Innate — operated by Lotus Audaz, Lda

Effective date: 28 April 2026

Last updated: 28 April 2026

Contact: hello@innate.love


1. Introduction

At Innate we take your privacy seriously. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what rights you have.

Data Controller

Lotus Audaz, Lda

Rua Cândido dos Reis 112, 8600-681 Lagos, Portugal

hello@innate.love

This policy applies to users of the Innate mobile application and covers our compliance with:

  • The General Data Protection Regulation (GDPR) — EU Regulation 2016/679
  • The UK GDPR as incorporated into UK law by the Data Protection Act 2018 — for users in the United Kingdom
  • The California Consumer Privacy Act (CCPA) as amended by the CPRA — for California residents
  • Lei n.º 58/2019 (Portuguese GDPR implementation law)

2. Data We Collect

2.1 Account Information

  • First name, last name, email address, password (hashed)
  • Profile avatar image (optional)
  • Account preferences and settings

2.2 Video Recordings (Special Category Data)

When you create a recording in Innate we collect:

  • The video file itself (stored securely in AWS S3)
  • The date, time, and duration of the recording
  • Life tags you attach (contextual labels about your situation)
  • Any prompts or challenges the recording responds to

2.3 Emotional & Mental Health Data (Special Category Data)

  • Emotion type and sub-emotions you self-select
  • Emotion intensity (on a 0–100 scale)
  • AI-detected emotions derived from your video (see Section 4)
  • Emotional statistics and patterns over time

2.4 Community & Social Data

  • Challenges you enrol in and your responses
  • Replies you make to other users' recordings
  • Content you choose to share publicly within the community

2.5 Technical & Device Data

  • Push notification device token
  • App version, device type, and operating system (via Expo)
  • Crash reports and error logs (via Sentry — see Section 5)
  • Session tokens (stored in encrypted device storage)

2.6 Authentication Data

If you sign in with Google: your Google email address, first name, and last name (we do not receive your Google password)

3. Legal Basis for Processing

(GDPR and UK GDPR)

The article references below apply equally to both the EU GDPR and the UK GDPR, which share identical article numbering.

Data Type | Legal Basis
Account information | Performance of contract (Art. 6(1)(b))
Video recordings | Explicit consent (Art. 6(1)(a) + Art. 9(2)(a))
Facial analysis (biometric) | Explicit consent (Art. 6(1)(a) + Art. 9(2)(a))
Emotional health data | Explicit consent (Art. 6(1)(a) + Art. 9(2)(a))
AI emotion analysis | Explicit consent (Art. 6(1)(a) + Art. 9(2)(a))
Push notifications | Consent (Art. 6(1)(a))
Security & error logging | Legitimate interests (Art. 6(1)(f))
Legal compliance | Legal obligation (Art. 6(1)(c))

You may withdraw your consent to any consent-based processing at any time (see Section 8). Withdrawal will not affect the lawfulness of processing carried out before withdrawal.

4. AI Processing of Your Recordings

This section describes automated processing of special category data. Your explicit consent is required before this processing takes place.

When you record a video entry and consent to AI analysis, your recording is processed through the following pipeline:

4.1 AWS Rekognition (Facial Emotion Detection)

  • Your video is analysed by Amazon Web Services Rekognition
  • This service detects faces and identifies emotional expressions frame by frame
  • Only facial emotional signals are extracted — no persistent facial identity profile is created
  • Raw Rekognition data is not shared externally and is used solely to inform emotion classification

4.2 AWS Transcribe (Speech-to-Text)

  • The audio in your video is converted to a text transcript
  • This transcript is used as input for emotion analysis and is stored temporarily in AWS S3
  • Transcripts are linked to your recording and stored under your account

4.3 AI Emotion Classification (AWS Bedrock — Claude)

  • The facial analysis results and audio transcript are combined and processed by a large language model (Claude, provided by Anthropic via AWS Bedrock)
  • This model classifies your emotional state into one of eight categories: Joy, Peace, Love, Power, Fear, Anger, Grief, Apathy
  • The classified emotion is stored as your AI-detected emotion for that recording
  • No raw video content is sent to the language model — only structured analysis outputs

You can disable AI processing at any time in your App settings. This will prevent future AI analysis but will not retroactively delete results already generated.

5. Third Parties We Share Data With

We do not sell your personal data. We share data with the following third-party processors only to the extent necessary to provide the Service:

Third Party | Purpose | Data Shared | Location
Amazon Web Services (AWS) | Hosting, storage, database, AI processing (Rekognition, Transcribe, Bedrock), email (SES), monitoring (CloudWatch) | All data | EU (Ireland, eu-west-1)
Sentry (Functional Software Inc.) | Crash reporting and error monitoring | Error logs, app state, limited user context | USA (SCCs / IDTAs apply)
Google LLC | Sign-in via Google OAuth | Email, name (if you use Google sign-in) | USA (SCCs / IDTAs apply)
Expo (Expo Inc.) | Push notifications | Device push token | USA (SCCs / IDTAs apply)

All third-party processors are bound by data processing agreements and are required to process data only on our instructions.

