Privacy policy
Version 2 — last updated 21 June 2026.
In short
- I collect cannabis-use information you give me. It is special category data under UK GDPR, processed only with your explicit consent.
- I use Anthropic's Claude to run conversations and digest them. I use Deepgram, ElevenLabs, Hume, Twilio, and Postmark only when you turn the matching feature on. Each handoff is named below.
- You can export, withdraw consent, or schedule deletion at any time from Account. Withdrawal triggers a 14-day grace window before permanent deletion.
Who I am
Clever Comms Ltd (UK) is the data controller for Bryn.
- Companies House number: {COMPANY_NUMBER — to be filled before launch}
- Registered office: {REGISTERED_OFFICE — to be filled before launch}
- ICO registration number: {ICO_REGISTRATION — apply at ico.org.uk and fill before launch}
- VAT: {VAT_NUMBER — if registered; otherwise omit}
- Contact for privacy questions: [email protected]
What data I hold
- Account profile: the email you sign in with, plus optional preferred name, pronouns, country, timezone, and the free-form "memory" note you choose to give me.
- Sessions (special category): conversational journal entries about your cannabis use — strain, device, dose, effects, and notes. Stored in Bryn's UK-hosted database.
- Action items: reminders, follow-ups, and dev-feedback items extracted from sessions.
- Consent ledger: a row per grant or withdrawal of every consent you've made, with timestamps and the wording version you agreed to. Used for audit, not analytics.
- Subject-rights events: a row per export, deletion request, or cancellation you've made. Same audit purpose.
- Voice (optional): when speech-to-text is enabled, microphone audio is streamed live to Deepgram for transcription. Bryn does not store the audio; only the transcript reaches Bryn's database.
- Phone (optional): when phone calls are enabled, Twilio's call metadata (number, time, duration, status) is logged in phone_calls. Audio is processed in-call only.
- Auth machinery: short-lived sign-in sessions and consumed magic-link tokens, kept only as long as needed to deliver authentication.
Lawful basis
| Processing | Article 6 basis | Article 9 basis |
|---|---|---|
| Storing cannabis-use data | 6(1)(a) consent | 9(2)(a) explicit consent |
| Sending text to Anthropic | 6(1)(a) consent | 9(2)(a) explicit consent |
| Speech-to-text via Deepgram | 6(1)(a) consent | 9(2)(a) explicit consent |
| Text-to-speech via ElevenLabs / Hume | 6(1)(a) consent | 9(2)(a) explicit consent |
| Phone calls via Twilio | 6(1)(a) consent | 9(2)(a) explicit consent |
| Magic-link sign-in email via Postmark | 6(1)(b) contract performance | n/a (no special category data sent) |
| Audit trail (consent ledger, rights events) | 6(1)(c) legal obligation (UK GDPR Art 7(1), Art 30) | n/a (no special category data sent) |
How I use AI processing
When you grant the AI text-processing consent, Bryn sends conversation text to Anthropic for four purposes:
- Live conversation — Claude generates Bryn's replies during a session.
- Mid-session digest — periodic background pass that updates a working summary and pulls out reminders / follow-ups / todos.
- End-of-session digest — the final summary that lands on the cannabis_session row.
- Memory update — after each session, Bryn updates the free-form personal note in your Account with any new factual context you surfaced. You can edit this note manually at any time.
No automated decisions producing legal or similarly significant effects are made about you (UK GDPR Article 22).
Processors and international transfers
Where any data is transferred outside the UK, the transfer relies on the UK Addendum to the EU Standard Contractual Clauses (or, where applicable, the UK International Data Transfer Agreement) under each provider's data processing addendum.
- Anthropic (Claude) — conversation text, system prompts, mid-session and end-of-session digest content, memory-update content. EU endpoint where available; otherwise routed via the UK Addendum to the EU SCCs. DPA.
- Deepgram (streaming speech-to-text) — engaged only when you enable voice input. Microphone audio streamed direct from your browser to Deepgram via a short-lived credential; Bryn never sees the audio. US infrastructure. DPA.
