Privacy Policy

Last Updated: 1st August 2025

1. Introduction

Brightloaf Ltd trading as brightloaf ("Brightloaf", "we", "our", or "us") respects your privacy and is committed to protecting it through our compliance with this policy. This policy describes:

The types of information we may collect or that you may provide when you download, register with, access, or use the Brightloaf mobile application ("App")
Our practices for collecting, using, maintaining, protecting, and disclosing that information
How we use AI technology to personalise your experience
Your rights regarding your personal data under UK GDPR

Please read this policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, do not download, register with, or use this App. By downloading, registering with, or using this App, you agree to this privacy policy.

This Privacy Policy should be read alongside our Data Processing Agreement and Terms and Conditions.

1.1 Safety Notice

Your safety is our priority. By using Brightloaf, you acknowledge that:

This App is designed for mental health support and education for adults aged 18 and over
It is not suitable for emergency or crisis support
You will seek appropriate emergency care if needed through:
- 999 (Emergency)
- NHS Crisis: 111, option 2
- Samaritans: 116 123
We collect and process your data to provide personalised mental health support and education, not crisis care

2. Information We Collect and How We Collect It

We collect information from and about users of our App directly from you when you provide it to us and automatically when you use the App.

2.1 Account and Registration Information

When you download, register with, or use this App, we collect:

Personal Information:

Name, email address, phone number
Date of birth (for age verification - 18+ only)
Account preferences and settings
Profile information and accessibility requirements

Registration Data:

Information provided during account creation
Age verification confirmation
Service preferences and settings
Contact preferences and communication settings

2.2 Counselling Session Data

Session Information:

Audio and video recordings of all counselling sessions (temporarily stored for 90 days)
Session duration, attendance, and completion status
Pre-session notes and background information you provide
Post-session feedback and ratings
Crisis intervention records (if applicable)

Health and Wellbeing Data:

Mental health information disclosed during sessions
Progress tracking and outcome measurements
Crisis risk assessments and safety planning
Therapeutic notes and session summaries
Mood tracking and self-assessment data

2.3 Personalised Psychoeducation Data

Learning and Engagement Data:

Content accessed, read, and completed in educational modules
Time spent on different psychoeducational materials
Reading patterns, preferences, and engagement levels
Content ratings, reviews, and feedback submissions
Learning progress tracking and milestone achievements
Quiz results, self-assessments, and interactive content responses
Bookmark and favourite content selections

Platform Engagement Analytics:

Login frequency, duration, and usage patterns
Session booking behaviour and preferences
Platform navigation and feature utilisation
Response times and engagement with notifications
Device usage patterns and accessibility preferences
Dropout patterns and re-engagement metrics

2.4 AI Processing Data

AI Personalisation Information:

Anonymised data submitted to Large Language Models (OpenAI: ChatGPT and Anthropic Claude)
Anonymised content preferences and learning patterns processed by AI systems
Interaction patterns with AI-generated recommendations and content
AI processing logs and response quality metrics
User feedback on AI-generated personalisation and recommendations

Important: Only completely anonymised data (with all personal identifiers removed) is processed by external AI systems. No personal health information is ever shared with AI providers.

2.5 Automatic Information Collection

Usage Details:

Traffic data, location data, logs, and communication data
Resources you access and use on or through the App
Platform performance and error logs
Feature adoption and user journey analytics

Device Information:

Device's unique device identifier, IP address
Operating system, browser type, mobile network information
Device's telephone number (if provided)

2.6 Communication Data

When you provide your phone number or contact us, we may collect:

SMS and communication records
Customer support communications
Records and copies of correspondence (including email addresses and phone numbers)
Your responses to surveys for research purposes

3. How We Use Your Information

We use information that we collect about you or that you provide to us, including any personal information, to:

3.1 Core Service Delivery

Provide you with the App and its contents
Facilitate and record counselling sessions
Manage your subscription and access to educational materials
Process payments (via Stripe - we do not store payment details)
Provide customer support and technical assistance

3.2 Personalised Experience & AI-Enhanced Content Delivery

Create personalised psychoeducational content recommendations using AI systems
Utilise Large Language Models (OpenAI: ChatGPT, Anthropic Claude) to generate tailored content suggestions
Process anonymised user data through AI to improve personalisation algorithms
Adapt content difficulty and pace to your learning style using machine learning
Provide AI-generated personalised insights based on your engagement patterns
Customise the platform experience using AI-powered recommendation engines

3.3 Quality Assurance & Safety

Monitor session quality for professional standards
Ensure counsellor competency and supervision
Implement crisis intervention protocols when necessary
Safeguard vulnerable users and maintain duty of care
Investigate complaints and resolve service issues

3.4 Service Improvement & Platform Development

Analyse completely anonymised data to improve platform functionality
Develop new features and therapeutic approaches
Understand user needs and preferences through usage analytics
Improve psychoeducational content based on engagement data
Conduct research and development using de-identified data only

3.5 Communication & Support

Send service-related notifications and updates
Share educational content and wellbeing resources
Notify you of important changes to our services
Send appointment reminders and trial-related communications
Marketing communications (with your consent only)

3.6 Legal & Regulatory Compliance

Meet professional counselling standards and regulations
Comply with safeguarding and duty of care obligations
Respond to legal requests and court orders
Protect against fraud and abuse
Maintain records for audit and inspection purposes

4. Data Sharing & Recipients

We may disclose aggregated information about our users, and information that does not identify any individual or device, without restriction.

