Last updated: 2026-06-10 · Version 1.0
This policy explains what personal data Praxisloom collects, why, how it is protected, and the rights you hold over it. It applies to every user of the platform, regardless of subscription tier, including users who have signed up but never paid.
Praxisloom is a relational-intelligence platform operated by Praxisloom (operator entity details — Romanian SRL name and registration number — to be completed before public launch), referred to in this document as “we,” “us,” “Praxisloom,” or “the platform.”
If you have any questions about this Privacy Policy or how we process your personal data, contact us at hello@praxisloom.com or by mail to (registered postal address to be completed before public launch).
We are the data controller for the personal data we process about you in connection with your use of the platform. Where we use third-party service providers (Supabase, Vercel, Google for the Gemini AI API, our payment processor, and others listed in Section 8), those providers act as our data processors under signed Data Processing Agreements.
This policy describes:
We organize the data we collect into five categories. We collect only what is necessary to provide the service.
This is the most sensitive data we hold. It qualifies as Special Category Data (“emotional/psychological data”) under GDPR Article 9 and as “consumer health data” under Washington’s My Health My Data Act. We process this data only with your explicit consent, given separately during onboarding, and you can revoke consent and delete this data at any time.
This data is also Special Category under GDPR Art. 9 and is processed only with your explicit consent.
We do NOT collect: biometric data, voice recordings (the platform is text-only in v1), location data beyond country-level region for crisis-resource routing, contacts list, social-graph data, or any data from devices outside what you actively input.
For each purpose, we identify the lawful basis under GDPR Article 6 and (where applicable) Article 9.
| Purpose | Lawful basis (Art. 6) | Special category (Art. 9) |
|---|---|---|
| Provide the service you signed up for | Contract performance (6(1)(b)) | Explicit consent (9(2)(a)) for emotional data |
| Authenticate you and prevent unauthorized access | Legitimate interests (6(1)(f)) | n/a |
| Process payments and issue invoices | Contract performance (6(1)(b)) + legal obligation (6(1)(c)) | n/a |
| Send transactional emails (account verification, password reset, billing receipts) | Contract performance (6(1)(b)) | n/a |
| Send the weekly retrospective email (opt-in only) | Explicit consent (6(1)(a)) | Explicit consent (9(2)(a)) |
| Improve the AI’s responses (anonymized aggregates only) | Legitimate interests (6(1)(f)) | Explicit consent (9(2)(a)) |
| Match you with other users (Reunion Protocol, opt-in only) | Explicit consent (6(1)(a)) | Explicit consent (9(2)(a)) |
| Comply with legal obligations (tax, anti-fraud, response to lawful requests) | Legal obligation (6(1)(c)) | Substantial public interest (9(2)(g)) where applicable |
| Detect and respond to crisis disclosures | Vital interests (6(1)(d)) + legitimate interests (6(1)(f)) | Vital interests (9(2)(c)) |
We use Google’s Gemini AI to generate the platform’s responses. This is automated processing under GDPR Article 22. We have evaluated whether it constitutes “solely automated decision-making with legal or similarly significant effects” and concluded it does not — the AI generates reflective text and tactical suggestions, but does not make decisions affecting your legal status, employment, credit, insurance, or government benefits.
The matching algorithm (Reunion Protocol) uses similarity over architecture-coded data, gated by a Readiness Threshold computation. You explicitly opt in to the matching pool; you can withdraw at any time without penalty; and any match introduction can be passed without explanation. No automated decision is made that you cannot override.
We do not use AI for emotion recognition under EU AI Act terms. The platform classifies risk via lexicon-based text matching only (not facial-expression analysis, not voice tone, not biometric inference).
| Data category | Retention |
|---|---|
| Account & contact | Lifetime of the account + 30 days after deletion request |
| Subscription & payment | 7 years (Romanian/EU tax obligation) |
| Calibration / Foundation profile | Lifetime of the account; deleted within 30 days of account deletion |
| Conversation data | Lifetime of the account; you can delete individual messages or the full history at any time |
| Behavioral telemetry (live) | Session-only; never persisted across sessions |
| Behavioral telemetry (logs) | Lifetime of the account; deleted when you delete your account |
| Crisis-flagged turns | Held in your private conversation vault (same protections as your other conversation data); deleted when you delete your account |
| Backups | Up to 90 days after primary deletion; then permanently purged |
You can request deletion of all your data at any time (Section 7). For data we retain due to legal obligations (e.g., billing records), we retain only the specific records required by law and segregate them from active platform data.
