Privacy Policy

Effective date: [EFFECTIVE_DATE] Last updated: [LAST_UPDATED_DATE]

At a glance. CBT Quest is a privacy-first journaling app. Your journal entries, transcripts, and AI reflections never leave your device in stored form. Voice audio is briefly routed through our server for transcription and AI analysis, then deleted. On our servers we keep only a pseudonymous device identifier and anonymous crash diagnostics. CBT Quest is not a medical device, not therapy, and not a crisis service — see our Terms of Use and the Crisis Resources section before using the app in distress.

If you are a resident of Washington State or Nevada, please additionally read our separate Consumer Health Data Privacy Policy, which governs how we handle mental-health-indicative content under state health-data laws.


1. Who We Are

CBT Quest (the "app") is published by [PUBLISHER_LEGAL_NAME], a natural person resident in Poland, operating as a sole individual ("we", "our", "the publisher", "the controller"). The publisher is the data controller for all processing described in this Policy for the purposes of:

  • Regulation (EU) 2016/679 (the "GDPR")
  • the United Kingdom General Data Protection Regulation ("UK GDPR")
  • the Swiss Federal Act on Data Protection ("revFADP")
  • Brazil's Lei Geral de Proteção de Dados (LGPD)
  • Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec Law 25
  • Australia's Privacy Act 1988
  • Japan's Act on the Protection of Personal Information (APPI)
  • the California Consumer Privacy Act as amended by the CPRA ("CCPA")
  • each other comprehensive privacy law applicable to your processing.

Contact:

Our lead supervisory authority is the President of the Polish Personal Data Protection Office (UODO, ul. Stawki 2, 00-193 Warszawa, kancelaria@uodo.gov.pl).

1.1 UK Representative

Because the publisher has no UK establishment and processes the data of UK residents, we have appointed a representative under Article 27 UK GDPR. UK residents and the UK Information Commissioner's Office may address us via:

  • [UK_REPRESENTATIVE_NAME]
  • [UK_REPRESENTATIVE_ADDRESS], United Kingdom
  • [UK_REPRESENTATIVE_EMAIL]

1.2 No Data Protection Officer

Our processing does not meet the criteria of Article 37 GDPR for mandatory DPO appointment. All privacy enquiries are handled by the controller directly.


2. What We Do Not Retain on Our Servers

We do not retain or store on our servers, and we have no ability to access:

  • Your journal entries, transcripts, AI analysis results, or any text you write or speak. All such content is stored exclusively on your device in an AES-256 SQLCipher-encrypted database, with the encryption key protected by your device's Secure Enclave and, optionally, Face ID or a PIN.
  • Audio recordings beyond the ephemeral processing window described in Section 4. The maximum retention is 24 hours and exists only as a safety mechanism for failed device acknowledgments; in practice audio is deleted within seconds of a successful response.
  • Your name, email address, phone number, account credentials, or any other directly identifying information.
  • Location data, GPS signals, or precise geolocation.
  • Browsing history, cross-site or cross-app activity, or advertising identifiers.

We do not sell or share your personal information with third parties for advertising, marketing, or monetary consideration. We do not disclose personal information to any party for cross-context behavioural advertising. We do not train AI models of our own on your data, and our AI providers are contractually required not to train on your data either.


3. What We Do Retain on Our Servers

| Data type | Linked to you | Used for tracking | Purpose |
|---|---|---|---|
| Pseudonymous device identifier | Yes (pseudonymous) | No | Quota enforcement, service quality, cost attribution, per-device subscription entitlement |
| Per-request metadata (timestamp, audio duration, token count, cost) | Yes (pseudonymous) | No | Operational accounting and abuse prevention |
| App Store / RevenueCat subscription entitlement record | Yes (pseudonymous) | No | Subscription delivery |
| Anonymous crash diagnostics (Firebase Crashlytics) | No | No | Error detection, performance improvement |

About the device identifier. The device identifier is a stable per-installation value. It is not linked to your name, email, phone number, social accounts, or advertising identifiers, and we do not combine it with data from other apps or websites. Under GDPR Recital 26 and equivalent laws (e.g. CCPA Cal. Civ. Code § 1798.140(v)(1)(A)), an identifier that can single out one device or installation is pseudonymous personal data, not anonymous. The rights described in Section 9 apply to it.


