Last updated: March 2025
Privacy Policy
Open Heart Sessions is built on the principle that you should be able to seek emotional support without sacrificing your privacy. This policy explains what we collect, why we collect it, and how we protect it.
What we collect
- Display name — a name you choose. It does not have to be real.
- Mood and topic selection — used only to find a compatible match. Not stored long-term.
- Messages — retained for moderation and safety review. Conversations are deleted 30 days after they end.
- Device and session data — IP address, browser type, and timestamps for fraud prevention and abuse detection.
- Payment information — processed entirely by our PCI-DSS certified payment provider. We never see or store your card details.
What we do not collect
- Your real name, unless you choose to share it in conversation
- Your email address, unless you choose to provide one (it is only needed to recover your account)
- Location data beyond the country-level location inferred from your IP address
- Social profile links or external account data
How we use your data
We use data only to:
- Match you with an appropriate conversation partner
- Moderate messages for harmful content via Vibe Guard (AI-assisted, not human-read by default)
- Prevent fraud, abuse, and platform manipulation
- Process credit purchases and refunds
- Send you optional notifications (e.g. low credits) if you have opted in
We do not sell your data. We do not use your data for advertising.
Data retention
- Conversation messages: deleted 30 days after the conversation ends
- Account data: retained while your account is active
- Payment records: retained for 7 years for legal/tax compliance
- Moderation logs: retained for 90 days
Your rights
You have the right to request a copy of your data, correct inaccurate data, or request deletion of your account and associated data. To exercise any of these rights, contact us at privacy@openheartsessions.com.
Deletion requests are processed within 30 days. Some data may be retained for legal compliance obligations even after account deletion.
Third-party services
- Supabase — database and authentication infrastructure (EU/US data centres)
- Payment processor — payment processing (PCI-DSS compliant)
- OpenAI — message moderation via Vibe Guard (data is not used to train OpenAI models)
Changes to this policy
We will notify you of any material changes via an in-app notification before the change takes effect. Continued use of the platform after the change takes effect constitutes acceptance of the updated policy.
