PRIVACY POLICY

1. INTRODUCTION AND SCOPE

This Privacy Policy ("Policy") describes how Expresso Inc., a Delaware C Corporation ("Amber," "we," "us," or "our"), collects, uses, processes, stores, shares, and protects your personal information when you access or use our website located at https://www.ambermind.ai and our artificial intelligence-powered emotional support services (collectively, the "Service").

We are committed to protecting your privacy and maintaining the confidentiality of your personal information. This Policy explains your privacy rights and how applicable privacy laws, including the European Union General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act ("CCPA"), the California Privacy Rights Act ("CPRA"), and other applicable United States federal and state privacy laws, apply to our processing of your personal information.

By accessing or using our Service, you acknowledge that you have read, understood, and agree to the collection, use, and processing of your personal information as described in this Privacy Policy. If you do not agree with our privacy practices, please do not use our Service.

This Policy applies to all users of our Service, regardless of their geographic location, though specific rights and protections may vary based on applicable local laws and regulations.

2. DATA CONTROLLER AND CONTACT INFORMATION

Data Controller: For the purposes of applicable data protection laws, including GDPR, Kuhu Singh serves as the Data Controller for all personal information collected and processed through our Service.

Contact Information: If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:

• Email: kuhu@ambermind.ai
• Data Controller: Kuhu Singh
• Company: Expresso Inc.
• Website: https://www.ambermind.ai

We are committed to responding to all privacy-related inquiries within thirty (30) days, or within the timeframes required by applicable law, whichever is shorter. For urgent privacy matters or data protection concerns, please clearly indicate the nature of your request in the subject line of your email.

3. INFORMATION WE COLLECT

Account Registration Information:

When you create an account with our Service, we collect the following personal information:

• Full Name: We collect your complete legal name as provided during registration to personalize your experience and maintain accurate account records.
• Email Address: Your email address serves as your primary account identifier and our primary method of communication with you regarding your account, service updates, and important notifications.
• Password Information: We collect and securely store your encrypted password to enable secure access to your account. We do not store passwords in plain text and use industry-standard encryption methods to protect this information.
• Referral Source Information: We collect information about how you discovered our Service through our "Where did you hear about us?" field during registration. This helps us understand our user acquisition channels and improve our marketing efforts while maintaining your privacy.

Conversation Data:

We automatically collect and store all conversations between you and our AI system. This includes:

• Message Content: The complete text of all messages you send to our AI system and all responses generated by our AI technology.
• Conversation Metadata: Technical information about your conversations, including timestamps, message frequency, conversation duration, and session information.
• Conversation History: We maintain a complete record of your interactions with our AI system, which is accessible to you through your personal history tab within your account dashboard.

Technical and Usage Information:

We automatically collect certain technical information when you use our Service:

• Device Information: Information about the device you use to access our Service, including device type, operating system, browser type and version, and screen resolution.
• Connection Information: Your IP address, internet service provider, and general geographic location (city and country level, not precise location).
• Usage Analytics: Information about how you interact with our Service, including pages visited, features used, time spent on the Service, and navigation patterns.
• Performance Data: Technical performance metrics such as page load times, error reports, and system performance indicators.

4. HOW WE USE YOUR INFORMATION

Service Provision and Account Management:

We use your personal information primarily to provide, maintain, and improve our AI-powered emotional support services. Your name and email address enable us to create and manage your account, authenticate your identity, and provide personalized access to your conversation history. Your conversation data is processed by our AI system to generate appropriate responses and maintain context throughout your interactions.

Communication and Support:

We use your email address to send you important account-related communications, including account verification emails, password reset instructions, subscription confirmations, billing notifications, and customer support responses. We may also send you service updates and important changes to our Terms of Service or Privacy Policy as required by law.

Service Improvement and Development:

We analyze conversation patterns and usage data in an aggregated and anonymized manner to improve our AI technology, enhance user experience, and develop new features. This analysis helps us understand common user needs and improve the quality and relevance of AI responses while maintaining individual privacy.