6. International Data Transfers

Our primary infrastructure is hosted on AWS eu-west-1 (Ireland), within the European Economic Area (EEA).

Some third-party processors (Sentry, Google, Expo) are based in the United States. Where data is transferred outside the EEA or UK, we ensure appropriate safeguards are in place:

For EU users:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914)
  • Adequacy decisions where applicable

For UK users:

  • International Data Transfer Agreements (IDTAs) approved by the UK Secretary of State under the Data Protection Act 2018
  • UK adequacy regulations where applicable

The UK has been granted an adequacy decision by the European Commission, meaning transfers of personal data from the EU to the UK are permitted without additional safeguards. Data stored on our EU-based infrastructure (AWS Ireland) is therefore accessible to UK users without restriction.

7. Data Retention

We retain your personal data only for as long as necessary. Full details are in our Data Retention Policy, summarised here:

Data Category | Retention Period
Account information | Duration of account + 30 days post-deletion
Video recordings | Duration of account + 30 days post-deletion
AI emotion analysis results | Duration of account + 30 days post-deletion
Audio transcripts | Duration of account + 30 days post-deletion
Error logs (Sentry) | 90 days
Server logs (CloudWatch) | 1 year
Anonymised/aggregated analytics | Indefinitely (cannot be linked to you)

8. Your Rights

(GDPR and UK GDPR)

If you are located in the EU/EEA or the United Kingdom, you have the following rights:

  • Right of access — you can request a copy of all personal data we hold about you
  • Right to rectification — you can correct inaccurate data
  • Right to erasure — you can request deletion of your data ("right to be forgotten")
  • Right to restriction — you can ask us to pause processing of your data
  • Right to data portability — you can request your data in a machine-readable format
  • Right to object — you can object to processing based on legitimate interests
  • Right to withdraw consent — you can withdraw any consent at any time without affecting prior processing
  • Right not to be subject to automated decision-making — the AI emotion analysis described in Section 4 informs your personal experience but does not produce legal or similarly significant effects

To exercise any right, contact us at hello@innate.love with the subject line "Data Rights Request". We will respond within 30 days.

You also have the right to lodge a complaint with your local supervisory authority:

  • Portugal / EU: CNPD (Comissão Nacional de Proteção de Dados) — www.cnpd.pt
  • United Kingdom: ICO (Information Commissioner's Office) — www.ico.org.uk

9. Your Rights

(CCPA — California Residents)

If you are a California resident, you have the following rights under the CCPA/CPRA:

  • Right to know — what personal information we collect, use, disclose, and sell
  • Right to delete — request deletion of personal information we hold about you
  • Right to correct — request correction of inaccurate personal information
  • Right to opt out of sale or sharing — we do not sell or share your personal information for cross-context behavioural advertising
  • Right to limit use of sensitive personal information — you can limit our use of sensitive personal information (including health data, biometric data, and precise geolocation) to what is necessary to provide the Service
  • Right to non-discrimination — we will not discriminate against you for exercising your privacy rights

Categories of personal information collected (CCPA categories):

  • Identifiers (name, email)
  • Internet or other electronic network activity (app usage, crash logs)
  • Audio/visual information (video recordings)
  • Biometric information (facial analysis data)
  • Health information (emotional and mental wellness data)
  • Inferences drawn from personal information (AI emotion classifications)

We do not sell personal information as defined under the CCPA.

To exercise your CCPA rights, contact us at hello@innate.love with the subject line "CCPA Privacy Request".

10. Children's Privacy

Innate is not intended for users under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has created an account, please contact us at hello@innate.love and we will delete the account and all associated data promptly.

11. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • HTTPS/TLS encryption for all data in transit
  • AES encryption at rest (AWS managed keys) for databases and file storage
  • Authentication tokens stored in encrypted device storage (Expo Secure Store)
  • AWS Secrets Manager for all service credentials
  • Web Application Firewall (AWS WAFv2) protecting our API
  • Access controls and IAM policies limiting who can access what data
  • VPC network isolation for database and backend services

Despite these measures, no system is completely secure. If you discover a security vulnerability, please disclose it responsibly to hello@innate.love.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via in-app notification or email at least 14 days before they take effect. The "Last updated" date at the top of this document indicates when the most recent changes were made.

13. Contact & Complaints

Data Controller

Lotus Audaz, Lda

Rua Cândido dos Reis 112

8600-681 Lagos, Portugal

hello@innate.love

EU Supervisory Authority

CNPD

Comissão Nacional de Proteção de Dados

Rua de São Bento, 148-3°, 1200-821 Lisboa

www.cnpd.pt

UK Supervisory Authority

ICO

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

www.ico.org.uk