Privacy Policy

Last Updated: April 7, 2026

1. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to track activity on our Service. Cookies are small data files stored on your device. We use the following categories of cookies:

Strictly Necessary Cookies: Required for the site to function (e.g., session management, security tokens, language preferences). These cannot be disabled.

Analytics Cookies: Help us understand how visitors interact with our site (e.g., pages visited, scroll depth, feature usage). We use Google Analytics with IP anonymization enabled.

Functionality Cookies: Remember your preferences and settings (e.g., language selection, cookie consent choices) to provide a personalized experience.

You can manage your cookie preferences through the cookie consent banner displayed on your first visit, or by adjusting your browser settings. Refusing non-essential cookies will not affect core site functionality but may limit certain analytics features. For detailed information about each cookie we use, its purpose, and its expiration period, contact legal@miangel.ai.

2. Third-Party Links

Our Service may contain links to third-party sites. We are not responsible for their content or privacy practices. Please review their policies before using their services.

3. Age Requirements & Children's Privacy

MiAngel is NOT available to children under 13 years of age under any circumstances. We do not knowingly collect, use, or disclose personal information from anyone under 13. If we discover that a user under 13 has provided personal information, we will immediately delete the account and all associated data. Users aged 13-17 (minors) MUST have verifiable parental or legal guardian consent to use MiAngel. Parents/guardians may revoke consent at any time by contacting legal@miangel.ai, which will result in immediate account deletion. We reserve the right to request proof of age and parental consent at any time. By using MiAngel, minors and their parents/guardians acknowledge that health and biometric data will be collected and processed as described in this Privacy Policy.

4. International Data Transfers & Health Data Compliance

Your data may be stored and processed in the United States and other jurisdictions where our service providers operate. By using MiAngel, you consent to these transfers. We implement appropriate safeguards including Standard Contractual Clauses (SCCs) and ensure compliance with GDPR (European Union), CCPA (California), and other applicable data protection laws. Health Data Regulations: While MiAngel is not a covered entity under HIPAA, we implement HIPAA-equivalent security standards for all health and biometric data. We are designed to support HIPAA Business Associate Agreements (BAAs) for healthcare providers using our clinical dashboard. MiAngel is not a medical device and does not provide medical diagnoses or treatment. Our predictive analytics are for informational and wellness purposes only.

5. Contact Us

If you have questions about this Privacy Policy, reach us at legal@miangel.ai.

6. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Non-material changes (formatting, clarifications) may take effect immediately upon posting. Material changes — including modifications to data collection practices, retention periods, third-party sharing, or your rights — require at least thirty (30) days advance notice via email or in-app notification before taking effect. Your continued use of the Service after the effective date constitutes acceptance of the revised policy. The "Last Updated" date at the top of this page indicates the most recent revision. We maintain a changelog of material modifications, available upon request at legal@miangel.ai.

7. Information We Collect

Personal Information: Name, email, demographic data, and other details you provide during registration or profile setup.

Chat Data: Content of your conversations with DeBrah (MiAngel's AI companion), including emotional states, mental health check-ins, and AI-generated insights.

Usage Data: Device information, IP address, browser type, log data, interaction patterns, and feature usage analytics.

Health & Biometric Data: With your explicit consent, we collect health data from connected wearable devices and health platforms (including but not limited to Fitbit, Oura Ring, Apple Health, Google Fit) such as: heart rate, heart rate variability (HRV), sleep duration and quality, activity levels, steps, calories burned, stress indicators, blood oxygen levels (SpO2), body temperature, and other biometric measurements provided by your connected devices.

Emotional Wellness Data: Mood logs, journal entries, emotional patterns, wellness goals, progress milestones, and self-reported mental health indicators.

Derived Insights: AI-generated predictions, risk assessments, pattern correlations, and wellness recommendations based on your aggregated data (mood + biometrics + behavior).

Emergency Contact Information: If you opt-in to the MiAngel Safety Net feature, we collect the name, phone number, email, and relationship of your designated emergency contact(s). This information is used exclusively for proactive crisis intervention notifications and is encrypted at rest.