Billing and Subscription Management:

For Premium tier subscribers, we use your information to process payments, manage subscriptions, send billing confirmations, and handle subscription-related inquiries. Payment processing is handled by our third-party payment processor, Stripe, Inc.

Legal Compliance and Safety:

We may use your information to comply with applicable laws, regulations, and legal processes, respond to lawful requests from public authorities, protect our rights and interests, investigate potential violations of our Terms of Service, and ensure the safety and security of our Service and users.

Research and Analytics:

We conduct internal research and analytics using aggregated and anonymized data to understand user behavior patterns, measure service effectiveness, and generate insights that help us improve our Service. Individual users cannot be identified from this aggregated data.

5. LEGAL BASIS FOR PROCESSING (GDPR)

For users in the European Union and other jurisdictions where GDPR applies, we process your personal information based on the following legal grounds:

• Contractual Necessity: We process your account information, conversation data, and payment information as necessary to perform our contract with you and provide the Service you have requested. This includes account creation, service delivery, conversation storage, and subscription management.
• Legitimate Interests: We process certain information based on our legitimate interests in operating and improving our Service, preventing fraud, ensuring security, and conducting business analytics. These interests are balanced against your privacy rights, and we ensure that our legitimate interests do not override your fundamental rights and freedoms.
• Consent: Where required by law, we obtain your explicit consent for certain processing activities, particularly for marketing communications and optional features. You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
• Legal Obligation: We process personal information when necessary to comply with applicable legal obligations, including data protection laws, financial regulations, and law enforcement requests.

6. DATA SHARING AND DISCLOSURE

No Sale of Personal Information:

We do not sell, rent, lease, or otherwise monetize your personal information to third parties for commercial purposes. This commitment applies to all users regardless of their geographic location and is fundamental to our business model and values.

No Unauthorized Sharing:

We do not share your personal information with third parties for their marketing purposes or any other commercial use without your explicit consent. Your conversations with our AI system remain private and confidential.

Limited Third-Party Service Providers:

We may share certain personal information with trusted third-party service providers who assist us in operating our Service, but only to the extent necessary for them to provide their services to us. These service providers include:

• Payment Processing: Stripe, Inc. processes subscription payments on our behalf. When you subscribe to our Premium tier, your payment information is transmitted directly to Stripe and processed according to their privacy policy and security standards. We do not store your payment card information on our servers.
• Technical Infrastructure: We may use cloud hosting services, content delivery networks, and other technical service providers to ensure reliable and secure operation of our Service. These providers only receive the minimum information necessary to provide their technical services.

Legal and Regulatory Compliance:

We may disclose personal information when required by law, regulation, or legal process, including:

• Law Enforcement Requests: We may disclose information in response to valid legal requests from law enforcement agencies, courts, or other governmental authorities when required by applicable law.
• Legal Proceedings: We may disclose information in connection with legal proceedings, investigations, or regulatory inquiries where disclosure is legally mandated or necessary to protect our rights.
• Safety and Security: We may disclose information when we believe in good faith that disclosure is necessary to protect the safety of our users, investigate fraud, respond to security incidents, or protect our rights and property.

Business Transfers:

In the event of a merger, acquisition, sale of assets, or other business transfer, personal information may be transferred to the acquiring entity, subject to the same privacy protections outlined in this Policy.

7. DATA RETENTION AND STORAGE

Conversation Data Retention:

We retain your conversation history indefinitely while your account remains active, allowing you to access your complete interaction history through your account dashboard. This permanent storage enables continuity in your AI interactions and allows you to review previous conversations for personal reference.

Account Information Retention:

We retain your account registration information (name, email, password, referral source) for as long as your account remains active and for a reasonable period thereafter to comply with legal obligations and resolve any potential disputes.

Post-Account Deletion:

When you delete your account, we remove your personal information from our active systems within thirty (30) days. However, we may retain certain information for longer periods when required by law, regulation, or legitimate business purposes, including:

• Legal Compliance: Information required to be retained under applicable laws, regulations, or legal obligations.
• Financial Records: Billing and payment information may be retained for up to seven (7) years to comply with financial recordkeeping requirements.
• Aggregated Data: We may retain anonymized and aggregated data that cannot be used to identify individual users for research and service improvement purposes.