4. How We Process Audio for AI Analysis

When you tap Analyse on a voice entry, the following occurs:

  1. Your device uploads the audio file to our server over an encrypted TLS 1.3 connection.
  2. Our server immediately forwards the audio to Deepgram for speech-to-text transcription and forwards the resulting transcript to Anthropic's Claude API for CBT-structured analysis.
  3. The analysis result is returned to your device and stored only on your device.
  4. Once your device acknowledges receipt, the audio file is deleted from our server. Any orphan audio is permanently purged within 24 hours.
  5. Neither the transcript nor the AI analysis is stored on our server at any point.

After deletion no copy of your audio exists on our servers.

4.1 Legal basis — special-category health data

The content of a voice recording made inside a CBT journaling product may reveal information about your mental or physical state. Under Article 4(15) GDPR this is "data concerning health" and falls within the special categories listed in Article 9(1). Our lawful bases are:

  • Article 9(2)(a) GDPR — your explicit consent, collected in-app the first time you enable voice analysis. You must tap an affirmative "I understand — enable voice analysis" control; consent is logged against your pseudonymous device identifier with a timestamp.
  • Article 6(1)(a) and 6(1)(b) GDPR — your consent and/or the performance of the subscription service you have requested.

You may withdraw consent at any time (Article 7(3) GDPR) in Settings → Privacy → "Disable voice analysis". Withdrawal does not affect the lawfulness of processing carried out before withdrawal. The offline-only features of the app (on-device recording, note-keeping, tagging) continue to work without consent.

4.2 Voice is not used for biometric identification

Your voice is processed only for speech-to-text transcription. We do not generate a voiceprint, speaker-identification template, or any other biometric identifier as defined by the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14) or equivalent laws. Our processors are contractually prohibited from creating or retaining any such templates. See Section 12 for the Illinois-specific BIPA notice.


5. Service Providers and International Transfers

We use the following providers. Each has signed a data processing agreement with us under Article 28 GDPR (and equivalent laws) and is contractually bound to process your data only on our documented instructions, without retention beyond the stated window, and without training AI models on it.

| Provider | Role | Data received | Retention | Country | Transfer mechanism |
|---|---|---|---|---|---|
| Deepgram, Inc. | Speech-to-text transcription | Audio (during active request only) | Zero Data Retention — deleted at end of request | USA (EU endpoint available) | EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module 2: Controller-to-Processor); UK IDTA addendum |
| Anthropic, PBC | AI text analysis (Claude) | Transcript text (during active request only) | Zero Data Retention — deleted at end of request | USA | EU Standard Contractual Clauses; UK IDTA addendum |
| Google LLC / Google Ireland Ltd. (Firebase Crashlytics) | Anonymous crash diagnostics | Device model, OS version, anonymised stack trace, installation UUID | Up to 90 days | USA / EU | EU-U.S. Data Privacy Framework (Google LLC is self-certified); Standard Contractual Clauses as a fallback |
| RevenueCat, Inc. | Subscription entitlement management | Apple transaction identifier, subscription status, anonymous app user ID | Duration of subscription + 12 months, then anonymised | USA | EU Standard Contractual Clauses |
| Apple Inc. / Apple Distribution International Ltd. | App distribution, subscription billing | App Store receipt; payment handled directly by Apple | Per Apple's own policy | Ireland / USA | Apple's own DPA and transfer safeguards |
| [HOSTING_PROVIDER] (e.g. Hetzner, Germany) | Server hosting for the ephemeral audio relay | Audio (in transit, ≤24h), request metadata | Audio ≤24h; metadata as per Section 10 | European Union | N/A — processing in EU |

5.1 Residual-risk disclosure for US transfers

We acknowledge that US surveillance law (notably Section 702 of the US Foreign Intelligence Surveillance Act and Executive Order 12333) may permit US government access to data held by US recipients in ways that are not fully equivalent to European safeguards, notwithstanding the Data Privacy Framework. We have minimised this residual risk by:

  1. Transferring only transient audio/transcripts that are deleted at the end of each request;
  2. Not including any direct identifiers (name, email, phone) in the payload;
  3. Using TLS 1.3 in transit;
  4. Designing the app so that no copy of journal content is ever retained on any server.

