Privacy Policy

Effective Date: January 19, 2025
Last Reviewed: January 19, 2025

🔒 Our Privacy Commitment

We NEVER sell your personal or health data. Your mental health information is treated with the highest level of confidentiality and security. This policy explains exactly how we collect, use, and protect your data.

1. Introduction

Mental Machina LLC ("we," "our," "us") operates Building Better ("BB," "the App," "our Services"), a behavioral intelligence platform for mental health monitoring and support.

This Privacy Policy describes:

  • What personal and health data we collect
  • How we use, store, and protect your information
  • Your rights and choices regarding your data
  • How to contact us with privacy concerns

By using Building Better, you consent to the data practices described in this Privacy Policy. If you do not agree, please do not use our Services.

Who We Are:

Mental Machina LLC
Data Controller & Processor
Email: privacy@buildingbetterai.com

2. Information We Collect

We collect different types of information to provide and improve our mental health intelligence services.

2.1 Account & Identity Information

When you create an account, we collect:

Data Type | Examples | Purpose
Email Address | user@example.com | Authentication, account recovery, service notifications
Display Name | First name (optional) | Personalization
Password | Encrypted hash only | Account security (we never store plain text passwords)
Account Preferences | Notification settings, theme | Service customization

2.2 Mental Health & Behavioral Data

⚠️ Sensitive Health Data: This information is treated with the highest level of security and confidentiality under applicable health privacy laws.

We collect the following health-related information to provide risk intelligence:

Mood & Emotional State

  • Self-reported mood scores (1-10 scale)
  • Emotional states (happy, anxious, sad, neutral, etc.)
  • Mood intensity ratings
  • Contextual notes ("I felt anxious before the meeting")
  • Timestamps of mood entries

AI Conversation Data

  • Text messages sent to our AI assistant
  • AI responses and recommendations
  • Conversation timestamps and session length
  • Topics discussed (automatically categorized)
  • Crisis keyword detection flags (for safety features)

Note: Conversations are analyzed to improve service quality and detect crisis situations. We use Anthropic's API with strict data processing agreements.

Behavioral Patterns

  • App usage frequency (opens per day/week)
  • Feature engagement (which tools you use most)
  • Session duration and time of day patterns
  • Life skills module completion rates
  • Streak data (consecutive days of use)

Crisis Indicators

  • Keywords or phrases suggesting distress (e.g., "suicidal thoughts")
  • Sudden changes in mood patterns
  • Engagement with crisis resources

Safety First: If our system detects crisis language, we immediately display 988 Suicide & Crisis Lifeline resources. This detection is automated and designed to save lives.

2.3 Technical & Device Information

We automatically collect technical data to ensure the App functions properly:

  • Device Information: Device type (iPhone 14, iPad Pro), iOS version, screen size
  • Unique Identifiers: Anonymous device ID (for analytics), Firebase Installation ID
  • IP Address: Approximate location (city/state level, not precise GPS)
  • App Performance Data: Crash reports, error logs, load times
  • Analytics Data: Page views, button clicks, feature usage (via Firebase Analytics)

2.4 Payment Information (Premium/Enterprise Only)

If you subscribe to a paid plan:

  • Payment Method: Processed by Stripe (we do NOT store full card numbers)
  • Billing Information: Name, billing address, transaction history
  • Subscription Status: Plan type, renewal date, payment status

Security: All payment processing is handled by Stripe (PCI-DSS Level 1 compliant). We only receive a tokenized reference to your payment method.

2.5 Enterprise Account Data

For users with employer-provided access:

  • Organization Name: Your company/organization
  • Access Code: Unique code linking you to your organization
  • Work Email Domain: Used to verify organizational membership
  • Aggregated Usage: Your employer receives ONLY anonymized, aggregate metrics (never individual data)

2.6 Data We Do NOT Collect

To protect your privacy, we do NOT collect:

  • ❌ Precise GPS location (we don't track where you are)
  • ❌ Contact lists or address books
  • ❌ Photos, camera, or microphone access (unless you explicitly share)
  • ❌ Phone numbers or SMS messages
  • ❌ Social media credentials
  • ❌ Biometric data (Face ID/Touch ID stays on your device)
  • ❌ Third-party app data

