PRIVACY POLICY

Effective date: 2026-03-19 Last updated: 2026-04-19

Preamble: single-operator structure and no Data Protection Officer

Luminibus S.r.l.s. socio unico is a single-person company. The sole director and sole shareholder is the only natural person involved in operating the Service. No Data Protection Officer (DPO / RPD) has been designated, as none of the conditions of Article 37(1) GDPR are triggered at current scale; the internal memorandum recording this determination is available on request at privacy@selv-a.com. The privacy contact point is privacy@selv-a.com; the certified corporate email address (PEC) is luminibus@legalmail.it.

Where this document uses the first person plural (“we”, “us”, “our”), this is linguistic convention for readability and does not imply the existence of additional staff, a dedicated privacy team, a Data Protection Officer, or any third-party personnel beyond the Processors and AI Providers named in the relevant chapter.

Chapter 1: Purpose, scope, and who we are

1.1 Purpose

This Privacy Policy explains how Luminibus S.r.l.s. socio unico (“Selv-a”, “we”, “us”) collects, uses, discloses, and protects Personal Data when you (the user of the Service) access or use our AI-powered self-discovery and personal-reflection services (the “Service”). “You” means the natural person accessing the Service, whether as a visitor, a registered user, or a recipient of content shared with you.

1.2 Scope

This Policy applies to processing of Personal Data in connection with:

the Selv-a mobile application and any associated websites or landing pages
AI-powered features, personalization features, and safety systems
customer support communications
marketing communications
sharing features (including link sharing and group comparisons)
analytics, security, fraud prevention, and core service quality activities
cookies and similar technologies on our websites (see the Cookie Notice for details).

1.3 Definitions

Personal Data: information relating to an identified or identifiable natural person (Art. 4(1) GDPR).

User Content: content you submit to the Service, including prompts, reflections, journal entries, answers to questions, mood check-ins, feedback and ratings you provide, and any profile photo you upload.

Outputs: content returned by the Service, including AI-generated responses, summaries, insights, and suggestions.

Controller: the entity that determines the purposes and means of processing Personal Data.

Processor: a third party that processes Personal Data on behalf of the Controller.

AI Providers: OpenAI and Anthropic, the third-party AI service providers currently used to generate Outputs and to support safety features.

1.4 Roles and responsibilities

Selv-a is the Controller for the processing described in this Policy, unless we explicitly state otherwise.

We select Processors and AI Providers, define processing instructions, and implement safeguards proportionate to the risks of the processing. Our Processors and AI Providers act on our instructions under written data-processing agreements.

Where you interact with third parties directly — for example Apple or Google for authentication or in-app purchases — those parties act as independent controllers under their own privacy policies for that interaction.

1.5 Contact

Company legal name: Luminibus S.r.l.s. socio unico (società unipersonale)

Registered office: Via Papa Giovanni XXIII, 8, 27052 Godiasco Salice Terme (PV), Italia

Codice fiscale / P. IVA: 03034600183

REA: PV 340161 — Registro delle Imprese di Cremona-Mantova-Pavia

Share capital: € 2.000,00

PEC: luminibus@legalmail.it

Support email: support@selv-a.com

Privacy email (rights requests): privacy@selv-a.com

Data Protection Officer: no DPO has been designated, as none of the conditions of Article 37(1) GDPR are triggered at current scale. All privacy requests should be addressed to privacy@selv-a.com, with optional escalation by certified email to luminibus@legalmail.it.

Chapter 2: What data we collect

2.1 Data you provide

A. Account and profile data

email address and login identifiers (including sign-in tokens issued by Apple Inc. and Google LLC, via Google Ireland Ltd. for users in the EEA/UK)
your display name (and surname, if you set one) used in your profile and on shared content
account settings and preferences
age and age-gate responses.

