This Privacy Notice describes how Janine Nicoll ("we", "us", "our"), an individual sole proprietor operating Haven (the "Service"), collects, uses, and protects your personal data. We act as the data controller for the personal data described below.
Haven is built around emotional wellbeing, and we treat your data with the same care.
1. Personal data we collect
Account data
- Email address and password (for authentication)
- Display name, avatar URL (optional, if you choose to add them)
- Account creation and last login timestamps
Content you create
- Mood journal entries (emoji, label, optional note)
- Saved moments (affirmations, reflections you bookmark)
- Conversations with the AI companion (your messages and the responses)
Usage data
- Daily counters for AI messages and affirmations (used to enforce free-tier limits)
- Subscription status and tier (free or Sanctuary)
- Basic technical metadata (browser type, IP address, timestamps) for security and abuse prevention
Payment data
When you subscribe to Sanctuary, payment is processed by Paddle, our Merchant of Record. We do not collect or store your card details. Paddle provides us with limited information (a customer ID, subscription status, billing period) so we can grant or revoke access. See Paddle's Privacy Policy for how they handle payment data.
2. How we use your data
- To provide the Service: store your journal, companion conversations, and saved moments; generate personalized affirmations; manage your subscription
- To enforce fair use: track daily usage against free-tier limits
- To keep the Service secure: detect and prevent fraud, abuse, and unauthorized access
- To support you: respond to questions and refund requests
- To improve the Service: aggregated, de-identified usage analysis (we do not read individual journal entries or companion conversations for product analytics)
- To meet legal obligations: tax, accounting, and compliance requirements
3. Legal bases for processing
For users in the EEA/UK, our legal bases are:
- Contract performance: to provide the Service you signed up for (account, journal, companion, subscription)
- Legitimate interests: security, fraud prevention, improving the Service
- Legal obligation: tax and accounting records
- Consent: for any optional marketing emails (you can withdraw consent at any time)
4. AI companion and affirmations
Your AI companion messages and mood inputs are sent to a third-party AI provider (currently Google Gemini, via the Lovable AI Gateway) to generate responses. These messages are used to generate the response you receive and are not used to train the underlying AI models.
5. Who we share data with
We share personal data only with the following categories of recipients:
- Hosting and infrastructure: Lovable Cloud (Supabase) for database, authentication, and serverless functions
- AI processing: Lovable AI Gateway / Google for companion and affirmation responses
- Merchant of Record: Paddle, for sale of subscriptions, payment processing, tax compliance, invoicing, and subscription management
- Email delivery: providers we use to send transactional emails (e.g., password reset, receipts)
- Professional advisers: legal and accounting advisers, where necessary
- Authorities: when required by law, court order, or to protect our rights
We do not sell your personal data to anyone.
6. International transfers
Some of our service providers (including Paddle and Google) operate outside your country of residence, including in the United States. Where applicable (e.g., for users in the UK/EEA), transfers rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions.
7. Data retention
- Account data, journal entries, saved moments, companion history: kept while your account is active. Deleted within 30 days of account closure, except where retention is required by law.
- Usage counters: kept for 90 days for abuse prevention.
- Payment and billing records: retained by Paddle per their policy and by us for 7 years for tax purposes.
- Support correspondence: kept for up to 3 years.
8. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data ("right to erasure")
- Restrict or object to certain processing
- Receive a copy of your data in a portable format
- Withdraw consent at any time (where consent is the basis)
- Lodge a complaint with your local data protection authority (UK: ICO; EEA: your national supervisory authority)
To exercise any of these rights, email us at NicollLMFT@gmail.com. We will respond within 30 days.
9. Security
We use appropriate technical and organizational measures to protect your data, including encryption in transit (HTTPS), encrypted database storage, role-based access controls, and row-level security rules. No system is perfectly secure — if we ever discover a breach affecting your data, we will notify you and the appropriate authorities as required by law.
10. Cookies and similar technologies
Haven uses essential cookies and local browser storage to keep you signed in and to remember preferences (e.g., theme, last selected breathing pattern). We do not use advertising cookies or third-party tracking pixels for marketing.
11. Children's privacy
Haven is intended for adults (18+). We do not knowingly collect personal data from children under 13 (or under 16 in the EEA/UK). If you believe a child has provided us with personal data, please contact us and we will delete it.
12. Changes to this Privacy Notice
We may update this Privacy Notice from time to time. Material changes will be communicated through the Service or by email. The "Last updated" date at the top reflects the most recent revision.
13. Contact
For privacy questions, requests, or complaints, contact: NicollLMFT@gmail.com.