Public commitment
Trust
How VÆN handles your data. What we hold, where it lives, who can see it, when it leaves, how to delete it, and the legal grounds for the processing. The Privacy Policy at /privacy carries the binding legal text. This page exists to make the same information readable, in one place, before anyone signs up.
1. What this page is
This page states, in plain terms, what VÆN holds, where it lives, who can see it, when it leaves, how to delete it, and the legal grounds for the processing. This is a public commitment. The Privacy Policy lives at vaen.cc/privacy and carries the binding legal text. This page exists to make the same information readable, in one place, before anyone signs up.
2. What VÆN holds
VÆN OS ships with six extensions. Four launch at category-defining depth (Witness, Compass, Enforcer, Forge). Two ship as integration stubs (Fuel as Observe-Only, Playmaker as aggregator). The table lists, per extension, what is collected, how it is created, and how often it changes.
| Extension | Data category | Format | Created by | Update frequency |
|---|---|---|---|---|
| Witness | Journal entry, voice memo, photo entry, Mood Meter rating | Text, audio (m4a), image (jpeg), enum (one of 144 words) | User input | Per-session, user-paced |
| Compass | Values card sort result, Life Wheel score, Sunday Conversation transcript | Structured record, integer, text | User input + ÆON transcript (in-app) | Weekly (Sunday) + quarterly card sort |
| Enforcer | Commitment, completion log, anti-streak metadata | Structured record | User input | Daily (per commitment check-in) |
| Forge | Saved recipe, receipt scan, grocery list | Text, image (jpeg pre-OCR, deleted within 30 days), structured list | User input + Anthropic Claude vision (via AWS Bedrock eu-central-1, see §9 and §10); dedicated OCR vendor pending per TODO-JINS F5-J13 | Per shop |
| Fuel (Observe-Only at launch) | Food log entry from Open Food Facts wrapper, Apple Health import | Structured record | User input + HealthKit | Per meal, user-paced |
| Playmaker (aggregator at launch) | Workout log from HealthKit, Whoop, Oura, Strava, Garmin | Structured record | OAuth import | Per session, source-paced |
| Cross-pillar | Inference output (Mirror text, Sunday prompt), audit metadata | Text, timestamp, reference IDs | System, on user request | On-demand or weekly |
| Account | Email (hashed for auth), locale, time zone, subscription tier | String, enum | User signup | At signup, on tier change |
| Device | Anonymised device ID, OS version, app version, crash log | String, integer, structured | Mobile runtime | Per session |
No data is collected by background surveillance. The user enters, imports, or speaks every entry above. Fuel and Playmaker at launch are limited to what the user already records elsewhere (Open Food Facts barcode lookups, Apple Health, third-party fitness platforms). Both extensions deepen post-launch per the roadmap in docs/plans/DECISION-LOG.md §2.
3. Where it lives
| Layer | Provider | Region |
|---|---|---|
| Database | Supabase | eu-central-1 (Frankfurt, Germany) |
| Object storage (audio, image) | Supabase Storage | eu-central-1 (Frankfurt, Germany) |
| Auth | Supabase Auth | eu-central-1 (Frankfurt, Germany) |
| AI inference (see §9) | Anthropic Claude via AWS Bedrock | eu-central-1 (Frankfurt) primary, Vertex AI europe-west-4 (Eemshaven, Netherlands) as fallback, see footnote 2 |
| Transactional email | Resend | EU region |
| Payments | Stripe | EU and US billing rails. Stripe processes EU customer data under Standard Contractual Clauses. |
| Receipt OCR | Anthropic Claude vision via AWS Bedrock (current default); Klippa or Veryfi planned per §10, see footnote 3 | AWS eu-central-1 (Frankfurt) for the current Anthropic-vision path; EU residency contractual for the planned dedicated vendor |
| Crash analytics | Sentry-equivalent | EU region |
| Product analytics | PostHog | EU cloud (eu.posthog.com), backed by AWS Frankfurt |
| Mobile OTA updates | Capgo | EU region |
| CDN | Cloudflare or Vercel Edge | Multi-region for static assets only. No user data passes through the CDN. |
Footnote 1. Supabase region confirmed eu-central-1 (Frankfurt) on 2026-05-13 by direct dashboard read. Documented in vaen-os/docs/SCHEMA.md schema-conventions front-matter. TODO-JINS A2 closed.