B. User Content

messages, prompts, and conversation inputs
journal entries, reflections, and free-text notes you write inside the Service
answers to questions (multiple choice, scales, open text)
mood check-ins and self-reporting fields
feedback, satisfaction ratings, and other quality signals you submit about Outputs
content you choose to share — including compare links, group comparison content, and AI-generated postcards (share cards). When you share a compare link as a registered user, the link transmits your display name (and surname if you set one) and your answers to the linked flow so the recipient can view them and compare with their own. Recipients can copy, forward, or screenshot this content, and it is out of your control once shared. Do not use sharing features for information you do not want disclosed
the profile photo you upload, if any.

C. Support and communications

messages you send to support
survey responses, feedback, bug reports, and related metadata.

2.2 Data collected automatically

A. Device and technical data

device type or model, operating system version, app version, language, time zone
crash logs, diagnostics, and performance data. We use Sentry (Functional Software, Inc.) for crash reporting and performance monitoring. Sentry receives crash logs, stack traces, device information, and user identifiers to help us diagnose and fix issues. On our website we also use Vercel Speed Insights (Vercel Inc.) to measure Core Web Vitals and navigation performance.

B. Usage and event analytics

feature usage, screens viewed, clicks, session metadata
performance metrics and error telemetry.

Across our website (all pages, including the /download landing page), we use Vercel Analytics (provided by Vercel Inc.) to collect cookieless page-view counts, navigation performance (Core Web Vitals), approximate location derived from IP address, and device and browser information. Vercel Analytics does not use cookies and does not track individual users across sites. Vercel does not persist raw IP addresses. See vercel.com/docs/analytics/privacy-policy.

On the dedicated /download landing page, we do not set cookies or local-storage identifiers for analytics. If anonymous measurement is enabled for that page, we limit it to cookie-free page views and first-party app-store badge clicks, and we suppress that measurement when the page-level opt-out is present or when the browser sends a supported privacy signal such as Global Privacy Control (GPC).

In the Selv-a mobile application, Google Analytics for Firebase (provided by Google LLC) is disabled by default and is activated only if you opt in through the app's separate mobile analytics control. Where active, Firebase Analytics collects app usage events, screen views, session metadata, device information, and may receive a pseudonymous user identifier and user properties (such as subscription tier) to help us understand feature usage patterns. Firebase Analytics does not receive your name, email address, or the content of your reflections. At launch, this measurement does not use the Apple IDFA or Android advertising ID (AAID). See policies.google.com/privacy.

C. Network data

IP address, approximate region derived from IP, timestamps, and log files.

D. Advertising identifiers and App Tracking Transparency

At launch, Selv-a does not access the Apple IDFA or Android advertising ID (AAID), and the app does not currently prompt for App Tracking Transparency. The separate mobile analytics control described above governs Firebase Analytics collection without enabling advertising-identifier access.

If we later introduce a feature that requires access to IDFA or AAID, we will request any required device permission first, update this Policy before activation, and describe that feature and its legal basis separately.

2.3 Data from third parties

Apple or Google authentication claims (for example stable account identifier and email relay where provided).

B. App stores and payment platforms

subscription status, purchase confirmations, renewal status, refunds, chargeback or fraud flags. We do not receive your full payment card number when you pay through Apple In-App Purchase or Google Play Billing. These platforms share only transaction identifiers, receipt data, and subscription or renewal status with us.

C. Website campaign and referrer data

campaign and referrer metadata captured on our website, where you arrived via a marketing link and consented to analytics.

2.4 Device biometric authentication

If you use Face ID, Touch ID, or an equivalent device feature, the biometric authentication is performed on your device by the operating system provider. Selv-a does not receive your biometric template. We receive only an authentication result (for example a success token) through the relevant device authentication flow.

Selv-a does not process biometric data within the meaning of Art. 9(1) GDPR. We never receive, store, or use biometric templates for identification, and we do not perform biometric identification on any content.

If you upload a profile photo, that image is stored as ordinary Personal Data for account personalisation. Profile photos are not processed by any facial-recognition, biometric-identification, or AI system. They are not special category data within the meaning of Article 9 GDPR.

Chapter 3: How we use your data

We use Personal Data for the following purposes:

3.1 Provide the Service

create and manage accounts
store your preferences and history
generate Outputs and provide self-discovery features
generate personalised Outputs by retrieving relevant prior User Content (for example earlier reflections, mood patterns, and trait scores) through internal semantic search, as explained in Chapter 5
enable sharing features that you initiate.

