Privacy Policy
Effective: May 9, 2026 · Version 1.1
Your conversation with Everlight Love is deeply personal. We treat it with care. This Policy explains exactly what data we collect, how we use it, who we share it with, and the rights you have over it.
1. Who We Are
Everlight Love, Monika Laskus (“we,” “us,” or “our”), located at 85/70 ต.เกาะพะงัน Ko Pha-ngan District, Surat Thani 84280, Thailand, operates Everlight Love at everlightlove.com. For privacy questions, contact info@everlightlove.com.
This Policy applies to personal information we collect when you use the Service. It supplements, but does not replace, sector-specific notices in the Service (e.g. consent prompts during onboarding).
2. Information We Collect
We collect only what we need to operate the Service. Categories below align with the California Consumer Privacy Act (Cal. Civ. Code § 1798.140).
- Identifiers — email address, first name, account ID, IP address (collected by Clerk, Inc. for authentication and by our hosting provider for security).
- Customer records — payment confirmations, billing history (Stripe, Inc. processes card details; we receive only transaction IDs, last-4 digits, and amounts).
- Commercial information — products purchased, subscription status, usage credits remaining.
- Internet or other electronic activity — pages visited within the Service, feature interactions, error logs (for security and debugging).
- Sensory data — voice recordings, if you use the voice-input feature (transcribed by OpenAI Whisper, then deleted by the speech-to-text vendor; transcripts are retained as session content).
- Inferences — emotional themes detected by AI from your conversation, partner names you share, your self-rating across the 7 pillars, AI-generated Letters and weekly practices.
- Sensitive personal information (CCPA category) — the contents of your conversations may include information about mental and emotional well-being. We treat all conversation content as sensitive personal information and apply heightened protection.
3. How We Use Information
- Provide the Service — run conversations, generate the Letter from the Garden, deliver weekly practices.
- Process payments and prevent fraud — through Stripe.
- Communicate with you — transactional emails (account verification, receipts, password resets, weekly practice reminders).
- Improve the Service — using only aggregated, de-identified data; we do not train AI models on your conversation content.
- Comply with law — respond to lawful requests, enforce our Terms, prevent abuse.
4. Lawful Basis (For Users in the EEA, UK, and Switzerland)
- Performance of contract — to provide the Service you requested (GDPR Article 6(1)(b)).
- Consent — for any optional marketing emails or non-essential cookies; you may withdraw consent at any time (Article 6(1)(a)).
- Legitimate interests — for security, fraud prevention, and aggregated product analytics (Article 6(1)(f)).
- Legal obligation — for tax records and lawful information requests (Article 6(1)(c)).
- Where we process special categories of personal data (e.g. data revealing health), we rely on your explicit consent (Article 9(2)(a)) given when you sign up.
5. Who We Share Information With
We share personal information only with vendors that act as service providers / processors on our instructions. We do not sell personal information for monetary consideration. We do not “share” personal information for cross-context behavioural advertising as defined by California law.
- Clerk, Inc. (USA) — authentication, session management
- Stripe, Inc. (Delaware, USA) — payment processing
- Anthropic, PBC (USA) — AI conversation responses + Letter generation (Claude models). Contractually prohibited from training on customer data.
- OpenAI, L.L.C. (USA) — AI conversation responses + Whisper voice transcription + TTS. Zero-data-retention API tier where available.
- Google LLC (USA) — Gemini fallback model. Contractually prohibited from training on API data.
- ElevenLabs, Inc. (USA) — voice synthesis for the guide voice.
- Resend, Inc. (USA) — transactional email delivery.
- Vercel Inc. (USA) — application hosting and edge network.
- Cloudflare, Inc. (USA) — DDoS protection, CDN, DNS.
- Neon Inc. (EU region) — managed Postgres database.
The contents of your conversations are sent to AI vendors only to generate a response or Letter. Vendors are bound by our agreements not to use your content to train their public models.
6. International Data Transfers
Most of our vendors are based in the United States. When we transfer personal information from the EEA, UK, or Switzerland to the U.S., we rely on the European Commission’s Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, in each case incorporated into our agreements with those vendors. You may request a copy of the relevant transfer mechanism by emailing info@everlightlove.com.
7. Data Retention
- Account information — until you delete your account, then removed from operational systems within 30 days (encrypted backups may retain it longer; they are deleted on a rolling cycle).
- Conversation transcripts and Letters — for the life of your account, unless you delete a session manually. Deleted sessions are removed within 30 days from operational systems.
- Voice audio — deleted by the speech-to-text vendor immediately after transcription; transcripts follow conversation retention.
- Payment records — 7 years (US IRS recordkeeping requirement; California Revenue and Taxation Code).
- Server and security logs — up to 90 days.
