Privacy

Privacy Policy

Last updated: April 21, 2026

The short version

  • We collect your email, what you tell Dahlia, and payment info needed to run the product.
  • We never sell your data.
  • You can export or delete everything from settings at any time.
  • Your data is encrypted in transit and at rest.
  • Third-party processors handle specific functions: Anthropic (AI responses), OpenAI (voice), Stripe (payments), Supabase (database), Vercel (hosting).

1. What we collect

When you use Dahlia, we collect:

  • Account info: email address, optional display name, and authentication metadata.
  • Session content: the text of your messages to Dahlia and Dahlia's responses.
  • Voice recordings (premium only): temporary audio uploads for transcription. These are discarded after transcription and never stored.
  • Mood entries (optional): the numeric scores you submit before/after a session.
  • Usage metadata: session start/end times, message counts, tier, and similar operational data.
  • Memory summaries (Plus subscribers only): structured summaries of past sessions used to personalize future conversations.
  • Payment info: processed by Stripe. We never see your full card number.

2. How we use it

  • To generate Dahlia's responses in real time.
  • To maintain memory across sessions for Plus subscribers.
  • To enforce rate limits and abuse controls.
  • To process payments.
  • To improve the product in the aggregate, with no identifying information.
  • To contact you about your account or material changes to this policy.

3. Third-party processors

Dahlia uses these services to deliver the product. Each processes only the data it needs:

  • Anthropic — receives your message content to generate coaching responses. Subject to Anthropic's terms and privacy policy.
  • OpenAI — receives your audio (for transcription) and response text (for synthesis) when voice is enabled. Audio is not retained by OpenAI beyond processing per their API privacy terms.
  • Stripe — processes payments and stores payment methods. We receive only non-sensitive metadata (last 4 digits, customer ID).
  • Supabase — stores your account and session data with Row-Level Security, encrypted at rest.
  • Vercel — hosts the application. Request logs are retained for security and debugging.

4. How long we keep your data

Session messages and memory summaries are retained as long as your account is active, or until you delete them. If you delete your account, we delete your profile, sessions, messages, memory, and mood entries within 30 days. Backups are purged on our normal rotation (up to 90 days). Payment records may be retained longer for tax and accounting purposes as required by law.

5. Your rights

You can, at any time:

  • Export your data from account settings as a downloadable JSON file.
  • Delete individual sessions, memory entries, or your entire account.
  • Cancel a subscription at any time; memory is deleted when you do, unless you request otherwise.
  • Contact us at hello@dahlia.coach to request access, correction, or deletion of your data.

6. Children

Dahlia is not directed at children under 18 and we do not knowingly collect data from them. If we learn we have collected information from a child under 18, we will delete it.

7. California residents

If you're a California resident, the CCPA gives you the right to know what personal information we collect, to delete it, and to opt out of any sale (Dahlia does not sell personal information). Contact us to exercise these rights.

8. Crisis routing

If your message triggers our crisis detection regex, we return a static response routing you to 988 and do not send the message to the language model. The message is still saved as part of your session history. This detection is automated and designed to prevent the AI from attempting crisis intervention it is not equipped to provide.

9. Security

We use industry-standard encryption in transit (HTTPS/TLS) and at rest (Supabase Postgres encryption). No system is perfectly secure. Please use a strong, unique password for your account, and report any suspected account compromise to hello@dahlia.coach.

10. Changes to this policy

We may update this policy. Material changes will be announced in-app or via email with a reasonable notice period. The "Last updated" date at the top reflects the most recent revision.

11. Contact

Privacy questions, data requests, or concerns: hello@dahlia.coach

This document is a draft awaiting final legal review. It will be updated before Dahlia exits invite-only access.