1. Who we are
- Iconbay Tech ("we," "us," "our"), doing business as Serin AI ("Service").
- Contact: admin@iconbay.net
2. Scope
This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use Serin AI's websites, web apps, APIs, and related services offering AI-powered wellness coaching, chat sessions, and video agent experiences.
3. Summary of what we collect and why
- Account and profile data (e.g., email, name, preferences) to create and maintain your account.
- Email verification tokens to verify your email address during account registration.
- Wellness and sensitive data you choose to provide (e.g., assessments, chat messages, mood tracking, journal entries, AI-generated reflections and summaries) to deliver coaching features—processed with your explicit consent.
- Usage, device, and analytics data (e.g., pages viewed, events) to improve the Service and troubleshoot.
- Payment and subscription metadata (via Stripe) to process subscriptions and manage billing.
- AI content and prompts shared with model vendors (OpenAI) and video agent vendor (D‑ID) to generate responses and videos.
- User memories and context shared with Supermemory.ai to provide persistent, long-term memory across sessions.
- Email communications sent via SendGrid for account verification, welcome messages, and password reset functionality.
4. Not medical care; special category data
- Serin AI provides wellness support and self-help tools. It is not a medical or mental health care service, and does not diagnose, treat, or cure any condition.
- In some jurisdictions (e.g., EU/UK), certain information you provide (e.g., mood, assessments, journal entries) may be considered "special category" or sensitive data. We process such data with your explicit consent to provide the Service. You can withdraw consent at any time (see Your Rights), though doing so may limit features.
5. Information we collect
A. Information you provide
- Account and profile: email, password (stored as a hash), display name, basic profile fields (e.g., first/last name), preferences (time zone, language), email verification status, and optionally phone and emergency contact information.
- Wellness features:
  - Chat content, messages, session context, and AI responses.
  - Mental health assessments (e.g., PHQ-9, GAD-7), treatment goals, progress tracking.
  - Mood entries (scales for mood, energy, anxiety), sleep info, triggers/notes.
  - Journaling (titles, content, tags, AI-generated reflections, and insights).
  - Journal summaries (daily, weekly, monthly, yearly AI-generated reports with highlights, themes, mood trends, and patterns).
  - Safety plans and crisis notes (if you choose to provide them).
- Subscriptions: plan selection, membership status, and limited billing metadata (we do not store full card details; payments are processed by Stripe).
- Support requests and feedback.
B. Information collected automatically
- Usage and device information: IP address, date/time, user agent, pages viewed, referrer/UTM parameters, clicks, feature usage.
- Cookies and similar technologies:
  - Consent management via Cookiebot.
  - Analytics via Google Analytics (gtag.js).
  - Essential session/local storage (e.g., auth tokens) for secure access.
C. Information from service providers
- Payment status/metadata from Stripe (e.g., subscription ID, plan, renewal dates).
- AI outputs and status from OpenAI and D‑ID (e.g., generated replies, talk/video IDs).
- Email delivery status and metadata from SendGrid (e.g., delivery confirmations, bounce information).
- Memory storage and retrieval confirmations from Supermemory.ai for context persistence.
6. How we use your information
- Provide and improve the Service: account management, authentication, email verification, chat and video features, wellness tracking, journal reflections and summaries, troubleshooting, and product analytics.
- Generate AI responses and video sessions: send prompts/content to our AI and video vendors (OpenAI, D‑ID) to deliver requested outputs, including personalized journal reflections and periodic summaries.
- Maintain context and memory: store and retrieve your interactions with Supermemory.ai to provide persistent, personalized experiences across sessions.
- Communications: send transactional emails via SendGrid including account verification, welcome messages, password resets, and service notifications.
- Personalization: tailor content and experience based on your preferences, history, and patterns identified in your usage.
- Payments: process subscriptions, billing, refunds, and fraud prevention via Stripe.
- Security and abuse prevention: detect, prevent, and investigate misuse.
- Legal: comply with law, enforce terms, and protect rights, property, and safety.
Legal bases (EEA/UK):
- Contract: to provide the Service you request.
- Consent: analytics cookies; processing special category/sensitive data for wellness features; marketing (if any).
- Legitimate interests: security, service analytics in aggregated/de‑identified form, and product improvement.
- Legal obligations: tax, accounting, regulatory requirements.
- Vital interests: where we reasonably believe it's necessary to help prevent harm (e.g., if you proactively share imminent risk information; see crisis note in Section 17).
7. Cookies and analytics
- Consent management: We use Cookiebot to capture and honor your consent preferences.
