Privacy policy
Effective date: 6 June 2026
Version: v2026-06-06
This policy describes how Priors collects, processes, and stores personal data. It is written to be specific and operational rather than reassuring. If something here is unclear, write to the contact address in section 13 and we will answer in the same register.
Changes since v2025-06-15: Section 2 (Account data) updated to disclose that email may originate from a third-party identity provider when you sign in with Google. Section 5 expanded with a new "Identity providers" subsection naming Google. No change to legal bases, retention, or your rights.
1. Who we are
Priors is operated by Jessica Johanna Farrimond, a sole proprietor established in Portugal. She is the data controller for all processing described in this policy.
- Postal address: Rua Homens do Andor N.º 2A, 8100-670 Loulé, Algarve, Portugal
- Contact email: info@bioelectricrecovery.com
The contact email is shared with the related practice (Bioelectric Recovery) until the Priors domain has its own address. Mail sent there reaches the same controller.
2. What data we collect
Priors collects four categories of data. We describe each in terms of what it is, not what we hope you feel about it.
Account data. Email address, authentication identifier, sign-up timestamp, country of residence at sign-up. When you sign in with Google, your email and the identifier Google issues for your account are received from Google as part of the OAuth handshake. No other Google profile fields (name, avatar, contact list, etc.) are stored.
Friction events. The text you write describing specific interpersonal moments — what happened, who was involved, what was said. You control the content. Friction events frequently contain information about third parties (the subjects) who have not consented to being described. You are responsible for the legality of what you record about identifiable people.
Subject data. Names, relationship labels, life-context notes, and behavioral profiles you create for the people who appear in your friction events.
Derived analyses. Outputs produced by the analyzer in response to your captured events — type calibrations, recurring priors, predictions, strategy briefs, calibrated message variants, after-action notes.
Operational telemetry. Standard server logs (request times, error traces, source IP) retained briefly for debugging and security. We do not run third-party analytics and we set no non-essential cookies.
3. Legal bases per processing purpose
Article 6 of the GDPR requires a legal basis for each processing purpose. Ours:
| Purpose | Legal basis |
|---|---|
| Providing the service (account creation, sign-in, capture, analysis, storage, retrieval) | Contract (Art. 6(1)(b)) |
| Processing event content that may include sensitive information about you or third parties | Explicit consent for special category data (Art. 9(2)(a)) |
| Improving the analyzer using anonymized usage data | Consent (Art. 6(1)(a)) — optional, withdrawable |
| Sending occasional product update emails | Consent (Art. 6(1)(a)) — optional, withdrawable |
| Defending against legal claims (audit log retention) | Legitimate interests (Art. 6(1)(f)) |
Consent grants and withdrawals are recorded as immutable events. The exact wording you saw at sign-up is stored alongside each consent record, so we can show you what you agreed to at the time you agreed to it.
4. Special category data
The friction events you record may contain special category data under Article 9 — references to health, beliefs, sexual orientation, racial or ethnic origin, political opinions, trade-union membership, or biometric and genetic data — about you or about the people you describe.
We do not solicit this data. The structure of Priors is interpersonal incident analysis; sensitive details surface as a side effect of describing real situations honestly.
Processing of special category data is conditioned on your explicit consent at sign-up (Art. 9(2)(a)). You can withdraw this consent at any time, but doing so requires account deletion because the analyzer cannot operate on event content without it.
The analyzer receives event text in order to produce the analyses you request. The model processes the content during the request and we do not direct the provider to retain it for training. See section 5 for the provider's own policies.
5. Subprocessors and data residency
Priors uses two subprocessors. Both are bound by data processing agreements.
Supabase, Inc. (US-hosted) — provides the Postgres database, authentication, and storage that hold your account data, events, subjects, and derived analyses. For users in the EU/EEA, transfers to the United States are governed by Standard Contractual Clauses (SCCs). Once the EU/EEA operator count crosses 100, Priors will migrate to Supabase's EU region.
Anthropic, PBC (US-hosted) — operates the Claude language models that produce the 5-layer analyses, recurring-prior detection, and other analyzer outputs. Event content is transmitted to Anthropic during the request and returned as a structured analysis. Anthropic's API terms govern their processing. Transfers are governed by SCCs.
