Privacy Policy

Serai (“we”, “us”) respects your privacy. This Privacy Policy describes how we collect, use, share, and protect personal data when you use the Serai mobile application and related services, and how you can exercise your rights, including under the EU/UK General Data Protection Regulation (“GDPR”) where it applies.

1. Data controller

The controller responsible for your personal data in connection with Serai is the Serai operating entity identified in-app or in your purchase documentation. For privacy requests, contact: privacy@getserai.com.

2. Data we collect

Depending on how you use Serai, we may process:

• Account and profile: name, email address, date of birth, language or preferences you provide.
• Wellness and app activity: mood and energy logs, journal-style inputs you choose to save, and related timestamps.
• Chat content: messages you send to the AI assistant and related context needed to generate replies.
• Cycle and pregnancy-related data: information you optionally enter for cycle awareness or related features.
• Device and push notifications: push notification tokens and basic device/app identifiers needed to deliver notifications and maintain security.
• Subscription and billing (via stores or Paddle): transaction identifiers, plan status, and limited billing metadata—we do not store full payment card numbers on our servers when payments are handled by platforms.
• Analytics: product usage events processed in a form intended to support improvement (e.g. aggregated or pseudonymous analytics via Amplitude).
• Support and communications: content of emails or in-app messages you send us.

3. Purposes and legal bases (GDPR)

Where GDPR applies, we rely on one or more of the following legal bases:

• Contract: providing Serai, subscriptions, and features you request.
• Legitimate interests: securing the service, debugging, analytics that are not overridden by your rights, and communicating service updates, where permitted.
• Consent: optional features, marketing where required, or non-essential cookies/analytics where we ask for consent.
• Legal obligation: compliance with applicable law.

Some data you provide may be considered special category or sensitive in nature (e.g. health-related context). We process such data only to deliver the wellness features you use, with appropriate safeguards, and not for unrelated marketing.

4. How we share data (subprocessors)

We use trusted service providers who process data on our instructions. These include:

• OpenAI – processing chat content to generate AI responses.
• Supabase – authentication, database, and backend infrastructure.
• Firebase – push notifications and related Google infrastructure as configured.
• RevenueCat – subscription status and in-app purchase management.
• Paddle – web payments and related customer billing where applicable.
• Amplitude – product analytics (including aggregated or pseudonymous usage).

Providers may be located outside your country; where GDPR applies, we use appropriate safeguards (such as Standard Contractual Clauses) when required.

5. Retention and data storage periods

We keep personal data only as long as needed for the purposes described in this policy, including legal, accounting, and dispute resolution requirements. The following retention periods apply unless a longer period is required by law:

• Account data: retained while your account is active, plus 30 days after a deletion request is processed.
• Chat content: kept for a 12-month rolling window (older messages are deleted or anonymised as part of routine retention).
• Cycle and health-related data: deleted immediately when your account is deleted, subject to limited backup technical delays described below.
• Analytics: anonymised after 90 days where technically feasible.
• Backup systems: residual copies may persist for up to 60 days after deletion before being overwritten.

When you delete your account, we delete or anonymise associated personal data in line with the above, subject to limited exceptions (e.g. legal holds).

6. Cookie policy

We use essential cookies only as needed to operate the website and app-related services (for example, session or security). We do not use advertising or tracking cookies without your consent where consent is required by law.

7. California residents (CCPA)

California residents have additional rights under the California Consumer Privacy Act (“CCPA”), including the right to know, delete, and opt out of the sale of personal information. We do not sell personal data. To exercise your rights, contact privacy@getserai.com.

8. Health and cycle data

Health and cycle data you provide is processed solely to deliver the features you request (such as wellness tracking and personalised support within the app). This data is never sold, never used for advertising, and never shared with third parties except as required to operate the service (for example, secure hosting or AI processing as described in this policy).

9. AI and your conversations

Your conversations with the AI are processed by OpenAI to generate responses. We do not use your personal conversations to train AI models. OpenAI’s data processing and retention terms apply to their processing; see OpenAI’s policies for details.

10. Your rights

Depending on your location, you may have the right to:

• Access, correct, or update your personal data.
• Request erasure (“right to be forgotten”) where applicable.
• Restrict or object to certain processing.
• Data portability for data you provided, where technically feasible.
• Withdraw consent where processing is consent-based.
• Lodge a complaint with a supervisory authority (in the EEA, your local data protection authority).

Deleting your account in the app (where available) is intended to remove your profile and associated content from active systems; you may also email privacy@getserai.com for account and data-deletion requests.

11. Security

We implement technical and organisational measures appropriate to the risk, including encryption in transit and access controls. No method of transmission or storage is 100% secure; we work to protect your data responsibly.

12. Children

Serai is not directed at children below the minimum age required in your region. We do not knowingly collect personal data from children in violation of applicable law.

13. Changes

We may update this policy from time to time. We will post the revised version and update the “Last updated” date. Where required, we will provide additional notice.

14. Contact

Privacy questions and requests: privacy@getserai.com

Last updated: March 2026