You may request a copy of the safeguards in place for any transfer by emailing privacy@cbt.quest.

5.2 Sub-processors

A current list of sub-processors is maintained at staging.cbt.quest/legal/subprocessors. We provide at least 15 days' prior notice of any new sub-processor via that page, in line with our contractual commitments to users.

5.3 If you do not consent to transfers

You can use the app in offline-only mode without enabling voice analysis. In that mode no audio, transcript, or analysis leaves your device, and no international transfer occurs.


6. On-Device Storage

All journal entries, voice recordings made locally, transcripts received back from the server, and AI analysis results are stored exclusively on your device in an AES-256 SQLCipher-encrypted database. The encryption key is held in your device's Secure Enclave and may, at your option, be additionally gated behind Face ID or a PIN. We have no ability to access, recover, or restore this data. If you lose your device, reset your PIN, or uninstall the app without using the export feature, your on-device data is unrecoverable.


7. No Advertising, No Data Sales, No AI Training

  • We do not show advertising inside the app.
  • We do not sell your personal information or share it for cross-context behavioural advertising as those terms are defined in the CCPA (Cal. Civ. Code §§ 1798.140(ad), (ah)).
  • We do not process your data for targeted advertising.
  • We do not permit Deepgram, Anthropic, or any other processor to use your audio, transcripts, or analyses to train artificial-intelligence models. This commitment is reflected in our contracts with each provider.
  • We do not build our own AI models trained on your content.

8. Children and Teen Users

CBT Quest is intended for users aged 16 and over. We do not knowingly provide the app to anyone under 16. This minimum age applies regardless of a lower digital-consent age in your local jurisdiction, because mental-health-adjacent content warrants additional care for minors.

The App Store age rating for CBT Quest is 17+.

  • In EU Member States where the Article 8 GDPR digital-consent age is below 16, users at or above the local age may use the app under their own consent only if they are also 16 or older; below 16 the app is not offered at all.
  • For users in the United Kingdom and other jurisdictions whose digital-consent age is 13, the 16-year minimum established here still applies.
  • For users in jurisdictions with a higher statutory threshold (e.g. Brazil — 18 for minors under LGPD, South Africa — 18 under POPIA), that higher threshold applies.

If you are a parent or legal guardian and believe a minor has used the app, email privacy@cbt.quest and we will delete the associated device record.


9. Your Rights

Even though we deliberately hold as little data as possible, you retain the full set of data-subject rights under applicable privacy law. Where we hold no data linked to you, the answer may simply be "we hold no data" — but you still have the right to ask, and we must tell you.

9.1 Rights available to you

  • Right of access (GDPR Art. 15, CCPA § 1798.110, PIPEDA Principle 9, LGPD Art. 18, etc.) — request a copy of the device-level records we hold.
  • Right to rectification (GDPR Art. 16, CCPA § 1798.106) — correct inaccurate metadata.
  • Right to erasure / deletion (GDPR Art. 17, CCPA § 1798.105) — delete the device record linked to your installation. Uninstalling the app also deletes your local content; we cannot recover it.
  • Right to restriction of processing (GDPR Art. 18).
  • Right to data portability (GDPR Art. 20, CCPA § 1798.130) — receive a machine-readable copy of your device-level metadata.
  • Right to object (GDPR Art. 21) — to processing based on legitimate interests.
  • Right not to be subject to a solely automated decision with legal or similarly significant effects (GDPR Art. 22) — our AI reflection is advisory only and produces no such decisions (see Section 11).
  • Right to withdraw consent at any time (GDPR Art. 7(3)).
  • Right to limit the use of Sensitive Personal Information (CCPA § 1798.121) — see Section 13 for how this applies here.
  • Right to lodge a complaint with a supervisory authority (GDPR Art. 77, and equivalents elsewhere) — see Section 9.4 for the relevant authorities.
  • Right to non-discrimination — we will not deny service, charge different prices, provide different quality, or retaliate against you for exercising any privacy right.

9.2 How to exercise your rights

Email privacy@cbt.quest from any address and include your Device Verification Code (an 8-character code shown in the app under Settings → Privacy → Data Controls). We use the code to verify a request without requiring you to hold an account.