8. How We Use Your Information

Service Delivery: To provide core features including AI chat, mood tracking, journaling, and personalized wellness insights.

Health Analytics: To analyze patterns between your emotional state, biometric data, and behavior to provide predictive wellness insights (e.g., panic attack forecasting, depressive episode prediction, stress pattern recognition).

Personalization: To tailor AI responses, wellness recommendations, and intervention timing based on your unique health profile and emotional patterns.

Research & Development: To train and improve AI models using anonymized, aggregated, and de-identified data. Individual identities are never included in training datasets. Our de-identification process includes: removal of direct identifiers (name, email, phone number, IP address), replacement of quasi-identifiers with generalized categories, k-anonymity verification to ensure no individual can be re-identified from the remaining data, and separate storage of any linkage keys with strict access controls. De-identified datasets are reviewed by our data governance team before use in model training.

Risk Management: To detect potential mental health crises and provide appropriate escalation to human support or emergency services when needed.

MiAngel Safety Net Emergency Contact Notification: If you opt-in, we use your emergency contact information to proactively notify your designated contact(s) when we detect signs of severe distress (self-harm language, declining mental health patterns over 2+ weeks, physiological anomalies, concerning absence). This is intervention BEFORE crisis escalation, not reactive response. Notification may take minutes to hours and requires your explicit, revocable consent.

Platform Integration: To sync data with connected wearable devices (Fitbit, Oura, Apple Health, etc.) via their authorized APIs to maintain accurate health profiles.

Clinical Support: With your explicit consent, to share longitudinal wellness data with your healthcare providers through our HIPAA-compliant clinical dashboard.

Product Improvement: To analyze feature usage, identify bugs, and enhance user experience across the platform.

9. Ownership of Data & Retention

You own your personal data. MiAngel is the custodian of your data and may process it as described in this policy. We retain your data for as long as your account is active or as needed to provide services.

Data Retention Schedule by Category:

Personal Information (name, email, demographics) — retained for the duration of your account plus 30 days after deletion.

Chat & Conversation Data — retained for the duration of your account.

Health & Biometric Data (wearable integrations) — retained for up to 5 years from the date of collection to enable longitudinal trend analysis, unless you request earlier deletion.

Emotional Wellness Data (mood logs, journal entries) — retained for the duration of your account.

Derived Insights & Predictive Analytics — retained for up to 5 years from the date of generation in identifiable form; de-identified data (subject to k-anonymity verification with k≥5) may be retained indefinitely for research and AI model training.

Emergency Contact Information — retained for the duration of your Safety Net opt-in; deleted within 30 days of opting out.

Usage & Analytics Data — retained for up to 2 years.

SMS Message Records — retained for up to 1 year for compliance and delivery verification.

Upon account deletion, all personally identifiable information is permanently removed within 30 days. Anonymized, de-identified data that has already been incorporated into aggregate training datasets cannot be extracted and may persist indefinitely. You can request a complete data export or deletion at any time through your account settings or by contacting legal@miangel.ai.

10. Data Sharing and Disclosure

We do not sell your personal or health data. Period. We may share data only in the following circumstances:

Service Providers: We use trusted third-party services for cloud storage (Firebase), analytics, AI processing (OpenAI, Anthropic), and infrastructure. These providers are contractually bound to protect your data and may not use it for their own purposes.

Wearable Device Providers: When you connect a wearable device (Fitbit, Oura, Apple Health, Google Fit), we access your health data through their authorized APIs. We only request the minimum necessary permissions, and you can revoke access at any time. These providers have their own privacy policies governing data collection.

Healthcare Providers: With your explicit, revocable consent, we may share longitudinal wellness data with your doctors, therapists, or mental health professionals through our secure clinical dashboard. You control exactly what is shared and with whom.

Legal Compliance: We may disclose information if required by law, court order, subpoena, or government authority. We will notify you unless legally prohibited.

Safety & Protection: We may share information to prevent imminent harm, protect our rights, investigate fraud, or enforce our Terms of Service. This includes the MiAngel Safety Net Emergency Contact Notification feature: if you opt-in and we detect signs of severe distress (self-harm language, declining patterns, physiological anomalies, concerning absence), we will proactively notify your designated emergency contact(s) with relevant context to enable intervention BEFORE a crisis escalates. This notification is opt-in, requires your explicit consent, and can be disabled at any time.

Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred. You will be notified, and the same privacy protections will apply.

Research Partners: We may share fully anonymized, aggregated, de-identified data with academic or research institutions for mental health research. No individual identities are ever disclosed.

11. Data Security & Guardian Middleware AI™

Your data is protected by Guardian Middleware AI™, our patented cryptographic trust layer. Every interaction is: (1) Cryptographically Authenticated: Biometric or device attestation verifies your identity before accessing sensitive data. (2) Policy-Bound: AI interactions are governed by machine-enforced behavioral policies that cannot be overridden. (3) Audit-Trail Protected: Every data access is logged in a tamper-evident audit chain for accountability. (4) Deny-by-Default: Private memory and health data remain encrypted and inaccessible without verified authentication. Additionally, we employ: AES-256 encryption for data at rest, TLS 1.3 for data in transit, regular security audits and penetration testing, role-based access controls (RBAC) for internal systems, automated threat detection and monitoring, and secure API integrations with third-party health platforms. While no system is 100% secure, Guardian Middleware AI™ provides enterprise-grade, verifiable protection designed for regulated healthcare environments.

12. Your Choices & Data Rights

Access & Export: You can request a complete copy of all your data (personal, health, chat logs, mood history) in machine-readable format at any time through your account settings or by contacting legal@miangel.ai.

Deletion (Right to Erasure): Under GDPR Article 17 and applicable state laws, you can request full account deletion. Grounds for erasure include: withdrawal of consent, data no longer necessary for its original purpose, objection to processing, or unlawful processing. Upon request, we will permanently remove all personally identifiable information within 30 days. Note: Anonymized data used in AI training cannot be extracted once de-identified, as it is no longer personal data under applicable law.

Disconnect Wearables: You can disconnect any linked wearable device (Fitbit, Oura, Apple Health, etc.) at any time from your account settings. Past data will be retained but no new data will be collected from that device.

Manage Consent: You can revoke consent for clinical data sharing with healthcare providers at any time. This will immediately stop future data sharing but cannot recall information already shared.

Marketing & Communications: Unsubscribe from promotional emails, push notifications, or marketing communications. Service-critical notifications (security alerts, policy updates) cannot be disabled.

Data Portability: You have the right to receive your data in a structured, commonly used format and transmit it to another service provider.

13. Do Not Track (DNT) Signals

Some browsers offer a "Do Not Track" (DNT) setting that sends a signal to websites requesting that your browsing activity not be tracked. MiAngel currently does not respond to DNT browser signals. However, you can manage your privacy preferences through the cookie consent controls provided on our site, your account settings, and the data rights described in Section 12 above. We honor opt-out requests made through these mechanisms regardless of your DNT browser setting. California residents: Under CalOPPA, we are required to disclose how we respond to DNT signals. As stated above, we do not currently alter our data collection and use practices in response to DNT signals, but you retain full control over your data through the rights described in this policy.

14. Sub-Processors & Third-Party Data Processors

We use the following categories of sub-processors to operate MiAngel. Each processor is contractually bound to protect your data, limit processing to specified purposes, and comply with applicable data protection laws:

Cloud Infrastructure & Storage: Google Cloud Platform / Firebase (United States) — hosting, database, authentication infrastructure, and Cloud Functions.

AI Processing: OpenAI (United States) and Anthropic (United States) — natural language processing for AI Companion conversations. Data sent to these processors is subject to our pseudonymization controls (Standard and Premium plans).

Email Communications: Resend (United States) — transactional and marketing email delivery.

Analytics: Google Analytics (United States) — anonymized usage analytics and site performance monitoring.

Security & CAPTCHA: Cloudflare (United States) — CDN, DDoS protection, and Turnstile CAPTCHA verification.

SMS Messaging: Third-party SMS gateway (United States) — delivery of opt-in text message notifications.