- Analytics: Google Analytics measures usage and performance. Data may include IP (truncated where supported), device info, and events. You can manage consent via our consent banner or your browser settings.
- Essential cookies/local storage: used for authentication and security and cannot be switched off.
8. How we share information
We do not sell your personal information. We disclose information to:
- Hosting and infrastructure providers: AWS (RDS for PostgreSQL database; S3 for media content), and deployment/hosting platforms such as Vercel (frontend) and Render (API).
- AI vendor(s): OpenAI to generate chat responses, journal reflections, and periodic summaries. Messages, journal entries, and context that you provide may be processed to produce outputs you request.
- Memory and context provider: Supermemory.ai to store and retrieve your chat messages, journal entries, and related context for persistent memory across sessions. This enables the Service to maintain awareness of your history and provide personalized experiences.
- Video agent vendor(s): D‑ID to synthesize videos/avatars from your prompts and AI outputs. D‑ID may use text‑to‑speech providers as part of their service.
- Email service provider: SendGrid to deliver transactional emails including account verification, welcome messages, password resets, and service notifications.
- Payments: Stripe processes payments and stores card data; we receive limited billing and subscription metadata.
- Analytics: Google Analytics to understand usage patterns.
- Service providers: email/communications, logging, and support tools (as applicable).
- Legal and safety: when required by law, lawful requests, to enforce our terms, or to protect rights, property, and safety.
- Business transfers: in mergers, acquisitions, or asset sales, data may be transferred consistent with this Policy.
Vendor references:
- Amazon Web Services (hosting, storage, database)
- Vercel and Render (hosting/deployment)
- OpenAI (AI API for chat, reflections, and summaries)
- Supermemory.ai (memory and context storage)
- D‑ID (video agent/avatars)
- SendGrid (email delivery)
- Stripe (payments)
- Google Analytics (analytics)
Refer to each vendor's privacy documentation for details on their processing.
9. International data transfers
We may transfer and process data in the United States and other countries that may not provide the same level of data protection as your home jurisdiction. Where required, we use appropriate safeguards (e.g., Standard Contractual Clauses) and implement technical/organizational measures to protect your data.
10. Data retention
- Account data: retained while your account is active. If you request deletion, we generally delete or anonymize your data within 30 days, with backups and logs retained for a limited period (e.g., up to 90 days) for security, integrity, and legal compliance.
- Wellness content (assessments, chat, mood entries, journal entries, reflections, and summaries): retained to provide ongoing services and history; deleted or anonymized upon request, subject to legal obligations and backup cycles.
- Email verification tokens: automatically expire after 24 hours and are deleted after use or expiration.
- Third-party service data: data stored with Supermemory.ai is retained according to their retention policies and our service configuration; you may request deletion through us.
- Payment records: retained as required for financial and tax compliance.
We may retain de‑identified or aggregated data.
11. Security
We implement administrative, technical, and physical safeguards, including:
- Encryption in transit (TLS) and encryption at rest for databases.
- Password hashing (e.g., bcrypt).
- Role-based access controls and least-privilege access.
- Input validation and audit trails.
No method is 100% secure; we cannot guarantee absolute security.
12. Your rights
Depending on your location, you may have the right to:
- Access, correct, or delete your personal data.
- Port your data to another service.
- Restrict or object to certain processing.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with your local supervisory authority.
To exercise rights, contact privacy@serin.ai. We may request verification and may be unable to fulfill some requests where we have overriding legal obligations.
13. EEA/UK additional information
- Controller: Iconbay Tech (contact above).
- Legal bases: see Section 6.
- Special category data: processed only with your explicit consent or other permitted basis; you may withdraw consent at any time (some features may stop working).
14. California (CPRA) and other U.S. state privacy rights
A. Categories of personal information collected (past 12 months)
- Identifiers (e.g., email, IP address), account credentials (password hash).
- Internet/activity data (usage, device, pages viewed).
- Commercial info (subscription plan details).
- Geolocation data (approximate via IP).
- Sensitive personal information you provide (e.g., wellness and mental health‑related entries, assessments, journal content).
B. Purposes for collection
Provide and improve the Service, security, billing, analytics, and compliance (see Section 6).
C. Disclosures for business purposes
Service providers and processors listed in Section 8.
D. Sale/share
We do not sell your personal information. We do not knowingly "share" personal information for cross‑context behavioral advertising beyond analytics necessary to operate and improve our services. You can manage analytics cookies via Cookiebot.
E. Your rights (California and similar state laws)
- Right to know/access, delete, correct, and portability.