3.2 Security and integrity

prevent abuse, fraud, and unauthorized access
enforce Terms and content restrictions
monitor, investigate, and protect system security.

3.3 Safety features

run automated safety checks on User Content and Outputs
detect signals that may indicate self-harm risk and provide safety resources (see Chapter 8).

We remain the Controller for safety processing. We may rely on signals provided by AI Providers, but responsibility for detection, response, and user notice rests with Selv-a.

3.4 Service quality, troubleshooting, and safety assurance

product development, troubleshooting, and quality assurance using operational records, diagnostics, and aggregated or pseudonymised usage data
maintaining core routing and service reliability
maintaining and testing safety systems.

3.5 Communications

send transactional messages (service notices and security alerts)
respond to support requests.

3.6 Marketing and promotions

send newsletters and promotional messages where permitted
tailor marketing content and communications
measure campaign effectiveness.

3.7 Legal and corporate

comply with legal obligations and defend legal claims
respond to lawful requests
support financing, acquisition, merger, or reorganization activities consistent with Chapter 6.

3.8 Your responsibilities

You are responsible for the content you submit and for ensuring it does not violate laws or third-party rights.

Where the GDPR or UK GDPR applies, we rely on the following legal bases. Users covered by other frameworks (for example the Swiss FADP) may have analogous rights — contact privacy@selv-a.com.

4.1 Contract (Art. 6(1)(b))

Processing strictly necessary to deliver account services and core functionality you sign up for: account creation and authentication, payment processing for subscriptions you have purchased, push and transactional email delivery for service-state messages (e.g., receipts, password resets), and storage of the artefacts you create yourself (journal entries, mood entries, quiz answers — without any wellbeing-inference processing). Wellbeing inference, personality profiling, mood pattern detection, and AI-generated insights are NOT performed under contract necessity; they require explicit Art. 9(2)(a) consent under §4.5 and may be withdrawn at any time without affecting your account or core service.

4.2 Legitimate interests (Art. 6(1)(f))

Processing for security, fraud prevention, abuse detection, service-reliability diagnostics, and operational integrity. Each legitimate-interest basis is supported by a documented Legitimate Interest Assessment in our consolidated LIA register at `docs/legal/lia-register.md`, covering: (a) generic safety logging without wellbeing-content scanning, (b) Sentry crash logs, (c) Render server access logs, (d) Vercel and Cloudflare edge logs. You may object at any time on grounds relating to your particular situation by emailing privacy@selv-a.com; we will assess the objection under Art. 21 GDPR and either stop the processing or demonstrate compelling legitimate grounds that override your interests.

Processing where we present you with a separate, granular consent choice, including:

certain marketing communications where consent is required
optional personalisation, measurement, and recommender settings
optional mobile app analytics through Firebase Analytics, which remains off until you opt in through the app
any future access to your device's advertising identifier (IDFA/AAID), if we introduce a feature that requires it and ask separately through App Tracking Transparency or equivalent mechanisms
processing of special category data as described in §4.5.

You may withdraw consent at any time in Settings; withdrawal takes effect on new processing and does not affect the lawfulness of processing carried out before withdrawal.

4.4 Legal obligation (Art. 6(1)(c))

Processing necessary to comply with legal obligations, including: accounting and tax records (Italian D.P.R. 633/1972 and art. 2220 c.c. — 10-year retention); response to lawful access requests from competent authorities; consumer-defence retention for proof of consent under Codice del Consumo art. 49 and 59(o) (the right-of-withdrawal waiver record under §4.6 of our Terms — see PA-16 in our ROPA); proof of age-gate confirmation under art. 7 GDPR.

