw consent, not be subject to automated decisions, file a complaint with a supervisory authority. All available in settings or by request to privacy@willowlabs.app. Response within 30 days.
9. Children and teens
The Service is not intended for those under 16. For 16-18 users in jurisdictions that require it, parental consent is needed.
10. Crisis situations
Willow Labs is not an emergency service. In life-threatening situations call emergency numbers: 112 (EU), 911 (US/CA), 8-800-2000-122 (RU). If AI detects crisis signals, we offer hotlines and help connect with loved ones.
11. Cookies and tracking
In mobile apps — only the platform-provided device identifier for crash analytics. The website uses one technical cookie to remember language. No advertising or marketing trackers.
12. Policy changes
We notify of material changes 30 days in advance via email and in-app. Last update date — at the top of this document.