3. How We Use Your Information

3.1 Primary Purposes (Core Services)

Provide Mental Health Services

  • Process AI conversations and generate supportive responses
  • Track mood patterns and identify trends
  • Deliver personalized life skills recommendations
  • Generate wellness reports and analytics
  • Detect crisis situations and provide emergency resources

Account Management

  • Authenticate your identity when you log in
  • Send password reset emails
  • Process subscription payments and renewals
  • Manage your account settings and preferences

Safety & Crisis Prevention

  • Monitor conversations for crisis keywords
  • Automatically display 988 Lifeline resources when needed
  • Identify patterns suggesting mental health decline
  • Provide proactive intervention recommendations

3.2 Secondary Purposes (Service Improvement)

Product Development & Improvement

  • Analyze usage patterns to improve features
  • Train AI models for better response quality
  • Identify bugs and performance issues
  • Test new features with beta users

Communication

  • Send transactional emails (password resets, subscription confirmations)
  • Notify you of important service updates or security alerts
  • Provide customer support responses
  • Send optional wellness tips (you can opt out)

Marketing: We do NOT send promotional emails without your explicit consent. All marketing communications include an unsubscribe link.

Research & Behavioral Science

  • Conduct aggregate analysis of mental health trends
  • Publish research findings using de-identified data
  • Contribute to behavioral science literature
  • Validate effectiveness of interventions

De-Identification: All research uses data stripped of personal identifiers. You will NEVER be identifiable in published research.

3.3 Enterprise Features (For Organizational Accounts)

If your employer provides access to BB:

  • Aggregate Dashboards: Your organization receives team-wide wellness trends (e.g., "20% of users report improved mood this month")
  • Anonymized Insights: Hot topics, common stressors, engagement metrics
  • ROI Metrics: Overall utilization rates and satisfaction scores

🔒 Privacy Protection: Your employer NEVER receives:

  • ❌ Individual mood scores or entries
  • ❌ Personal AI conversations
  • ❌ Identifiable behavioral data
  • ❌ Information linking metrics to specific employees

All enterprise analytics are aggregated and anonymized. We use statistical techniques to prevent re-identification (e.g., minimum group size of 10 users).

3.4 Legal & Compliance Purposes

  • Comply with legal obligations (subpoenas, court orders)
  • Enforce our Terms of Service
  • Detect and prevent fraud or abuse
  • Protect our rights, property, and safety
  • Respond to emergency situations (e.g., imminent harm)

4. Legal Basis for Processing (GDPR Compliance)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) requires us to identify the legal basis for processing your data.

Legal Basis | What It Means | Examples
Consent (Article 6(1)(a)) | You explicitly agree to our data processing | Creating an account, opting into marketing emails
Contract Performance (Article 6(1)(b)) | Processing necessary to provide our Services | Processing mood data, generating AI responses
Legitimate Interests (Article 6(1)(f)) | Our business needs that don't override your rights | Fraud prevention, service improvement, analytics
Legal Obligation (Article 6(1)(c)) | Required by law | Responding to subpoenas, tax compliance

For Special Category Data (Health Data): We rely on your explicit consent (Article 9(2)(a)) and processing for healthcare purposes (Article 9(2)(h)) where applicable.

You have the right to withdraw consent at any time by deleting your account or contacting us at privacy@buildingbetterai.com.

5. Data Sharing and Disclosure

🚫 We Do NOT Sell Your Data

Mental Machina LLC does not sell, rent, or trade your personal information or health data to third parties for their marketing purposes. This is a core principle of our business.

We share data only in the following limited circumstances:

5.1 Service Providers (Data Processors)

We work with trusted third-party companies to operate our Services. These companies are contractually bound to protect your data and use it only for providing services to us.

Service Provider | Purpose | Data Shared | Location
Firebase (Google Cloud) | Database, authentication, analytics | Account info, mood data, usage analytics | USA (with GDPR compliance)
Railway | AI model hosting | Conversation text (encrypted) | USA
Anthropic | AI conversation processing | User messages (no personal identifiers) | USA
Stripe | Payment processing | Email, payment method, billing address | USA (PCI-DSS Level 1)

All service providers are contractually bound to protect your data and use it only for providing services to us. Anthropic Claude processes conversations but does not train on your data per their enterprise policy.