User Content you submit may include special category data — in particular information that reveals health-related or mental-wellbeing information. We treat this data under three distinct Art. 9 conditions, each used only for the narrow purpose stated:

(a) Explicit consent (Art. 9(2)(a)) — for personality profiling, mood tracking, and AI-powered self-discovery insights. Each of these is collected through a separate, clearly identified, off-by-default consent action:

Personality profiling — processing your responses to personality assessments to generate trait scores, comparing them across time, and using them to personalise AI-generated reflections.
Mood tracking — processing your mood check-ins, self-reported emotional states, and related notes to track patterns over time, generate mood summaries, and surface related self-discovery insights.
AI-powered self-discovery insights — processing your reflections, journal entries, and other User Content through AI Providers (OpenAI and Anthropic) to generate personalised insights, reframes, guided reflections, and self-discovery content, as described in Chapter 5.
You may register and use Selv-a's account-level features without granting any of these consents. Granting one does not require granting the others. You may withdraw any of them at any time in Settings; withdrawal takes effect on new processing, does not terminate your account, and does not affect other features. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

(b) Vital interest (Art. 9(2)(c)) — used **only** in the narrow case of an apparent imminent risk to life, where our deterministic safety circuit-breaker (`apps/backend/api/src/shared/ai/circuitBreaker.js`) returns a static crisis-resource refusal without sending the input to any AI Provider. We do not use vital interest as a general-purpose basis: it covers solely the moment in which we surface crisis numbers (112, 1500, 19696, Telefono Amico 02 2327 2327) and stop AI processing of the message.

(c) We do not rely on Art. 9(2)(b), 9(2)(d), 9(2)(e), 9(2)(f), 9(2)(g), 9(2)(h), 9(2)(i), or 9(2)(j) for any of our processing.

If you do not want us to process special category data, do not grant the relevant consent under (a) and do not submit such data through the Service.

Chapter 5: AI processing, training, and human review

5.1 AI transparency

Selv-a is an AI-based service. Core features — including guided reflections, personalised insights, and safety checks — are powered by AI systems. We inform you when you are interacting with an AI system and when content is AI-generated, in line with Article 50 of the EU AI Act.

5.2 Data sent to AI Providers

To generate Outputs and operate safety checks, we may send to AI Providers:

the minimum parts of your User Content and relevant retrieved context necessary for the feature you are using
structured metadata needed for routing and safety (for example language, feature type, and subscription-tier metadata that determines which AI model handles your request — Free-tier requests may be routed differently from Pro-tier requests, using the same providers)
safety classifier signals where applicable.

**Important: User Content may include Personal Data if you enter it. Do not include sensitive information — such as identification numbers, passwords, financial data, or third-party personal data — that you do not want processed by our AI Providers.**

5.3 De-identification and minimization approach

Where feasible, we reduce direct identifiers in data sent to AI Providers (for example removing an email address or account ID from payload fields). However:

free-text content may still contain Personal Data if you include it; and

“de-identified” does not necessarily mean “anonymous” under applicable laws, especially for rich text.

We treat such content as potentially Personal Data under Art. 4(1) GDPR and apply the same safeguards.

5.4 Internal AI and service improvement

Selv-a does not use User Content for non-essential internal AI or service-improvement activities such as prompt tuning, model evaluation, or content-level QA sampling. We may use aggregated, non-content metrics (for example feature usage counts, completion rates, and anonymised satisfaction signals such as thumbs-up or thumbs-down) to benchmark providers and improve quality under Art. 6(1)(f) legitimate interests. We do not send User Content to AI Providers for these benchmarking purposes.

We may still process User Content where necessary to provide the requested feature, maintain safety and security, investigate abuse or incidents, troubleshoot technical problems, or comply with law. If we later introduce content-level improvement processing, we will update this Policy and provide any required notice or choice before that change takes effect.

5.5 AI Provider training and retention

Selv-a currently uses OpenAI and Anthropic as AI Providers under commercial terms and data-processing clauses. Under the current commercial setup, inputs and outputs sent to those AI Providers are not used to improve provider models unless Selv-a explicitly enables a separate feedback or sharing setting.

If we enable provider-side sharing, add a provider with materially different model-improvement terms, or otherwise change this posture, we will update this Policy and any required notices before or when the change takes effect.