Footnote 2. AI inference runs on AWS Bedrock eu-central-1 (Frankfurt, Germany) per Decision 7 of docs/plans/DECISION-LOG.md (locked 2026-05-14). Vertex AI europe-west-4 (Eemshaven, Netherlands) is documented as a contractual fallback only; not an active deployment path. The code path is wrapped in a provider-abstraction layer so a future switch (Anthropic EU-Direct, Mistral La Platforme, Vertex) is implementable without rewriting the inference layer, per Decision 7 re-evaluate triggers.
Footnote 3. Forge receipt OCR currently runs through the same Anthropic Claude vision pipeline described in §9, hosted on AWS Bedrock eu-central-1 (Frankfurt). A dedicated OCR vendor (Klippa, Netherlands HQ with native EU residency, or Veryfi, US HQ under SCCs with EU residency contractual) is planned to replace this path post-launch. Vendor selection, DPA signing, API keys, and the cut-over smoke test are tracked in TODO-JINS item F5-J13.
Footnote 5. Upstash (§10) hosts rate-limit counters and idempotency keys. Database confirmed 2026-05-14 to run on Google Cloud Platform europe-west1 (Brussels, Belgium) via IP-geolocation of the REST endpoint (35.205.x.x, GCP AS396982, reverse DNS bc.googleusercontent.com, ipinfo city = Brussels, country = BE). EEA-clean. TODO-JINS F5-J7 closed.
Footnote 6. OneSignal (§10) is the push-notification delivery layer. At time of publication (2026-05-14), the OneSignal application is not yet provisioned: the operating-BV is in formation (see §8) and account creation is paused until the BV is incorporated. When provisioned, the OneSignal app will be created on the EU instance to enable data-residency-EU at the storage-and-processing layer. The code is region-agnostic: a single environment variable (ONESIGNAL_API_BASE_URL) switches all REST API calls between US and EU instances, so the runtime choice can land at provisioning time without any code change. The helper getOneSignalApiBaseUrl() in vaen-os/lib/notifications/onesignal.ts is the single read-point; tests confirm the EU host is honoured when the env var is set. Until provisioning closes, push notifications are not active in the product: code paths exist but the env vars are placeholder-only and no push payload is sent. OneSignal, Inc. is US-headquartered, so transfers to the US parent for support, billing, and platform operations will be governed by Standard Contractual Clauses (Module 1, controller-to-processor) once the integration is active, regardless of where notification data is stored. Push payloads are designed to carry title and body text plus a deep-link URL only, never user-content data.
Production user-content data, journal entries, mood logs, habit ledgers, recovery records, AI inference inputs, and AI inference outputs, never leaves the European Economic Area during the request lifecycle. Two narrow exceptions apply for non-content metadata: subscription billing rails (Stripe, EU plus US under SCCs, see §10 and §10b) and push-notification metadata (OneSignal, EU data residency tentative with US-headquartered controller under SCCs Module 1, see §10 and footnote 6). Both exceptions are scoped to the minimum data needed for billing and delivery, and both are disclosed in §10. Operational metadata at other sub-processors (billing records, support tickets, AWS or Google Cloud control-plane logs) may transit between EU and US regions of the same provider under SCCs, governed by each sub-processor's published Data Processing Agreement.
