Privacy & GDPR

Your data is yours. Here's what we collect, how we protect it, and how you stay in control.

What we collect

  • Email, account name, password (bcrypt-hashed — never readable).
  • Your tool conversations, mood/energy/focus scans.
  • If the cycle tracker is on: cycle dates, daily check-ins.
  • Minimal technical data: language, timezone, subscription status.

How we protect it

  • HTTPS everywhere (TLS 1.2+). Zero plaintext traffic.
  • Bcrypt-hashed passwords with salt — non-reversible.
  • Signed JWT auth tokens + versioning (password reset invalidates all old tokens).
  • MongoDB private, never publicly exposed.
  • Security headers enabled: X-Frame-Options, X-Content-Type-Options, HSTS, etc.
  • Auto-purge of data after 6 months of inactive subscription.
  • No data resale to third parties. Ever.

Third parties

  • Stripe — payments (EU/US, PCI-DSS compliant).
  • Resend — transactional emails (EU).
  • Emergent LLM (Anthropic Claude / OpenAI) — receives only the conversation text, never your email or identity.
  • Google — Calendar and Gmail (read-only), only if you connect your account. Details in the section below.

AI Coach privacy (Cathy & mascots)

Frequent question: "Are my chats with Cathy private? Can someone steal them?" Here is the precise answer:

🔒 Storage

  • Conversations are stored in a private MongoDB, never publicly exposed.
  • Each message is tied to your account only (via your user_id) — only you, logged in with your password, can access them.
  • All traffic is encrypted with HTTPS / TLS 1.2+ (bank-grade).

🤖 When you write to Cathy, where does the text go?

  1. Your message is sent over an encrypted (TLS) connection to the Copilote TDAH server.
  2. The server forwards only the text (no email, name or ID) to Anthropic Claude via Emergent (GDPR-compliant).
  3. Claude generates the reply and returns it to you.
  4. Anthropic does NOT store your messages to train its models (no-training clause on the API used).

🛡️ Protection against theft

  • Bcrypt-hashed + salted password → cannot be reversed, even by the team.
  • Signed + versioned JWT auth: a password reset instantly invalidates all old sessions.
  • No resale, no commercial sharing to third parties. Ever.
  • Auto-purge after 6 months of inactive subscription.

🚨 Honest disclosure: no system is 100% invulnerable

Like any internet app, a large-scale breach remains theoretically possible. Avoid sharing with Cathy ultra-sensitive data you wouldn't write in a private journal (passwords, card numbers, protected work secrets). Cathy is designed to listen on ADHD, emotions and mental load — that's her territory.

Google data (Calendar & Gmail)

If you choose to connect Google (Calendar for scheduling, Gmail for the Subscription Radar), here is exactly what we do:

  • 📅 Calendar: read free/busy, write blocks (only when you explicitly confirm).
  • 📧 Gmail: read-only (gmail.readonly), only to detect your subscriptions (Netflix, Spotify, etc.). No email is sent or modified on your behalf.
  • 💾 Storage: we only store strictly necessary metadata (service name, amount, unsubscribe link). We NEVER store email content.
  • 🤖 No Google data is used to train or improve AI models (human or otherwise).
  • 🚫 No resale, sharing, or transfer of your Google data to third parties beyond the technical subprocessors listed above.
  • ✋ You can revoke access anytime (Profile → Google Connections → Disconnect) or directly from https://myaccount.google.com/permissions

Official disclosure (Google API Services User Data Policy):

« PARENThèse TDAH (Le Copilote TDAH)'s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. »

Your GDPR rights

Anytime:

  • Access — export below.
  • Rectification — edit your profile in settings.
  • Erasure — delete account below (irreversible).
  • Portability — JSON export.
  • Questions: parenthese.tdah@gmail.com

PARENThèse TDAH — Coach TDAH. Data controller in Belgium. Last update: Feb 25, 2026.