Even when provider-side model improvement is disabled, AI Providers may still retain certain API data for abuse monitoring, application state, or legal compliance according to the provider's platform settings and endpoint behaviour. We use configurations intended to minimise unnecessary retention, but retention characteristics may vary by endpoint and provider.

**Selv-a does not currently claim OpenAI Zero Data Retention or Modified Abuse Monitoring.**

We do not promise that third parties cannot attempt re-identification unless and until we have strong, specific contractual and technical guarantees supporting that claim.

5.6 Human review

We may review User Content and Outputs:

for safety escalations
to investigate abuse, misuse, security incidents, or technical faults
when required by law or to protect users, the Service, or our rights
to establish, exercise, or defend legal claims.

Human review is limited to authorised personnel and vendors bound by confidentiality, with logged access and least-privilege controls.

We may share Personal Data with:

6.1 Processors and vendors

hosting, databases, logging, and content delivery networks (including Supabase Inc. for database hosting, authentication, and file storage (profile photos are stored in Supabase Storage, Ireland); Render Services, Inc. for backend API hosting; Vercel Inc. for website hosting and CDN; Cloudflare Inc. for DNS, CDN, and SSL/TLS; and Upstash, Inc. for serverless Redis caching and rate limiting, with data stored in the EU — Ireland)
analytics, advertising measurement, and crash reporting providers (including Google Analytics and Google Tag Manager by Google LLC for website analytics and tag management — see policies.google.com/privacy; Meta Pixel by Meta Platforms, Inc. for advertising measurement and conversion tracking — see facebook.com/privacy/policy; Sentry by Functional Software, Inc. for error tracking, crash reports, and performance monitoring — see sentry.io/privacy; Vercel Analytics by Vercel Inc. for cookieless /download landing-page performance and visitor measurement — see vercel.com/docs/analytics/privacy-policy; Vercel Speed Insights by Vercel Inc. for Core Web Vitals and navigation performance measurement across the website — see vercel.com/docs/speed-insights; and Microsoft Clarity by Microsoft Corporation for website session replay and heatmap analytics where activated — see privacy.microsoft.com/privacystatement; and Google Analytics for Firebase by Google LLC for opt-in mobile app usage analytics and event measurement — see policies.google.com/privacy)
email delivery and communications systems (including Postmark by ActiveCampaign LLC for transactional and marketing email delivery)
push notification services (Expo Push Service by 650 Industries Inc., which routes to Apple Push Notification service (Apple Inc.) and Google Firebase Cloud Messaging (Google LLC) for delivery to your device)
consent management platforms (Cookiebot by Cybot A/S for cookie-consent management on our website)
internal safety and operations tooling (email-based alert routing through our transactional email provider, which may receive limited user identifiers in the context of safety escalations)
customer support tools.

6.2 AI Providers

OpenAI and Anthropic, to generate Outputs and perform safety processing as described in Chapter 5.

Apple Inc. and Google LLC (via Google Ireland Ltd. for users in the EEA/UK) for authentication.

6.4 App stores and payment providers

Apple (App Store) and Google (Play Store) process in-app purchases and subscriptions as independent controllers under their own privacy policies. We share transaction identifiers and subscription status with them to confirm purchases, renewals, and related billing events.

6.5 Professional advisors

Lawyers, auditors, insurers, and consultants, where necessary.

6.6 Authorities and legal recipients

Where required by law, court order, or where necessary to protect rights, safety, and security.

6.7 Corporate transactions

Potential investors, acquirers, merger partners, and their advisors under confidentiality and with appropriate safeguards.

6.8 Vendor requirements

We require vendors to process Personal Data under written agreements and implement appropriate technical and organizational safeguards.

Chapter 7: International data transfers

Where Personal Data is transferred outside the European Economic Area, the United Kingdom, or another adequate jurisdiction, we rely on the safeguards listed in the table below (Annex A — Transfer Register). The Annex mirrors the corresponding entries in our public Records of Processing Activities (ROPA) and is updated whenever a vendor, hosting region, or transfer mechanism changes.