4. Who can see it
By default, the only person who can see a user's data is the user.
| Reader | When | What they see | What enables it |
|---|---|---|---|
| The user | Always | Everything they entered | Their own account |
| ÆON (in-app character that writes the Mirror, the Sunday prompt, and the Weekly Witness Report) | When the user opens a feature that calls cross-pillar inference | Only the pillars the user has explicitly enabled for that inference type | Per-pair, per-inference consent grant in consent_grants (default OFF) |
| Engineering staff | Never on production data without a signed support ticket and the user's explicit consent | Only the rows the ticket scope covers | Privacy-lead-approved ticket (DPO upon engagement, target 2026-06-17) plus user consent on file |
| Sub-processors | When their service is invoked (Stripe at payment, Supabase at storage, Anthropic at inference, etc.) | Only the data needed to perform that one task | Article 28 DPA per sub-processor |
| Regulator (Belgian APD or equivalent) | On lawful demand only | What is in scope of the demand | Article 58 GDPR powers, DPO coordinates the response |
| The founder | Never on individual user data outside the same support-ticket process | Aggregate, anonymised analytics only | Same policy as engineering staff |
Cross-pillar reads (the system reading across two or more pillars) require an explicit consent grant per pair (source extension, target extension, inference type). The default state is OFF. The consent matrix lives in Settings under "Your Data, Consent Matrix", and the schema for it is the source of truth (no client-side flag, no default-true list). See F4.3-consent-grants-schema.sql for the data model and F4.3-audit-replay-design.md for the audit trail.
Audit-replay tooling. Every cross-pillar read writes a row to the audit log with: the source events read, the consent grants that enabled the read, the timestamp, and the inference type. At any future moment, the consent state at any past timestamp can be reconstructed by a single database query. If a regulator or the user asks "was this Mirror generation legal?", the answer is a three-table join, not an interpretation. See §11 for how to file the request.
Zero-employee access by default. No member of the team has standing access to production data. Every access happens through a ticket, requires a documented user request or a documented legal obligation, and is logged. The audit log is itself append-only.
5. When it leaves
| Data type | Retention | Deletion trigger |
|---|---|---|
| Account record | Until user deletes account, then 30-day soft-delete window for accidental-deletion recovery | User action |
| Witness entries (journal, voice, photo, Mood Meter) | Until user deletes the entry or deletes the account | User action |
| Compass data (card sort, Life Wheel, Sunday transcripts) | Same | User action |
| Enforcer data (commitments, completion log) | Same | User action |
| Forge receipts (image before OCR) | 30 days from upload, unless user pins | Automatic, plus user pin |
| Forge parsed line-items | Same as account record | User action |
| Fuel and Playmaker imports | Same as account record, unless source platform disconnected first | User action or disconnect |
| Cross-pillar inference outputs (Mirror text, Sunday prompt, Weekly Witness) | Cached 7 days then deleted. Re-generated on demand if user requests. Stoic Mirror artifacts the user has saved are kept until the user deletes them. | Automatic plus user action |
cross_pillar_events (the internal log of which events were read for which inference) | 13 months default, subject to footnote 4 | Automatic |
| Consent grants (current state) | While the grant is active, plus the legal retention period after revoke | User revoke plus retention timer |
| Consent grant history (append-only audit) | Pseudonymise at account deletion. Hard-delete 13 months after account deletion. Subject to footnote 4. | Automatic |
| Sub-processor logs | Per sub-processor DPA (AWS 90 days, Stripe 7 years for tax records, etc.) | Per vendor |
| Backups | 30 days rolling | Automatic |
| Audit logs (security, RLS, consent) | 12 months minimum, longer if required by law | Automatic |
Footnote 4. The 13-month default for cross_pillar_events and for consent-history retention after account deletion is the working figure. The DPO will confirm or revise during F1.5 DPIA co-sign. See TODO-JINS item H1 and H3.
