Privacy Policy

Last Updated: October 7, 2024

At Dr. Tunnel, we take your privacy and the confidentiality of your therapeutic conversations seriously. This Privacy Policy explains how we collect, use, protect, and share your information when you use our AI therapy application.

1. Information We Collect

Personal Information

  • Account Information: Email address, username (if provided), and device identifiers
  • Profile Information: Optional demographic information you choose to share
  • Conversation Data: Messages you send to Dr. Tunnel and AI responses
  • Usage Information: App interaction patterns, session frequency, and feature usage

Technical Information

  • Device Information: Device type, operating system, app version
  • Connection Data: IP address, network type, and connection timestamps
  • Analytics Data: App performance metrics, error reports, and crash logs

Health Information

  • Mental Health Conversations: Discussions about emotions, thoughts, and mental wellness
  • Self-Reported Information: Mood states, stress levels, and wellness goals you share
  • Usage Patterns: Therapy session frequency and engagement metrics

2. How We Use Your Information

Primary Purposes

  • Therapy Services: Provide personalized AI therapy responses and guidance
  • Account Management: Maintain your account, preferences, and usage history
  • Safety and Security: Protect against misuse, fraud, and security threats
  • Service Improvement: Enhance AI responses, fix bugs, and develop new features

Secondary Purposes

  • Research (Anonymized): Improve mental health AI with aggregated, non-identifiable data
  • Legal Compliance: Meet regulatory requirements and legal obligations
  • Communication: Send important service updates and safety information

3. AI Model Usage and Data Sharing

🤖 AI Processing Notice

Dr. Tunnel uses third-party AI services (including OpenRouter and various AI model providers) to generate therapeutic responses. Here's how your data is handled:

Data Sent to AI Providers

  • Conversation Content: Your messages and conversation history are sent to AI models
  • Context Information: Previous conversation context to maintain therapeutic continuity
  • No Personal Identifiers: We do not send your name, email, or other identifying information

AI Provider Commitments

  • OpenRouter: Committed to not training models on user data
  • Model Providers: We only work with providers who agree not to use therapy conversations for training
  • Encryption: All data is transmitted using industry-standard encryption

Data Processing Safeguards

  • AI conversations are processed in real-time and not stored by most providers
  • We use data processing agreements (DPAs) with all AI service providers
  • Regular security audits of our AI provider partners

4. Data Protection and Security

Technical Safeguards

  • Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access with multi-factor authentication
  • Data Minimization: We collect only necessary information for service provision
  • Secure Infrastructure: Cloud services with SOC 2 Type II certification

Organizational Safeguards

  • Employee Training: Regular privacy and security training for all team members
  • Incident Response: Comprehensive breach notification and response procedures
  • Regular Audits: Quarterly security assessments and vulnerability testing

5. Third-Party Services

AI and Infrastructure Partners

  • OpenRouter: AI model routing and management
  • Cloud Hosting: Secure data storage and application hosting
  • Analytics Services: App performance monitoring (anonymized data only)

Data Sharing Limitations

  • We never sell your personal information
  • We never share identifiable information for marketing purposes
  • Third parties are contractually bound to protect your data
  • All sharing is limited to service provision and improvement

6. Your Rights and Choices

Access and Control

  • Data Access: Request a copy of your personal information
  • Data Correction: Update or correct inaccurate information
  • Data Deletion: Request deletion of your account and associated data
  • Data Portability: Export your conversation history in a readable format

Privacy Controls

  • Conversation Deletion: Delete individual conversations or all history
  • Account Deactivation: Temporarily disable your account
  • Communication Preferences: Opt out of non-essential communications

How to Exercise Rights

To exercise any of these rights, contact us at privacy@drtunnel.app or through the app's settings. We'll respond within 30 days.

7. Data Retention

Retention Periods

  • Conversation Data: Retained until you delete or 3 years of inactivity
  • Account Information: Retained while your account is active
  • Technical Logs: Automatically deleted after 90 days
  • Deleted Data: Permanently removed within 30 days of deletion request

Legal Retention

We may retain certain information longer if required by law, for safety reasons, or to protect our legal rights.

8. Children's Privacy (COPPA Compliance)

🔞 Age Restrictions

Dr. Tunnel is designed for users aged 17 and older. We do not knowingly collect information from children under 13.

COPPA Protections

  • No collection of personal information from children under 13
  • Age verification required during account creation
  • Parents can contact us to delete any child's information discovered
  • No targeted advertising to children

Teens (13-16)

  • Parental consent may be required in some jurisdictions
  • Enhanced privacy protections for teen users
  • Crisis resources specifically for young people

9. Health Information (HIPAA Considerations)

⚕️ HIPAA Status

Dr. Tunnel is not a covered entity under HIPAA, as we are not a healthcare provider, health plan, or healthcare clearinghouse. However, we implement HIPAA-level protections for your health information.

Health Data Protections

  • Confidentiality: Mental health conversations treated with highest confidentiality
  • Security: HIPAA-level technical safeguards for health information
  • Access Controls: Strict limitation on who can access health-related data
  • Audit Trails: Comprehensive logging of all health data access

Health Information Sharing

  • We do not share health information except as required by law
  • Emergency situations may require disclosure to prevent harm
  • Aggregated, anonymized data may be used for research

10. Cookies and Tracking

Cookie Usage

  • Essential Cookies: Required for app functionality and security
  • Analytics Cookies: Anonymous usage statistics (opt-out available)
  • No Advertising Cookies: We do not use cookies for advertising tracking

Tracking Technologies

  • Local Storage: App preferences and session data stored locally
  • Device Analytics: Anonymous app performance monitoring
  • No Cross-Site Tracking: We do not track users across other websites

11. International Users

Data Transfers

  • US-Based Services: Data primarily processed in the United States
  • Adequacy Protections: Transfer mechanisms comply with applicable laws
  • EU Users: GDPR rights respected regardless of data location

Regional Compliance

  • GDPR (EU): Full compliance with European data protection laws
  • CCPA (California): California Consumer Privacy Act protections
  • Local Laws: Additional compliance with applicable regional privacy laws

12. Changes to This Policy

Notification Process

  • Email Notification: Material changes sent to registered email addresses
  • In-App Notice: Prominent notification within the application
  • Website Update: Current policy always available at drtunnel.app/privacy
  • 30-Day Notice: Advance notice before material changes take effect

Your Options

If you don't agree with policy changes, you may delete your account and stop using our services. Continued use after changes indicates acceptance.

13. Contact Information

Privacy Inquiries

Email: privacy@drtunnel.app

Support: support@drtunnel.app

Response Time: Within 3 business days for privacy requests

Data Protection Officer

For GDPR-related inquiries, contact our Data Protection Officer at dpo@drtunnel.app

Mailing Address

Dr. Tunnel Privacy Team
[Address to be provided]
United States

🚨 Emergency Situations

This privacy policy does not apply to emergency situations where disclosure may be necessary to prevent imminent harm. If you're in crisis, please contact emergency services immediately.