Privacy Policy

AKA AI ("we," "us," or "the Company") is committed to protecting the privacy of your personal information. This Privacy Policy describes how we collect, use, store, share, and transfer personal information in connection with MindMuse (the "Service"), a mental-health journaling and AI companion service operated by AKA AI.

This Policy is designed to comply with Korea's Personal Information Protection Act (PIPA), Japan's Act on the Protection of Personal Information (APPI), the EU/UK General Data Protection Regulation (GDPR), the California Privacy Rights Act (CPRA), the Washington My Health My Data Act (MHMDA), and Section 5 of the FTC Act.

1. Scope and Sensitive-Data Notice

The Service collects information about your emotional state, sleep, medication, journal entries, and chat messages and analyzes them with AI. These categories constitute sensitive / special-category personal information under multiple laws:

• Korea PIPA Article 23: "민감정보"
• Japan APPI: "要配慮個人情報" (special-care-required personal information)
• California CPRA: "Sensitive Personal Information"
• Washington MHMDA: "Consumer Health Data"
• EU GDPR Article 9: "data concerning health"

We obtain separate, explicit consent before processing such data and never use it for purposes other than those disclosed.

2. Information We Collect

2.1. Account Information

• Email address, password (hashed)
• For Google sign-in: Google account identifier, email, name, profile picture URL
• Display name
• IP address, User-Agent, country code (for consent-audit logs and security)

2.2. Sensitive Data You Provide

• Journal entries (emotions, thoughts, events, free-form text)
• Muse Chat messages (full conversation)
• Sleep records (bedtime, first-wake, wake-up time)
• Medication records (medication name, quantity, time taken, notes)
• AI analysis output (head / heart / belly scores, keywords, insight text)

2.3. Automatically Collected

• Access logs (session IDs), error logs, usage statistics
• Approximate location (country-level, inferred from IP) for consent routing

2.4. Connect Community Content

When you use the Connect community, we collect the following. Connect content is created with the intent of being shared with other signed-in Users, so the items in this section are treated as published Content rather than sensitive personal information.

• Post, comment, and reply text (title, body, category)
• Reactions (likes) — target post/comment ID and timestamp
• Reports — target post/comment ID, reason enum, free-text note, and resolution result
• Moderation audit trail — admin actions and timestamps

We do not collect government-issued identifiers (social security numbers, passport numbers, etc.).

3. Purposes of Processing

4. Processors and Cross-Border Transfers

4.1. Sub-Processors

4.2. Cross-Border Transfer Disclosure

When you use AI analysis, chat, or medication-record features, the following information is transferred to Google infrastructure located in the United States or other Google data-center regions.

4.2.1. Journal and chat AI analysis (Vertex AI Gemini)

4.2.2. Medication-name lookup (Vertex AI Search)

When you enter a medication record and the medication is not yet present in our database or local cache, the medication-name string you entered is sent to Google Vertex AI Search to be matched against the public-website index of the Korean Health Insurance Review & Assessment (health.kr).

We have executed Google Cloud's Data Processing Addendum (DPA) and rely on Standard Contractual Clauses (SCCs). The "customer data is not used for training foundation models" commitment applies to Vertex AI. See Google's Vertex AI data governance documentation.

4.3. Your Choice

You may decline or revoke AI-analysis consent at any time. In that case, your journals and chats will not be sent to Vertex AI (Gemini), but AI analysis and Muse Chat features will be unavailable.

If you do not use the medication-record feature, no medication-name data is sent to Vertex AI Search. Even when you do use it, medications already matched in our database or local cache are never transferred, and for the same normalized medication name a transfer only occurs on the very first lookup.

4.4. Connect Community Content and External Transfers

Unlike journals and chats, Connect posts, comments, reactions, and reports are not transmitted to Google Vertex AI or any other external AI provider, and are not used for AI analysis or model training. The data in this section does not leave the sub-processor infrastructure listed in §4.1.

5. Retention and Deletion

6. Security Measures

• Encryption at rest: All sensitive fields (journal, chat, analysis, medication) are encrypted at the application layer with AES-256-GCM before being stored in the database.
• Plaintext exception for Connect content: Connect posts and comments are content that you intentionally publish to other signed-in Users, and so for search, listing, and moderation reasons they are stored in plaintext. Avoid including identifying information, contact details, diagnostic labels, or anything else you wish to keep private.
• Encryption in transit: All client ↔ server ↔ AI-provider traffic is encrypted via TLS 1.2+.
• Access control: The database is not directly exposed to public networks; all data access is mediated by the authentication and authorization layer of our application server. Per-user data (journals, chats, analysis output, medication records, etc.) is filtered server-side by the authenticated user identifier so that only the owning user can read it. Connect content, by design, is visible to all signed-in Users; designated administrators ("admins") may additionally view reported posts and comments within their moderation scope.
• Key management: Encryption keys are stored in the hosting environment's secret manager, isolated from source control, and operated under a policy that supports scheduled and emergency rotation.
• Data-minimization: We collect only what is necessary to operate the Service.

