Privacy Policy — AndThen, Inc.

Effective date: August 01, 2025

1) Scope

This Privacy Policy explains how AndThen, Inc. (“AndThen,” “we,” “our,” or “us”) collects, uses, discloses, and protects personal information when you use our AI-powered, mostly audio-based interactive experiences and related services (the “Service”).

2) California Notice at Collection

We collect the categories of personal information described below for the purposes described in Section 6. We retain personal information as described in Section 11. We do not “sell” personal information as defined by the California Consumer Privacy Act (CCPA/CPRA), nor “share” it for cross-context behavioral advertising. You can exercise your rights as described in Section 14.

3) Personal Information We Collect

  • Identity and Contact: name, display name, email address, phone (if provided), profile photo, account IDs, SSO identifiers.
  • Authentication and Account Data: login tokens, access/refresh tokens, role/entitlements, settings, preferences.
  • Audio and Voice Data: voice recordings, transcripts, timestamps, speaker labels (if used), background audio that may be captured during sessions.
  • Content and Interaction Data: prompts, messages, gameplay logs, choices, in-app events, ratings, feedback, support communications.
  • Telemetry and Device Data: IP address, device identifiers, OS/browser, app version, session IDs, crash logs, diagnostics, latency, usage statistics.
  • Inferences and Derived Data: embeddings, features, similarity scores, sentiment tags, safety/abuse signals, model outputs.
  • Payment Data: billing info and transaction metadata processed by our payment providers (we do not store full payment card numbers).
  • Marketing Data: communication preferences, campaign attribution, event participation.
  • Geolocation Data: coarse location inferred from IP; precise location only if you opt in.

4) Sources of Personal Information

  • Directly from you (e.g., submitted content, support).
  • Automatically through the Service (e.g., telemetry, cookies).
  • From third parties (e.g., SSO providers like Google, payment processors, analytics, AI vendors processing your content on our behalf).

5) Cookies and Similar Technologies

We use cookies, SDKs, pixels, and local storage for authentication, security, preferences, analytics, debugging, feature measurement, and limited marketing. You can control cookies via your browser or device settings; disabling them may impact functionality.

6) How We Use Personal Information

  • Provide, operate, secure, and troubleshoot the Service.
  • Record, transcribe, analyze, and review audio interactions.
  • Develop, evaluate, and improve models, features, and user experience.
  • Detect, investigate, and prevent security incidents, fraud, and abuse.
  • Personalize content and experiences.
  • Analytics, research, and aggregated reporting.
  • Communicate with you (e.g., updates, support, marketing where permitted).
  • Comply with legal obligations and enforce terms.

7) Legal Bases for Processing (EEA/UK/Swiss)

  • Performance of a contract (to provide the Service).
  • Legitimate interests (e.g., security, product improvement, analytics).
  • Consent (e.g., marketing emails, certain cookies, recording where required).
  • Compliance with legal obligations.

8) Disclosures of Personal Information

We disclose personal information to:

  • Service Providers/Processors: hosting/cloud, storage, analytics (e.g., product analytics, crash reporting), speech-to-text, text-to-speech, content moderation, and model inference providers.
  • Payment and Billing Partners: to process transactions.
  • Authentication/SSO Partners: e.g., Google, to authenticate and manage accounts.
  • Professional Advisors and Auditors.
  • Authorities and Legal: to comply with law, protect rights, or prevent harm.
  • Business Transfers: in connection with a merger, acquisition, financing, or sale of assets.

We require processors to protect personal information and process it only on our instructions.

9) Google SSO and Google API Data

  • When you choose “Sign in with Google,” we receive your Google account basic profile information (e.g., name, email, profile image) as permitted by you. We do not access other Google data unless you explicitly grant access.
  • If we access Google user data via Google APIs, we comply with the Google API Services User Data Policy (including the Limited Use requirements). We do not transfer Google user data to third parties except as necessary to provide or secure the Service, comply with law, or with your consent.

10) Audio, Voice, and Potential Biometric Information

  • We record and process audio to provide the Service (e.g., gameplay, gamified conversations, transcripts).
  • We do not create or store biometric identifiers (such as voiceprints) for the purpose of uniquely identifying you unless we clearly request consent and comply with applicable biometric laws (e.g., Illinois BIPA, Texas CUBI). If enabled, we will provide a separate notice and consent, and specify retention and deletion practices.
  • You are responsible for notifying and obtaining consent from all participants before recording.

11) Data Retention

  • During alpha/beta, we may retain data for extended periods to support debugging, evaluation, security, research, and improvement.
  • We retain personal information only as long as necessary for the purposes described, to comply with legal obligations, resolve disputes, and enforce agreements.
  • We may anonymize or aggregate data and may retain such data indefinitely.

12) Data Security

We use administrative, technical, and physical safeguards appropriate to the nature of the data. No method of transmission or storage is 100% secure.

13) International Data Transfers

We may transfer, store, and process information in the United States and other countries. Where required, we use approved safeguards such as Standard Contractual Clauses. By using the Service, you understand your data may be processed outside your country.

14) Your Privacy Rights

Depending on your location, you may have rights to:

  • Access, correct, or delete personal information.
  • Port your data.
  • Object to or restrict processing; withdraw consent where processing is based on consent.
  • Opt out of targeted advertising, sales, and certain profiling (where applicable).
  • Appeal a denial of your request (for certain U.S. states).

How to exercise: Email hello@andthen.chat. We may require verification. Authorized agents may submit requests where permitted by law.

15) Marketing Preferences

You can opt out of marketing emails by using unsubscribe links or contacting us. We may still send transactional or service messages.

16) Do Not Track

We do not respond to DNT signals. We will honor legally required opt-out mechanisms where applicable.

17) Children's Privacy

We do not knowingly collect personal information from children under 13. If you believe a child provided us data, contact us to request deletion.

18) Automated Decision‑Making

We use automated processing to generate content and improve experiences. We do not engage in solely automated decisions that produce legal or similarly significant effects without appropriate human review and required legal basis.

19) Changes to this Policy

We may update this Policy. The “Effective date” indicates the latest revision. We will notify you of material changes via the Service or email where appropriate.

20) Contact Us; DPO/Representative

Privacy Contact: hello@andthen.chat

Address: AndThen, Inc., 395 South End Ave., #35P, New York, NY, 10280 USA