Legal

Privacy Policy

Last updated: 19 June 2026  ·  Effective: 19 June 2026

Sobella is built around privacy. Your journal entries, sobriety data, and conversations with the AI companion are yours. We do not sell your data, we do not share it with advertisers, and we never will.

1. Who we are

Sobella ("Sobella", "we", "our", "us") is a mobile application and website operated by Richard Holmes, trading as Sobella, based in the United Kingdom.

This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the Sobella iOS app or the sobella.app website. It applies to all users worldwide, with additional rights described below for users in the UK and European Economic Area (EEA).

Contact: For any privacy enquiries, write to us at support@sobella.app.

2. Information we collect

2.1 Information you provide directly

DataWhy we collect it
Email addressAccount creation and authentication
Display name / first nameTo personalise your experience (e.g. "Good morning, [name]")
Sobriety start dateTo calculate your streak and milestone notifications
Daily check-in responsesTo personalise AI companion messages and track your progress
Journal entriesStored privately so you can reflect over time
AI conversation messagesSent to our AI service to generate a response; not used for advertising or model training
Mood ratingsIncluded in your journal and visible only to you
Toolkit and custom toolsStored so your coping strategies persist between sessions

2.2 Information collected automatically

2.3 Information we do not collect

3. How we use your information

The table below sets out each purpose for which we process personal data, the lawful basis we rely on, and how long we keep that data. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

PurposeData involvedLegal basis (UK/EEA)Retention period
Creating and managing your account Email address, password (hashed), display name Performance of contract (Art 6(1)(b)) Until account deleted, then purged within 30 days
Processing your health-related data to provide the app's core features (sobriety tracking, mood logs, journal entries, check-in responses) Sobriety start date, mood ratings, journal entries, daily check-in responses Explicit consent (Art 9(2)(a)) — given at sign-up. You may withdraw this consent at any time by deleting your account or contacting us. Until you delete the data or your account, then purged within 30 days
AI companion responses Text of your messages and AI responses Performance of contract (Art 6(1)(b)) Your messages and AI responses are stored securely in Supabase and are visible only to you. Retained until you delete your account, then purged within 30 days. Anthropic's API data retention policy also applies (see Section 5).
Personalising your experience (greetings, streak count, toolkit tools) Display name, sobriety start date, toolkit content Performance of contract (Art 6(1)(b)) Until account deleted, then purged within 30 days
Sending check-in reminders and notifications (if enabled) Push notification token, notification preferences Consent (Art 6(1)(a)) — withdraw at any time in your device Settings Until you disable notifications or delete your account
Subscription and purchase management App user ID, purchase receipt data Performance of contract (Art 6(1)(b)) 7 years (legal and financial record-keeping requirement)
Detecting and preventing fraud or abuse Authentication logs, device information, session data Legitimate interests (Art 6(1)(f)) 90 days rolling
Improving the app through aggregate analytics Anonymised usage data (screens visited, session timing) — not linked to individuals Legitimate interests (Art 6(1)(f)) Indefinitely (anonymised — no longer personal data)
Complying with legal obligations Data as required by applicable law Legal obligation (Art 6(1)(c)) As required by the applicable law

Where we rely on legitimate interests, you have the right to object. We have assessed that our interests do not override your rights and freedoms in each case — we do not use legitimate interests as a basis for processing sensitive health data.

4. Third-party services and data processors

We use a small number of carefully selected third-party services to operate Sobella. Each acts as a data processor on our behalf and is bound by data processing agreements.

ServicePurposeData sharedLocation
Supabase Authentication, database, and serverless functions Account data, journal entries, check-ins, sobriety data EU (AWS eu-west-1)
Anthropic (Claude API) AI companion responses The text of your AI messages only (no account details). Sent via our server-side Edge Function — never directly from your device. USA (AWS)
RevenueCat Subscription and in-app purchase management App user ID and purchase receipt data. No payment card details are shared — Apple handles all payment processing directly. USA
Vercel Website hosting (sobella.app) IP address, browser type (standard server logs) Global CDN
OneSignal Push notification delivery Device push token and notification preferences USA
Resend Data export emails Your email address and exported data when you request a data download USA
Apple App distribution, in-app purchases, push notifications Governed by Apple's Privacy Policy USA

We do not sell, rent, or trade your personal data to any third party. We do not use your data for advertising purposes, and we never share your journal entries or AI conversations with anyone.