4.1 Your Assigned Counsellors

Session recordings and notes for therapeutic purposes
Pre-session information and background context
Progress tracking and outcome measurements
Crisis intervention and safety planning information

4.2 Clinical Supervision Team

Session recordings for quality assurance and professional development
Performance monitoring and standards compliance
Training and supervision of counsellors
Clinical oversight and professional guidance

4.3 Platform Operations Team

Technical support and troubleshooting assistance
Account management and billing enquiries
Customer service and complaint resolution
Platform maintenance and security monitoring

4.4 External Service Providers

Stripe: Secure payment processing (we do not store your payment details)
Cloud Hosting: Secure data storage within UK/EU infrastructure
Communication Platforms: Video/audio session technology providers
Analytics Providers: Anonymised usage analytics only
AI Service Providers: Large Language Models (OpenAI: ChatGPT, Anthropic Claude) for personalisation using anonymised data only

4.5 Professional Bodies & Regulators

Professional counselling bodies (BACP, UKCP, HCPC) where required
Information Commissioner's Office (ICO) for data protection compliance
Health and safety regulators for safeguarding purposes
Court orders and legal proceedings where mandated

4.6 Emergency Services In crisis situations, we may share necessary information with:

NHS emergency services
Police or emergency responders
Mental health crisis teams
Safeguarding authorities

We never sell your personal data to third parties or use it for unauthorised commercial purposes.

5. Counsellor Qualifications and Standards

5.1 Professional Qualifications

All counsellors providing services through Brightloaf are qualified professionals who:

Hold registration with recognised UK professional bodies (BACP, UKCP, HCPC)
Maintain professional indemnity insurance (minimum £1,000,000 coverage)
Have completed our specialised two-day training programme in short-session therapy
Undergo regular clinical supervision and quality monitoring
Complete ongoing professional development (minimum 30 hours annually)

5.2 Professional Standards

Our counsellors:

Follow BACP/UKCP/HCPC ethical guidelines and professional standards
Maintain appropriate professional boundaries and confidentiality
Participate in regular clinical supervision as required
Meet our minimum client satisfaction rating of 3.5/5.0
Are subject to regular quality assurance monitoring

5.3 Selection Process

Our rigorous selection process ensures all counsellors:

Meet our high professional standards
Have relevant experience and qualifications
Understand and comply with our data protection requirements
Are committed to the short-session therapy model

6. Data Retention Periods

We retain different types of data for specific periods in accordance with professional guidelines and legal requirements:

6.1 Session Data

Session recordings: Automatically deleted after 90 days for quality assurance purposes
Clinical notes & assessments: Retained for 7 years in accordance with professional counselling guidelines
Crisis intervention records: Retained as required for safety and legal purposes

6.2 Account Information

Account data: Retained while your account remains active
Financial records: Retained for 7 years for tax compliance (processed via Stripe)
Inactive accounts: Deleted within 30 days of account closure (unless legal hold applies)

6.3 Psychoeducational Content Data

Learning progress: Stored for continuity while subscription is active
Content ratings and feedback: Retained for 2 years for improvement purposes
Quiz and assessment results: Retained for 1 year after completion
Personalised recommendations: Deleted within 6 months of subscription cancellation

6.4 Platform Engagement Analytics

Login patterns and session booking: Retained for 18 months
Individual user journey data: Deleted within 12 months of account closure
AI processing logs: Retained for 6 months then anonymised
Anonymised usage analytics: Retained indefinitely for research

7. Your Rights Under UK GDPR

7.1 Right of Access (Article 15)

Request a copy of all personal data we hold about you
Information about how and why we process your data
Details of who we share your data with
Response provided within one month of request

7.2 Right to Rectification (Article 16)

Correct inaccurate or incomplete personal data
Update your account information and preferences
Immediate correction of critical inaccuracies

7.3 Right to Erasure (Article 17)

Request deletion of your personal data in certain circumstances
Account closure and complete data removal
Note: May be limited by professional record-keeping requirements

7.4 Right to Restrict Processing (Article 18)

Limit how we use your data in specific situations
Temporary suspension of processing activities

7.5 Right to Data Portability (Article 20)

Receive your data in a structured, machine-readable format
Transfer your data to another service provider