Depending on your country of residence, you have some or all of the following rights:
To exercise any of these rights, email hello@praxisloom.com with your request. We will respond within 30 days. Account deletion and a full machine-readable data export are also available directly from your account settings.
To exercise: same channel — hello@praxisloom.com.
The platform processes “consumer health data” as defined under MHMDA. You have:
To exercise: hello@praxisloom.com.
Virginia, Colorado, Connecticut, Utah, Texas, and other states with consumer privacy laws afford similar rights. We honor them under one unified process. Contact: hello@praxisloom.com.
We use the following providers under signed Data Processing Agreements. Each is contractually bound to process your data only for the purposes we direct. We do not sell, share, or syndicate your data for marketing or advertising purposes — ever.
| Provider | Purpose | Data shared | Region |
|---|---|---|---|
| Vercel | Application hosting | Runtime processing of platform data | US, EU |
| Supabase | Database, authentication, storage | All persisted data; encrypted at rest at the infrastructure layer | EU (Frankfurt) |
| Google (Gemini AI) | AI text generation and embedding | Conversation messages + system prompts at runtime | US |
| Payment processor | Payment processing — NOT yet active (no billing in the current release; this row will name the processor and data when paid plans launch) | None collected today | — |
| Resend | Transactional email | Email address, message content | US |
| Cloudflare | DNS, DDoS protection | IP-level metadata only | Global |
For data transferred outside the EEA (notably to Google for AI processing), we rely on the European Commission’s Standard Contractual Clauses and Google’s adequacy commitments under their Data Processing Addendum.
You can request the current list of sub-processors and our DPAs at any time via hello@praxisloom.com.
We employ technical and organizational measures appropriate to the sensitivity of the data we process. These include:
We are a small team and do not currently maintain SOC 2 or ISO 27001 certifications. We will pursue certifications as we scale or when required by enterprise customers. In the meantime, our security posture is documented and continuously improved; we welcome scrutiny.
We use only the cookies and browser storage required to run the platform:
We do NOT use advertising cookies, cross-site tracking, analytics pixels, Google Analytics, or Facebook Pixel. We do not sell or share your data with advertising networks or data brokers. This is a structural commitment, not a temporary marketing position.
Most browsers let you view, delete, or block cookies. If you block the strictly necessary authentication cookies, you will not be able to sign in.
Praxisloom is intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. The platform requires age verification at onboarding. If we discover that a user is under 18, we will delete their account and all associated data.
If you believe a minor has registered, contact hello@praxisloom.com immediately.
If you describe a situation involving imminent harm to yourself or another person while using the platform, our system will surface region-aware crisis resources (per our internal Crisis & Safety Protocol). Those turns are held in your own private conversation vault — under the same row-level protections as the rest of your conversation data, so the platform can keep continuity of care across that session — and are deleted when you delete your account. We do not keep a separate identity-stripped review log.
We do this under the GDPR lawful basis of “vital interests” (Art. 6(1)(d) and 9(2)(c)).
We are not a crisis intervention service. The platform’s role in a crisis is to surface information; if you are in immediate danger, contact emergency services or a crisis hotline directly — see our crisis resources page. Do not rely on the platform alone.
We will notify you of material changes by email at least 30 days before the new policy takes effect. Non-material changes (typo fixes, formatting) take effect immediately.
The current effective version is shown at the top of this document.
For privacy-related questions, requests, or complaints:
We have not appointed a formal Data Protection Officer at this time (we are below the GDPR Article 37 thresholds). The founder acts as the privacy point of contact and responds personally to data requests.
For EU/EEA users: you can lodge a complaint with the Romanian Data Protection Authority (ANSPDCP) at dataprotection.ro or with your local national authority.