- Right to opt out of sale/share (not applicable as described).
- Right to limit use/disclosure of sensitive personal information (we only use sensitive data you provide to deliver the requested wellness features).
- Non-discrimination for exercising your rights.
Submit requests to privacy@serin.ai.
15. Children's privacy
Our Service is not directed to children under 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from children in those age groups. If you believe a child has provided us personal information, contact admin@iconbay.net to request deletion.
16. Payments
We use Stripe to process payments. Stripe collects and processes payment information in accordance with its policies. We receive limited billing/subscription metadata (e.g., customer ID, plan, status) and do not store full payment card numbers.
17. Crisis and safety
If you indicate imminent risk of harm or provide emergency contact details, we may, in good faith, use information you provided to help connect you with emergency resources, consistent with applicable law and our legal bases (e.g., vital interests). Serin AI is not an emergency service. If you are in crisis, contact local emergency services immediately.
18. AI and content processing disclosures
- OpenAI: We send necessary prompts and context (e.g., parts of your chats, journal entries, or session history) to generate the responses, reflections, and summaries you request. OpenAI processes data as our service provider. Please review OpenAI's privacy and data handling practices for details on retention and safety systems.
- Supermemory.ai: To provide persistent memory and context awareness, we store your chat messages, journal entries, and related metadata with Supermemory.ai. This enables the Service to retrieve relevant past interactions and provide personalized, context-aware responses. Data is stored with user-specific isolation tags. Please review Supermemory.ai's privacy documentation for details on their data handling practices.
- D‑ID: To create video agent experiences, we may send AI text outputs and your prompts to D‑ID, which may utilize text‑to‑speech providers to synthesize audio. Please review D‑ID's privacy documentation for retention/processing details.
- SendGrid: We use SendGrid to deliver transactional emails. SendGrid processes your email address and message content solely to deliver emails on our behalf. Please review SendGrid's privacy policy for details on their data handling practices.
- Safety filtering and abuse prevention: Our vendors may run automated safety checks to prevent misuse and improve platform security.
19. Managing your preferences
- Consent and cookies: Use our Cookiebot banner/settings to manage analytics and other non‑essential cookies.
- Email preferences: If applicable, use in‑message links or email privacy@serin.ai.
- Account and data controls: Submit data requests to privacy@serin.ai.
20. Data retention for deleted accounts
When you delete your account or request erasure:
- We delete or anonymize personal data within a reasonable period (typically 30 days), except where retention is required for legal/regulatory reasons or technical backups with limited retention.
- De‑identified data may be retained.
21. Third-party links
Our Service may link to third-party websites/services. Their privacy practices are governed by their own policies.
22. Changes to this Policy
We may update this Policy from time to time. We will post the new effective date at the top and, if changes are material, provide additional notice (e.g., in‑app notice or email). Your continued use of the Service after changes become effective constitutes acceptance.
23. Contact us
- Email: admin@iconbay.net
- If you reside in the EEA/UK, you may also contact your local data protection authority.
California Notice at Collection
- Categories collected: Identifiers; Internet/activity data; Commercial info; Approximate geolocation; Sensitive personal information you provide (wellness/mental-health‑related content).
- Business/commercial purposes: Provide the Service, personalization, security, analytics, billing, compliance.
- Retention: See Section 10.
- Sale/share: We do not sell your personal information and do not knowingly share for cross‑context behavioral advertising beyond analytics governed by your Cookiebot preferences.
- Your rights: Know, access, delete, correct, opt‑out (where applicable), limit use of sensitive personal information; see Section 14.
Regional Addenda (if needed)
- EEA/UK Addendum: Includes SCCs/transfer impact assessments as applicable.
- Canada/Quebec Addendum: Rights under PIPEDA/Law 25.
- Australia Addendum: APPs alignment.
(Contact us to enable region‑specific terms.)
Implementation notes for your website/app
- Display this Privacy Policy at /privacy or /privacy-policy and link it in the footer and onboarding flow.
- Ensure Cookiebot banner is active and configured to block GA until consent.
- Provide in‑product controls or a simple form for access/deletion requests and consent withdrawal.
- Add a dedicated contact page and update contact details and company legal name/address above.
- Publish a separate Terms of Service and acceptable use policy, and link them in the footer and onboarding.
Disclaimer: This Policy is provided for informational purposes and does not constitute legal advice. Please consult your legal counsel to tailor it to your organization's specific regulatory obligations (e.g., HIPAA determinations, cross‑border transfer mechanisms, state privacy law addenda, and vendor DPAs).