← Back

Privacy Notice

Last updated: 14 April 2026

My Gratitude is a small, intentionally private service for sharing a gratitude practice with one person you invite. This notice explains what we collect, why, and what rights you have.

Who we are

The service is operated by the makers of My Gratitude. For any privacy question or request, write to info@mygratitudes.com. For the purposes of the UK GDPR and EU GDPR, we are the data controller for the information described here.

What we collect

  • Account data: your display name, email address, and (optionally) a profile photo and passkey credentials.
  • Gratitude recordings: the video and audio you record during a session, and any sign-off or opener videos you choose to save.
  • Session metadata: pairings, session timestamps, clip durations, and which clips your partner has watched.
  • Technical data: a session cookie containing a signed JWT so you stay logged in; optional push-notification subscriptions if you enable reminders.

We do not knowingly collect any data from children under 16. If you believe a child has registered, please contact us and we will delete the account.

Why we process it (legal basis)

  • Contract (Art. 6(1)(b) GDPR): to provide the service you signed up for — storing your recordings so your chosen partner can watch them.
  • Consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR): you consent to recording your voice and likeness when you tick the box at registration and when you start each session.
  • Legitimate interests (Art. 6(1)(f)): security, abuse prevention, and keeping the service running. We do not profile you and we do not use any of this data for advertising.

What we don't do

  • We do not sell or rent your data.
  • We do not use your recordings to train AI models, and we do not share them with any third party other than the processors listed below.
  • We do not run advertising or behavioural analytics.
  • We do not use your face or voice to identify you. Passkeys rely on your device's own biometrics, which never leave your device.

Who processes data on our behalf

  • Railway — application hosting (EU region where available).
  • Cloudflare R2 — video storage.
  • Resend — transactional email for magic-link sign-in.

Each of these providers is bound by a data-processing agreement and processes data only on our instructions. Some are based outside the UK/EU, in which case transfers rely on Standard Contractual Clauses.

How long we keep it

  • Recordings and session metadata: kept while your account is active. Individual sessions can be deleted from the session page.
  • Magic-link tokens: single-use, 15-minute lifetime, stored as SHA-256 hashes.
  • Notification logs: up to 90 days for deliverability debugging.
  • Account data: kept until you delete your account; then removed or anonymised as described below.

Your rights

Under UK/EU GDPR you can ask us to access, correct, delete, or export your data, and to restrict or object to processing. The fastest route for most people:

  • Delete your account yourself from Settings. This removes your recordings and personal data; the account row is anonymised where it is still referenced by a partner's session history.
  • Email info@mygratitudes.com for access, correction, export, or any other request. We aim to reply within 30 days.
  • You have the right to lodge a complaint with your local data protection authority (in the UK, the ICO at ico.org.uk).

Security incidents

If we become aware of a personal-data breach that is likely to affect your rights, we will notify the relevant supervisory authority within 72 hours and contact affected users by email.

Changes

If we make material changes to this notice we will email registered users before the changes take effect.