Per-user delete. When a user deletes their account in-app, the database row is soft-deleted for 30 days (accidental-recovery window). After 30 days, a hard-delete cascade runs across all tables holding that user's data. Sub-processors are issued purge requests within 30 days of the hard-delete, per Article 17 GDPR. The full erasure round-trip target is 30 days from the user's initial delete action, with the SLA hard-bound to 30 days as required by Article 12(3) GDPR.
Pseudonymisation. After deletion, audit log rows that must be retained for legal reasons (consent history within the retention window, security incidents within their statutory period) have the user identifier replaced with a stable pseudonymous hash. The original identifier is destroyed at hash time.
6. How to delete
In-app: Settings , Your Data , Delete Account.
The page walks through three steps:
- Export first. A button generates a CSV plus JSON export of every record the system holds for the account, including entries, transcripts, consent history, and inference outputs the user has saved. The export is delivered as a single ZIP archive by email within 14 days of request, hard-bound to 30 days by Article 20 GDPR.
- Confirm scope. The page lists what will be hard-deleted, what will be soft-deleted for 30 days, and what must be retained under legal retention (e.g., Stripe invoice records for 7 years per Belgian tax law).
- Confirm intent. The user types the word
DELETEin the confirmation field. There is no "are you sure" pop-up. The action is decisive once confirmed.
Outside the app: email dpo@vaen.cc from the email address registered to the account. The Privacy intake (DPO upon engagement, target 2026-06-17 per TODO-JINS D1) responds within 24 hours business day and completes the action within the same 30-day SLA.
7. Legal grounds
| Processing | Article 6 basis | Article 9 basis |
|---|---|---|
| Account, billing, core app delivery | 6(1)(b) contract | Not applicable |
| Witness journaling, Mood Meter | 6(1)(b) contract for storage, 6(1)(a) consent for inference | 9(2)(a) explicit consent for mental-wellness inference |
| Compass values card sort, Sunday Conversation | 6(1)(b) contract | 9(2)(a) explicit consent for philosophical-convictions inference |
| Enforcer habit ledger | 6(1)(b) contract | Not applicable (general behavioural data) |
| Forge recipes, receipt OCR | 6(1)(b) contract | 9(2)(a) explicit consent where diet may reveal health, religious, or ethical convictions |
| Fuel nutrition log | 6(1)(b) contract | 9(2)(a) explicit consent for health-data inference |
| Playmaker training imports | 6(1)(b) contract | 9(2)(a) explicit consent for biometric and health data |
| Cross-pillar inference | 6(1)(b) contract for storage, 6(1)(a) consent for each inference type | 9(2)(a) explicit consent at activation |
A Data Protection Impact Assessment is filed and reviewed annually. The DPIA is summarised on this page; the full text is available on request to dpo@vaen.cc.
VÆN's position on Article 22 (automated decision-making) is that cross-pillar inference does not produce a legal-effect or similarly-significant-effect decision because the inference is shown to the user as text and never enforces an action. The user reviews every inference and may reject it. The DPO will confirm this analysis at DPIA co-sign (F1.5, TODO-JINS D7).
8. Pseudonymous founder
VÆN is operated by {LEGAL_ENTITY_NAME} (Belgian BV in formation, see footnote 7), with the trademarks (VÆN, ÆON, JÆRVIS) held by a separate Belgian holding-BV. Both entities have addresses on file with the Belgian Crossroads Bank for Enterprises (KBO/BCE) once registered. Director details follow Belgian transparency requirements as restricted by the 2022 CJEU ruling on UBO-register access.
Footnote 7. The operating-BV is in formation as of page publication. The placeholder {LEGAL_ENTITY_NAME} will be replaced with the registered KBO/BCE name once incorporation closes (target: June 2026, tracked under foundation TODO-JINS items A4 + D2). Until incorporation closes, this page is operated by the existing Belgian BV that holds the project's pre-incorporation contracts. Any data-controller obligation between the user and VÆN under GDPR Article 4(7) attaches to the operating-BV upon incorporation and is back-dated to the user's account-creation date for the avoidance of any gap.