  • Standard Contractual Clauses (for EU data transfers)
  • Data security requirements
  • Data deletion obligations
  • Prohibition on unauthorized use

5.2 Enterprise Clients (Aggregate Data Only)

If you access BB through your employer:

  • What Employers Receive: Aggregated, anonymized team metrics (e.g., "Overall team engagement increased 15%")
  • What Employers NEVER Receive: Individual names, conversations, mood scores, or identifiable data
  • Minimum Group Size: Reports require at least 10 users to prevent re-identification

5.3 Legal Requirements & Public Safety

We may disclose your information without your consent if required by law or to protect safety:

Legal Process

  • Valid subpoena or court order
  • Government or regulatory requests
  • Law enforcement investigations

Transparency: We will notify you of legal requests unless prohibited by law. We challenge overly broad requests.

Emergency Situations

  • Imminent threat of serious harm to you or others
  • Contacting emergency services (911) if necessary
  • Child abuse or neglect reporting (as required by law)

Good Faith Belief: We only disclose data in emergencies when we have a good faith belief that it's necessary to prevent harm.

5.4 Business Transfers

If Mental Machina LLC is acquired, merged, or sells assets:

  • Your data may be transferred to the new entity
  • We will notify you via email at least 30 days in advance
  • The new entity must continue to honor this Privacy Policy
  • You have the right to delete your account before the transfer

5.5 With Your Consent

We may share data for other purposes with your explicit consent (e.g., participating in a research study, third-party integrations you authorize).

6. Data Security Measures

We implement industry-leading security practices to protect your sensitive mental health data:

6.1 Encryption

  • In Transit: All data transmitted between your device and our servers uses TLS 1.3 encryption (same as online banking)
  • At Rest: All database records are encrypted using AES-256 encryption (military-grade)
  • Passwords: Hashed using bcrypt (never stored in plain text)

6.2 Access Controls

  • Role-Based Access: Employees have access only to data necessary for their role
  • Principle of Least Privilege: Default deny, explicit grant
  • Multi-Factor Authentication: Required for all administrative access
  • Audit Logs: All data access is logged and monitored

6.3 Infrastructure Security

  • Firewall Protection: Network-level security on all servers
  • Intrusion Detection: Automated monitoring for suspicious activity
  • Regular Backups: Encrypted backups stored in geographically distributed locations
  • Disaster Recovery: Tested recovery procedures

6.4 Organizational Security

  • Employee Training: Annual security and privacy training
  • Background Checks: For employees with data access
  • Confidentiality Agreements: All employees sign NDAs
  • Zero-Knowledge Architecture: Minimal data exposure by design

6.5 Security Assessments

  • Penetration Testing: Quarterly third-party security audits
  • Vulnerability Scanning: Automated weekly scans
  • Code Reviews: Security-focused code review process
  • Incident Response Plan: 24-hour breach notification protocol

Security Breach Notification: In the unlikely event of a data breach affecting your personal information, we will notify you within 72 hours via email and in-app notification, including:

  • What data was affected
  • Steps we're taking to address the breach
  • Actions you can take to protect yourself

6.6 Limitations

No System is 100% Secure: While we implement industry best practices, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security but commit to:

  • Continuous improvement of security measures
  • Transparent communication about risks
  • Prompt response to security incidents

7. Data Retention

We retain your data only as long as necessary to provide Services or comply with legal obligations.

Data Category | Retention Period | Reason
Active Account Data | Duration of account lifetime | Provide ongoing services
Inactive Accounts | 24 months of inactivity | After 2 years, we may delete inactive accounts (with email notice)
Deleted Accounts | 30 days | Grace period for account recovery, then permanent deletion
Backup Copies | 90 days | Backups automatically expire after 90 days
Aggregated Analytics | Indefinitely | De-identified data used for research (no personal identifiers)
Legal Hold Data | As required by law | Litigation, regulatory investigations
Transaction Records | 7 years | Tax and financial compliance

7.1 Account Deletion

When you delete your account:

  1. Immediate: Your account is deactivated and inaccessible
  2. Within 30 Days: All personal data is permanently deleted from production systems
  3. Within 90 Days: All backup copies are purged
  4. Retained: De-identified aggregate data may be retained for research

Cannot Be Undone: Account deletion is permanent and cannot be reversed. Download your data before deleting if you want to keep it.