7.6 Right to Object (Article 21)

Object to processing based on legitimate interests
Opt out of direct marketing communications

7.7 Rights Related to Automated Decision-Making (Article 22)

Information about AI-powered personalisation
Right to human review of automated decisions
Right to challenge AI-generated recommendations

8. How to Exercise Your Rights

8.1 Contact Methods

Email: hello@brightloaf.com (preferred method)
Post: Brightloaf Ltd trading as brightloaf, 167–169 Great Portland Street, 5th Floor, London, W1W 5PF
Online: Through your account settings for certain requests

8.2 Response Timeframes

Standard requests: Responded to within one month
Complex requests: May be extended by two months with explanation
Emergency situations: Immediate response for crisis situations

8.3 Identity Verification To protect your privacy, we may require verification of your identity before processing requests.

9. Data Security

9.1 Technical Safeguards

End-to-end encryption for all session recordings and communications
Secure data storage with multiple layers of protection
Regular security audits and penetration testing
Multi-factor authentication and access controls
Automated backup and disaster recovery systems

9.2 Mental Health Data Protection Your mental health data receives enhanced protection:

Encryption at rest and in transit using industry-standard protocols
Restricted staff access on need-to-know basis
Separate secure storage for clinical notes
Regular security audits and compliance assessments
No sharing with third parties except when legally required

9.3 AI Data Security

Only completely anonymised data is processed by AI systems
No personal identifiers or health information shared with AI providers
Standard Contractual Clauses with all AI service providers
Regular audits of AI data processing activities

10. International Data Transfers

10.1 UK/EU Processing

Primary data processing occurs within the United Kingdom
EU data centres used for backup and redundancy
Full adequacy protection under UK GDPR

10.2 AI Service Provider Transfers Where transfers to AI service providers (OpenAI: ChatGPT, Anthropic Claude) are necessary:

Only completely anonymised data is transferred
Standard Contractual Clauses implemented
Additional safeguards for any data processing
Prohibition of personal health data submission to AI models

11. Cookies and Tracking Technologies

To improve your experience and ensure the security and functionality of our platform, we use the following strictly necessary cookies:

11.1 Essential Cookies

.AspNetCore.Antiforgery.{uid}

Domain: app.brightloaf.com
Purpose: Anti-forgery token to prevent CSRF attacks
Duration: Session-based

.AspNetCore.Identity.Application

Domain: app.brightloaf.com
Purpose: User authentication and session management
Duration: Session-based

.AspNetCore.Mvc.CookieTempDataProvider

Domain: app.brightloaf.com
Purpose: Temporary data storage across requests
Duration: Session-based

ASLBSA / ASLBSACORS

Domain: app.brightloaf.com
Purpose: Load balancing and session consistency
Duration: Session-based

UMB_SESSION

Domain: app.brightloaf.com
Purpose: Session data management
Duration: Session-based

12. Your Choices About Data Collection and Use

12.1 Tracking Technologies

You can set your browser to refuse cookies, though this may affect functionality
You can adjust cookie preferences in your device settings

12.2 Marketing Communications

You can opt-out of promotional emails through your account settings
You can unsubscribe from marketing communications at any time
Contact hello@brightloaf.com to adjust communication preferences

12.3 AI Personalisation

AI-powered personalisation is integral to our service and cannot currently be disabled
Future opt-out capabilities may be developed as the platform evolves
You can provide feedback on AI recommendations through the platform

13. Data Breach Procedures

13.1 Our Response

24/7 monitoring for potential data breaches
Immediate containment and assessment procedures
ICO notification within 72 hours (where required)
Individual notification without undue delay if high risk

13.2 Support for You

Dedicated support for affected individuals
Clear communication about any incidents
Assistance with any resulting issues
Regular updates during incident resolution

14. Changes to Our Privacy Policy

14.1 Updates

We may update this privacy policy from time to time
Material changes will be communicated via email and platform notification
30 days notice for significant changes affecting your rights
Continued use constitutes acceptance of updates

14.2 Version Control

Current version clearly marked with last updated date
Historical versions available upon request
Regular review and updates to reflect legal changes

15. Contact Information

15.1 General Enquiries For questions about this privacy policy and our privacy practices:

Email: hello@brightloaf.com

Postal Address: Brightloaf Ltd trading as brightloaf 167–169 Great Portland Street, 5th Floor London, W1W 5PF

Business Hours: Monday to Friday, 9am to 6pm GMT

15.2 Data Protection Matters For specific data protection enquiries: hello@brightloaf.com

16. Supervisory Authority

16.1 Regulatory Complaints You have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office (ICO)

Website: www.ico.org.uk
Phone: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

16.2 Internal Resolution We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us first at hello@brightloaf.com.

Thank you for trusting Brightloaf with your personal information. We're committed to protecting your privacy while providing innovative, personalised mental health support.

Brightloaf Privacy Policy