Data Processing Agreements: MiAngel has executed Data Processing Addendums (DPAs) incorporating Standard Contractual Clauses (SCCs) with all listed sub-processors. For EEA-to-US transfers, these DPAs are supplemented by technical safeguards including AES-256 encryption, access controls, and audit trails. Complete DPAs are available upon request at legal@miangel.ai.

Sub-Processor Change Notification: We will update this list when we add or replace sub-processors. Material changes to sub-processors that handle health or biometric data will be communicated via email notification to affected users at least 30 days before the change takes effect. You may object to a new sub-processor by contacting legal@miangel.ai within that 30-day period.

15. Regulatory Contacts & Complaint Rights

You have the right to lodge a complaint with the appropriate regulatory authority if you believe your data has been handled in violation of applicable law:

United States — Federal Trade Commission (FTC): File a complaint at reportfraud.ftc.gov or call 1-877-FTC-HELP (1-877-382-4357).

United States — State Attorney General: Contact your state attorney general's office for state-specific privacy complaints. Florida residents may contact the Florida Attorney General at myfloridalegal.com.

California Residents (CCPA): You may exercise your rights under the California Consumer Privacy Act by contacting legal@miangel.ai or through your account settings.

European Union / EEA (GDPR): You may lodge a complaint with your local Data Protection Authority (DPA). A list of DPAs is available at edpb.europa.eu.

United Kingdom: Contact the Information Commissioner's Office (ICO) at ico.org.uk.

For any privacy-related complaints, we encourage you to contact us first at legal@miangel.ai so we can attempt to resolve your concern directly.

16. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and other jurisdictions that require a lawful basis for data processing, we rely on the following legal bases under GDPR Articles 6 and 9:

Contractual Necessity (Article 6(1)(b)): Processing personal data necessary to provide the MiAngel Service you have requested, including AI companion interactions, mood tracking, journaling, and account management.

Consent (Article 6(1)(a) and Article 9(2)(a)): Processing of health data, biometric data, and emotional wellness data requires your explicit consent, which you provide during registration and device connection. You may withdraw consent at any time through your account settings or by contacting legal@miangel.ai. Withdrawal does not affect the lawfulness of processing performed prior to withdrawal.

Legitimate Interest (Article 6(1)(f)): Processing for product improvement, fraud prevention, platform security, and aggregated analytics where our interests do not override your fundamental rights. We conduct Legitimate Interest Assessments (LIAs) for each processing activity relying on this basis, and these assessments are available upon request.

Legal Obligation (Article 6(1)(c)): Processing required to comply with applicable laws, including tax requirements, regulatory requests, court orders, and mandatory reporting obligations.

Vital Interest (Article 6(1)(d)): In rare cases, processing may be necessary to protect your vital interests or those of another person, such as when our Safety Net feature detects imminent risk of self-harm.

Special Category Data (Article 9): Health data, biometric data, and data concerning mental health constitute special category data under GDPR. We process this data only with your explicit consent (Article 9(2)(a)) or where necessary to protect vital interests (Article 9(2)(c)). We do not process special category data for marketing, profiling for advertising, or any purpose beyond the specific wellness services you have consented to.

Data Subject Request Response Times: We will respond to all data subject access requests (DSARs), deletion requests, and portability requests within thirty (30) days of receipt, as required by GDPR Article 12(3). Where requests are complex or numerous, we may extend this period by an additional sixty (60) days, with notice to you. For CCPA requests, we will respond within forty-five (45) days as required by California Civil Code Section 1798.130.

17. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with the following additional rights:

Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which your personal information was collected, our business or commercial purpose for collecting or sharing your personal information, the categories of third parties with whom we share your personal information, and the specific pieces of personal information we have collected about you in the preceding 12 months.

Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, ongoing service delivery, security incident detection).

Right to Correct: You have the right to request correction of inaccurate personal information that we maintain about you.

Right to Opt-Out of Sale or Sharing: MiAngel does NOT sell your personal information. We do NOT share your personal information for cross-context behavioral advertising. Because we do not engage in these practices, no opt-out mechanism is required; however, you may still contact us at legal@miangel.ai if you have concerns about data sharing.

Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of your sensitive personal information (including health data) to purposes necessary to provide the Service. MiAngel already limits the use of sensitive personal information to service delivery, security, and the specific wellness features you have opted into.

Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing, quality of service, or access levels for exercising your privacy rights.

Categories of Personal Information Collected (preceding 12 months): Identifiers (name, email, IP address); Internet or network activity (browsing history, interaction data); Geolocation data (approximate, derived from IP address); Sensitive personal information (health data, biometric data, emotional wellness data); Inferences drawn from the above categories to create a profile about preferences and characteristics.

To exercise any of these rights, contact us at legal@miangel.ai or through your account settings. We will verify your identity before processing any request. You may designate an authorized agent to submit a request on your behalf, provided the agent has your written permission and we can verify your identity.

18. Mandatory Reporting & Legal Disclosure

MiAngel is a wellness platform, not a licensed healthcare provider. However, you should be aware of the following regarding legal disclosure obligations:

Law Enforcement Requests: We may be compelled to disclose user data in response to valid legal process, including subpoenas, court orders, or search warrants. We will notify you of such requests unless legally prohibited from doing so (e.g., by a court order or federal law such as 18 U.S.C. Section 2705).

Imminent Harm: If we have a good-faith belief that there is an imminent threat of death or serious bodily injury to you or another person, we may disclose relevant information to law enforcement or emergency services without prior notice to you, consistent with 18 U.S.C. Section 2702(b)(8) and applicable state laws.

Child Safety: If we become aware or reasonably suspect that a user under 18 is in danger of abuse, neglect, or exploitation, we may report the situation to relevant authorities as required or permitted by applicable state mandatory reporting laws (e.g., Florida Statutes Section 39.201). MiAngel employees and AI systems are not designated mandatory reporters under most state laws; however, we reserve the right to report credible threats to the safety of minors.

Limitations of Confidentiality: While we protect your privacy rigorously, conversations with MiAngel's AI Companion are NOT protected by therapist-patient privilege, attorney-client privilege, or any other legal privilege. MiAngel is not a licensed healthcare provider, and AI-generated conversations do not create a therapeutic or medical relationship. Information disclosed during AI conversations may be subject to legal discovery or subpoena in civil or criminal proceedings.

Transparency Reports: MiAngel, Inc. will publish an annual transparency report disclosing the number and types of government and law enforcement requests for user data received, complied with, and challenged during the preceding calendar year. This report will be available at legal@miangel.ai upon request.

19. Data Breach Notification

In the event of a data breach involving your personal information, health data, or biometric data, MiAngel, Inc. commits to the following notification protocol:

Timing: We will notify affected users without unreasonable delay, and no later than seventy-two (72) hours after becoming aware of the breach, consistent with GDPR Article 33, Florida Statutes Section 501.171 (30-day maximum), California Civil Code Section 1798.82, and New York General Business Law Section 899-aa.

Content of Notification: Our breach notice will include: (a) a description of the nature of the breach; (b) the categories and approximate number of data records concerned; (c) the likely consequences of the breach; (d) the measures taken or proposed to address the breach and mitigate adverse effects; (e) contact information for our Data Protection Officer at legal@miangel.ai.

Regulatory Notification: Where required by law, we will notify the appropriate supervisory authority (GDPR), state attorney general, or other regulatory body within the timeframes mandated by applicable law.

Remediation: Depending on the nature and severity of the breach, we may offer affected users identity monitoring services, credit monitoring, or other appropriate remediation at no cost.

Backup Data Retention: Upon account deletion, personally identifiable data is purged from primary systems within 30 days. Encrypted backup copies may persist in disaster recovery archives for up to 90 days before permanent purging. Data that has been fully de-identified and incorporated into aggregate training datasets cannot be extracted and is no longer personal data under applicable law.

Incident Response: MiAngel, Inc. maintains a documented incident response plan that is tested and updated at least annually. Our plan includes procedures for containment, investigation, remediation, notification, and post-incident review.

Questions About Your Privacy? Our team is here to help. We believe in complete transparency and your right to understand exactly how your data is protected. legal@miangel.ai