8. Your Privacy Rights

You have significant control over your personal data. Here's how to exercise your rights:

8.1 Rights for All Users

✅ Right to Access

Request a copy of your personal data

  • In-App: Settings → Privacy → Download My Data
  • Email: privacy@buildingbetterai.com (subject: "Data Access Request")
  • Format: JSON file with all your data
  • Response Time: Within 30 days

✏️ Right to Correction

Update inaccurate or incomplete information

  • In-App: Settings → Account → Edit Profile
  • Email us to correct data you cannot change yourself

🗑️ Right to Deletion

Permanently delete your account and data

  • In-App: Settings → Account → Delete Account
  • Email: privacy@buildingbetterai.com (subject: "Account Deletion")
  • Timeline: Deleted within 30 days
  • Exception: We may retain de-identified aggregate data for research

📤 Right to Data Portability

Export your data in machine-readable format

  • In-App: Settings → Privacy → Export Data
  • Format: JSON (can be imported to other services)
  • Includes: Mood logs, conversation history, life skills progress

🚫 Right to Opt-Out

Control specific data collection

  • Analytics: Settings → Privacy → Disable Analytics
  • Marketing Emails: Click "Unsubscribe" in any email
  • Push Notifications: Device Settings → BB → Notifications

8.2 Additional Rights for EEA/UK Users (GDPR)

⛔ Right to Object

Object to processing based on legitimate interests

  • Email: privacy@buildingbetterai.com
  • We will stop processing unless we have compelling legitimate grounds

⏸️ Right to Restriction

Request temporary restriction of processing

  • Available during disputes about data accuracy or lawfulness
  • We will store but not process your data during restriction

🔄 Right to Withdraw Consent

Withdraw consent for health data processing

  • Does not affect lawfulness of past processing
  • May prevent us from providing certain services

📋 Right to Lodge Complaint

File complaint with supervisory authority

  • Contact your local data protection authority
  • List of authorities: EDPB

8.3 How to Exercise Your Rights

To submit a privacy request:

  1. Email privacy@buildingbetterai.com
  2. Include "Privacy Request" in subject line
  3. Provide your account email and specify your request
  4. We may ask for identity verification (to protect your data)
  5. We will respond within 30 days (or as required by law)

No Fee: We do not charge a fee for privacy requests unless they are manifestly unfounded, excessive, or repetitive.

9. International Data Transfers

Building Better is operated from the United States. If you are located outside the U.S., your data may be transferred to and processed in the United States and other countries where our service providers operate.

9.1 Transfer Mechanisms

For transfers from the EEA/UK to the U.S., we rely on:

  • Standard Contractual Clauses (SCCs): EU Commission-approved data transfer agreements
  • Google Cloud Adequacy: Firebase/Google Cloud has GDPR compliance certifications
  • Data Processing Addendums: Signed with all international service providers

9.2 Data Protection Standards

Regardless of where your data is processed, we maintain the same high level of protection described in this Privacy Policy, including:

  • Encryption in transit and at rest
  • Access controls and authentication
  • Contractual obligations with third parties
  • Your privacy rights (access, deletion, etc.)

10. Children's Privacy (COPPA Compliance)

Age Requirement: 18+

Building Better is NOT intended for individuals under 18 years of age. We do not knowingly collect personal information from minors.

10.1 What If a Minor Uses BB?

If we discover that a user is under 18:

  1. We will immediately delete their account and all associated data
  2. We will notify the email address on the account
  3. No data will be retained

10.2 Parental Notice

If you are a parent or guardian and believe your child has provided us with personal information:

  • Contact us immediately at privacy@buildingbetterai.com
  • Subject line: "Minor Account Deletion"
  • We will delete the account within 48 hours

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

11.1 California Rights

Right to Know

Request disclosure of:

  • Categories of personal information collected
  • Categories of sources
  • Business purpose for collection
  • Categories of third parties we share with
  • Specific pieces of personal information we hold

Right to Delete

Request deletion of your personal information (subject to certain exceptions)

Right to Opt-Out of Sale

We do NOT sell personal information. We have not sold personal information in the past 12 months and do not plan to in the future.

