Savage Buddha

Privacy Policy

Effective date: March 2, 2026

Last updated: March 2, 2026

Savage Buddha ("Savage Buddha," "we," "our," or "us") is built on the Second Sun platform. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our mobile and web applications and related services (the "Services").

1. Scope

This policy applies to data processed through the Savage Buddha apps and backend services, including authenticated web and mobile experiences, messaging, AI features, notifications, and subscription features.

2. Information We Collect

A. Information you provide directly

  • Account and profile data: name, email, phone number, role, timezone, profile settings.
  • Wellness and self-reported data: survey responses, journal/check-in entries, goals, activity, sleep, nutrition, and related wellness inputs.
  • Appointment and provider interaction data: appointment details, notes, and in-app communications.
  • Optional provider location data (for provider workflows), including consent flags and location fields where provided.
  • Support and contact communications.

B. Information collected automatically

  • Device and app data: platform type, push token, app/runtime metadata, and operational logs.
  • Auth/session data: token/session metadata and session validity markers.
  • Usage and feature telemetry used for product operation and improvement.
  • Messaging metadata and room/session metadata needed to run chat features.

C. Subscription and purchase data

  • Subscription status and entitlement metadata (for example active/inactive, trial state, expiration, platform).
  • RevenueCat identifiers (for example customer and app user IDs) used to reconcile subscription access.

D. AI feature inputs

  • Prompts/messages you submit to AI features.
  • Conversation context used to generate responses.
  • Embeddings and vector index records derived from content for retrieval features.

3. How We Use Information

We use information to:

  • Provide and operate the Services.
  • Authenticate users and secure accounts.
  • Deliver messaging, notifications, and communications.
  • Provide AI companion/coach and related AI features.
  • Support subscriptions, purchases, and entitlement checks.
  • Maintain safety, abuse prevention, and incident response.
  • Satisfy legal, compliance, and audit requirements.
  • Improve reliability, quality, and feature performance.

4. How Data Is Stored and Protected

  • In transit: network traffic is protected using HTTPS/TLS where applicable.
  • On mobile devices: local app database storage is encrypted at rest using SQLCipher; encryption keys are stored in platform secure storage (for example iOS Keychain / Android Keystore).
  • On web: sensitive auth/session keys are stored in session storage; non-sensitive values may use local storage.
  • Server-side: data is stored in managed infrastructure and accessed through role-based controls and service authentication.
  • Auditing: security/audit logging is implemented with PHI redaction logic in audit pathways.

No security method is perfect, but we use administrative, technical, and operational safeguards designed for healthcare-adjacent workflows.

5. AI Processing and Model Providers

When AI features are used, relevant input data may be processed by configured AI services to produce responses and embeddings. Current configured providers may include:

  • Google AI / Gemini (including Vertex-based capabilities)
  • Anthropic
  • OpenAI

AI outputs can be inaccurate or incomplete; you should not rely on them as medical diagnosis or emergency advice.

6. Service Providers and Data Sharing

We share data with subprocessors and infrastructure providers only as needed to operate the Services, including:

  • Google Cloud (hosting, storage, secrets, vector infrastructure)
  • RevenueCat (subscription/billing state)
  • Twilio (communications, verification, and configured telemedicine/video capabilities)
  • LiveKit (when enabled for realtime/media features)
  • Expo Push service (push notification delivery)
  • SendGrid (transactional email)
  • Matrix/Synapse stack components (in-app messaging features)
  • AI providers listed above

We may also disclose data:

  • To your authorized organization administrators/providers based on role and permission configuration.
  • To comply with legal obligations, lawful requests, or to protect rights, safety, and security.
  • In connection with corporate transactions as permitted by law.

We do not sell personal information for money.

7. Data Retention

We retain data for as long as needed for service operation, legal/compliance obligations, dispute resolution, and security.

Implementation-specific retention behaviors include:

  • Audit retention is configurable and may be set for long-term retention in production environments.
  • Messaging retention can be configured via room retention settings.
  • On account deletion from the app, account records are deactivated/anonymized (tombstoned) to preserve system integrity and compliance records; login access is disabled and certain key material is purged.

8. Your Choices and Rights

Depending on your location and relationship with us, you may have rights to:

  • Access or export your data.
  • Request deletion or correction.
  • Restrict or object to certain processing.
  • Withdraw consent where processing is consent-based.
  • Appeal decisions on privacy rights requests where required by law.

In-app controls currently include:

  • "Download My Data" export flow.
  • "Delete Account" flow.
  • Notification permission controls (device-level and in-app preferences).

You may also contact us to exercise privacy rights.

9. Important Notes About In-App Export and Deletion

  • Current in-app data export functionality returns core account profile and survey response data in JSON format.
  • Deletion is currently implemented as a deactivation/anonymization process rather than immediate hard deletion of all historical records.

10. International Transfers

Your information may be processed in jurisdictions other than your own, including where our infrastructure or subprocessors operate. We use contractual and technical safeguards designed to protect personal data during transfer and processing.

11. Children's Privacy

The Services are not intended for children under 13 without appropriate authorization. If you believe a child provided personal data improperly, contact us so we can take appropriate action.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will update the "Last updated" date and provide additional notice when required.

13. Contact Us

For privacy requests or questions, contact:

  • Privacy email: privacy@secondsunconnect.com
  • Support email: support@secondsunconnect.com

If you are using Savage Buddha through an organization, you may also contact your organization administrator for organization-specific privacy requests.