SEIRU
Privacy Policy
Mobile Application for Emotional Support with Artificial Intelligence
Version 1.0 | March 2026
Developed by Esteban Herrera Clavería
Contact: esteban@seiru.app
1. Introduction
This Privacy Policy describes how Esteban Herrera Clavería, independent developer ("the Developer", "we", "us"), collects, uses, stores, protects, and shares the personal information of the user ("you", "the User") when using the Seiru mobile application ("the Service", "the Application").
Guiding principle: Data related to mental health and emotional well-being constitutes the most sensitive category of personal data. Seiru treats this responsibility with the utmost seriousness.
This Policy is an integral part of Seiru's Terms and Conditions of Use. By using the Service, you accept the practices described in this Policy. In case of discrepancy between language versions, the Spanish version shall prevail.
1.1 Data Controller
Name: Esteban Herrera Clavería
Email: esteban@seiru.app
Website: https://www.seiru.app
Country of Residence: Japan
2. Data We Collect
Seiru collects only the data necessary to provide the Service. Below are the categories of data collected:
2.1 Account Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Username | Identification within the app and personalization | Contract Performance |
| | Authentication, account recovery, communications | Contract Performance |
| Password (Argon2id hash) | Secure authentication. Never stored in plain text. | Contract Performance |
| Language and country | Cultural localization, crisis resources, therapeutic framework | Contract Performance |
| Guardian class | Personalization of the RPG experience | Contract Performance |
2.2 Emotional Wellness Data
IMPORTANT: This data is treated as sensitive data in all jurisdictions.
| Data | Purpose | Retention |
|---|---|---|
| Mood (1-5) and emotional tags | Daily check-in, Kingdom visualization, progress tracking | 12 months maximum |
| Conversation history | Guardian continuous memory, conversational context | 12 months maximum |
| User profile (AI summary) | Personalization, continuity between sessions | While account is active |
| Session summaries | Long-term memory (Adventurer/Hero tier) | 12 months maximum |
| Cultural notes | Adaptation of Guardian's communication style | While account is active |
2.3 Usage and Progress Data
- Streak data, accumulated XP, unlocked achievements.
- Use of the streak protection shield.
- Completed therapeutic exercises.
- Frequency and duration of application use.
2.4 Technical Data
- Device type, operating system, and version.
- Application version.
- IP addresses (for consent logging and security; not used for precise geolocation).
- Error and performance logs (without conversation content).
2.5 Data We Do NOT Collect
Seiru does NOT collect:
- Real name (unless the user chooses it as their username).
- Physical address or precise GPS location.
- Phone number.
- Financial information (payments are processed entirely through Apple/Google).
- Biometric data.
- Device contacts, photos, files, or other phone data.
- Social media data or third-party integrations.
3. How We Use Data
3.1 Processing Purposes
- Service provision: Generate Guardian responses, maintain continuous memory, personalize the RPG Kingdom, provide adapted therapeutic exercises.
- Crisis detection: Analyze messages in real-time to identify risk signals and display localized emergency resources.
- Service improvement: Analysis of aggregated and anonymized usage patterns to improve features, fix bugs, and optimize the experience.
- Communications: Send service-related notifications (updates, Terms changes, habit reminders if enabled).
- Security: Prevent unauthorized access, detect fraudulent activity, protect system integrity.
- Legal compliance: Respond to legal requirements, protect the rights of the developer and other users.
3.2 What We Will NEVER Do with Your Data
Irrevocable commitments:
- We will NEVER sell personal or mental health data to third parties.
- We will NEVER share conversation content with advertisers or data brokers.
- We will NEVER use mood status or conversation data for advertising targeting.
- We will NEVER create user profiles for sale to third parties.
- We will NEVER use your data to train our own AI models or third-party models without your explicit independent consent.
4. Third-Party Data Sharing
Seiru shares data exclusively with service providers necessary for Application operation:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| OpenAI | AI processing (chat, crisis, profile) | Conversation messages, profile context | USA |
| Google Cloud (Cloud SQL, Cloud Run) | Hosting, database, application execution | All service data | Tokyo, Japan (asia-northeast1) |
| Upstash (Redis) | Cache and task queue | Temporary session data (no conversations) | Variable (global provider) |
| Google AdMob | Advertising (Traveler tier only) | Device identifiers, technical data. NO mental health data. | Variable |
| RevenueCat | Subscription management | Subscription status, user identifier | USA |
| Apple App Store / Google Play Store | Distribution, payments | Transaction data (managed by Apple/Google) | Variable |

Each provider is subject to its own privacy policies and data processing agreements. The developer selects providers that offer adequate data protection guarantees.
OpenAI API: As of the date of this Policy, OpenAI states in its API terms that data sent through the API is not used to train its models unless the user explicitly opts in. Seiru does NOT opt in.
5. Data Storage and Security
5.1 Data Location
Primary data is stored on Google Cloud servers in the asia-northeast1 (Tokyo, Japan) region. Conversations processed by OpenAI transit temporarily through servers in the United States in accordance with OpenAI's data processing policy.
5.2 Security Measures
Seiru implements the following technical and organizational security measures:
- Encryption in transit: TLS 1.3 for all communication between the application and servers.
- Encryption at rest: Database encryption provided by Google Cloud SQL.
- Password hashing: Argon2id, currently the most robust standard available.
- Authentication: JWT tokens with configurable expiration.
- Rate limiting: Usage limits by tier to prevent abuse.
- Consent logging: Each consent is logged with timestamp, IP address, and accepted document version.
