Serenity AI Privacy Policy

Last Updated: March 7, 2026

This Privacy Policy explains how Serenity AI ("Serenity", "we", "our", "us") processes personal data when you use our mobile application and related services.

If you do not agree with this Policy, please do not use the app.

1. Scope

This Policy applies to Serenity AI mobile app features, including:

  • account and sign-in services,
  • CBT/check-in and progress features,
  • chat and optional voice input,
  • subscriptions and entitlement checks,
  • notifications, analytics, and crash diagnostics.

2. Data Controller

Serenity AI is the data controller for personal data processed through the app, except where third-party providers act as independent controllers for their own services.

3. Data We Process

We process the following categories of data, depending on how you use the app:

3.1 Account and identity data

  • Firebase Authentication identifiers (for example: UID).
  • Sign-in method data (Google, email/password, phone, anonymous).
  • Optional profile information such as display name, email, phone-linked identity, and profile photo URL.

3.2 App usage and wellness data

  • Onboarding selections and preferences.
  • Check-ins, quiz/session responses, progress summaries, streaks, and selected goals.
  • Program data (including optional program-specific tracking where used).
  • Notification preferences (timing, reminder settings, quiet hours, coaching tone).

3.3 Chat and AI data

  • Chat messages and related context used to generate responses.
  • Companion/persona and routing metadata required for chat continuity and safety behavior.
  • If you use voice input, speech-to-text transcript text is handled as chat input.

3.4 Subscription and purchase status data

  • Subscription tier, entitlement status, and related metadata from RevenueCat and/or your app store.
  • We do not collect or store full payment card details in the app.

3.5 Diagnostics and telemetry (optional)

  • Analytics events (for example: feature usage, routing/performance events).
  • Crash diagnostics and error traces.
  • Consent/audit events for privacy-setting changes and data actions.

Diagnostics and analytics collection is controlled by your privacy settings.

3.6 Device and technical data

  • Basic device/app technical signals needed for app operation and reliability.
  • Connectivity/sync status and background task status needed to maintain app behavior.

4. Permissions We Request

Depending on platform and feature usage, Serenity may request:

4.1 Microphone

  • Android: RECORD_AUDIO
  • iOS: NSMicrophoneUsageDescription

Purpose: optional voice input for chat.

4.2 Speech recognition (iOS)

  • iOS: NSSpeechRecognitionUsageDescription

Purpose: convert speech to text for chat input.

4.3 Notifications

  • Platform notification permissions (including push/local notification authorization).

Purpose: reminders, check-ins, and app notifications that you enable.

4.4 Camera (iOS declaration)

  • iOS: NSCameraUsageDescription

Purpose: profile-photo related functionality where available.

You can deny or revoke permissions in your device settings at any time.

5. How Voice Input Works

When you tap the microphone button in chat:

  • the app requests microphone access at runtime,
  • audio is used to transcribe your speech into text,
  • transcription may be performed by platform speech services or on-device Sherpa ONNX voice components depending on your settings/device availability,
  • the resulting text is inserted into chat input and then treated as normal chat content.

Serenity does not intentionally store raw microphone recordings as part of chat history. Chat text (including voice transcription text) may be stored as described in this Policy.

6. How AI Processing Works

Serenity supports both on-device and cloud AI paths.

6.1 On-device processing

If you use local/on-device models, prompts and responses are processed locally on your device.

6.2 Cloud processing

If cloud AI is selected or required by your configuration, relevant chat content (for example prompt text, message context/history, and language settings) may be sent to configured providers, such as:

  • Serenity API endpoints,
  • OpenAI,
  • Google Gemini,
  • Anthropic Claude,
  • OpenRouter,
  • Ollama endpoint configured by you.

Use of third-party AI providers is subject to their privacy terms and data handling practices.

7. Legal Bases for Processing

Where required by applicable law (for example GDPR/UK GDPR), we rely on:

  • Contract/performance: to provide core app functionality you request.
  • Consent: for optional analytics, crash reporting, certain data-sharing settings, and device permissions.
  • Legitimate interests: for security, abuse prevention, service integrity, and troubleshooting.
  • Legal obligations: where required by law.

8. Data Sharing and Processors

We share data only as needed to operate services, including with:

  • Firebase (Authentication, Firestore, Analytics, Crashlytics, Messaging),
  • RevenueCat (subscription/entitlement services),
  • AI providers selected/configured in app settings,
  • app store/payment platforms for billing and purchase processing,
  • service providers that support core infrastructure and app operations.

We do not sell personal data.

9. Storage, Sync, and Security

9.1 Local storage

The app uses local storage (including SharedPreferences and Hive). Chat secure boxes are encrypted with a key managed through platform secure storage where available.

9.2 Cloud storage

Certain account/profile/progress/sync data may be stored in cloud services (for example Firestore) based on app features and sync behavior.

9.3 Security controls

We use technical and organizational safeguards intended to protect personal data. No method of transmission or storage is completely secure, so absolute security cannot be guaranteed.

10. Data Retention

We keep data only as long as necessary for the purposes in this Policy, including:

  • while your account is active,
  • as needed to provide requested services,
  • as needed for legal, security, and operational requirements.

Retention periods may vary by data type and provider.

11. Your Choices and Rights

Depending on your location, you may have rights to:

  • access personal data,
  • request correction,
  • request deletion,
  • request export/portability,
  • object to or restrict certain processing,
  • withdraw consent (where processing is based on consent).

In-app controls include:

  • analytics toggle,
  • crash reporting toggle,
  • anonymous/research sharing toggle,
  • data export action,
  • data deletion action,
  • permission controls via device settings.

12. International Transfers

Your data may be processed in countries other than your own, including countries where our service providers operate. We implement reasonable safeguards intended to support lawful transfers where required.

13. Children and Age-Restricted Content

Serenity includes adult-oriented wellness content and includes age-confirmation handling for adult-content surfaces. If you are under the age required by your local law for such content, do not use those features.

If we learn that personal data was collected from a child in violation of applicable law, we will take steps to delete it.

14. External Links and Third-Party Services

The app may link to third-party services, policies, or websites. We are not responsible for third-party privacy practices. Review their privacy notices before using those services.

15. Changes to This Privacy Policy

We may update this Policy from time to time. We will update the "Last updated" date when changes are made. Your continued use of the app after updates means you accept the revised Policy.

16. Contact

For privacy questions, rights requests, or complaints, contact us via the official support channels published in-app or on our official website.

17. Language Notice

Serenity supports many languages. This Privacy Policy may be translated for convenience. In case of conflict between translations, the English version controls unless local law requires otherwise.