Privacy Policy

1. Scope, Role, and Interpretive Framework

This Privacy Policy explains how Rohy AI, operated by Everbright Ventures LLC ("Rohy AI," "we," "our," or "us"), collects, receives, uses, stores, analyzes, discloses, transfers, and otherwise processes information in connection with our websites, mobile experiences, software applications, APIs, hosted dashboards, conversational interfaces, AI-assisted journaling tools, personality and wellness insight features, upload workflows, and related services (collectively, the "Service"). This Policy applies except to the extent a separate written agreement expressly supersedes it. Capitalized terms not defined here have the meanings assigned in our Terms of Service.

The Service is designed for reflective, organizational, and informational use. It is not a hospital, physician practice, licensed mental-health provider, insurer, emergency-response service, or fiduciary adviser, and we do not represent that information processed through the Service is subject to any legal regime except as expressly stated by us in writing. Your use of the Service constitutes acknowledgment that privacy and data-handling obligations are allocated by this Policy, the Terms of Service, applicable product notices, and any additional disclosures we present at the point of collection.

2. Categories of Information We Collect

We may collect the following categories of information, depending on how you use the Service:

• Identifiers and account records: name, username, email address, authentication credentials, encrypted or hashed password data, subscription identifiers, customer support records, and account status information.
• User-submitted content: journal entries, text prompts, reflections, uploaded files, questionnaire responses, voice notes, transcriptions, persona instructions, shared insight cards, messages, and any other content you elect to submit.
• Sensitive and high-risk content you choose to provide: information that may reveal mental-health concerns, emotional states, habits, relationships, beliefs, medical history, or other intimate personal matters contained in your prompts, journals, or uploads.
• Derived, inferred, and model-generated data: emotional scores, summaries, pattern detection, inferred preferences, personality attributes, clinical markers (e.g., PHQ-9, GAD-7 scores), behavioral trends, and other analytical outputs produced from your inputs.
• Clinically Validated Scale Metadata: Scores, responses, and historical benchmarks derived from medical screening tools (Psychological Openness, Depression Severity, Mania screening, and Anxiety assessments).
• Transactional and commercial information: subscription tier, purchase history, renewal status, and billing metadata. We do not store complete payment card numbers on our own systems.
• Technical, device, and usage information: IP address, approximate location inferred from IP, browser and device characteristics, operating system, language settings, referring URLs, crash and diagnostics information, log data, timestamps, feature interaction data, and word-count or quota consumption metrics.
• Notification and messaging data: device tokens, push subscription endpoints, notification preferences, delivery metadata, and records associated with service reminders and account communications.
• Support and compliance records: communications with us, verification materials, abuse-prevention indicators, fraud signals, and records created to investigate misuse, safety incidents, or legal claims.

3. Sources of Information

We collect information directly from you, automatically from your devices and interactions, from integrated vendors that help us operate the Service, from payment and authentication providers, and from other persons when you use shared or collaborative features. We may also generate additional information internally through analysis, classification, aggregation, or inference.

4. Purposes of Processing

We may process information for the following business and commercial purposes:

• To create, authenticate, administer, and secure your account.
• To provide the Service, including journaling workflows, persona configuration, AI-assisted chat, pattern analysis, uploads, exports, and subscription features.
• To generate, store, and refine AI outputs, summaries, insights, and personalization features responsive to your use of the Service.
• To maintain service integrity, detect abuse, enforce plan limits, troubleshoot defects, and improve reliability, accessibility, and performance.
• To process payments, subscriptions, refunds, tax records, and related financial operations.
• To communicate with you regarding service operations, legal notices, updates, account status, security matters, and, where permitted, product announcements.
• To comply with law, defend rights, resolve disputes, investigate complaints, and establish, exercise, or defend legal claims.
• To create aggregated, de-identified, or otherwise non-personal information for analytics, security, research, and product development, provided such information is not used by us in a manner we represent as personal data.

5. AI Processing and High-Sensitivity Disclosures

Because the Service uses machine-learning and language-model systems, content you submit may be parsed, segmented, transformed, classified, summarized, scored, embedded, or otherwise processed by automated systems for response generation, personalization, safety review, and product functionality. These operations may produce outputs that are probabilistic, inferential, incomplete, or incorrect. You should not treat AI-generated content as medical, psychiatric, therapeutic, legal, financial, or crisis-intervention advice.