Data Storage Security:

All personal information is stored on secure servers with appropriate technical and organizational security measures. We use industry-standard encryption for data transmission and storage, implement access controls to limit data access to authorized personnel, and regularly review our security practices.

Geographic Storage:

Your personal information may be stored and processed in data centers located in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place for international data transfers in compliance with applicable data protection laws.

8. YOUR PRIVACY RIGHTS

Universal Rights:

Regardless of your location, you have certain fundamental rights regarding your personal information:

• Right to Access: You may request access to the personal information we hold about you, including your account details and conversation history. You can view most of this information directly through your account dashboard.
• Right to Deletion: You may request deletion of your personal information and account at any time. You can delete your account through your account settings or by contacting us at kuhu@ambermind.ai.
• Right to Correction: If any of your personal information is inaccurate or incomplete, you may update it through your account settings or request corrections by contacting us.
• Right to Data Portability: You may request a copy of your personal information in a structured, commonly used, and machine-readable format for transfer to another service provider.

GDPR Rights (EU Residents):

If you are located in the European Union or other jurisdictions where GDPR applies, you have additional rights:

• Right to Restriction: You may request restriction of processing of your personal information under certain circumstances, such as when you contest the accuracy of the data or object to processing.
• Right to Objection: You may object to our processing of your personal information based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent: Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
• Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal information violates GDPR requirements.

CCPA/CPRA Rights (California Residents):

If you are a California resident, you have specific rights under the California Consumer Privacy Act and California Privacy Rights Act:

• Right to Know: You may request information about the categories and specific pieces of personal information we collect, use, disclose, and sell about you, as well as the business purposes for such processing.
• Right to Delete: You may request deletion of personal information we have collected about you, subject to certain exceptions.
• Right to Opt-Out: You have the right to opt-out of the sale of your personal information, though we do not sell personal information as defined by CCPA.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights, including by denying goods or services, charging different prices, or providing different quality of services.
• Right to Correct: You may request correction of inaccurate personal information we maintain about you.

Exercising Your Rights:

To exercise any of these rights, please contact us at kuhu@ambermind.ai with a clear description of your request. We will verify your identity before processing your request and respond within the timeframes required by applicable law.

9. INTERNATIONAL DATA TRANSFERS

Global Operations:

As we operate globally and serve users in multiple jurisdictions, your personal information may be transferred to, stored, and processed in countries other than your country of residence, including the United States where our primary servers are located.

Adequate Protection:

When we transfer personal information from the European Union to countries outside the EU, we ensure that adequate protection is provided through appropriate safeguards, including:

• Standard Contractual Clauses: We implement Standard Contractual Clauses approved by the European Commission to ensure adequate protection for personal data transfers to countries without adequacy decisions.
• Adequacy Decisions: Where possible, we transfer data to countries that have been deemed to provide adequate protection by the European Commission.
• Additional Safeguards: We implement additional technical and organizational measures to ensure the security and protection of transferred personal information.

Legal Compliance:

All international transfers comply with applicable data protection laws, including GDPR requirements for lawful transfers and appropriate safeguards.

10. SECURITY MEASURES

Technical Safeguards:

We implement comprehensive technical security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:

• Encryption: All data transmission between your device and our servers is encrypted using industry-standard SSL/TLS protocols. Personal information stored on our servers is encrypted at rest using advanced encryption standards.
• Access Controls: We implement strict access controls ensuring that only authorized personnel can access personal information, and only to the extent necessary for their job functions.
• Authentication Systems: Multi-factor authentication and strong password requirements protect against unauthorized account access.
• Network Security: Our systems are protected by firewalls, intrusion detection systems, and regular security monitoring to prevent unauthorized access.

Organizational Safeguards:

We maintain organizational policies and procedures to ensure the security and confidentiality of personal information:

• Employee Training: All employees receive regular training on data protection principles, security practices, and privacy requirements.
• Data Minimization: We collect and process only the personal information necessary for the purposes outlined in this Policy.
• Regular Audits: We conduct regular security audits and assessments to identify and address potential vulnerabilities.
• Incident Response: We maintain incident response procedures to quickly identify, contain, and remediate any security incidents.

