Privacy Statement
Ardgour Support (“Ardgour,” “we,” “us,”) provides an AI-enabled counselling companion. This Privacy Statement explains how we collect, use, and share information when you interact with our marketing site at ardgour.app, our application at account.ardgour.app, background reminder worker, and related communications (collectively, the “Services”). Contact our privacy team at [email protected].
1. Data We Collect
- Account & Profile Data: Name, email, hashed password, phone number, timezone (if provided), support-contact details, subscription tier, notification preferences, and Stripe customer/subscription identifiers.
- Session Content: Conversation transcripts, summaries, themes, homework, reminders, distress levels, outreach logs, and analytics derived from your usage.
- Audio Uploads: Voice recordings you submit for transcription (temporarily processed through OpenAI’s transcription API).
- Support Outreach Records: Logs of emails and SMS we send to your trusted contacts, including timestamps, message templates, and delivery status.
- Usage & Device Data: IP address, approximate location inferred from IP, browser type, device identifiers, referral URLs, and in-app events gathered through our frontend and reminder worker.
- Log & Diagnostic Data: Server logs, error traces, and performance metrics that help us troubleshoot and secure the Services.
- Marketing Site Analytics: Page views, session duration, and referral data collected through Google Analytics 4 (GA4) using the tag ID G-TYPLGN9C39.
- Support Communications: Messages you send to [email protected].
2. How We Use Data
- Operate, personalise, and improve the Services.
- Generate AI conversations, summaries, reminders, and support-contact prompts.
- Authenticate users, manage sessions, and prevent suspicious or unauthorised activity.
- Process payments and subscriptions through Stripe.
- Deliver transactional communications such as session summaries, reminders, and escalation notices through SendGrid and ClickSend.
- Analyse aggregated usage to refine features, fix bugs, and develop new services.
- Recommend reminders, outreach, or plan upgrades by analysing automated distress scores and session context.
- Send product updates or marketing communications where you have opted in (you can unsubscribe at any time).
- Comply with legal obligations, enforce terms, and respond to lawful requests.
3. Automated Decision-Making & Profiling
Distress scoring, reminder scheduling, and outreach suggestions are driven by automated analysis of recent conversations and account context. These decisions help prioritise nudges and recommendations but do not carry legal or similarly significant effects. You may request human review or opt out of automated outreach suggestions by contacting [email protected].
4. Legal Bases (GDPR/UK GDPR)
Where applicable, we rely on (i) performance of a contract, (ii) legitimate interests in securing and improving the Services, (iii) consent for optional analytics or outreach, and (iv) compliance with legal obligations.
5. Sharing & Processors
We share data with service providers who process information on our behalf:
- Hosting and infrastructure (e.g., AWS or equivalent) for servers and databases.
- OpenAI for chat completions and speech-to-text processing. Data submitted to OpenAI is handled per their API terms.
- Stripe for payments and subscription management.
- SendGrid for email delivery.
- ClickSend for SMS reminders and outreach.
- Google Analytics 4 for marketing site analytics.
- Law enforcement or crisis responders if required to prevent imminent harm or comply with legal obligations.
We do not sell personal data. We may update our sub-processor list as the Service evolves; material changes will be reflected in this statement and, where legally required, communicated to affected customers before taking effect.
6. International Transfers
Data may be processed in countries other than your own (including the United States, European Union, and Australia). We rely on contractual safeguards such as Standard Contractual Clauses or other lawful transfer mechanisms, and we assess processor privacy practices before onboarding them.
7. Retention
We retain information only for as long as needed to provide the Services or meet legal duties:
- Account & billing records: Stored while your account is active and up to 30 days after deletion, then archived for up to 7 years if required for taxation, accounting, or dispute resolution.
- Session transcripts & reminders: Stored while your account remains active; deleted within 30 days of profile deletion unless retention is required for safety or legal reasons.
- Support outreach logs: Retained for 24 months to audit delivery issues and prevent duplicate outreach.
- Analytics & diagnostics: Aggregated or anonymised metrics may be kept indefinitely to understand service performance. Raw server logs are typically purged within 180 days.
- Audio buffers: Discarded after transcription when supported by the OpenAI API processing the upload.
8. Security
We protect data with HTTPS encryption in transit, encrypted storage for databases and backups, stored-password hashing using bcrypt, least-privilege access controls, and infrastructure monitoring. Staff access is limited to personnel who need it to operate the Service. No system is perfectly secure; report suspected incidents to [email protected] and we will investigate and notify affected users and regulators where required by law.
9. Your Rights
Depending on your jurisdiction, you may request access, correction, deletion, restriction, portability, or object to processing. Use in-app controls or email [email protected]. We may verify your identity before fulfilling requests. If you are in the European Economic Area or United Kingdom you can complain to your local data protection authority or the UK Information Commissioner’s Office. In Australia you may contact the Office of the Australian Information Commissioner.
10. Cookies & Local Storage
The marketing site uses GA4 first-party cookies (which typically persist for up to 14 months) to measure traffic. You can disable analytics cookies through your browser settings or Google’s opt-out tools. The application stores authentication tokens in local storage for session continuity. You can clear tokens by logging out or clearing browser storage. We currently do not respond to Do Not Track signals.
11. Children
The Services are not directed to children under 18. If we discover data was collected from a minor without consent, we will delete it.
12. Changes
We may update this Privacy Statement. The “Last updated” date indicates the latest version. Material changes may be communicated by email or in-app notifications.
13. Contact
For privacy questions, data access requests, or complaints, contact [email protected]. If you believe your rights have been infringed, you may lodge a complaint with your local data protection authority.