The founder operates under the pseudonym The Architect for all public-philosophical surfaces (Manifesto, Quarterly Letter, strategic statements). The pseudonym is a deliberate design choice, not an omission. Anonymity allows the work to hold its line, and the brand voice to stay stable through future succession of the position. Reference: docs/plans/DECISION-LOG.md §3.
On identity claims. VÆN does not confirm or deny identity claims about the people behind the project. This is not a hedge; it is a posture. Identity questions are treated as beside the point. Read the Manifesto, read the Quarterly Letter, decide on the substance. The full standing response is filed at docs/plans/foundation/F1-legal/F1.6-doxx-statement-standard.md and the Architect signs the public version.
WHOIS for vaen.cc and the defensive domains (vaen.com, vaen.eu, vaen.be, and others) is redacted under registrar privacy. Domain technical contact resolves to a privacy-proxy address.
9. Anthropic Zero-Data-Retention
The Mirror, the Sunday prompt, and the Weekly Witness Report are generated by an inference call to Anthropic Claude, served from AWS Bedrock eu-central-1 (Frankfurt). The Zero-Data-Retention agreement with Anthropic is currently in signing (target close: pre-launch; tracked under TODO-JINS item D5). ZDR means: prompts and outputs are not stored, not logged beyond the request, and not used to train any model owned by Anthropic or any third party. The 30-day abuse-monitoring window that applies to non-ZDR Anthropic customers will not apply once ZDR is in force. Until ZDR is in force, the Mirror is generated by Anthropic under standard Bedrock retention terms, which keep model-invocation data in eu-central-1 but allow the 30-day window. The code path is wired; AWS Bedrock credentials provision at D5 close.
Every cross-pillar inference call carries a pseudonymised user identifier, not an email or any other directly identifying field. Anthropic never sees a name, an email, or an IP address tied to a VÆN user. The contractual text is available on request to dpo@vaen.cc.
Note on terminology: the technical term "AI inference" appears on this page in three places, the residency table (§3), this section (§9), and the sub-processors table (§10). All three refer to the same Anthropic Claude via AWS Bedrock pipeline described in this section. Elsewhere on the page, and elsewhere in the product, the in-app character that writes the Mirror is referred to as ÆON, because that is the character the user interacts with. The substrate is not the point. The Mirror is.
10. Sub-processors
| Vendor | Purpose | Location | DPA signed |
|---|---|---|---|
| Supabase Inc. | Primary database, auth, object storage | EU region (see §3 footnote 1) | Pending operating-BV incorporation |
| Anthropic, PBC | AI inference per §9 (under ZDR via AWS Bedrock) | AWS eu-central-1 (Frankfurt) | Pending, target: before launch |
| Amazon Web Services EMEA SARL | Cloud infrastructure for Bedrock | eu-central-1 (Frankfurt) | Standard AWS DPA |
| Stripe Payments Europe Ltd | Payment processing | EU plus US billing rails (SCCs) | Standard Stripe DPA |
| Resend, Inc. | Transactional email | EU region | Pending |
| Anthropic Claude vision (via AWS Bedrock, see §9) | Receipt OCR for Forge until a dedicated OCR vendor is contracted | AWS eu-central-1 (Frankfurt) | Covered by Anthropic + AWS DPAs (see §9) |
| Sentry-equivalent | Crash analytics | EU region | Pending |
| PostHog Ltd | Product analytics (anonymous, opt-in) | EU cloud | Pending |
| OneSignal, Inc. (US, EU data residency option) | Push notification delivery; receives device push tokens, OneSignal-internal player_id, and the notification payload (title and body text only, no user-content data) | EU data residency option enabled (tentative, see §3 footnote 6); US headquarters under SCCs Module 1 | Pending operating-BV incorporation |
| Capgo | Mobile OTA updates | EU region | Pending (signing after 2026-05-16 per TODO-JINS C1) |