Limitation of Security:

While we implement robust security measures, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security but are committed to maintaining industry-standard protection for your personal information.

11. CHILDREN'S PRIVACY

Age Restrictions:

Our Service is not intended for children under the age of sixteen (16) years in most jurisdictions, and under eighteen (18) years for independent use. We do not knowingly collect personal information from children below the applicable age limits without appropriate parental consent.

Parental Consent:

In jurisdictions where we permit use by minors aged 16-17 with parental consent, we implement additional safeguards:

• Verification Procedures: We require verified parental consent before allowing minors to create accounts or use our Service.
• Limited Data Collection: We collect only the minimum information necessary to provide the Service to minor users.
• Enhanced Protection: We apply additional privacy protections and restrictions for accounts created by or for minor users.

Inadvertent Collection:

If we become aware that we have inadvertently collected personal information from a child without appropriate consent, we will delete such information promptly upon discovery.

COPPA Compliance:

For any users under 13 years of age in the United States, we comply with the Children's Online Privacy Protection Act (COPPA) requirements, though our Service is generally not directed to such young users.

12. CHANGES TO THIS PRIVACY POLICY

Policy Updates:

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes to this Policy, we will provide notice through appropriate means.

Notification Methods:

We will notify users of material changes to this Privacy Policy through:

• Email Notification: Registered users will receive email notification of material changes at least thirty (30) days before the changes take effect.
• Website Notice: Prominent notice will be posted on our website homepage and within user account dashboards.
• Service Notifications: In-app notifications may be used to inform users of significant privacy-related changes.

Effective Date:

Any changes to this Privacy Policy will become effective on the date specified in the updated Policy. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.

Material Changes:

We consider changes to be material if they significantly affect your privacy rights, expand our data collection practices, or change how we use or share your personal information.

13. LEGAL COMPLIANCE AND REGULATORY FRAMEWORK

Multi-Jurisdictional Compliance:

Our privacy practices are designed to comply with applicable privacy laws and regulations across the jurisdictions where we operate, including:

• United States Federal Law: We comply with applicable federal privacy laws, including sector-specific regulations and FTC guidelines for data protection and consumer privacy.
• State Privacy Laws: We comply with state-specific privacy laws, including the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), and other applicable state privacy regulations.
• European Union GDPR: Our practices comply with the General Data Protection Regulation (GDPR) for users in the European Union and other jurisdictions where GDPR applies.
• International Standards: We follow internationally recognized privacy frameworks and best practices to ensure comprehensive protection for all users.

Regulatory Cooperation:

We cooperate with privacy regulators and supervisory authorities in accordance with applicable law and respond to regulatory inquiries and investigations as required.

Compliance Monitoring:

We regularly review and update our privacy practices to ensure ongoing compliance with evolving privacy laws and regulations.

14. DATA BREACH NOTIFICATION

Incident Response:

In the event of a data breach or security incident that affects your personal information, we maintain comprehensive incident response procedures to minimize impact and ensure appropriate notification.

Notification Timeline:

We will notify affected users of any material data breach within seventy-two (72) hours of becoming aware of the incident, or as otherwise required by applicable law.

Regulatory Notification:

We will notify relevant regulatory authorities of data breaches within the timeframes required by applicable law, including within 72 hours under GDPR where required.

Notification Content:

Data breach notifications will include information about the nature of the breach, types of information involved, steps taken to address the incident, and recommendations for protecting your information.

15. CONTACT INFORMATION AND QUESTIONS

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us using the following information:

• Primary Contact: kuhu@ambermind.ai
• Data Controller: Kuhu Singh
• Company: Expresso Inc.
• Website: https://www.ambermind.ai

Response Timeline: We are committed to responding to all privacy-related inquiries within thirty (30) days of receipt, or within shorter timeframes as required by applicable law.

Supervisory Authority Contact: EU residents may also contact their local data protection authority if they have concerns about our privacy practices that cannot be resolved through direct contact with us.