- ElevenLabs (text-to-speech) — engaged only when you enable voice output and pick an ElevenLabs voice. Text-only handoff (no audio in). US infrastructure. DPA.
- Hume (text-to-speech) — same as ElevenLabs but for the Hume voice option. US infrastructure.
- Twilio (phone calls) — engaged only when you enable phone modality. Call audio and metadata flow through Twilio's voice infrastructure. DPA.
- Postmark (transactional email) — magic-link sign-in messages and (optionally) export-ready notifications. Email content limited to those operational messages. US infrastructure. DPA.
Service worker and offline cache
When you install Bryn as an app or visit the site in a recent browser, a service worker runs in the background to make the app load instantly and degrade gracefully when you lose connection.
The service worker stores the following on this device:
- Static assets — CSS, JavaScript, the manifest, icons, and Google Fonts. Updated in the background; rotated on every app version change.
- Plain HTML pages for the cacheable routes (/, /shelf, /kit, /account, /dev, /onboarding, /privacy, /terms) once you've visited them while signed in. Used as a fallback when you're offline.
- Your journal pages (/history and individual session detail) only if you turn on "Keep my journal available offline on this device" on Account. Off by default. This is the cache that holds special-category data; it lives in the browser's Cache Storage API, scoped to my.bryn.day.
The cache is cleared when you sign out, when the app is updated to a new version, or when you uninstall / clear site data in your browser. No additional personal data leaves your device because of the service worker — it only changes what's stored locally.
If you'd rather Bryn never cache anything, leave the Account toggle off and the only thing on your device will be the static assets (CSS / JS / icons), which are public.
Cookies and operational email
Bryn uses one strictly necessary first-party cookie, bryn_sid, to keep you signed in after you click your magic-link email. It is HttpOnly, SameSite=Lax, and (in production) Secure. It is not used for analytics or advertising.
Strictly-necessary cookies are exempt from prior consent under PECR — no cookie banner is required for this single cookie. If analytics or third-party trackers are ever added, you'll be asked first.
Sign-in emails are operational necessity: without them, you cannot complete the authentication you initiated. They go via Postmark (lawful basis: Article 6(1)(b) contract performance). They do not contain special category data.
There are no analytics cookies, advertising cookies, third-party trackers, or browser localStorage / sessionStorage in use today.
Retention
- Sign-in sessions (auth_sessions): kept for 30 days from last activity, then pruned by the nightly cleanup.
- Magic-link tokens: consumed or expired tokens pruned 24 hours after consumption / expiry.
- Sessions, action items, notes, profile, free-form memory: kept until you ask me to delete them, or until your account is hard-deleted (after the 14-day grace window). Inactive accounts older than 24 months get a deletion-warning email and a 60-day window before automatic deletion.
- Consent ledger and subject-rights events: kept for 7 years after account deletion, as the audit-trail evidence Article 7 and Article 30 require. No personal data beyond user_id and the type/timestamp of the action.
- Phone-call metadata (phone_calls): kept for 13 months, in line with operational call-detail-record norms.
- Cleanup logs (cleanup_runs): retained for 12 months for retention-enforcement evidence.
Your rights
Under UK GDPR you have the right to:
- Access — download everything I hold about you. Self-service: Account → Download my data.
- Rectification — correct anything that's wrong. Either edit it on Account directly, or email me.
- Erasure — schedule permanent deletion. Self-service on Account; 14-day grace window; cancel any time during the window.
- Restriction — pause processing for a specific reason. Email me.
- Withdrawal of consent — withdraw any consent at any time (Article 7(3)). On Account: per-feature toggle for the optional consents and a withdraw button for each foundational consent. As easy to withdraw as to give.
- Portability — the export above is machine-readable JSON.
- Object — to processing relying on legitimate interests. Email me.
- Complain — to the Information Commissioner's Office at ico.org.uk if you're unhappy with how I've handled your data.
Children
Bryn is for adults only. You self-attest at sign-up that you are 18 or older. If I become aware that an account belongs to a minor, I delete it.
Changes to this policy
If I make material changes I will email you a notice with the new version, and the old version remains available on request. Non-material changes (typos, clarifications) update the "last updated" date silently.