- Aggregated, de-identified analytics — kept indefinitely; cannot reasonably be re-associated with you.
8. Your Privacy Rights
Depending on where you live, you have the rights described below. To exercise any right, email info@everlightlove.com from the address associated with your account, or use Account → Privacy in the app. We respond within 45 days (CCPA) or one month (GDPR), with one extension where allowed.
8a. California Residents (CCPA / CPRA)
- Right to Know — what personal information we have collected, used, disclosed, and sold/shared in the last 12 months.
- Right to Delete — request deletion of your personal information, subject to legal exceptions.
- Right to Correct — fix inaccurate personal information.
- Right to Opt Out of Sale or Sharing — we do not sell or share for cross-context behavioural advertising, so this right is satisfied by default. We do not use targeted advertising cookies.
- Right to Limit Use of Sensitive Personal Information — we already limit use of sensitive PI to providing the Service; you can confirm by emailing us.
- Right to Non-Discrimination — we will not deny service, charge different prices, or provide different quality if you exercise your rights.
- Authorized Agents — you may designate an agent to make a request on your behalf. We will verify the agent’s authority before acting.
- Disclosures for the prior 12 months: we collected the categories listed in Section 2 above; we disclosed identifiers, customer records, commercial information, and sensitive PI to the service providers listed in Section 5; we did not sell or share personal information.
8b. EEA, UK, and Swiss Residents (GDPR / UK GDPR)
- Right of access — receive a copy of your personal information.
- Right to rectification — correct inaccurate or incomplete data.
- Right to erasure — request deletion (“right to be forgotten”).
- Right to restrict processing — pause our use of your data while a dispute is resolved.
- Right to data portability — receive your conversations and Letters in a machine-readable format (JSON export).
- Right to object — object to processing based on legitimate interests.
- Right not to be subject to automated decision-making with legal effects — the Service does not make legally significant automated decisions about you. AI outputs are advisory.
- Right to withdraw consent — withdraw at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint with a supervisory authority — your local data-protection authority (e.g. CNIL in France, ICO in the UK, UODO in Poland at uodo.gov.pl).
9. Children’s Privacy (COPPA)
The Service is not directed to and is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected such information, we will delete it promptly. Parents or guardians who believe their child has provided personal information should email info@everlightlove.com.
If you are between 13 and 17, you may use the Service only with verifiable consent from a parent or legal guardian.
10. Security
- TLS 1.3 encryption in transit on every request.
- Database encrypted at rest with AES-256.
- Passwords are never stored in plain text — Clerk uses bcrypt hashing.
- Production access is restricted to a small number of administrators with multi-factor authentication and audit logging.
- Regular automated backups; backup encryption keys rotated periodically.
- Vendor security reviews before integration; production webhooks signed and verified.
- No security system is perfect. If you suspect unauthorized access, email info@everlightlove.com immediately.
11. Data Breach Notification
If we become aware of a personal data breach that is likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours where required by GDPR, and notify affected users without undue delay where required by applicable U.S. state law (e.g. California Civil Code § 1798.82).
12. Cookies and Tracking
We use only the cookies essential for the Service to function — chiefly Clerk’s authentication session cookie and a cookie to remember your language preference. We do not use advertising cookies or third-party analytics that build a profile of you. The cookie banner shown on first visit confirms this minimal-essential-only approach.
13. Do Not Track
Some browsers send a “Do Not Track” signal. Because the Service does not engage in cross-site tracking and does not respond differently to DNT, we treat all users the same regardless of DNT setting.
14. Changes to This Policy
We will notify you by email and an in-app banner at least 14 days before any material change to this Policy takes effect. Non-material changes (e.g. clarifications, typo fixes) take effect on posting. The “Effective” date at the top reflects the most recent change.
15. Contact and Complaints
Privacy questions, rights requests, or complaints — email info@everlightlove.com.
California residents may also contact the California Attorney General’s office (oag.ca.gov/privacy). EEA and UK residents may complain to their national data-protection authority.
Data Protection Officer: Monika Laskus, email: info@everlightlove.com. Given that the Service may involve processing of special categories of personal data (Art. 9(1) GDPR — information concerning users' emotional and psychological state disclosed during sessions), the Data Controller voluntarily designates herself as Data Protection Officer to provide a single point of contact for all data-protection matters. All inquiries, rights requests, and incident reports may be directed to the email above; this contact applies to all jurisdictions.
Last reviewed: 2026-05-09. This Policy was drafted from publicly available CCPA/CPRA, COPPA, GDPR, UK GDPR, and FTC Section 5 requirements. It is not legal advice. Consult a qualified attorney before relying on it for jurisdiction-specific compliance, especially for state-specific obligations such as Virginia VCDPA, Colorado CPA, Connecticut CTDPA, or new state laws.