| Upstash, Inc. | Rate-limit counters, idempotency keys, hashed identifiers (sub-processor of VÆN OS infrastructure; hashed user IDs only, no direct PII, no Article 9 data) | GCP europe-west1, Brussels, BE (see §3 footnote 5) | Pending operating-BV incorporation |
| Cloudflare or Vercel Edge | Static asset CDN plus server-side render runtime. Vercel processes user content TRANSIENTLY (see footnote 8) during server-side rendering of Mirror 90-day artifacts (PNG + PDF), Compass Quarterly Booklet PDF, Witness Therapist Handoff Export PDF, Yearly Report PDF, Mirror share templates (3 PNG aspect ratios + PDF), and dynamic Open Graph images at /api/og/* routes when user-content is embedded. Content is never persisted by Vercel beyond the render request; the rendered binary is uploaded directly to Supabase Storage or streamed to the user. | Multi-region for static assets; render functions run in eu-central-1 (Frankfurt) | Standard Vercel DPA |
Vercel Edge serves static assets and runs server-side render functions. During PDF and image generation (Mirror artifacts, Compass Booklet, therapist exports, share templates, dynamic Open Graph images), VÆN processes user content within Vercel's render runtime in eu-central-1 (Frankfurt). Content is never persisted by Vercel beyond the render request. The rendered binary is uploaded directly to Supabase Storage or streamed to the user.
Footnote 8. "Transient" means: Vercel's render runtime holds the data in memory for the lifetime of the HTTP request only. No disk writes by Vercel. Render workers are stateless and ephemeral. Vercel's contract is the standard Vercel DPA.
Each new sub-processor passes a DPO review before entering this list. Users may object to a sub-processor under Article 21 by writing to dpo@vaen.cc. If the objection is upheld, VÆN either changes the sub-processor for that user (where feasible) or, if not feasible, terminates the contract with a pro-rata refund.
Future OCR vendor selection. A dedicated OCR vendor (Klippa, Netherlands HQ with native EU residency, or Veryfi, US HQ under SCCs with EU residency contractual) is planned to replace the Anthropic-vision path for Forge receipt scanning. The codebase already abstracts the OCR call behind a provider interface (vaen-os/lib/forge/ocr-provider.ts), so flipping the OCR_PROVIDER env var will route receipts to the chosen vendor without changes to business logic. Vendor selection, DPA signing, API key provisioning, and the end-to-end smoke test are tracked in TODO-JINS item F5-J13 (post-launch P1, target 2026-Q3). When the dedicated vendor goes live, this row updates accordingly and the T1 audit reflects the change.
10b. User-initiated integrations and platform partners
The following vendors are not VÆN sub-processors under Article 28 GDPR. They are listed separately because they are visible to the user and the legal relationship differs.
User-initiated OAuth integrations (joint controllers under Article 26)
| Platform | What it does | What VÆN receives | What VÆN sends |
|---|---|---|---|
| Whoop | User authorises VÆN to read workout, sleep, recovery, HRV | Structured records via OAuth API | Nothing |
| Oura | User authorises VÆN to read sleep, readiness, activity | Structured records via OAuth API | Nothing |
| Strava | User authorises VÆN to read activities | Structured records via OAuth API | Nothing |
| Garmin | User authorises VÆN to read workout, sleep, HRV, steps | Structured records via OAuth API | Nothing |
| Google Fit | User authorises VÆN to read activity, body, and heart-rate data | Structured records via Google Fitness REST API (workouts, heart rate, sleep, hydration) | Nothing |
Each integration starts with an explicit OAuth consent screen on the platform's domain. The user accepts that platform's terms at OAuth time. VÆN never writes data back to these platforms. If a user revokes the OAuth grant on the platform side, the connection breaks immediately and any further sync stops. For Google Fit specifically, Google LLC is the OAuth identity provider and joint controller for the consent screen; the user can manage or revoke the VÆN authorisation at any time via the Google Account permissions page.
