Data Retention Policy
Effective Date: 3rd February 2025
Last Updated: October 5th 2025
At Breezi, we are committed to protecting your privacy and ensuring your data is stored securely. This Data Retention Policy explains what data we collect, how long we store it, where it is stored, and what happens to data that is no longer needed.
Note: Breezi is a preventative mental wellness tool and not a clinical therapy service. We do not store diagnostic or clinical records. All processing is aligned with UK GDPR/EU GDPR. Breezi is not subject to HIPAA; however, we apply comparable safeguards (encryption, access control, audit logging).
1. What Data We Collect
- Account Information: Name, email address, and encrypted password.
- Session Data: User-entered reflections/notes, therapy chat logs, and AI-generated summaries. These are pseudonymised and linked to internal user IDs, not to directly identifying information connected to the account, unless the user writes identifiable personal information directly into the chat.
- Device & Technical Data: IP address (temporarily for fraud/abuse prevention), device type, operating system, app usage patterns, crash/error logs.
- Payment Metadata: Minimal non-financial transaction information (e.g., transaction date, amount, and status) received from secure payment processors such as Stripe, Apple, and Google. Breezi does not store or process any payment card data.
- Support Data: Messages and emails sent to Breezi’s support team.
2. How Long We Store Data
2.1 Account Information
- Active Accounts: Retained while your account remains active.
- Deleted Accounts: Account data is queued for deletion and removed within 90 days of a verified deletion request.
2.2 Chat Logs, Reflections & Session Summaries
Retained while the account is active to provide continuity and personalised support. Securely deleted within 90 days of account deletion.
2.3 Technical & Analytics Data
- Crash/Error Logs: Up to 180 days to diagnose issues and improve stability.
- Usage/Analytics (pseudonymised or anonymised): Up to 24 months for trend analysis and product improvement.
- System Access Logs (audit trails): Up to 24 months to ensure security, quality assurance, and regulatory inquiries.
2.4 Payment Metadata
Processed and stored by Stripe, Apple, or Google according to their own privacy and retention policies. Breezi retains limited non-financial metadata (e.g., transaction success/failure status, amount, timestamp) for up to 7 years to comply with tax and accounting obligations.
2.5 Support Communications
Retained for up to 24 months for quality assurance and dispute resolution.
3. Where Data is Stored
Data is hosted on secure cloud servers within the United Kingdom and European Economic Area (EEA). If limited processing occurs outside these regions (e.g., diagnostics or email delivery), Breezi uses GDPR-approved safeguards such as Standard Contractual Clauses (SCCs).
4. Backups & Disaster Recovery
- Encrypted Backups: Backups are encrypted at rest and in transit.
- Backup Retention Window: Backups are cycled and retained for up to 90 days.
- Restoration Tests: Backups are periodically tested for restorability.
- Deletion Propagation: When primary data is deleted, associated data is removed from backups during the next scheduled rotation (within 90 days).
5. What Happens to Data That is No Longer Needed?
- Permanently delete personal data from active systems within the timelines above.
- Anonymise data that can no longer identify users, which may be retained for research or app improvement.
- Ensure backup copies are removed on the next backup cycle (see Section 4).
6. Security of Retained Data
- Encryption: All data is encrypted in transit (HTTPS/HSTS) and at rest (database and backups).
- Pseudonymisation: Chat/session data is stored under internal user IDs and never linked to identifiable personal information connected to the account, unless the user has written such information in the chat.
- Access Control: Access is limited to authorised personnel using role-based permissions.
- Immutable Audit Logs: Access and changes are recorded in append-only audit logs retained for security oversight.
- Secure Export: Research or analytics exports are anonymised and auto-deleted within 30 days.
7. Limited Internal Access for Quality & Safety
To improve Breezi’s quality and ethical AI standards, a small number of authorised team members may access chat logs:
- Lead Developer & Project Manager – for system maintenance and technical troubleshooting.
- Qualified Mental Health Professionals – to audit Breezi’s conversational quality and guide improvements to its therapeutic functionality.
All access is strictly controlled, logged, and pseudonymised. Data is never associated with identifiable personal information connected to the account unless the user voluntarily writes such information in the chat.
8. Automated Processing
Breezi uses AI to create personalised summaries and suggestions based on user input. These outputs are for wellbeing support and self-reflection only, not clinical advice. Breezi does not make legally binding decisions based on automated processing.
9. Your Rights (UK & EEA)
Under UK GDPR/EU GDPR, you have the right to:
- Access: Request a copy of your personal data.
- Deletion: Request permanent removal of your personal data.
- Portability: Request a machine-readable copy of your data.
- Restriction/Objection: Ask us to limit or stop certain processing.
- Correction: Request correction of inaccurate or incomplete data.
To exercise your rights, contact support@talktobreezi.com. We aim to respond within 30 days.
10. Updates to This Policy
We may revise this Data Retention Policy periodically. The latest version will always be available on our website with the updated “Last Updated” date.
11. Contact
Email: support@talktobreezi.com
Website: talktobreezi.com
.png)