Ready to understand yourself better?
Start free. No credit card required.
Coming soon
Coming soon
Last updated: March 29, 2026
SimplyHere is a mental wellness companion. We take your privacy extremely seriously because we understand the sensitive nature of the information you share with us. This policy explains what we collect, how we protect it, and your rights.
SimplyHere is designed to meet the data protection requirements of healthcare environments. While we are not a covered entity under HIPAA, we voluntarily implement HIPAA-aligned security controls including field-level encryption, audit logging, access controls, and data retention policies. When SimplyHere is deployed through a healthcare organization, we will enter into a Business Associate Agreement (BAA) as required.
Account information: Your email address (encrypted with XChaCha20-Poly1305 and stored as an HMAC-SHA256 blind index — we never store your email in plaintext), full name (encrypted), and password (hashed with BCrypt using per-user salts — never stored in plaintext). These are required to create and secure your account.
Wellness data: Check-ins, journal entries, goals, untangle entries, PHQ-9 and GAD-7 assessment scores, sleep diary entries, AI chat messages, safety plan information, and wisdom notes that you choose to enter. This data is yours.
Device information: Device type, app version, and operating system for crash reporting and support. IP addresses are encrypted in audit logs for security purposes. We also store push notification tokens if you enable notifications. We do not collect location data.
AI-derived data: SimplyHere's AI generates insights from your wellness data, including mood trend summaries, cognitive distortion detection in untangle entries, cross-feature pattern observations, and a persistent therapeutic summary of themes across your conversations. These AI-derived insights are stored encrypted alongside your other wellness data and are used to personalize your experience.
Subscription data: If you subscribe to SimplyHere Premium, your subscription status and billing period are managed through your app store. We receive confirmation of your subscription status but do not receive or store your payment method details, credit card numbers, or billing address. Payment processing is handled entirely by Apple or Google.
Encryption at rest: All sensitive personal data — including journal entries, check-ins, assessment scores, sleep diary entries, chat messages, untangle entries, and safety plans — is individually encrypted at the field level using XChaCha20-Poly1305 encryption before being stored in our database. Even in the event of a database breach, your data would be unreadable without the encryption keys.
Encryption in transit: All data transmitted between the app and our servers uses TLS 1.2/1.3 encryption.
Password security: Passwords are hashed using BCrypt with per-user salts and are never stored in plaintext.
Access controls: Your data is accessible only to you through your authenticated account. Our team cannot read your encrypted wellness data.
Audit logging: All access to your data is logged in compliance with HIPAA § 164.312(b) requirements. Audit logs record what data was accessed, when, and by which system process. Audit logs are retained for 7 years and do not contain your actual wellness data content.
Data retention: Your wellness data (check-ins, journals, untangle entries, assessments) is retained for 3 years from creation to support long-term trend analysis. Conversations are archived at 6 months (messages removed, summary and metadata preserved) and fully deleted at 2 years. Notifications are deleted after 90 days. Wisdom notes, goals, and safety plans are retained until you delete them. Audit logs are retained for 7 years per HIPAA requirements. All retention periods are enforced automatically by our background data retention service.
Infrastructure: SimplyHere is hosted on Google Cloud Run (US region) with MongoDB Atlas as the database provider. Both services provide enterprise-grade physical security and compliance certifications.
AI chat and insights: Your chat messages, check-in data, journal entries, and untangle entries are processed by Google's Gemini AI (Gemini 2.5 Flash for conversations, Gemini 2.5 Flash-Lite for insights and analysis) through the Google Cloud Vertex AI platform to generate responses, detect patterns, identify cognitive distortions, and create personalized insights. Data is sent over encrypted TLS connections. Google's Vertex AI data processing terms prohibit Google from using your data to train their models, and Vertex AI is covered under the Google Cloud Business Associate Agreement (BAA) for HIPAA-regulated workloads.
What the AI sees: When you use the chat companion, the AI receives your recent check-ins, journal snippets, untangle patterns, active goals, and a therapeutic summary of themes from your past conversations. This context helps the AI provide relevant, informed support. The AI does not have access to your full historical data — only a compressed summary. If you have selected condition focus areas (such as anxiety, depression, or bipolar), the AI receives behavioral guidelines for those conditions but does not reference your conditions by name unless you bring them up first.
