Privacy Policy

MoodSpan ("we," "us," or "our") operates the website moodspan.org(the "Site"). This Privacy Policy explains what information we collect, how we use it, and your choices regarding that information.

1. Information We Collect

Information you provide

• Account information — If you sign in with Google, we receive your name, email address, and profile picture from Google OAuth. We do not receive or store your Google password.
• Screening tool responses— If you complete a screening instrument (e.g., PHQ-9, GAD-7) while signed in, your scores are saved to your account so you can track them over time. Anonymous users' screener results are stored only in their browser (localStorage) and are never sent to our servers.
• Chat messages — Messages you send to Aura (our clinical assistant) are processed in real time to generate a response. We do not permanently store the content of your chat conversations.
• Feedback — Thumbs-up/down ratings you provide on Aura responses are logged to help us improve quality.

Information collected automatically

• Analytics — We use Vercel Analytics, which collects anonymous page-view data (page URL, referrer, browser type, country). Vercel Analytics does not use cookies and does not track individual users across sites.
• Rate-limiting data — We store a hashed version of your IP address temporarily to enforce per-IP rate limits on the chat API. This data is automatically deleted after a short retention window.
• Local storage— We use your browser's localStorage (not cookies) to remember your color-theme preference, anonymous screener results, and current conversation context. This data never leaves your device unless you are signed in and explicitly save screener results.

2. How We Use Your Information

• To provide and improve the Site and Aura assistant
• To display your screener history and longitudinal trends (signed-in users)
• To process subscription payments through Stripe
• To enforce rate limits and prevent abuse
• To analyze aggregate usage patterns (no individual tracking)

3. Third-Party Services

We share limited data with the following providers, each under their own privacy policies:

• Google OAuth — Authentication only. We receive your name, email, and profile picture.
• Stripe — Payment processing. Stripe collects your payment details directly; we never see or store your full card number.
• Groq— AI inference for Aura. Your chat messages are sent to Groq's API to generate responses. Groq processes data per their privacy policy.
• Vercel — Hosting and analytics. Anonymous page-view data is collected.
• Neon — Database hosting for account and screener data.
• Upstash — Redis hosting for rate limiting. Stores hashed IP addresses temporarily.
• Cloudflare — DNS and domain security.

We do not sell, rent, or trade your personal information to any third party.

4. Data Retention

• Account data — Retained as long as your account exists. You may request deletion at any time.
• Screener results — Retained as long as your account exists, or until you request deletion.
• Chat messages — Not permanently stored. Message content is discarded after response generation.
• Rate-limit records — Automatically expire within minutes.
• Analytics — Aggregated, anonymous data retained by Vercel per their policy.

5. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Object to or restrict certain processing
• Export your data in a portable format

To exercise any of these rights, email contact@moodspan.org. We will respond within 30 days.

6. Cookies

MoodSpan does not set tracking cookies. We use browser localStorage for preferences and session data (theme, screener results, conversation context). Vercel Analytics is cookie-free. Third-party services (Google OAuth, Stripe) may set their own cookies during authentication or checkout flows.

7. Security

We use HTTPS encryption for all data in transit, environment variable secrets for API keys, input validation and rate-limiting to prevent abuse, and standard security practices for data at rest. No system is perfectly secure — if you discover a vulnerability, please contact us at contact@moodspan.org.

8. Children

MoodSpan is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of the Site after changes constitutes acceptance of the revised policy.