Annex A — Transfer Register

Processor	Hosting country	Transfer mechanism	DPF certified	Residual risk
OpenAI Ireland Ltd. (EEA contracting entity) / OpenAI OpCo, LLC	USA	SCCs Module 2 in DPA (Section 4); EO 14086 redress mechanism	No	LOW (TIA v2 of 2026-04-19)
Anthropic, PBC	USA	SCCs Module 2 in DPA (Section I + Schedule 3); EO 14086 redress mechanism	No	LOW (TIA v2 of 2026-04-19)
Supabase, Inc. (database in Ireland eu-west-1)	EU (Ireland)	N/A — data stored in EU; SCCs in Supabase legal pack as fallback	N/A	N/A
Postmark (ActiveCampaign LLC)	USA	SCCs Module 2 in terms-incorporated DPA	No	MEDIUM (accepted; see ROPA §3 paragraph note)
Sentry (Functional Software, Inc.)	EU (since 2026-04-07)	N/A — EU residency. Pre-2026-04-07 historical events under SCCs Module 2 + DPF, fully expired by 2026-05-07.	DPF verified	LOW
Render Services, Inc. (Frankfurt eu-central-1)	EU	N/A — data stored in EU	N/A	N/A
Upstash, Inc. (Redis in Ireland eu-west-1)	EU	N/A — data stored in EU	N/A	N/A
Vercel, Inc.	USA (origin) + global edge	DPF + SCCs in DPA	Yes	LOW
Expo (650 Industries, Inc.)	USA	DPF + SCCs in ToS	Yes	LOW
Apple Inc. (App Store IAP, Sign in with Apple)	USA	Independent controller for IAP; SCCs / DPF for OAuth relay	Yes	LOW
Google LLC (Play Billing, OAuth, Firebase Analytics, GA4/GTM)	USA	Independent controller for billing; SCCs + DPF for processor activities	Yes	LOW
Meta Platforms Ireland Ltd. + Meta Platforms, Inc. (Pixel — joint controller)	EEA + USA	Joint-controller arrangement (Art. 26 GDPR) + DPF + SCCs Module 1	Yes (Meta US)	MEDIUM (consent-gated; see joint-controllership notice)
TikTok Information Technologies UK Ltd. + TikTok Technology Ltd. (Ireland) — joint controller	UK + Ireland; ByteDance group ultimate	Joint-controller arrangement (Art. 26 GDPR) + SCCs Module 1; Project Clover supplementary measures; PRC-access residual risk disclosed	No	MEDIUM (consent-gated; deactivation commitment within 30 days if EDPB/Garante issues binding adverse finding)
Microsoft Corporation (Clarity)	USA	DPF + SCCs	Yes	LOW
Cloudflare, Inc.	USA + global edge	DPF + SCCs	Yes	LOW
Cookiebot (Cybot A/S)	EU (Denmark)	N/A — EEA	N/A	N/A

8.1 Not an emergency service

Selv-a is not an emergency service and is not a suicide prevention hotline.

8.2 What we do if safety signals are detected

If our safety systems detect content that may indicate distress or concerning patterns, we may:

present support resources and guidance
encourage contacting emergency services
encourage contacting qualified professionals.

8.3 No guarantee of detection or intervention

We do not guarantee that we will detect any particular risk or that any intervention will occur.

8.4 Disclosures to third parties

We generally do not contact third-party hotlines or authorities as part of the Service. If we ever implement a feature that contacts third parties in limited scenarios, we will do so only where lawful, proportionate, and operationally reliable, and we will update this Policy before or when that feature is introduced.

Chapter 9: Data retention

We retain Personal Data only as long as necessary for providing the Service, maintaining security, complying with legal obligations, resolving disputes, and enforcing agreements. Where multiple retention windows could apply to the same record, the longest mandatory window prevails (typically the 10-year accounting record under Italian D.P.R. 633/1972).

9.1 Standard retention periods (unless law requires longer)

Account data (email, password hash, profile attributes): retained for the life of the account. After deletion, the account enters a 30-day soft-deletion window and is fully deleted or anonymised within 30 days, unless longer retention is required for legal claims, fraud prevention, or compliance.