What the AI does NOT see: The AI cannot access your password, email address, or any data belonging to other users. If you are part of an organization, the AI cannot access other members' data. AI-generated responses are not reviewed by humans at SimplyHere or at Google.
No selling of data: We do not sell, rent, trade, or share your personal data or wellness data with advertisers, data brokers, analytics companies, or any third party for marketing purposes. We will never monetize your data. Our revenue comes exclusively from subscriptions.
No ads: SimplyHere does not display advertisements. We do not use third-party analytics that track individual users.
Transactional email: We use Amazon Simple Email Service (SES) to send transactional emails only — verification codes, password resets, and account notifications. SES does not have access to your wellness data.
Error monitoring: We use Sentry to collect anonymous crash reports (stack traces, device model, OS version) to fix bugs. No personal health information (PHI) is sent to Sentry. These reports do not contain your wellness data, journal content, chat messages, or any other personal information.
Export your data: You can download all your data at any time from Settings → Export my data. Your data is provided in a machine-readable JSON format.
Delete your account: You can permanently delete your account and all associated data from Settings → Delete my account. This action is irreversible and removes all check-ins, journal entries, goals, chat history, untangle entries, assessments, sleep diary, safety plans, wisdom notes, wellness surveys, notifications, and anchor responses. Deletion cascades across all data collections.
Share my progress: You can generate a summary of your wellness journey to share with someone you trust — a care provider, a doctor, or anyone in your corner. This is entirely opt-in and initiated only by you — it is never shared automatically.
Correction: If you believe any of your account information is inaccurate, you can update it directly in Settings. Wellness data (check-ins, journals, etc.) can be edited or deleted individually within the app.
Data portability: Your exported data is provided in standard JSON format, readable by any software. We do not lock your data into proprietary formats.
Security controls: You can enable or disable two-factor authentication (TOTP-based) and manage trusted devices from the Security section in Settings.
GDPR rights (EU/EEA residents): If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR), including the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, and the right to object. Our legal basis for processing is your consent (provided at registration) and our legitimate interest in providing the service. To exercise your GDPR rights, contact us at support@simplyhere.app or use the in-app data export and deletion features.
CCPA rights (California residents): If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect and how it is used, the right to request deletion, and the right to opt out of the sale of personal information. Since we never sell personal information, the right to opt out is already satisfied. You will not receive discriminatory treatment for exercising your rights. To exercise your rights, contact us at support@simplyhere.app or use the in-app data export and deletion features.
SimplyHere is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, please contact us at support@simplyhere.app and we will promptly delete the account and all associated data.
If SimplyHere is deployed through a university or health system for use by individuals aged 13–17, parental or guardian consent may be required depending on the jurisdiction and the organization's policies. The deploying organization is responsible for obtaining any required consent.
When SimplyHere is provided through an organization (referred to as "your group" within the app) such as a university, health system, or employer, the organization may have access to anonymized, aggregate engagement metrics — such as how many users completed check-ins this week or the average number of untangle entries per user. Organizations cannot access any individual user's wellness data, journal entries, chat messages, untangle entries, check-in data, or other personal content.
Your organization may see: the number of active users, feature adoption rates (e.g., percentage of users who completed an untangle session), average engagement frequency, and aggregate satisfaction scores. Your organization cannot see: anything you wrote, anything the AI said to you, your check-in data, your goals, your safety plan, or any content that could identify your specific experience.
Students register with their personal email address and an invite code provided by their institution. The university never receives individual student email addresses or personal data from SimplyHere.
If your organization's agreement with SimplyHere ends, you will be notified at least 30 days in advance. You will have the opportunity to export your data and optionally convert to a personal account before organizational access is terminated.
We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements. If we make material changes, we will notify you through the app or via email at least 30 days before they take effect. Continued use of SimplyHere after changes constitutes acceptance of the updated policy.
If you have questions about this privacy policy or how your data is handled, please contact us at support@simplyhere.app. We aim to respond within 48 hours.
Start free. No credit card required.
Coming soon
Coming soon