5. AI companion

When you send a message to the Sobella AI companion, your message is transmitted to Anthropic's Claude API via a secure server-side proxy (Supabase Edge Function). Your message is used solely to generate a response to you. Anthropic's standard API usage terms apply; API data is not used to train Anthropic's models. Your messages and the AI's responses are stored in Supabase and are accessible only to you. They are deleted when you delete your account.

Important: The AI companion is not a medical professional, counsellor, or therapist. It is a supportive tool only. If you are in crisis, please contact a qualified professional or a crisis line (see Section 11).

6. Data retention

Specific retention periods for each category of data are set out in Section 3. In summary:

You can delete your account at any time from within the app (Settings → Delete Account). You may also request deletion of specific data without closing your account by contacting support@sobella.app.

Withdrawing health data consent: If you withdraw your explicit consent for health data processing (given at sign-up), we will stop processing that data and delete it. Note that withdrawing this consent will prevent us from providing the app's core features, as they depend on this data. You can do this by deleting your account or contacting us.

7. Your rights

All users may:

If you are located in the UK or EEA, you additionally have the right to:

We will respond to all rights requests within 30 days.

Authorized agents

You may designate an authorized agent to submit a rights request on your behalf. We may ask for proof of authorization and may also verify your identity directly before processing the request.

Appeals

If we decline your request, you may appeal our decision by emailing support@sobella.app with the subject line "Rights Request Appeal." We will respond within 30 days. If you are in the US and remain unsatisfied after the appeal, you may contact the attorney general in your state.

8. Children's privacy

Sobella is not intended for children under 17 years of age. We do not knowingly collect personal information from anyone under 17. If we become aware that we have collected personal information from a child under 17 without parental consent, we will delete it promptly. If you believe we may have information about a child, please contact us at support@sobella.app.

9. Data security and breach notification

We take security seriously. We implement the following measures to protect your data:

No system is perfectly secure. If you discover a security vulnerability, please disclose it responsibly to support@sobella.app.

Data breach notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, as required by UK GDPR Article 33. Where the breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay, describing the nature of the breach, its likely consequences, and the steps we are taking to address it.

10. International data transfers

Your data may be processed in countries outside the UK and EEA, including the United States (Anthropic, RevenueCat, OneSignal, Resend, Vercel). Where we transfer data internationally, we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA), Standard Contractual Clauses (SCCs), or adequacy decisions.

11. Crisis resources

Sobella is a wellness companion, not a crisis service. If you are experiencing a mental health emergency or are in crisis, please contact:

12. Cookies and tracking (website)

The sobella.app website does not use advertising or tracking cookies. We do not run any third-party analytics scripts on this website. The only cookies that may be set are strictly necessary session cookies used by our hosting infrastructure (Vercel) for performance and security.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes via a notice in the app or by email. The "Last updated" date at the top of this page will always reflect the most recent version. Continued use of Sobella after a change constitutes acceptance of the updated policy.

14. California residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you additional privacy rights.

Personal information we collect

In the past 12 months we have collected the following categories of personal information from California residents:

Your California rights

To exercise these rights, email support@sobella.app. We will verify your identity before processing the request. You may designate an authorized agent to submit a request on your behalf.

No sale of personal information

Sobella does not sell your personal information and has not done so in the past 12 months. We do not share your personal information with third parties for targeted or behavioural advertising.

15. Contact us

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact:

Sobella Privacy
support@sobella.app

UK & EEA representative: Richard Holmes, Sobella — support@sobella.app

We aim to respond to all enquiries within 5 business days.