User Content (journal entries, mood entries, quiz answers, AI-generated insights): retained until you delete it or delete your account. After account deletion, deleted or anonymised within 30 days, subject to §9.2 below.

Profile photos (Supabase Storage `avatars` bucket): retained until you replace the photo or delete your account. After account deletion, deleted within 30 days as part of the standard account purge.

Authentication tokens: refresh tokens are valid for 7 days from issuance and are then automatically purged. Access tokens are short-lived (15 minutes). Token-denylist entries (Upstash) are retained for the JWT lifetime.

Backups (Supabase database backups): up to 90 days. Deletion requests propagate to the live database within 30 days; backup expiry takes the residual record out of scope within a further 60 days.

Security logs and access logs (Render, Cloudflare): typically up to 12 months; up to 24 months for high-risk security events. See LIA register `docs/legal/lia-register.md` §3 + §4.

Crash logs and diagnostics (Sentry): up to 30 days (Sentry Developer plan retention, EU residency since 2026-04-07).

Vercel access logs: up to 12 months (Vercel default; matches the disclosure in our Cookie Notice).

Mobile app analytics (Firebase Analytics): 2 months. Collection is off by default and only enabled under a separate `mobile_analytics` opt-in.

Guest session state (Upstash, EU): purged on session expiry; quiz / mood / flow metadata held under a 2-hour TTL; rate-limit counters under shorter TTLs.

AI Provider edge retention (OpenAI, Anthropic): up to 30 days at the provider edge for abuse monitoring. We do not enable feedback sharing, evaluation, or fine-tuning. We have not requested Zero Data Retention at this pass; if and when ZDR is granted by the provider, we will update this section.

Support tickets and customer communications: typically up to 24 months after closure.

Accounting and tax records (payments, invoices, subscription records — PA-6): 10 years where required by Italian law (D.P.R. 633/1972 art. 39; c.c. art. 2220).

Marketing consent / suppression records (Postmark): the suppression record (bounce, complaint, unsubscribe) is retained for 5 years from the last event under a single rule shared with transactional suppression. Marketing consent itself terminates on withdrawal or after 24 months of inactivity, whichever is first.

DSAR fulfilment metadata (PA-15): 24 months from request (audit-trail necessity); the generated archive itself is held under a signed URL and deleted within 7 days.

Compliance evidence (PA-16): `AgeGateEvent` 5 years (defence window for Codice Civile art. 2 capacity claim); `WithdrawalWaiverConsent` 10 years (co-extensive with the underlying IAP record).

DPA / processor records and ROPA history: as long as the processing is active, plus 5 years.

9.2 Deletion limitations

Where data has been incorporated into aggregated analytics, security records, or other operational records, complete removal may not be technically feasible. In those cases we apply reasonable measures to remove direct identifiers and restrict further use.

Where law requires longer retention (in particular accounting, tax, and consumer-defence records), the legal-obligation window prevails and the record is restricted to authorised access.

Chapter 10: Security

We use technical and organizational measures appropriate to risk, including:

access controls and least privilege
encryption in transit (TLS) for all client–server and server–vendor traffic
encryption at rest with our storage processors (Supabase, Upstash, and equivalent)
monitoring, logging, and incident response processes.

Limitations: Full end-to-end encryption is not compatible with typical AI processing workflows for all features, because content must be processed to generate Outputs.

Chapter 11: Your rights and choices

If the GDPR or the UK GDPR applies to your data, you have the rights set out below. We respond to verifiable requests within one calendar month under Art. 12(3) GDPR; we may extend by two further months for complex or numerous requests, and we will notify you of any extension within the first month with the reasons.

11.A Right of access (Art. 15 GDPR)

You may request confirmation of whether we are processing your Personal Data and, if so, a copy of that data along with the categories of recipients, the retention period applied, and the source where the data was not collected directly from you.

11.B Right to rectification (Art. 16 GDPR)

You may request correction of inaccurate Personal Data and completion of incomplete data. Profile fields can be edited directly in Settings; for fields you cannot edit yourself, contact privacy@selv-a.com.

