Privacy Policy

Effective Date: August 4, 2025

Controller: JJR Technical Services LLC

1. Information We Collect

Category | Details
Account Info | Phone number, verification logs, timezone, user preferences
Journal Content | SMS responses (free-form text, mood ratings, optional metadata like sentiment score)
Usage Analytics | Client‑side and server‑side interaction logs, IPs, browser/user agent via PostHog and Google Analytics/Tag Manager
Payment Data | Subscription and invoicing info handled by Stripe (we do not see card data). We store your Stripe customer/subscription identifiers.
AI Metadata | Summaries such as topics, sentiment, depth, and (if indicated) suicide risk for safety routing and personalization.
Safety & Moderation | Automated flags (e.g., moderation and static validation results) and whether follow‑up is needed. We also record if your account is restricted due to repeated violations.
Messaging Logs | Delivery and scheduling metadata for outbound SMS (no carrier secrets), and basic logs about inbound messages (timestamps, from/to, body length).

2. How We Use Data

  • To deliver prompts at your preferred time; store and let you retrieve your entries.
  • To generate personalized prompts, optionally using AI tools like OpenAI. Under their data handling procedures, your data is encrypted and retained no longer than 30 days unless legally required.
  • To improve functionality and reliability, using PostHog and Google Analytics (you may opt out at any time if in the EEA/UK).
  • For service support and account administration.
  • To help keep users safe: we run automated checks to detect self‑harm content and policy violations. We may contact you (e.g., sharing 988 Lifeline info) and limit or suspend accounts for repeat violations.

3. International Data Transfers

Data is stored in U.S. cloud servers. For EEA/UK users, we rely on Standard Contractual Clauses or similar safeguards when transferring personal data to ensure compliance with GDPR.

4. Data Retention & Deletion

  • Journal entries and account data are retained until you request deletion.
  • You may download or export your entries anytime in CSV or PDF format.
  • Upon deletion request, data is removed from active systems expeditiously and from backups within 30 days.

5. Your Privacy Rights

For California (CCPA/CPRA) Consumers

  • Right to Know/Access categories and data we've collected about you.
  • Right to Delete your personal data.
  • We currently do not "sell" personal data as defined under CCPA. We may share data with processors but not for independent marketing.

For EEA/UK Users (GDPR Rights)

  • Right to Access and receive a portable copy of your data.
  • Right to Rectification or Erasure ("Right to be forgotten") per Article 17 of GDPR.
  • Right to Restrict or Object to our processing, if we rely on legitimate interests.
  • Right to Data Portability, allowing transfer of your personal data to another provider in structured format per Article 20 GDPR.

To exercise any of these rights, contact privacy@sidekick.com.

6. Sensitive Journal Content

Your entries may include personal thoughts or mental health reflections. We treat these as confidential. However, we cannot guarantee safety from third-party access to your device or phone carrier. We recommend not including highly sensitive personal information if that poses risks.

7. Security Measures

Sidekick employs industry-standard safeguards, including encryption in transit and at rest, access controls, and vulnerability testing. We do not sell your data to third parties or for advertising purposes.

8. Children's Privacy

We do not knowingly collect data from anyone under 18. If we learn that such data has been captured, we will delete it promptly.

9. Changes to this Policy

We will notify you of material changes via SMS or email at least 30 days in advance. Your continued use after the effective date constitutes acceptance.

Need Assistance?

Contact Sidekick at:

📧 privacy@sidekick.com

📍 JJR Technical Services LLC, 16192 Coastal Highway, Lewes, DE 19958