Privacy Policy

SASU Norndis, registered under SIREN 102 057 957, with its registered office at 60 Rue François Ier, 75008 Paris, France (hereinafter “Steadmind”, “we”, “us”).

Contact: contact@steadmind.app

Data Protection Officer (DPO): contact@steadmind.app

We collect the following categories of personal data:

• Account data: email address, display name, password (hashed)
• Onboarding data: GAD-7 questionnaire answers, anxiety manifestation descriptions, personal objective
• Timeline data: life events you enter (year, title, description, emotion, intensity)
• Analysis data: AI-identified core beliefs derived from your timeline
• Exposure data: challenges completed, anxiety ratings, duration, panic attack occurrences, personal notes
• Chat data: conversations with the AI companion
• Payment data: processed by Stripe — we do NOT store card numbers or payment details
• Technical data: device locale, timezone, app usage analytics (via PostHog)

Some of the data we process (anxiety questionnaires, exposure logs, chat conversations) may constitute health-related data under GDPR Article 9. We process this data based on your explicit consent, which you provide when accepting the disclaimer during onboarding.

Steadmind is NOT a medical device and does NOT provide medical diagnoses or treatment.

• To provide and personalize the Steadmind service (timeline analysis, exposure challenges, AI chat)
• To generate AI-powered insights about your anxiety patterns
• To track your progress and provide feedback
• To process payments via Stripe
• To send service-related communications (account verification, password reset)
• To improve the service through anonymized, aggregated analytics

Your data is sent to Anthropic (Claude API) for AI analysis. This includes timeline events, chat messages, and exposure context. Anthropic processes this data under their data processing agreement and does NOT use your data to train their models when accessed via the API.

AI-generated content (core beliefs, exposure challenges, chat responses) is stored in our database and associated with your account.

• Database: Supabase (PostgreSQL), hosted in the EU
• Application server: OVH VPS, France
• Authentication: Supabase Auth
• Payments: Stripe (PCI DSS compliant)
• Analytics: PostHog (self-hosted or EU cloud)

• Active accounts: data is retained as long as your account is active
• Account deletion: all personal data is permanently deleted within 30 days of your deletion request
• Chat sessions: retained for the duration of your subscription
• Payment records: retained for 10 years as required by French tax law

You have the right to:

• Access your personal data
• Rectify inaccurate data
• Delete your account and all associated data (via Settings > Delete Account)
• Port your data in a machine-readable format
• Restrict or object to processing
• Withdraw consent at any time

To exercise these rights, contact us at contact@steadmind.app. We will respond within 30 days.

You may also file a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés) at www.cnil.fr.

We use:

• Locale cookie: stores your language preference (essential, no consent needed)
• Authentication tokens: stored by Supabase for session management (essential)
• Session storage: temporary chat session IDs (cleared on browser close)
• PostHog analytics: anonymous usage tracking (can be opted out)

We do NOT use advertising cookies or third-party tracking.

Steadmind is intended for users aged 16 and older. We do not knowingly collect data from children under 16. If you believe a child has provided us with personal data, please contact us immediately.

We may update this Privacy Policy from time to time. We will notify you of significant changes via the app or email. Continued use of Steadmind after changes constitutes acceptance.