Privacy Policy
This policy describes what data we collect when you use the «Willow Labs» app (the «Service»), how we process and store it, and what rights you have. We comply with GDPR (EU), UK GDPR, CCPA (California), PIPEDA (Canada), LGPD (Brazil) and 152-FZ (Russia).
1. Who we are
Data controller: Willow Labs, Nicaragua 6045, L901, Palermo Hollywood, Buenos Aires, Argentina. EU representative and DPO: dpo@willowlabs.app. For privacy questions — privacy@willowlabs.app.
2. What data we collect
Account (email/Apple/Google ID, nickname, age, country), conversation content (texts, voice if enabled, screening results, AI memory), technical info (device model, OS version, IP for ≤30 days, crash logs without content), subscription status from Apple/Google. We don't receive card numbers.
3. Legal bases (GDPR Art. 6, 9)
Contract — to provide the Service. Consent — to process health data. Legitimate interest — security, fraud prevention, quality improvement. Legal obligation — court-ordered disclosure.
4. Retention
Conversation content — by default 12 months, you can shorten to 7 days or enable «forget immediately». Account — while active; after deletion — fully erased within 30 days. Anonymised metrics — no expiry (no link to identity).
5. Who we share data with
Cloud providers (Supabase EU) — under DPA. Language model providers — via proxy, no personal identifiers. Payment platforms (Apple, Google) — for subscription confirmation. We don't share with — advertising networks, data brokers, for targeting.
5a. Data sharing with live therapists (coming to Premium)
Connection to a live therapist through the app is currently in development. Once the feature launches in the Premium tier, and you give explicit consent via the «Share AI summary» toggle in booking settings, the therapist will receive before each session a single paragraph of patterns, themes and progress — auto-generated by AI from your history. The therapist will not see the content of your AI conversations. Consent is revoked in one click. Without your consent — we share nothing.
6. International transfers
When transferring data outside EEA we use Standard Contractual Clauses (SCC) of the European Commission and/or Adequacy Decisions of recipient countries.
7. Security
Encryption at-rest: AES-256. In-transit: TLS 1.3. 2FA for the team, least-privilege access. Annual penetration test, bug-bounty program.
8. Your rights
Depending on jurisdiction, you have rights to: access copies of your data, correct inaccuracies, deletion, restriction of processing, objection, withdraw consent, not be subject to automated decisions, file a complaint with a supervisory authority. All available in settings or by request to privacy@willowlabs.app. Response within 30 days.
9. Children and teens
The Service is strictly 18+. We are not intended for anyone under 18, with no parental-consent exception.
10. Crisis situations
Willow Labs is not an emergency service. In life-threatening situations call emergency numbers: 112 (EU), 911 (US/CA), 8-800-2000-122 (RU). If AI detects crisis signals, we offer hotlines and help connect with loved ones.
11. Cookies and tracking
In mobile apps — only the platform-provided device identifier for crash analytics. On the website: an essential cookie remembers your language and consent choice. After you click «Accept» in the cookie banner, we additionally load Google Analytics 4 (anonymized visit counter), Microsoft Clarity (heatmaps and session-replay) and AdRoll (retargeting on third-party sites you already visit). Decline at any time and these scripts are not loaded. Conversation content with the AI is never sent to any of these tools.
12. Policy changes
We notify of material changes 30 days in advance via email and in-app. Last update date — at the top of this document.