Privacy Policy

1) Who we are & contact

Controller / Processor roles. Thymia may act as controller or processor depending on the context:

• Controller for information you share via the app’s contact/support flows; biometric data we collect via the app to provide Ember features and (if you choose) for research; and any information you provide to our customer services.
• Processor where Ember integrates with certain customer-provided systems, as applicable.

You have the right to complain to the UK Information Commissioner’s Office (ICO) or your local data protection authority. We’d appreciate the chance to resolve concerns first — please contact the DPO.

2) What data we collect

Data you provide

• Account details: name, gender, date of birth.
• Diary content: the voice conversation you choose to have with our AI agent (see “Voice recordings” below).

Data we collect automatically

• Technical & usage data: IP address, device model/OS, app version, time zone and location settings, diagnostics, and usage events needed to operate and secure the app.
• Network: Ember requires an active internet connection to function.

Permissions

• Microphone: required to conduct the voice conversation with the AI agent.

Voice recordings for biomarker analysis

• When you use voice features, Ember captures brief voice snippets (up to ~30 seconds) and transmits them securely to thymia’s servers for vocal biomarker analysis.
• Deletion: these voice recordings are deleted by thymia once analysis is complete.

Aggregated data

We may create aggregated or anonymised statistics for research or to improve our services. Aggregated data is not considered personal data unless it can be used to identify you; if combined with personal data, we treat it as personal data.

If you fail to provide data

Where we need personal data by law or to provide the service and you do not provide it, we may not be able to deliver parts of the app.

3) How we use your data (purposes & legal bases)

We only use your data where we have a lawful basis under GDPR:

• Provide and maintain the service (operate the app, voice features, and biomarker insights). Legal basis: performance of a contract (Art. 6(1)(b)).
• Account management (create/manage your profile). Legal basis: performance of a contract (Art. 6(1)(b)).
• Vocal biomarker analysis to deliver wellness-related features. Legal basis: your explicit consent (Art. 6(1)(a) and, for special categories, Art. 9(2)(a)).
• Improve our AI and services (only if you opt in). Legal basis: your explicit consent (GDPR accountability principle recorded).
• Security, fraud prevention, diagnostics. Legal basis: legitimate interests (Art. 6(1)(f)).
• Legal compliance (e.g., lawful requests). Legal basis: legal obligation (Art. 6(1)(c)).

Marketing

You’ll only receive marketing from us where you’ve requested information or obtained services and not opted out. We obtain your express opt-in consent before sharing your data with any third party for their marketing. You can opt out at any time via the message footer or by contacting us.

Automated processing

As you submit voice data, automated processing by AI algorithms generates scores. This automated processing does not produce legal or similarly significant effects for you.

Change of purpose

We’ll only use your data for the purposes collected unless we reasonably consider another compatible purpose; otherwise, we’ll notify you and explain the legal basis.

4) Where your data is stored & international transfers

Your basic account information (name, gender, date of birth) and voice snippets for analysis are stored/processed on thymia infrastructure in accordance with GDPR.

If we transfer data outside the UK/EEA, we ensure an adequate level of protection using: (i) adequacy decisions; and/or (ii) Standard Contractual Clauses (as amended). Contact the DPO for details of the specific mechanisms used for any transfer.

5) How long we keep your data

• Voice recordings: deleted by thymia once analysis is complete.
• Account information: retained while your account is active and deleted or anonymised within a reasonable period after closure, unless needed longer for legal, regulatory, accounting, or dispute reasons.
• Diagnostics/logs: retained only as long as necessary for troubleshooting and security.

In some circumstances we may anonymise data (so it can no longer be associated with you) for research/statistics; we may use this information indefinitely.

6) Sharing your data

• Service providers (processors): including thymia for hosting/analysis. They act under contract and may not use data for their own purposes.
• Business changes: if we undergo a merger, acquisition or asset transfer, your data may be used as set out in this policy by the new owner.
• Legal reasons: to comply with law or protect rights, safety, and security.
• No selling of personal data: we do not sell your personal data.

7) Your rights (EU/UK GDPR)

You may have the right to:

• Access your personal data
• Rectify inaccurate or incomplete data
• Erase your data (“right to be forgotten”)
• Restrict processing
• Data portability
• Object to processing based on legitimate interests
• Withdraw consent where processing is based on consent (without affecting prior lawful processing)

We may request information to verify your identity. We aim to respond within one month; complex/multiple requests may take longer and we’ll keep you updated. If a request is manifestly unfounded/repetitive/ excessive, we may charge a reasonable fee or refuse to act.

To exercise your rights, contact data.protection@thymia.ai or support@thymia.ai. You can complain to the ICO at ico.org.uk. Thymia Ltd ICO registration: ZA776402.

EU/EEA data subjects may contact our GDPR EU Representative: Gabrielle Powell (gabrielle@thymia.ai).

8) Children

Ember is intended for users aged 13+ (or the age of majority in your jurisdiction, whichever is greater). We do not knowingly collect personal data from children under this age without verified parental consent. If we learn we’ve collected such data, we’ll delete it as soon as possible.

9) Security

We implement appropriate technical and organisational measures to protect your data and limit access to those with a business need, under confidentiality. Examples include account authentication, secure hosting, and encrypted payment channels where applicable. We maintain procedures for suspected data breaches and will notify you/authorities where legally required.

Information about our compliance with ISO 27001, GDPR Data Protection Law and HIPAA is available on request.

10) Cookies & tracking

The Android app does not use browser cookies. If we use strictly necessary SDKs or analytics for stability/diagnostics, they are configured in a privacy-preserving way and do not rely on your voice submissions or scores for marketing or profiling.

11) Payments

Ember currently does not collect or store payment card details. If in-app purchases are offered, they are processed by Google Play Billing.

12) Changes to this policy

We keep this policy under regular review. Material changes will be communicated in-app or on our website. Your continued use of Ember after changes take effect signifies acceptance.

13) Contact

Questions or requests? Email data.protection@thymia.ai or support@thymia.ai.

Platform & Permissions Summary

• Platform: Android (Google Play)
• Network: Internet connection required
• Permissions: Microphone (to conduct voice conversations with the AI agent)

Governing law & jurisdiction

This policy is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over disputes arising from it.