7. Your Rights

You may exercise the following rights at any time:

• Access, rectification, erasure, restriction of processing
• Account deletion via Settings → Delete Account (wipes all your data)
• Withdraw consent via Settings → Consent Management
• Data portability (structured export) — for users covered by GDPR, APPI, or CPRA

Requests may be submitted through in-app Settings or by emailing info@akaintelligence.com. We will respond within 10 business days after verifying identity.

8. Children's Privacy

We do not knowingly collect personal information from children under 14 (Korea), 16 (EU/EEA), 13 (US — COPPA), or 16 (Japan — APPI guidance). If we become aware of such collection, we will delete the account promptly.

9. Crisis Resource Display

When the journal, chat, or Connect post/comment text you submit contains signals related to a personal crisis (such as self-harm or suicide), we display professional-resource and crisis-hotline information on screen at the time the text is saved (or sent). This detection runs on your device, and the result is not stored on our servers and is not separately recorded on your device. This display is informational only and is not a substitute for medical diagnosis or intervention. Because the feature relies on simple keyword-based automated text analysis, it does not guarantee detection of every crisis signal.

For Connect community content, we operate a keyword-based prioritization filter to protect other Users. Posts or comments that match the filter, or that are reported by another User, are prioritized in the admin moderation queue, and admins may take guidance, hide, or remove actions as appropriate. During this review, admins can see only the reported content and the author's identifier; they do not access the author's private journals, chats, or analysis output.

We do not disclose these signals to third parties (insurers, employers, etc.). We will respond to lawful law-enforcement requests only in accordance with applicable law.

10. Cookies

We use the minimum number of cookies required for login and consent management:

• Authentication session cookie: maintains login state
• Transient consent cookie (mm_pending_consents): passes consent selections to the social-login callback (≤10 minutes)
• Theme/language preferences: stored in localStorage (not cookies)

We do not use third-party analytics or advertising cookies such as Google Analytics.

11. Additional Notices for US Residents

11.1. California (CPRA)

California residents have the right to limit the use of Sensitive Personal Information, opt out of sale/sharing, and to non-discrimination. We do not sell personal information nor share it for cross-contextual behavioral advertising.

11.2. Washington (My Health My Data Act)

We treat your mental-health data as "Consumer Health Data" under MHMDA and obtain a Valid Authorization through our AI-analysis consent flow. You may withdraw authorization at any time.

11.3. FTC Section 5

We strive to maintain consistency between this Policy and our actual data practices and follow the FTC's 2023 guidance on mental-health apps.

12. Additional Notices for Japanese Users

For "要配慮個人情報" we obtain separate explicit consent as required by the APPI. Because not all countries where Google LLC operates data centers are listed as "equivalent countries" by Japan's Personal Information Protection Commission (PPC), cross-border transfers to those locations are made under consent-based transfer (APPI Art. 28) with the following reference information:

• Major destination countries and their privacy frameworks:
  • United States: No comprehensive federal privacy law; state laws (California CPRA, Washington MHMDA, etc.) apply.
  • EU member states / United Kingdom: GDPR / UK GDPR apply (Japan's PPC recognizes the EU and the UK as equivalent jurisdictions).
  • Japan / Republic of Korea: Each country's domestic privacy law applies.
  • Other Google data-center countries: Local privacy laws apply. See Google Cloud locations for the current list of regions.
• Recipient safeguards: Google LLC maintains certifications including ISO 27001, ISO 27017, ISO 27018, and SOC 2 Type II, and has executed the EU Standard Contractual Clauses (SCCs) and Google Cloud Data Processing Addendum (DPA).

13. EEA / UK Users

Our lawful bases under GDPR and UK GDPR are:

• Performance of a contract (Art. 6(1)(b)): account, journaling, chat storage
• Explicit consent (Art. 6(1)(a) & Art. 9(2)(a)): AI analysis (health data), marketing
• Legitimate interests (Art. 6(1)(f)): security, fraud prevention

Transfers outside the EEA / United Kingdom (to the United States and other countries where Google LLC operates data centers, as determined by Google's global routing policy) rely on Google Cloud's EU Standard Contractual Clauses (SCCs) and the Google Cloud Data Processing Addendum (DPA), supplemented where required by additional safeguards (encryption, access controls). Where data is processed in countries that have not received an Adequacy Decision, Google's global security certifications (ISO 27001 / 27017 / 27018, SOC 2 Type II) serve as additional safeguards. You may lodge a complaint with your local supervisory authority.

14. Contact and Redress

• Data Protection Officer: AKA AI Privacy Team
• Email: info@akaintelligence.com
• Address: 100 Cheonggyecheon-ro, Signature Tower (West), 9th fl, Jung-gu, Seoul, Republic of Korea, 04542
• Response time: within 10 business days

You may also contact the following authorities:

• Korea: Personal Information Dispute Mediation Committee (1833-6972), Korea Internet & Security Agency (118), Cyber Crime Unit of the National Police Agency (182)
• Japan: Personal Information Protection Commission (+81-3-6457-9849)
• EU/EEA: Your country's Data Protection Authority
• US: Federal Trade Commission (FTC), your State Attorney General

15. Changes to This Policy

We will notify you through in-app notices and email at least 7 days before an update takes effect (30 days if the change materially affects you). Material changes may require renewed consent.