11.C Right to erasure (Art. 17 GDPR)

You may delete your account from Settings → Privacy → Danger Zone, which triggers a 30-day soft-deletion window followed by full deletion or anonymisation, subject to §9.2 above. You may also request erasure of specific records by emailing privacy@selv-a.com.

11.D Right to restriction (Art. 18 GDPR)

You may request that we restrict processing where (a) you contest the accuracy of the data, (b) the processing is unlawful and you oppose erasure, (c) we no longer need the data but you need it to establish, exercise or defend legal claims, or (d) you have objected under Art. 21 and the balancing test is pending. Submit restriction requests to privacy@selv-a.com.

11.E Notification obligation (Art. 19 GDPR)

Where we have rectified, erased, or restricted Personal Data on your request, we will notify each recipient to whom we disclosed the data unless the notification is impossible or involves disproportionate effort. On request we will tell you which recipients we notified.

11.F Right to data portability (Art. 20 GDPR)

You may request and download a copy of the data you provided to us, in a structured, commonly used, machine-readable format (JSON), through Settings → Privacy → Export my data. Where the in-app export is not available, contact privacy@selv-a.com.

11.G Right to object (Art. 21 GDPR) — important

This right deserves emphasis: where processing is based on legitimate interests (Art. 6(1)(f); see §4.2) you may object at any time on grounds relating to your particular situation, and we must stop unless we demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the establishment, exercise or defence of legal claims. For direct marketing purposes, you may object at any time and we will stop without any balancing test (use the unsubscribe link in any marketing email or contact privacy@selv-a.com).

11.H No automated decision-making with legal or significant effects (Art. 22 GDPR)

We do not take any decision producing legal effects concerning you or similarly significantly affecting you that is based solely on automated processing, including profiling. Personalised AI-generated reflections, mood summaries, and personality insights are not determinative of access to the Service, eligibility for any feature, pricing, or access to credit, employment, or healthcare; they are presented for self-reflection only and are reviewed and adjusted by you. If we ever introduce a processing operation that meets the Art. 22 threshold, we will obtain your explicit consent in advance and provide a clear human-review pathway by emailing privacy@selv-a.com.

11.I Right to withdraw consent (Art. 7(3) GDPR)

Where processing is based on consent (including Art. 9(2)(a) special-category consents — personality profiling, mood tracking, AI-powered insights, mobile analytics, marketing), you may withdraw your consent at any time in Settings. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

11.J Right to lodge a complaint (Art. 77 GDPR)

You may lodge a complaint with the Italian Garante per la protezione dei dati personali (Piazza Venezia 11, 00187 Roma — www.garanteprivacy.it; modulistica online for reclami), with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement, or with another competent authority. We would appreciate the opportunity to address your concerns first by emailing privacy@selv-a.com.

11.1 Controls

Export: Settings → Privacy → Export my data. The exported archive is a JSON file containing your account data, User Content, and consent history.

Deletion: Settings → Privacy → Danger Zone → Delete account. Triggers the 30-day soft-deletion window described in §9.1.

Marketing preferences: unsubscribe links in newsletters and in-app controls; suppression record retained for 5 years per §9.1.

Restriction (Art. 18) and objections (Art. 21) other than direct-marketing: submit to privacy@selv-a.com.

11.2 How to exercise rights

Submit verifiable requests to privacy@selv-a.com. We may request additional information to verify your identity and protect your account. We respond within one calendar month and may extend by two further months for complex or numerous requests, as permitted by Art. 12(3) GDPR. The 30-day commitment in this Chapter is the maximum window for routine requests; we aim to acknowledge receipt within 5 business days.

Chapter 12: Children and age requirements

The Service is intended for users aged 17 and older. We do not knowingly allow users under 17 to create accounts.

Chapter 13: Changes to this Policy

We may update this Policy from time to time. If changes are material, we will provide notice (for example by email or in-app notice) before they take effect where required.

Chapter 14: Contact and complaints

Please contact support@selv-a.com if you have any questions or concerns not already addressed in this Policy.

Alternatively, you can write to us at privacy@selv-a.com.

You also have the right to lodge a complaint with your local supervisory authority..

Privacy built for calm, not for tracking.