If you submit sensitive or special-category information, you instruct us to process that information for the purposes reasonably necessary to provide the features you invoke. We ask that you avoid uploading information you do not want processed by third-party infrastructure providers acting on our behalf. If you are in danger or experiencing a medical or mental-health emergency, do not rely on the Service; contact emergency services or an appropriately licensed professional immediately.

6. Disclosure of Information

We do not sell your personal information for money. We may disclose information in the following circumstances:

• Service providers and processors: hosting, database, authentication, analytics, communications, customer support, AI infrastructure, and payment vendors that process information on our behalf under contractual restrictions.
• Corporate transactions: in connection with a proposed or completed financing, merger, acquisition, reorganization, bankruptcy, asset sale, or similar transaction, subject to customary confidentiality protections.
• Legal compulsion and rights protection: where required by law, subpoena, court order, or where we reasonably believe disclosure is necessary to investigate fraud, protect safety, or defend against legal claims.
• Provider-Directed Sharing: When you intentionally share high-fidelity mind reports, longitudinal trends, or medication logs with a Psychiatrist, Psychologist, or Parent/Guardian through the Service's clinical sharing interface.
• Consent-based disclosures: any other disclosure you authorize or direct.

We may also disclose aggregated or de-identified information that does not reasonably identify you, provided we maintain measures designed to prevent reidentification where required by applicable law.

7. Legal Bases and Jurisdiction-Specific Rights

Depending on the jurisdiction in which you reside, our processing may rest on one or more legal bases, including performance of a contract, legitimate interests, compliance with law, and consent. Residents of certain jurisdictions may have rights to request access, correction, deletion, portability, or restriction, to object to certain processing, or to withdraw consent where consent is the applicable legal basis. We may need to verify your identity before honoring a request and may deny or limit requests where permitted by law, including where an exception applies.

If applicable law grants you a right to appeal a privacy-rights decision, you may do so by replying to our response or contacting support@rohy.ai with the subject line "Privacy Appeal." If you are authorized to act on behalf of another person, we may require proof of that authority before processing the request.

8. Retention

We retain personal information for as long as reasonably necessary for the purposes described in this Policy, including to maintain accounts, provide features, preserve business and tax records, resolve disputes, enforce agreements, and comply with law. Retention periods vary according to the nature of the data, sensitivity of the information, the risk of harm from unauthorized use or disclosure, operational necessity, and legal obligations. Even after deletion requests, certain information may persist in backups, logs, or legally required archives for a limited period, after which it will be deleted or anonymized in the ordinary course.

9. Security

We maintain administrative, technical, and organizational safeguards designed to protect information against unauthorized access, destruction, loss, alteration, or disclosure. Those safeguards may include encryption in transit, role-based access controls, environment segregation, credential controls, logging, and vendor-management procedures. No security measure is infallible, and we do not warrant that the Service will be immune from breach, interception, or compromise. You are responsible for maintaining the secrecy of your login credentials and for using the Service in a reasonably secure manner.

10. Cookies, Local Storage, and Similar Technologies

We and our service providers may use cookies, pixels, local storage, SDKs, and similar technologies to remember preferences, maintain sessions, measure usage, secure the Service, and support performance diagnostics. You may be able to manage certain technologies through browser or device settings, but disabling them may materially impair functionality.

11. Children and Age Restrictions

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you are between 13 and the age of majority in your jurisdiction, you may use the Service only with the involvement and consent of a parent or legal guardian and only where such use is lawful. If we learn that we have collected personal information from a child in a manner inconsistent with applicable law, we will take commercially reasonable steps to delete that information.

12. International Transfers

We are based in the United States, and your information may be transferred to, stored in, and processed in the United States or other jurisdictions whose data-protection laws may differ from those of your place of residence. Where required, we take measures designed to support lawful transfer mechanisms and appropriate handling standards.

13. Changes to This Policy

We may revise this Privacy Policy from time to time. If we make material changes, we may provide notice by updating the date above, posting a notice through the Service, or using another method reasonably calculated to inform users where required by law. Your continued use of the Service after the effective date of a revised Policy signifies your acknowledgment of the updated terms, to the extent permitted by law.

14. Contact Us

Questions, requests, appeals, and notices relating to this Privacy Policy may be sent to support@rohy.ai. You may also review our more specific disclosure framework in the Data Disclosure Agreement.