Privacy Policy

How we collect, use, and protect your personal data under UK GDPR

Last updated: February 2026

Introduction

This Privacy Policy explains how Reframer ("we", "our", or "us") collects, uses, and protects your personal data when you use our web application.

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018.

Data Controller

The data controller responsible for your personal data is:

Reframer

United Kingdom

For data protection enquiries, please contact us at: privacy@reframer.app

What Data We Collect

Account Information

  • Email address (for authentication and account management)
  • OAuth provider account information (when you sign in with Google or Apple)
  • Name and profile picture (if provided by your OAuth provider)

Reframing Content (Special Category Data)

  • Negative thoughts and concerns you share
  • Identified cognitive distortions
  • Reframed perspectives you develop
  • AI-generated feedback and suggestions

Special Category Data: Your reframing content may include data about your mental health and emotional state, which is classified as "special category data" under UK GDPR. We process this data only with your explicit consent (Article 9(2)(a)). You provide this consent before first use of the reframing workflow.

Technical Information

  • Session data (for authentication)
  • Error logs (for debugging and service improvement)
  • IP address and browser information (for security purposes)

Legal Basis for Processing

Account and Service Delivery

We process your account information under contractual necessity - it is essential to provide you with our reframing service.

Reframing Content (Special Category Data)

We process your reframing content under explicit consent (UK GDPR Article 9(2)(a)). Before using the reframing workflow, we ask you to provide clear, informed consent to the processing of this sensitive data. You can withdraw consent at any time by deleting your account in Settings, which will permanently remove all your data.

Security and Error Monitoring

We process technical data under legitimate interests - to maintain service security, prevent abuse, and improve service quality.

How We Use Your Data

We use your personal data to:

  • Provide and maintain your account
  • Generate AI-powered feedback and suggestions for your reframing work
  • Store your reframes so you can access them later
  • Communicate with you about your account or service updates
  • Detect and prevent security issues or abuse
  • Improve our service quality and user experience

We will never sell your personal data to third parties or use it for marketing purposes without your explicit consent.

AI Processing

This app uses AI guided by cognitive behavioural therapy (CBT) techniques to help you reframe your thoughts. It is not a human therapist and may occasionally get things wrong.

When you use the reframing workflow, your thoughts are sent to our AI provider (OpenAI) for processing. Here is what you should know:

  • Your data is not used to train AI models
  • AI suggestions are generated in real-time. API data may be retained by our AI provider for up to 30 days for safety monitoring, then deleted.
  • The AI is not a therapist and its suggestions should not replace professional advice

Third-Party Data Processors

To provide our service, we share your data with the following trusted third-party processors who are bound by data processing agreements:

OpenAI (ChatGPT API)

Purpose: AI-powered feedback generation

Your reframing content is sent to OpenAI to generate personalized feedback. OpenAI does not use your data to train their models. Data is processed in accordance with OpenAI's Privacy Policy.

AWS (Amazon Web Services)

Purpose: Cloud hosting and database

Our application and database are hosted on AWS infrastructure in the EU/UK region. All data is encrypted at rest and in transit.

Google / Apple (OAuth Providers)

Purpose: Optional authentication

If you choose to sign in with Google or Apple, we receive only your email address, name, and profile picture (if provided). We do not access any other data from these services.

Sentry

Purpose: Error monitoring and debugging

Error logs and session replay data are sent to Sentry to help us identify and fix technical issues. These may incidentally include page content visible at the time of an error. We do not intentionally send your thoughts or reframes to Sentry.

All processors are GDPR-compliant and located in the UK/EU or have appropriate safeguards in place for international data transfers.

Data Retention

We retain your data for the following periods:

  • Account data: Until you delete your account
  • Reframing content: Until you delete your account or individual reframes
  • Error logs and session replays: Up to 90 days for debugging purposes
  • After account deletion: We delete your account and associated personal data immediately when you delete your account. Encrypted backups may retain limited information for up to 90 days as part of routine backup rotation, or longer only where we have a legal obligation to retain certain records

Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of access: Request a copy of your personal data
  • Right to rectification: Correct inaccurate data
  • Right to erasure: Request deletion of your data ("right to be forgotten")
  • Right to restrict processing: Limit how we use your data
  • Right to data portability: Receive your data in a structured, machine-readable format
  • Right to object: Object to processing based on legitimate interests
  • Right to withdraw consent: Withdraw consent for special category data processing at any time (this will result in account closure as we cannot provide the service without this data)

How to exercise your rights

You can export all your data or delete your account at any time from the Settings page. Account deletion permanently removes all your data including thoughts, reframes, and account information.

Data Security

We take the security of your personal data seriously and implement appropriate technical and organizational measures:

  • Data is encrypted in transit (HTTPS/TLS via our hosting provider)
  • Secure session management and authentication via NextAuth.js
  • Access controls on routes that store or retrieve your personal data
  • Automated vulnerability scanning in our development pipeline
  • Error monitoring to detect and respond to issues

Contact Us & Complaints

To exercise any of your rights or for data protection enquiries, please contact us:

Email

privacy@reframer.app

We will respond to all requests within 30 days as required by UK GDPR.

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO)

Website: ico.org.uk/make-a-complaint

Helpline: 0303 123 1113

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any significant changes by email or through a prominent notice on our website.

The "Last updated" date at the top of this page shows when the policy was last revised.