Right to Non-Discrimination

We will NOT discriminate against you for exercising your privacy rights (e.g., denying service, charging different prices)

Right to Correct Inaccurate Information

Request correction of inaccurate personal information

Right to Limit Use of Sensitive Personal Information

Limit use of sensitive personal information to purposes necessary for providing services

11.2 How to Exercise California Rights

  • Email: privacy@buildingbetterai.com
  • Subject: "California Privacy Request"
  • Toll-Free Number: [If you establish one]
  • Response Time: 45 days (may extend to 90 days for complex requests)

11.3 Verification

To protect your privacy, we will verify your identity before fulfilling requests by:

  • Matching information you provide to data we have on file
  • Requesting confirmation via your registered email address

11.4 Authorized Agents

You may designate an authorized agent to make requests on your behalf. The agent must provide:

  • Proof of written authorization signed by you
  • Verification of their own identity

11.5 California "Shine the Light" Law

California residents may request information about disclosure of personal information to third parties for direct marketing purposes. We do not share your information for third-party direct marketing.

12. Cookies and Tracking Technologies

We use limited tracking technologies to provide and improve our Services.

12.1 Types of Cookies We Use

Cookie Type | Purpose | Can You Disable?
Essential Cookies | Authentication, security, session management | ❌ Required for app to function
Analytics Cookies | Firebase Analytics (usage patterns, crash reports) | ✅ Yes, in Settings → Privacy
Performance Cookies | App performance monitoring | ✅ Yes, disables automatically with analytics

12.2 What We Do NOT Use

  • ❌ Third-party advertising cookies
  • ❌ Social media tracking pixels
  • ❌ Cross-site tracking
  • ❌ Retargeting/remarketing cookies

12.3 Firebase Analytics

We use Firebase Analytics (Google) to understand app usage:

  • Data Collected: App opens, feature usage, screen views, session duration
  • Purpose: Improve user experience, identify bugs
  • Opt-Out: Settings → Privacy → Disable Analytics
  • Google's Policy: Google Privacy Policy

12.4 Browser Cookies (Website Only)

Our website (buildingbetterai.com) uses minimal cookies:

  • Session Cookies: Maintain login state (expires when you close browser)
  • Preference Cookies: Remember your settings (e.g., theme)

12.5 Managing Cookies

  • In-App: Settings → Privacy → Analytics
  • Browser: Adjust browser settings to block cookies (may affect functionality)
  • iOS: Settings → Privacy → Tracking → Disable "Allow Apps to Request to Track"

13. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors.

13.1 How We Notify You

For Material Changes:

  • 📧 Email notification to your registered address
  • 📱 In-app notification
  • 🏠 Prominent notice on our website
  • ⏰ 30 days' notice before changes take effect

For Minor Changes:

  • Update "Effective Date" at top of this page
  • No additional notification required

13.2 Your Options

If you do not agree to updated terms:

  • Stop using the App
  • Delete your account before changes take effect
  • Contact us with concerns at privacy@buildingbetterai.com

Continued use after the effective date constitutes acceptance of the new Privacy Policy.

13.3 Version History

We maintain a history of policy changes:

  • v1.0 (January 19, 2025): Initial privacy policy

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Privacy Inquiries

Email: privacy@buildingbetterai.com
Subject Line: "Privacy Inquiry"
Response Time: Within 30 days

Data Protection Officer

Mental Machina LLC
Data Protection Officer
Email: dpo@buildingbetterai.com

General Support

Email: support@buildingbetterai.com
Website: Support Center

EEA/UK Representative

[If you establish EU operations, designate a GDPR representative here]

Acknowledgment and Consent

By using Building Better, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your personal information as described herein.

If you do not agree to this Privacy Policy, please do not use our Services.

© 2025 Mental Machina LLC. All rights reserved.

Building Better is a product of Mental Machina LLC, a behavioral intelligence company.