  • Add [CCPA], [GDPR], [MHMDA], [APPEAL] or similar in the subject line if you want to invoke a specific regime.
  • We aim to respond within 30 days and will, in any event, respond within the statutory maximum (45 days under CCPA, one month under GDPR Art. 12(3), 30 days under Washington MHMDA, etc., extendable once where the law permits).

9.3 Appeal

If we decline your request, reply to our denial within 60 days. We will respond to the appeal within 60 days. If we still deny, you may complain to the competent supervisory authority (see 9.4).

9.4 Competent supervisory authorities

  • European Economic Area — Urząd Ochrony Danych Osobowych (UODO, Poland, our lead authority), uodo.gov.pl. You may alternatively complain to the DPA in your EU Member State of residence.
  • United Kingdom — Information Commissioner's Office, ico.org.uk.
  • Switzerland — Federal Data Protection and Information Commissioner (FDPIC), edoeb.admin.ch.
  • Brazil — Autoridade Nacional de Proteção de Dados (ANPD), gov.br/anpd.
  • Canada — Office of the Privacy Commissioner, priv.gc.ca; Quebec — Commission d'accès à l'information, cai.gouv.qc.ca.
  • Australia — Office of the Australian Information Commissioner (OAIC), oaic.gov.au.
  • Japan — Personal Information Protection Commission (PPC), ppc.go.jp.
  • South Africa — Information Regulator, inforegulator.org.za.
  • Korea — Personal Information Protection Commission, pipc.go.kr.
  • California — California Privacy Protection Agency, cppa.ca.gov. Other US states: your state Attorney General's office.

10. How Long We Keep Information

| Category | Retention |
|---|---|
| Pseudonymous device identifier + per-request metadata | For as long as the app is installed on your device, plus 30 days after your last request, then automatically purged. On cancellation of subscription: within 12 months we anonymise to aggregate statistics. |
| Audio in transit (transcription/analysis) | Deleted immediately on device acknowledgment; maximum 24 hours (safety cap). |
| Transcripts in transit | Never stored server-side; discarded at the end of each request. |
| AI analysis in transit | Never stored server-side; discarded at the end of each request. |
| Crash diagnostics (Firebase Crashlytics) | Up to 90 days. |
| Subscription entitlement records (RevenueCat) | Duration of subscription plus 12 months, then anonymised. |
| Customer-support correspondence (if you email us) | Up to 24 months. |

Journal entries, transcripts, and AI analyses are not retained server-side at any point.


11. Automated Decision-Making and AI Transparency

The AI analysis produced by the app is designed as a reflection aid, not a decision. It does not grant or deny access to any service, does not make legal determinations about you, and does not have similarly significant effects as defined in Article 22 GDPR. Article 22 therefore does not apply. You retain all decision-making authority over your own thoughts, behaviour, and care.

11.1 EU AI Act Article 50 disclosure

Because you are interacting directly with an AI system, and in compliance with Article 50(1) of Regulation (EU) 2024/1689 (the "EU AI Act", binding transparency obligations from 2 August 2026):

  • CBT Quest is an AI-enabled system that you interact with directly. Your voice is transcribed by an automated speech-recognition system (Deepgram) and analysed by a general-purpose AI language model (Anthropic Claude). You are not speaking with a human at any point.
  • The structured reflection the app returns is AI-generated content. It is visibly marked as such in the app.
  • General-purpose AI models can produce inaccurate, incomplete, or inappropriate output (sometimes called "hallucination"). Output may contradict itself, miss context, or mischaracterise what you said.
  • The AI has no memory of your history with the app, no knowledge of who you are, no clinical background, and no context beyond the single recording in the current session.
  • Where technically feasible, AI-generated text is marked in a machine-readable form in accordance with Article 50(2).

Do not rely on AI-generated output for medical, psychological, legal, or financial decisions. See our Terms of Use §4 for the full AI disclaimer.

11.2 For users in Quebec

Under Section 12.1 of Quebec Law 25, you have the right to be informed of (i) the principal personal information used in the automated processing, (ii) the principal factors and parameters leading to the result, and (iii) the opportunity to request correction of the personal information used. Because the automated processing takes only the text transcription of your audio recording as input and returns output directly to your device, the principal information used is your transcript, and correction is achieved by re-recording.


