Privacy Policy

1. Who We Are

AfterLight is operated by Umbrella Research. We are the data controller responsible for your personal data. If you have any questions about how we handle your data, please contact us at privacy@umbrella-research.org.

2. What Data We Collect

3. How We Use Your Data

We process your data for the following purposes:

• Account management and authentication — Legal basis: Contract performance (Art. 6(1)(b) GDPR) • Memory reflection and AI-generated responses — Legal basis: Contract performance (Art. 6(1)(b) GDPR) • Embedding generation for semantic memory search — Legal basis: Contract performance (Art. 6(1)(b) GDPR) • Session management via essential cookies — Legal basis: Contract performance (Art. 6(1)(b) GDPR) • Contact form processing — Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) • Newsletter communications (only with your consent) — Legal basis: Consent (Art. 6(1)(a) GDPR) • Abuse prevention and rate limiting — Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) • Anonymous analytics (only with your consent) — Legal basis: Consent (Art. 6(1)(a) GDPR)

4. AI Processing

AfterLight uses AI (powered by OpenAI) to generate reflective responses based on the memories you share. Your memory descriptions and conversation messages are sent to OpenAI's API for processing. Under OpenAI's API terms, this data is not used to train their models. AI-generated responses are clearly labeled as such throughout the application. Ben is an AI companion — not a real person.

5. Third-Party Processors

We use the following third-party services to provide AfterLight:

• OpenAI (United States) — AI response generation and embedding creation. Protected by Standard Contractual Clauses (SCCs). API data is not used for model training. • Google Cloud (EU, europe-west1, Belgium) — Hosting, database, and secret management. All persistent data remains in the EU. • Cloudflare (Global) — CAPTCHA verification (Turnstile). No personal data is stored by Cloudflare through this service. • Google Analytics (Global) — Anonymous usage analytics. Only active when you consent to analytics cookies. IP addresses are anonymized. Data is processed globally by Google but contains no personally identifiable information.

6. Data Residency

All persistent user data (accounts, memories, embeddings, materials, consent records) is stored in the European Union (Google Cloud SQL, Belgium). When you interact with Ben, conversation content is transmitted to OpenAI servers in the United States for processing, but is not stored by OpenAI under their API data usage terms. If you consent to analytics, anonymous and aggregated usage data is processed globally by Google Analytics — this data contains no personally identifiable information.

7. Data Retention

We retain your data for the following periods:

• Account data — Until you delete your account • Memories, groups, and relations — Until you delete them or delete your account • Sessions — 30 days from creation • Email verification tokens — 24 hours • Password reset tokens — 1 hour • Contact form submissions — 12 months • Website chat conversations — 30 minutes (in-memory only, not persisted)

8. Your Rights

Under the GDPR, you have the following rights:

• Right of access — You can export all your data from the Settings page. • Right to erasure — You can delete your account and all associated data from the Settings page. • Right to rectification — You can edit your memories at any time through conversation with Ben. • Right to data portability — You can download your data as a JSON file from the Settings page. • Right to lodge a complaint — You have the right to complain to your local data protection supervisory authority.

To exercise any of these rights, use the in-app features or contact us at privacy@umbrella-research.org.

9. Cookies

AfterLight uses a single essential cookie (afterlight_session) for authentication. This cookie is strictly necessary for the service to function and does not require consent under the ePrivacy Directive. Analytics cookies (Google Analytics GA4) are only set if you explicitly consent via the cookie banner. We do not use tracking, advertising, or social media cookies. For more details, see our Cookie Policy.

10. Security

We take the security of your data seriously. All connections use HTTPS encryption. Passwords are hashed with bcrypt. Session cookies are HTTP-only and Secure. Data at rest is encrypted via Google Cloud SQL encryption. Access to production systems is restricted to authorized team members.

11. Children

AfterLight is not intended for use by children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page indicates when it was last revised. If we make material changes, we will notify registered users via email or through a notice in the application.

13. Contact

For any questions about this Privacy Policy or our data practices, contact us at privacy@umbrella-research.org.