Privacy Policy
Last updated: June 17, 2026
Effective date: June 17, 2026
1. Who We Are
ConfluxMind is operated by ALPHAWAVE TECHNOLOGIES LIMITED, registered in the United Kingdom. We are building an AI companion that helps people practise emotional regulation skills.
- Data controller: ALPHAWAVE TECHNOLOGIES LIMITED, 32 Heol Cae Gurwen, Gwaun Cae Gurwen, Ammanford, Wales, SA18 1HG, United Kingdom.
- Contact: imre@confluxmind.com
- Supervisory authority: Information Commissioner’s Office (ICO), ico.org.uk
We process personal data under UK GDPR (the retained EU law version of the General Data Protection Regulation, as supplemented by the UK Data Protection Act 2018). When our Netherlands subsidiary is established, EU GDPR (Regulation 2016/679) will additionally apply to data processed through that entity.
2. What Data We Collect
2.1 Contact Form
When you use our contact form, we collect:
- Your name
- Your email address
- Your organization
- Your reason for inquiry
- Your message
We do not collect IP addresses, browser fingerprints, or device information through the contact form.
2.2 Website Analytics
We use privacy-first analytics that do not use tracking cookies and do not collect personal data. We do not use Google Analytics.
2.3 Cookies
We do not currently use tracking cookies. If we introduce cookies in future, we will update this policy and implement a consent mechanism before any non-essential cookies are set, in compliance with the Privacy and Electronic Communications Regulations 2003 (PECR).
2.4 Future: User Accounts and Conversations
When we introduce user accounts and conversation functionality, this policy will be updated to cover account data, conversation logs, and any derived data. Conversation storage will require your explicit consent. You will always be able to withdraw that consent and have your data deleted or anonymised.
3. Why We Process Your Data
| Data | Purpose | Legal Basis (UK GDPR) |
|---|---|---|
| Contact form submissions | To respond to your enquiry | Legitimate interest — Art. 6(1)(f) |
| Anonymised form data | To understand what people ask about and improve our product | Not personal data (Recital 26) — UK GDPR does not apply |
| Conversation data (future) | To provide the AI companion service | Consent — Art. 6(1)(a) |
4. How Long We Keep Your Data
Contact form submissions: We retain your name, email, and message for 12 months. After 12 months, we anonymise the data: your name and email are permanently deleted, and only the message text and submission date are retained. This anonymised data can no longer identify you and falls outside the scope of UK GDPR (Recital 26).
Conversation data (future): Retention period will be specified when this feature launches. You will be able to export or delete your data at any time.
5. Who Has Access to Your Data
5.1 Internal Access
Only the ConfluxMind founding team has access to contact form submissions. Access is limited to what is necessary to respond to your enquiry.
5.2 Third-Party Processors
We share your data with the following processors, each of which has a Data Processing Agreement (DPA) in place:
| Processor | Purpose | Location | DPA |
|---|---|---|---|
| Vercel | Website hosting and API routing | United States | Pro Plan DPA Included |
| DreamHost | Email routing (SMTP) | United States | DPA Included |
| Google (Workspace) | Email, internal tools, and Gemini AI API | United States | Workspace DPA + SCCs |
| Anthropic | AI model API (future) | United States | Commercial DPA + SCCs |
We do not sell your personal data to anyone. We do not share your data with advertisers.
6. International Data Transfers
Some of our processors are based outside the United Kingdom. Where personal data is transferred internationally, we ensure appropriate safeguards are in place:
- International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs: the UK-approved mechanisms for international transfers under UK GDPR.
- Standard Contractual Clauses (SCCs): where processors also serve our future Netherlands subsidiary under EU GDPR.
- UK-EU data flows: transfers between the UK and EEA are covered by the UK adequacy decision and do not require additional safeguards.
We do not transfer data to countries without adequate protection unless the above safeguards are in place.
7. Your Rights
Under UK GDPR, you have the following rights:
- Right of access (Art. 15): You can request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): You can ask us to correct inaccurate personal data.
- Right to erasure (Art. 17): You can ask us to delete your personal data. We will also offer anonymisation as an alternative if you prefer your data to be retained without identifying information.
- Right to restrict processing (Art. 18): You can ask us to limit how we use your data.
- Right to data portability (Art. 20): You can request your data in a machine-readable format (JSON or CSV).
- Right to object (Art. 21): You can object to processing based on legitimate interest. We will stop unless we have compelling grounds.
- Right to lodge a complaint: You can file a complaint with the ICO at ico.org.uk, or call their helpline on 0303 123 1113. If you are based in the EU, you may also contact your local supervisory authority.
To exercise any of these rights, email imre@confluxmind.com. We will respond within 30 days.
8. AI Disclosure
ConfluxMind uses artificial intelligence (AI) to power its companion. When you interact with the ConfluxMind companion, you are interacting with an AI system — not a human. This is disclosed clearly in the product interface, onboarding, and at the start of every conversation.
When our Netherlands subsidiary serves EU users, this disclosure will additionally comply with the EU AI Act (Article 50). The UK does not currently have equivalent AI-specific legislation, but we apply the same transparency standards across all markets.
The AI does not diagnose medical conditions, prescribe medication, or provide therapy. It is a wellness tool for practising emotional regulation skills.
9. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- HTTPS encryption for all data in transit
- Encryption at rest for stored personal data
- Access controls limiting data access to authorised team members
- Regular review of security measures
10. Children
ConfluxMind is not intended for children under 13 (the age threshold under the UK Data Protection Act 2018 and the Age Appropriate Design Code). We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it.
Users aged 13–17 should inform a parent, guardian, or trusted adult that they are using this service.
11. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by posting the updated policy on our website with a new effective date. We encourage you to review this policy periodically.
12. Contact
For any questions about this privacy policy or your personal data:
- Email: imre@confluxmind.com
- Data controller: ALPHAWAVE TECHNOLOGIES LIMITED, 32 Heol Cae Gurwen, Gwaun Cae Gurwen, Ammanford, Wales, SA18 1HG, United Kingdom.
- Supervisory authority: Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. ico.org.uk | 0303 123 1113