12. Notice to Illinois Residents — Biometric Information

CBT Quest records voice audio for the sole purpose of speech-to-text conversion via Deepgram. We do not generate a voiceprint, speaker-identification template, or any biometric identifier as defined by the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14). Our processors are contractually prohibited from creating or retaining any such templates.

Out of an abundance of caution, we provide the following BIPA-form notice; your affirmative in-app consent to voice analysis acts as your written release under 740 ILCS 14/15(b):

  • Purpose. Speech-to-text transcription and AI-powered CBT reflection only.
  • Retention and destruction schedule. Audio is deleted from our servers immediately upon device acknowledgment of analysis, with a maximum retention cap of 24 hours. No audio is retained thereafter. No voiceprints are ever generated.
  • Disclosure. Audio is disclosed only to Deepgram (transcription) and never to any party for identification purposes.
  • Withdrawal. You may revoke consent at any time in Settings → Privacy → "Disable voice analysis", after which no further audio will be transmitted.

If you do not consent, you may continue to use CBT Quest in text-only mode, which never uploads audio.


13. Notice to California Residents

This section describes how the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively the "CCPA") applies to our processing.

13.1 Categories of personal information we collect

| CCPA category | Specific data | Purpose |
|---|---|---|
| Identifiers (§ 1798.140(v)(1)(A)) | Pseudonymous device identifier | Quota enforcement, cost attribution, service quality |
| Audio / visual information (§ 1798.140(v)(1)(K)) | Voice recordings (ephemeral, ≤24h) | Transcription and AI analysis |
| Commercial information (§ 1798.140(v)(1)(D)) | Subscription entitlement record | Subscription delivery |
| Internet or network activity (§ 1798.140(v)(1)(F)) | Request timestamp, token counts, cost | Operational accounting |
| Sensitive Personal Information: information concerning a consumer's health (§ 1798.140(ae)(2)(H)) | Voice recordings and derived transcripts, ephemeral only | Solely to perform the service you request. We do not use this to infer characteristics about you. |

13.2 Sources and disclosures

We collect all data directly from you (your device). We disclose categories for business purposes only to the service providers listed in Section 5.

13.3 No sale or share; no targeted advertising

We do not sell personal information, do not share personal information for cross-context behavioural advertising, and do not process personal information for targeted advertising, as those terms are defined in the CCPA. We have not done so in the preceding 12 months and have no intent to do so.

13.4 Sensitive Personal Information — right to limit

Under 11 CCR § 7027(l)(1), a business is not required to offer a right to limit the use and disclosure of Sensitive Personal Information ("SPI") if it uses such information only for purposes enumerated in that regulation. We use SPI solely to perform the service you have requested (speech-to-text transcription and AI-powered CBT reflection). We do not use SPI to infer characteristics about you and we do not retain it after the service is complete. If you disagree with this categorisation, email privacy@cbt.quest with [CCPA-LIMIT] in the subject; we will confirm that we already do not use your SPI beyond the permitted purposes.

13.5 Retention

See Section 10.

13.6 Global Privacy Control

Our website at staging.cbt.quest recognises the Global Privacy Control ("GPC") signal as a valid opt-out of sale and share. Because we do not sell or share, the signal does not change our behaviour but is acknowledged.

13.7 Rights, workflow, appeal, and non-discrimination

See Section 9.

13.8 California CMIA

Consistent with our treatment of voice content as health-indicative information, we follow the safeguards expected of a "provider of health care" under Cal. Civ. Code § 56.06 (CMIA, as amended by AB 2089 (2022) and AB 254 (2023)). We do not disclose medical information without your authorisation other than as described in this Policy.

13.9 Minors

We do not knowingly collect personal information from anyone under 16 (see Section 8). We do not sell or share personal information of consumers under 16 in any case.


14. Notice to Other US-State Residents

If you reside in Virginia, Colorado, Connecticut, Utah, Texas, Montana, Oregon, Iowa, Tennessee, Indiana, Delaware, New Jersey, New Hampshire, Nebraska, Maryland, Minnesota, Kentucky, or Rhode Island, you have rights under your state's comprehensive privacy law comparable to California's:

  • Right of access, deletion, correction, and data portability — see Section 9.
  • Opt-out of sale, targeted advertising, and profiling with legal or similarly significant effects — not applicable; we do not engage in any of these.
  • Opt-in consent for processing sensitive data — we obtain your affirmative in-app consent before transmitting audio to our AI service providers. Consent is recorded against your pseudonymous device identifier and may be withdrawn at any time.
  • Appeal — see Section 9.3.