- Cloud KMS: Planned for additional encryption of critical crisis-related data.
- Anonymization: presidio-analyzer planned for PII anonymization before logging.
5.3 Retention Periods
| Data Type | Retention Period | After Account Deletion |
|---|---|---|
| Account data | While account is active | Deletion within 30 days |
| Conversation history | Maximum 12 months | Immediate deletion |
| Mood status data | Maximum 12 months | Immediate deletion |
| Profile and AI summaries | While account is active | Deletion within 30 days |
| Progress data (XP, streaks) | While account is active | Immediate deletion |
| Consent logs | 5 years (legal requirement) | 5-year legal retention |
| Technical logs (no PII) | 90 days | Normal 90-day cycle |
| Backups | 90 days maximum | Purged in 90-day cycle |
6. User Rights
Regardless of your jurisdiction, Seiru grants all users the following rights:
6.1 Universal Rights
- Access: Request a copy of all personal data Seiru holds about you.
- Rectification: Correct inaccurate or incomplete personal data.
- Erasure: Request complete deletion of your account and all associated data.
- Portability: Receive your data in a structured, commonly used, and machine-readable format (JSON).
- Consent withdrawal: Withdraw your consent at any time, resulting in account deletion.
- Objection: Object to the processing of your data for specific purposes.
- Restriction: Request temporary restriction of data processing.
6.2 How to Exercise Your Rights
To exercise any of these rights:
- Within the app: Settings > Privacy > [corresponding option]
- By email: esteban@seiru.app with subject "Privacy Rights Request"
Response timeframes:
- General requests: thirty (30) calendar days.
- Deletion requests: thirty (30) calendar days.
- Security or crisis-related requests: forty-eight (48) hours.
We will verify your identity before processing any request by confirming the email address associated with your account.
6.3 Conversation Deletion
The User may delete individual conversations directly from the application (immediate logical deletion, physical purge in the next maintenance cycle). Deletion of conversations also removes corresponding messages from the context used by the Guardian.
7. International Data Transfers
Since Seiru operates in multiple countries and uses global service providers, your data may be transferred to countries other than your country of residence. Transfers are carried out in accordance with:
- EU/EEA: Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions where applicable, or equivalent mechanisms.
- Japan: In accordance with Article 28 of the APPI, with required safeguards for international transfers.
- United Kingdom: Standard Contractual Clauses as per UK GDPR, where applicable.
- Other countries: User's explicit consent and/or applicable legal mechanisms per jurisdiction.
The main cross-border data flow is between Japan (primary storage in Google Cloud Tokyo) and the United States (AI processing by OpenAI).
8. Minors
Seiru is not directed to minors under thirteen (13) years of age and does not intentionally collect personal data from minors under that age.
For users between thirteen (13) and their jurisdiction's digital age of consent (for example, 16 years in much of the EU), use requires verifiable consent from a parent or legal guardian.
If the developer detects that a minor under 13 has created an account:
- The account will be disabled immediately.
- All associated data will be deleted within a maximum of forty-eight (48) hours.
- If the parent or guardian is identified, they will be notified of the situation.
Advertising and minors: Seiru does not direct personalized advertising to minors. Traveler tier ads shown to users under 18 are contextual (not profile or behavior-based).
9. Cookies and Similar Technologies
Seiru is a native mobile application and does not use traditional web cookies. However:
- Local storage: The application uses device local storage for authentication tokens, user preferences, and cache data for offline functionality.
- Google AdMob: The AdMob SDK (Traveler tier only) may use device advertising identifiers in accordance with its own policies.
- Website (seiru.app): Seiru's website may use essential and analytics cookies. Consent will be requested where legislation requires it.
10. Security Breach Notification
In the event of a security breach affecting personal data:
- Affected users: Will be notified by email and/or in-app notification without undue delay, and in any case within seventy-two (72) hours of becoming aware of the breach.
- Data protection authorities: Will be notified in accordance with timeframes established by applicable law (72 hours per GDPR, equivalent timeframes in other jurisdictions).
- Notification content: Nature of the breach, affected data, measures taken, recommended measures to the user, contact information for inquiries.
11. Changes to This Policy
The developer may update this Privacy Policy periodically. When substantial changes are made:
- The User will be notified through a notice within the application and/or by email.
- At least fifteen (15) days will be provided to review changes before they take effect.
- The user's new acceptance will be recorded with an updated timestamp.
- For changes requiring new explicit consent (for example, new processing purposes), such consent will be requested independently.
The version history of this Policy will be available at https://www.seiru.app/privacy/history.
12. Contact and Complaints
For any inquiry, request, or complaint related to this Privacy Policy:
Email: esteban@seiru.app
Recommended subject: "Privacy — [type of request]"
Response time: Five (5) business days for general inquiries; thirty (30) days for rights requests.
If you are not satisfied with our response, you have the right to lodge a complaint with the competent data protection authority in your jurisdiction:
- EU: Data Protection Authority of your country of residence.
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
- Japan: Personal Data Protection Commission (PPC) — ppc.go.jp
- Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
- Mexico: National Transparency Institute (INAI) — home.inai.org.mx
- Argentina: Public Information Access Agency (AAIP) — argentina.gob.ar/aaip
- Chile: Transparency Council — consejotransparencia.cl
- Singapore: Personal Data Protection Commission (PDPC) — pdpc.gov.sg
- Philippines: National Privacy Commission (NPC) — privacy.gov.ph
Last Updated: March 2026
Document Version: 1.0