theProject.

Privacy Policy

Last updated: May 17, 2025

1. Our Core Commitment


Your data is yours—always. We build every workflow, feature and business process around the principle that information never moves anywhere without your clear, informed permission. We will never sell, rent, barter or otherwise disclose your personal data for third-party advertising purposes.

We apply a privacy-by-design methodology across our code base, internal procedures and vendor evaluations. Whenever a new feature is proposed, the first checkpoint is: “Can we deliver the value without collecting more data?” If the answer is no, we collect only the minimum required and make the data path fully transparent to you.

2. What We Collect & Why

2.1 Identity & Contact

  • Name & Username
  • Email & Phone
  • User Uploaded Profile & Other User Provided Profile Options

Used to create and secure your account, send notices you consent to and respond to support requests.

2.2 Technical & Usage

  • IP address & device data (browser, OS, time-zone)
  • Interaction data (pages visited, feature usage, crash logs)

Collected via first-party analytics to keep our platform secure, detect fraud and improve performance. Analytics cookies are opt-in only.

2.3 Content You Provide


When you upload files, submit forms or chat with our AI assistants, we store the content so that the service can function (e.g. show past chat history). We retain user-generated content for the life of the account unless you delete it or request erasure. This lifetime retention enables long-term projects and audit trails.

3. “Hello, Friend" Our Breakthrough Product


Hello, Friend. is an AI-driven conversational tool designed for coaching and mental-wellness purposes. Because highly personal data can surface in the conversation, we enforce additional rules:

  • End-to-End Encryption Chat content is encrypted in transit and at rest. Only you—and the model processing pipeline—can view the text.
  • Safeguards for Crisis Language If the model detects credible indications of self-harm, suicide, violent extremism or child exploitation, the session is immediately interrupted and you are provided with local emergency contacts. No automatic law-enforcement reporting occurs unless required by jurisdictional law.
  • No Users Under 18 We reserve the right to refuse or terminate service for anyone under 18. Accounts identified as being operated by minors are deleted, consistent with the Children’s Online Privacy Protection Act (COPPA) and international equivalents.
  • Lifetime Storage with Control Chat logs stay available for as long as your account exists, so you can track personal progress over years. You can delete any or all logs at any time from the in-app dashboard; deletion is irreversible.

4. Your Control Panel


Inside every product we ship you will find a dedicated “Privacy” tab allowing you to:

  • Download Data Export your entire dataset in JSON or CSV.
  • Delete Data Erase individual items or wipe your whole account.
  • Granular Consents Toggle analytics, marketing emails, beta-feedback, etc.

5. Lawful Bases for Processing


We rely on one of the following:

  • Consent When you explicitly opt in (e.g. newsletter, analytics).
  • Contract When data is required to deliver or improve a feature you requested.
  • Legal Obligation Where regulators mandate retention (e.g. tax records).
  • Vital Interest Limited to crisis-response scenarios described above.

6. Security Practices


  • TLS 1.3 for all connections.
  • AES-256 encryption at rest within ISO 27001-certified data centres.
  • MFA-only administrative access with Just-in-Time credentials.
  • Quarterly vulnerability scans and semi-annual external penetration tests.
  • Continuous audit logging stored on append-only, tamper-evident infrastructure.

7. Retention & Deletion


We store personal data only while your account is active or as needed to comply with legal obligations. Encrypted off-site backups are rotated every 30 days; analytics logs are anonymised after 14 days. When you delete data, we propagate the deletion through live replicas and backups within 30 days.

8. UK & EU Compliance


We adhere to the UK GDPR, EU GDPR, the proposed EU AI Act and the UK Digital Information Bill. Data for UK/EU users is processed exclusively inside the EEA/UK, and any onward transfer relies on Standard Contractual Clauses (SCCs) and supplementary measures.

9. Children & COPPA


Our services are not directed to children under 13, and we do not knowingly collect data from anyone under that age. If we learn that a child under 13 has provided personal information, we will delete it immediately. For certain products—including Hello, Friend.—we reserve the right to refuse service to anyone under 18 due to the sensitive nature of AI-based mental-wellness content.

10. Your Rights


  • Access, correct or delete your data.
  • Port your data to another controller in a machine-readable format.
  • Restrict or object to processing.
  • Withdraw consent at any time (without affecting lawful processing before withdrawal).
  • Lodge a complaint with your local data-protection authority.

11. Contact


Email: privacy@bytheproject.com
Phone: (484) 894-2519
Data Protection Officer: Tristan Smith