Privacy Policy
Last updated: March 5, 2026
Mikita Pupko (“we,” “us,” or “our”) operates the MoodStride mobile application and related services (collectively, the “Service”). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Service.
MoodStride is a Cognitive Behavioral Therapy (CBT) support tool. Because the Service processes sensitive mental-health information, we hold ourselves to a high standard of data protection.
1. Data Controller
Mikita Pupko, an individual acting as the data controller. Contact: work.pupko@gmail.com
2. What Data We Collect
2.1 Account Data
When you create an account we collect:
- Email address — used for authentication and account recovery.
- Display name (optional) — shown within the app and, if you choose, to your therapist.
- Preferred locale — your language preference (English or Russian).
2.2 CBT & Mental-Health Data
The core of MoodStride is your private CBT diary. When you create entries we store:
- Thought records — free-text descriptions of situations, beliefs, and behavioral reactions.
- Emotions — emotion labels and intensity scores (1–100) selected or extracted from your entries.
- Mood & energy scores — numerical self-assessments (0–100).
- Context tags — optional categories you assign to entries (e.g., “work,” “social”).
- Entry dates and timestamps.
2.3 Voice & AI Processing Data
If you use MindFlow (voice-to-thought-record):
- Audio transcripts — your spoken input is transcribed and sent to our AI extraction pipeline. Raw transcripts are retained for up to 90 days for quality and accuracy improvements, then automatically deleted.
- AI extraction outputs — structured beliefs, emotions, and situations extracted from your transcript. You review and approve all outputs before they are saved to your diary.
- Refinement data — records of what you confirmed, edited, or removed during the review step.
We do not store raw audio files. Transcription happens on-device or via a secure third-party speech-to-text provider, and only the resulting text is sent to our servers.
2.4 Therapist-Patient Relationship Data
If you choose to connect with a therapist through MoodStride:
- Alliance status — whether a therapist connection is pending, active, or ended.
- Access policy — what level of access you have granted (full, date range, or selected entries) and any entries you have excluded.
- Invitation metadata — tokens and timestamps related to the connection process.
2.5 Usage & Operational Data
- Feature usage counts — for example, how many MindFlow extractions you have used in a billing period.
- Analytics — we use Plausible Analytics on our website, a privacy-friendly, cookie-free analytics service that does not track individual users.
- Access logs — when a therapist views your data, we log the timestamp, which entries were accessed, and the therapist’s identity for your protection.
2.6 Waitlist Data
If you sign up for the waitlist before the Service is generally available, we collect your email address, self-reported role, and referrer/UTM parameters.
3. Legal Bases for Processing
We process your data on the following legal bases:
- Contract performance — processing your account data and CBT entries is necessary to provide the Service you signed up for.
- Legitimate interest — operational data (usage counts, access logs) helps us maintain, secure, and improve the Service.
- Consent — voice processing via MindFlow and any optional data sharing with a therapist occur only with your explicit, informed consent, which you may withdraw at any time.
4. How We Use Your Data
We use your data to:
- Provide the Service — store your diary entries, display mood trends, and enable guided CBT exercises.
- Power MindFlow — transcribe your voice, extract structured thought records via AI, and present them for your review.
- Enable therapist connections — share the specific entries you approve, under the access policy you control.
- Improve quality — analyze aggregate, de-identified usage patterns and AI extraction accuracy.
- Communicate with you — send account-related emails (verification, security alerts) and, if you opted in, product updates.
We do not sell your data. We do not use your data for advertising. We do not share your data with third parties for their own marketing purposes.
5. Data Sharing & Third Parties
We share personal data only in the following circumstances:
| Recipient | Purpose | Data shared |
|---|---|---|
| Supabase (AWS infrastructure) | Database hosting & authentication | All stored data (encrypted at rest) |
| AI model provider (e.g., Anthropic, OpenAI) | MindFlow extraction pipeline | Transcript text only — no account identifiers are sent |
| Speech-to-text provider | Voice transcription | Audio data (transient, not stored by provider beyond processing) |
| Sentry | Crash reporting & error monitoring | Device info, OS version, app state at time of crash — no personal identifiers or diary content |
| Google | OAuth authentication (optional sign-in method) | Email address and basic profile info via Google’s OAuth consent flow |
| Plausible Analytics | Website analytics | Anonymized page views — no personal data |
| Your therapist | Clinical collaboration | Only the entries and data you explicitly grant access to |
We require all sub-processors to maintain appropriate security measures and to process data only as instructed by us.
6. Where Your Data Is Stored
Your data is stored on Supabase Cloud infrastructure hosted on Amazon Web Services (AWS). Servers are located in the United States. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
If you are located in the European Economic Area (EEA), Russia, or another jurisdiction with data-transfer restrictions, your use of the Service constitutes consent to the transfer of your data to the United States. We implement appropriate safeguards in accordance with applicable law.
7. Data Retention
| Data type | Retention period |
|---|---|
| Account data | Until you delete your account |
| Diary entries (thought records, emotions, mood scores) | Until you delete the entry or your account |
| Raw transcripts & AI pipeline data | 90 days, then automatically deleted |
| Access logs | Retained for the duration of an active therapist alliance, then 12 months after the alliance ends |
| Waitlist data | Until you are admitted to the Service or request removal |
When you delete your account, all your personal data is permanently erased within 30 days, except where retention is required by law.
8. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate data.
- Erasure — request deletion of your data (“right to be forgotten”).
- Data portability — receive your data in a structured, machine-readable format.
- Restriction — ask us to limit how we process your data.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — revoke consent for MindFlow processing or therapist data sharing at any time, without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at work.pupko@gmail.com. We will respond within 30 days.
9. Patient-Controlled Access
A core principle of MoodStride is that you control who sees your data. If you connect with a therapist:
- You choose the access level: full, date range, or selected entries.
- You can exclude specific entries at any time.
- You can end the alliance at any time, immediately revoking all therapist access.
Your therapist cannot access your data without an active alliance and the access policy you have set.
10. Security
We implement the following security measures:
- Encryption at rest (AES-256) and in transit (TLS 1.2+).
- Therapist session notes are encrypted at the application level (AES-256-GCM) with keys managed via a cloud Key Management Service.
- Row-level security policies ensure that only you can access your diary data, and only authorized therapists (with an active alliance) can access data you have shared.
- Supabase Auth handles authentication with secure password hashing and email verification.
No system is 100% secure. If we become aware of a security breach affecting your data, we will notify you in accordance with applicable law.
11. Children’s Privacy
MoodStride is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the app. The “Last updated” date at the top reflects the most recent revision. Continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact
For privacy-related questions or to exercise your rights:
Mikita Pupko
Email: work.pupko@gmail.com