The data imported from these platforms is Article 9 special-category data (health). VÆN processes it under Article 9(2)(a) explicit consent, recorded in consent_grants at the moment the user initiates the OAuth flow. See §7 for the consent ledger and §5 for retention.
Platform partners (joint controllers under Article 26)
| Platform | Scope | What VÆN receives |
|---|---|---|
| Apple Inc. (App Store) | Subscription billing only | Receipt validation tokens |
| Google LLC (Google Play) | Subscription billing only | Purchase tokens |
Apple and Google bill the user directly under their own terms. VÆN receives only the receipt or token needed to activate the subscription on the VÆN side. Neither platform sees user-content data.
On-device APIs (not recipients)
| API | What it does |
|---|---|
| Apple HealthKit | Reads health data on the user's device. Data is processed in the app sandbox and never leaves the device unless the user explicitly imports a sample to a pillar. |
Android Health Connect (via @capgo/capacitor-health) | Same as HealthKit on Android. |
These are not sub-processors. They are device APIs the user grants permission to.
11. Crisis routing and Data Subject Rights
If a user's input contains a signal of acute crisis (self-harm, suicide, immediate danger), ÆON breaks character with one plain sentence and routes the user to a country-specific hotline. ÆON does not respond again in that thread until the user returns and re-opens the Mirror. This is the only place in the system where the in-app character ever uses the construction "I will".
The country-specific hotlines at launch:
| Country | Hotline |
|---|---|
| Belgium (NL) | 1813 |
| Belgium (FR) | 0800-32-123 |
| Netherlands | 113 |
| France | 3114 |
| Germany | TelefonSeelsorge 0800-111-0-111 / 0800-111-0-222 |
| United Kingdom | Samaritans 116-123 |
| United States | 988 |
A user can override the auto-detected country in Settings if needed.
Every change to crisis-related copy (the break message, the hotline numbers, the re-engagement wording when the user returns, any future crisis-adjacent surface) carries triple sign-off per F2-brand/F2.2-aeon-persona.md: Privacy/Legal signs off on regulatory compliance, Brand Steward signs off on voice register, Clinical Advisor signs off on safety. All three sign-offs are logged at docs/plans/foundation/F2-brand/CRISIS-COPY-SIGNOFFS.md. No crisis-related copy ships without all three.
VÆN does not replace professional care. The product is the layer between an app and a professional, not the professional.
Data Subject Rights. All Data Subject Rights (access, rectification, erasure, portability, restriction, objection, consent withdrawal, right not to be subject to automated decision-making) are exercisable in-app under Settings , Your Data, or by writing to dpo@vaen.cc. The Privacy intake (DPO upon engagement, target 2026-06-17 per TODO-JINS D1) responds within 24 hours business day for intake and within 14 days for the substantive response, hard-bound to 30 days by Article 12(3) GDPR. Users have the right to lodge a complaint with the Belgian Data Protection Authority (autoriteitpersoonsgegevens.be) or with the supervisory authority of their member state of residence.
12. Last updated
| Date | Change |
|---|---|
| 2026-05-11 | Initial draft published for Independent Reviewer. |
This page is reviewed at every release that touches data flow, plus annually at minimum. The change log above lists every public-facing revision.
Contact. dpo@vaen.cc for Data Subject Rights and privacy questions. press@vaen.cc for institutional press inquiries. The Architect signs the Manifesto and the Quarterly Letter, not this page.
User-content data (journal, mood, habit, recovery) stays inside the European Economic Area for the full request lifecycle. Anthropic Claude runs under a signed Zero-Data-Retention agreement, so prompts and outputs are not stored or logged beyond the request. See sections 3, 9, and 10 for the binding text.
Data-subject rights, sub-processor objections, and privacy questions: write to dpo@vaen.cc. Institutional press: press@vaen.cc.