Identity providers. When you choose to sign in with a third-party identity provider, that provider receives your sign-in request and shares your email back with us so we can identify your account. The identity provider remains the controller of the underlying account data they hold about you — we receive only the limited fields needed to authenticate the session.
- Google LLC (US-hosted) — Sign in with Google. Google receives the fact of your sign-in request to Priors and shares your email address and a stable Google account identifier back to us. Google's own privacy policy governs the data they hold about you outside this exchange. Transfers governed by SCCs.
We do not use any other subprocessor or identity provider. No third-party analytics, advertising, or cookie-based tracking is enabled.
6. Retention
| Data | Retention |
|---|---|
| Account, events, subjects, analyses | Until you delete your account |
| Consent log | Retained for the life of the account and 3 years after deletion, as required for accountability (Art. 5(2)) |
| Processing audit log | 3 years from the date of the operation, then deleted |
| Server-level database backups | 7 days (Supabase default) |
| Anonymized training contributions (if you consented) | Indefinitely once anonymized; no longer linkable to you and not subject to erasure requests |
Account deletion runs after a 7-day grace period. During that window the request can be cancelled from the settings page. After the grace period expires, your account data is hard-deleted from the live database. Backups containing your data roll off within 7 days of deletion under Supabase's default policy.
7. Your rights
Under the GDPR you have the following rights:
- Access — receive a copy of the personal data we hold about you.
- Rectification — correct inaccurate data.
- Erasure — request deletion of your data.
- Restriction — require us to stop processing your data while keeping it stored.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdrawal of consent — for any consent-based processing, withdraw consent without affecting prior lawful processing.
- Lodging a complaint — with your local supervisory authority (see section 9).
The analyzer produces advisory pattern reads that you apply at your own discretion. Priors does not make automated decisions about you that produce legal effects or similarly significant decisions on your behalf.
8. How to exercise your rights
Most rights are exercisable directly inside the application at /dashboard/settings/privacy:
- Access and portability — export your full account data as a single structured JSON file.
- Erasure — schedule account deletion (7-day grace period; cancellable).
- Restriction — toggle processing restriction. While active, the analyzer will not run on your data.
- Consent withdrawal — toggle off optional consents (training contribution, product updates). Required consents (service provision, special category data) can only be withdrawn by deleting the account.
For rights that are not yet exposed in the application (for example, rectification of system-generated analyses), write to the contact address in section 13. We aim to respond within one month, as required by Art. 12(3).
9. Supervisory authority
The lead supervisory authority is Comissão Nacional de Proteção de Dados (CNPD), Portugal.
- Website: https://www.cnpd.pt
- Address: Av. D. Carlos I, 134, 1.º, 1200-651 Lisboa, Portugal
If you live in another EU/EEA member state, you may also lodge a complaint with your local supervisory authority. The CNPD will coordinate cross-border cases through the European Data Protection Board.
10. Cookies and tracking
Priors uses only essential cookies required to keep you signed in (the Supabase session cookie). We do not use third-party analytics, advertising networks, retargeting pixels, or any cookie-based tracking. There is no cookie banner because there is nothing non-essential to consent to. The session cookie is set by the authentication provider (Supabase) on sign-in and removed on sign-out.
11. Children
Priors is not intended for use by anyone under 18. We do not knowingly create accounts for minors. If you believe a minor has signed up, write to the contact address and we will delete the account.
12. Changes to this policy
We will update this policy when:
- A material change to processing occurs (new subprocessor, new purpose, change of legal basis).
- The text needs to be made clearer.
When the policy changes materially, the version identifier in the filename and in the consent log will change. You will be asked to acknowledge the new version on next sign-in if the change affects what you previously consented to. Prior versions remain attached to your historical consent records so you can always see what you agreed to at the time.
13. Contact
For any question about this policy, to exercise a right that is not yet self-serve, or to report a concern:
- Email: info@bioelectricrecovery.com
- Post: Rua Homens do Andor N.º 2A, 8100-670 Loulé, Algarve, Portugal
We do not have a Data Protection Officer at the current operator count. We will appoint one when the user base, or the nature of the processing, crosses the threshold that would require it under Art. 37.