Privacy Policy

1. Introduction

SunSeed ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered parenting coaching platform at sunseed.app (the "Service").

We comply with applicable data protection laws including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and Brazil's Lei Geral de Proteção de Dados (LGPD).

2. Data Controller

SunSeed is the data controller responsible for your personal data. For any privacy-related inquiries, contact us at:

3. Information We Collect

3.1 Information You Provide

• Account Information: Name, email address, and password when you create an account
• Payment Information: Payment card details (processed securely by Stripe; we do not store full card numbers)
• Conversation Data: Messages and questions you send to our AI coach
• Uploaded Images: Any images you voluntarily upload for analysis
• Communications: Emails or messages you send to our support team

3.2 Information Collected Automatically

• Device Information: Browser type, operating system, device identifiers
• Usage Data: Pages visited, features used, time spent on the Service
• IP Address: For security, fraud prevention, and analytics
• Cookies: Session cookies for authentication and preferences

3.3 Information from Third Parties

• Payment Processor: Transaction confirmation from Stripe
• Analytics: Aggregated usage data from Google Analytics

4. How We Use Your Information

We use your information for the following purposes:

• Provide the Service: Deliver AI coaching responses and maintain your conversation history
• Process Payments: Handle subscriptions, billing, and refunds
• Improve the Service: Analyze usage patterns to enhance features and user experience
• Communicate with You: Send transactional emails, updates, and support responses
• Ensure Security: Detect and prevent fraud, abuse, and unauthorized access
• Legal Compliance: Meet our legal and regulatory obligations

5. Legal Basis for Processing (GDPR)

For users in the European Economic Area, we process your data based on:

• Contract Performance: Processing necessary to provide the Service you requested
• Legitimate Interests: Improving our Service, preventing fraud, and ensuring security
• Consent: Where you have given explicit consent (e.g., marketing communications)
• Legal Obligation: Processing required by law

6. Data Sharing and Disclosure

We may share your information with:

• Service Providers: Third parties that help us operate the Service (hosting, payment processing, analytics)
• AI Processing: Conversation data is processed by AI systems to generate responses
• Legal Requirements: When required by law, court order, or government request
• Business Transfers: In connection with a merger, acquisition, or sale of assets
• With Your Consent: For any other purpose with your explicit consent

7. Data Retention

We retain your personal data for as long as necessary to provide the Service and fulfill the purposes outlined in this policy:

• Account Data: Retained while your account is active, plus 30 days after deletion request
• Conversation History: Retained while your account is active; you can delete individual conversations
• Payment Records: Retained for 7 years for tax and legal compliance
• Usage Analytics: Aggregated data retained indefinitely; identifiable data for 26 months

8. Your Privacy Rights

8.1 All Users

• Access: Request a copy of your personal data
• Correction: Update or correct inaccurate data
• Deletion: Request deletion of your data (with some exceptions)
• Account Closure: Close your account at any time

8.2 EU/EEA Users (GDPR)

• Data Portability: Receive your data in a structured, machine-readable format
• Restriction: Request restriction of processing in certain circumstances
• Objection: Object to processing based on legitimate interests
• Withdraw Consent: Withdraw consent at any time for consent-based processing
• Lodge Complaint: File a complaint with your local data protection authority

8.3 Brazilian Users (LGPD)

• Confirmation: Confirm whether we process your data
• Access: Access your personal data
• Correction: Correct incomplete or inaccurate data
• Anonymization: Request anonymization or blocking of unnecessary data
• Portability: Transfer data to another service provider
• Deletion: Delete data processed with your consent
• Information: Know which entities your data was shared with
• Revocation: Revoke consent at any time

8.4 California Users (CCPA)

• Know: Know what personal information is collected and how it's used
• Delete: Request deletion of personal information
• Opt-Out: Opt-out of the sale of personal information (note: we do not sell data)
• Non-Discrimination: Not be discriminated against for exercising your rights

9. International Data Transfers

Your data may be transferred to and processed in countries other than your own, including the United States. We ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements with all service providers
• Adequacy decisions where applicable

10. Data Security

We implement appropriate technical and organizational measures to protect your data:

• Encryption of data in transit (TLS/SSL) and at rest
• Secure password hashing using bcrypt
• Regular security assessments and updates
• Access controls and authentication measures
• Rate limiting to prevent abuse

While we strive to protect your data, no method of transmission over the Internet is 100% secure. We encourage you to use strong passwords and protect your account credentials.

11. Cookies and Tracking

We use the following types of cookies:

• Essential Cookies: Required for authentication and basic functionality
• Analytics Cookies: Google Analytics to understand how users interact with our Service
• Preference Cookies: Remember your language and display preferences

You can control cookies through your browser settings. Disabling essential cookies may affect Service functionality.

12. Children's Privacy

Our Service is intended for adults (18+) who are parents or caregivers. We do not knowingly collect personal information from children under 13 (or under 16 in the EU).

While parents may discuss their children during coaching sessions, we do not directly collect identifiable information from minors. If you believe we have inadvertently collected such information, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or by posting a notice on our Service. Your continued use after such notice constitutes acceptance of the updated policy.

14. Contact Us

For privacy-related questions, concerns, or to exercise your rights:

For EU users, you may also contact your local data protection authority if you have concerns about our data practices.