Nevada and Washington residents: additional rights apply under our separate Consumer Health Data Privacy Policy, which you should read alongside this Policy.


15. Notices to Users Outside the EU/UK/US

15.1 Brazil (LGPD)

We rely on Article 11(II)(a) LGPD (consent for sensitive personal data) for voice processing. You have the rights listed in Art. 18 LGPD and may complain to the Autoridade Nacional de Proteção de Dados.

15.2 Canada (PIPEDA and Quebec Law 25)

We obtain meaningful consent for processing sensitive personal information. Quebec residents: a Privacy Impact Assessment under s. 3.3 of Law 25 has been completed in respect of the cross-border transfers described in Section 5.

15.3 Australia (Privacy Act 1988)

Voice recordings and derived transcripts may constitute "sensitive information" under APP 3.3 and are collected only with your consent. Cross-border disclosure under APP 8 is covered by the transfer mechanisms in Section 5.

15.4 Japan (APPI as amended 2022)

Audio content may constitute "special care-required personal information" under Art. 2(3) APPI; we rely on your opt-in consent. For Art. 28 purposes, we transfer data to Deepgram and Anthropic located in the United States; information about the US personal-data protection system and the measures taken by us and our processors is available on request.

15.5 Korea (PIPA), Turkey (KVKK), Israel (PPL), South Africa (POPIA)

We process health-related personal information only with your explicit consent and apply equivalent safeguards to those described above.

15.6 India (DPDPA 2023)

We process your personal data under s. 6 DPDPA on the basis of your consent; you have rights under s. 11–13. Full DPDP Rules are being phased in through 2027; we will update this Policy as each rule takes effect.

15.7 Not offered in certain markets

CBT Quest is not offered to users in Russia, Belarus, Cuba, Iran, North Korea, Crimea, or the Donetsk, Luhansk, Kherson, and Zaporizhzhia occupied regions of Ukraine, due to applicable sanctions, localisation laws, and commercial considerations (see Terms of Use §12). We do not knowingly collect personal data from users in those markets.


16. Security

We protect your data using:

  • AES-256 SQLCipher encryption for all on-device journal content; encryption key in the iOS Secure Enclave, optionally gated by Face ID or a PIN.
  • TLS 1.3 for all network transit.
  • Zero Data Retention contracts with Deepgram and Anthropic covering the audio and transcript pipeline.
  • Least-privilege access: the publisher does not retain credentials that would permit access to individual device records on sub-processor systems.

No security measure is perfect. If you believe you have discovered a vulnerability, email security@cbt.quest.


17. Data Breach Notification

If a personal-data breach occurs that is likely to result in a risk to your rights, we will:

  • Notify our lead supervisory authority (UODO) within 72 hours of becoming aware of it, as required by Article 33 GDPR. Equivalent notifications will be made to competent authorities in other jurisdictions as applicable (including Wash. RCW 19.255, Cal. Civ. Code §§ 1798.82 and 56.06, LGPD Art. 48, APPI Art. 26, POPIA s. 22, Quebec Law 25 s. 3.5, and others).
  • Notify affected users without undue delay where the risk is high (GDPR Art. 34), via an in-app notice and a public advisory at staging.cbt.quest/legal/security.

Because we do not store journal content on our servers, no breach of our servers can expose your journal content, transcripts, or analyses.


18. Changes to This Policy

We may update this Policy as the app and the law evolve. We will notify you of material changes at least 30 days before they take effect, via an in-app notice and a banner on this page. Where a change adversely affects you and your consent is required by applicable law, we will request it affirmatively before the change applies to you. Previous versions are archived at staging.cbt.quest/legal/privacy-policy/archive.


19. Contact

CBT Quest is operated by [PUBLISHER_LEGAL_NAME], a sole individual residing at [PUBLISHER_POSTAL_ADDRESS], Poland.


This Policy is published at staging.cbt.quest/legal/privacy-policy. © [YEAR] CBT Quest. All rights reserved.