Privacy Policy
Version: 3
Last Updated: 14th June 2026
1. Introduction
Brightloaf Ltd trading as brightloaf (“brightloaf”, “we”, “us”, or “our”) is committed to protecting your privacy and handling your personal data responsibly and transparently.
This Privacy Policy explains:
- what personal data we collect
- how we use it
- how we protect it
- your rights
This policy applies to all users of the brightloaf mobile application, website, and related services worldwide.
By using the App, you agree to this Privacy Policy.
2. Who We Are
Brightloaf Ltd is the data controller responsible for your personal data.
Contact: [email protected]
Address:
Brightloaf Ltd
167–169 Great Portland Street
5th Floor
London, W1W 5PF
3. Important Safety Note
brightloaf supports emotional wellbeing and reflection. It is not an emergency or crisis service.
If you are in immediate danger or feel unable to keep yourself safe, contact local emergency services or crisis support in your country.
4. Information We Collect
4.1 Account Information:
- Name
- Phone number (optional)
- Account settings
We ask you to confirm you are 18 or over when creating an account. We do not collect date of birth.
4.2 Subscription and Payment Data:
Payments are processed via:
- Apple App Store
- Google Play
- Stripe
We do not store full card details.
We receive limited billing data needed to manage subscriptions.
4.3 Therapy Session Data (UK Users):
Where therapy is available:
- Pre-session notes
- Session attendance
- Therapist notes
- Optional post-session summaries
- Feedback
This may include sensitive mental health information.
4.4 Session Recordings:
Sessions may be recorded for:
- Quality assurance
- Supervision
- Safeguarding
Recording is optional and can be turned off in app settings.
Recordings:
- Are securely stored
- Are accessed only by authorised staff
- Are deleted after 90 days
4.5 Glow AI Data:
Glow provides:
- Daily check-ins
- Personal insights
- Optional post-session summaries
To generate these, the text and information you enter into Glow is sent to a third-party AI provider for processing. We do not attach your account identifiers (such as your name or email) to this input. However, because you can write freely, your input may itself contain personal information, including information relating to your mental health.
For this reason, we do not treat Glow data as anonymous. We treat it as pseudonymised special category (health) data and protect it accordingly.
The AI provider processes your input on our behalf, only to generate your insight or summary, under data-processing terms that restrict how the data may be used. The provider may be located outside the UK; where that is the case, the safeguards in Section 9 apply.
4.6 App Usage Data:
We collect information about how you use the App:
- Features used
- Session bookings
- Time spent
- Interactions with content
This helps us improve the service. See Section 17 for how app analytics are handled.
4.7 Technical Data:
We may collect:
- IP address
- Device type
- App version
- Log data
4.8 Communications:
If you contact us, the following may be stored:
- Support emails
- Feedback
- Survey responses
4.9 The Pulse Engagement Data:
For The Pulse content feature, we store engagement data tied to your individual account, including which items you have read and which you have “liked”.
Unlike the aggregate app analytics described in Section 17 (which are not tied to you individually), this engagement data is personal data associated with your account.
5. How We Use Your Data
We use your data to:
- Provide the App and Services
- Manage subscriptions
- Facilitate therapy sessions
- Generate Glow insights
- Improve features
- Ensure safety and quality
- Communicate updates
- Meet legal obligations
We do not sell your data.
6. Communications
We may send you communications via:
- Push notifications
These may include:
- Service messages (booking confirmations, reminders, account updates)
- Marketing and promotional content
Marketing messages via WhatsApp are sent only with your consent. You can opt in via the dedicated WhatsApp checkbox when you sign up, and you can withdraw your consent at any time by opting out in the Profile section of the App.
You can manage your other communication preferences in the App settings or by following the unsubscribe instructions in any message. Service messages essential to your use of the App may still be sent where necessary.
7. Legal Basis for Processing
We rely on:
- Contract (to provide the service)
- Legitimate interests
- Consent (where required)
- Legal obligations
- Vital interests (where there is risk to life or serious harm)
Where we process special category data (such as mental-health information arising from therapy sessions and from Glow), we rely on an additional condition under Article 9 of the UK GDPR. This is your explicit consent for optional features such as Glow, and the provision of health or social care for therapy services delivered by registered professionals. Where there is a risk to life or of serious harm, we may also rely on vital interests.
8. Data Sharing
We share data only where necessary.
8.1 Therapists:
Assigned therapists receive relevant information for sessions.
8.2 Supervision and Quality Teams:
Limited access for safeguarding and quality monitoring.
8.3 Service Providers:
We use trusted providers for:
- Hosting
- Payments
- Video/audio
- AI processing for Glow (see Section 4.5)
8.4 Legal and Safeguarding:
We may share data where required by law or to protect life.
9. International Transfers
Some of our providers, including the AI provider used for Glow, are located outside the UK. This means your personal data — including the special category data described in Section 4.5 — may be transferred and processed outside the UK.
We use safeguards such as:
- Standard contractual clauses
- Secure infrastructure
- Limited access controls
10. Data Retention
We retain data only as long as necessary.
Typical retention:
- Account data: while active
- Therapy notes: 7 years from last session, as our standard retention period for clinical records, aligned with the limitation period for potential claims
- Recordings: 90 days
- Payment records: per tax law
- Anonymised analytics: longer-term
11. Automated Decision-Making
Glow uses automated systems to generate insights and recommendations based on your check-ins.
Glow outputs are informational only. No significant decisions are made solely by automated means. You are always free to disregard Glow suggestions and make your own choices about your wellbeing.
12. Your Rights
Depending on your location, you may have the right to:
- Access your data
- Correct it
- Delete it
- Restrict processing
- Object
- Data portability
- Withdraw consent
13. How to Exercise Your Rights
Contact: [email protected]
We may need to verify your identity. We will respond within 30 days.
14. Children’s Data
brightloaf is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18.
If you are under 18, please do not use the App or provide any personal information.
If we become aware that we have collected data from someone under 18, we will delete it promptly.
Note: If you voluntarily share information about children (for example, in a check-in or therapy session), this is treated as part of your personal data and handled in accordance with this policy.
15. California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- The right to know what personal information we collect, use, and share
- The right to request deletion of your personal information
- The right to opt out of the sale of personal information (we do not sell your data)
- The right to non-discrimination for exercising your rights
To exercise these rights, contact [email protected].
16. Security
We use appropriate security measures including:
- Encryption
- Restricted access
- Secure infrastructure
- Regular reviews
No system is completely secure, but we take protection seriously.
17. Cookies and Analytics
Our app and website behave differently.
App: The app does not use cookies. We use PostHog in anonymised mode to understand aggregate usage patterns and statistics (the usage data described in Section 4.6). This is product analytics and is not tied to your individual identity.
Website: Our public-facing website uses cookies. When you visit, you will see a consent banner where cookies are categorised and can be managed individually.
18. Data Breaches
If a breach occurs that risks your rights, we will notify regulators and affected users where required.
19. Changes to This Policy
We may update this policy from time to time.
Material changes will be communicated via the App or email.
20. Complaints
Contact us first at [email protected].
You may also contact your local data protection authority. In the UK this is the Information Commissioner’s Office (ICO).