App Privacy Policy

1. Data controller

2. What data we collect

The Flank app collects the following categories of personal data:

2.1 Account data

• Email address and hashed password (for authentication via Firebase Authentication).
• Display name or first name (optional, used to personalise coaching interactions).
• Phone number (optional, required for telephony check-in features via Twilio).
• Country of residence, nationality, and timezone (used to personalise the service and, where relevant, to route crisis support resources to your region — see section 6).
• Subscription plan and billing status.
• Account creation date, last login, and session history metadata.

2.2 Coaching session and conversation data

Flank's core functionality involves AI-powered coaching conversations. This data is the most sensitive we hold:

• Voice transcripts — text transcriptions of your spoken coaching sessions. Raw audio is processed in real time and is not stored by Flank. Only the text transcript is retained.
• Text conversations — written messages exchanged during text-mode coaching sessions.
• Telephony call records — metadata (call time, duration, session type) for telephony check-in calls. Call audio is processed and transcribed; raw audio is not retained by Flank.
• Session type and structure — morning check-in, evening reflection, task planning session, or general coaching.

2.3 Derived coaching data

Flank uses AI to extract structured meaning from your conversations and generate coaching artefacts:

• Journal entries — auto-generated summaries and reflective narratives derived from session content.
• Insights and patterns — recurring themes, behavioural observations, and progress signals extracted by AI.
• Belief graph — a structured model of your stated values, beliefs, goals, and priorities, built incrementally from your conversations.
• Memory system — contextual memories stored to personalise future coaching interactions and maintain continuity across sessions.
• Mood and energy data — self-reported mood and energy levels captured during check-ins.

2.4 Task and planning data

• Tasks, action items, and day focus goals you create or have generated by AI.
• Task completion status, ordering, and history.
• Quick Plan inputs and AI-generated task plans.

2.5 Technical and usage data

• Device type, operating system, app version, and browser.
• Feature usage events (session started, plan created, etc.) via PostHog.
• Error logs and performance diagnostics.
• Notification preferences and scheduled call settings (for telephony features).

2.6 Billing data

Subscription payments are processed by Stripe. Flank stores only your subscription status, plan tier (Think, Do, or Reflect), and billing period. We do not store full card numbers, CVV codes, or raw payment credentials — these are held exclusively by Stripe.

2.7 Automated safety analysis data

To improve coaching quality and user safety, Flank runs automated analysis on conversation content within the app's cloud infrastructure. This produces two categories of derived metadata stored against your session record:

• Rumination assessment signals — computed indicators derived from your messages within a session, including: topic recurrence flags (whether the same subject has been discussed repeatedly without progress), abstract language density scores (frequency of absolute or generalising language patterns), and distress trajectory classifications (whether emotional intensity is escalating or resolving across the session). These are computed statistical signals — metadata — not stored copies of your message content. They are used to help the AI coach respond more effectively in the moment.
• Crisis detection flags — if Flank's automated safety systems detect signals associated with serious distress or safety risk, a flag is recorded against the session metadata. See section 6 for full detail of what is and is not logged in these circumstances.

Neither rumination signals nor crisis flags are shared with third parties, used for advertising, or made visible to you within the product. Both are subject to your deletion rights in the same way as all other session data.

3. Legal basis for processing

• Contract — the majority of your data (account data, session data, coaching artefacts, tasks) is processed to deliver the Flank service you have subscribed to.
• Consent — for optional features such as scheduled telephony calls and product analytics. You can withdraw consent at any time in app settings.
• Legitimate interests — to improve coaching quality, run safety analysis, detect and prevent abuse, and ensure service reliability, where these interests are not overridden by your rights.
• Legal obligation — to comply with financial, regulatory, and legal obligations, including record-keeping requirements.

4. AI processing of your conversations

Flank's coaching functionality relies on large language models (LLMs) and AI services from third-party providers. Your conversation content is sent to these services for real-time processing (e.g. generating a coaching response, extracting an insight, or creating a task plan).

We use the following AI providers for conversation processing and real-time streaming responses:

• OpenAI (GPT models) — OpenAI Inc., USA. Data processed under a data processing agreement. OpenAI's API terms prohibit training on API data by default.
• Anthropic (Claude models) — Anthropic PBC, USA. Used for coaching conversation generation, task planning, and insight extraction. Data processed under a data processing agreement.
• Google Gemini AI — Google LLC / Google Cloud. Used for certain AI processing tasks. Data may be processed in the EU.
• xAI (Grok) — xAI Corp, USA. Used for specific conversation processing tasks. Data processed under applicable terms.
• ElevenLabs — ElevenLabs Inc., USA. Used for AI voice synthesis (text-to-speech) to deliver spoken coaching responses. Only text content (AI responses) is sent to ElevenLabs; your voice or transcripts are not sent to ElevenLabs.
• Twilio — Twilio Inc., USA. Used for telephony features (inbound and outbound coaching calls via phone). Twilio processes call routing and telephony data. Data processed under a data processing agreement.

What is shared: When processing a coaching conversation, the content of your current session (and relevant context from your memory system) is sent to the relevant AI provider. We endeavour to minimise the personal data included in AI requests. Where possible, conversations are sent without directly identifying information (such as your email address). However, you may choose to share personal details within your coaching conversations — this content will be processed by these providers.

What is not shared: Your full account credentials, payment data, raw voice audio, rumination assessment signals, and crisis flags are never sent to AI providers.

All AI providers operate under data processing agreements or applicable API terms that restrict use of API data for model training. International transfers to USA-based providers are protected by Standard Contractual Clauses.

5. Voice and telephony data

In-app voice sessions

When you use voice mode within the Flank app, your speech is captured by your device microphone and streamed for real-time transcription. The resulting text transcript is stored and forms part of your coaching session record. Raw audio is not stored by Flank after transcription is complete. The AI voice you hear in response is generated by ElevenLabs from the AI's text output — your voice is not cloned or stored by ElevenLabs.

Telephony check-ins (Do and Reflect plans)

On paid plans, Flank can initiate or receive coaching calls to your registered phone number via Twilio. Your phone number is stored to enable this feature and is shared with Twilio solely for call routing. Call audio is transcribed in real time to generate a session transcript; raw call audio is not retained by Flank. Twilio may retain call metadata (duration, call direction, timestamps) in accordance with its own privacy policy. You can disable telephony features and delete your phone number at any time in app settings.

6. Automated safety analysis

Flank uses two automated analysis systems that run on your conversation content within our own cloud infrastructure (Google Firebase, europe-west2). Neither system sends your content to third parties.

6.1 Rumination detection

Flank runs a rule-based analysis on your messages within a session to detect patterns associated with unproductive circular thinking — known clinically as rumination. This analysis examines:

• Topic recurrence — whether the same subject keeps being raised across turns without progress.
• Abstract language density — frequency of absolute or globalising language patterns (e.g. “always”, “never”, “everything”) relative to concrete, specific language.
• Distress trajectory — whether emotional intensity signals are escalating, stable, or resolving across the session.

The output of this analysis is a computed assessment object (statistical signals and classifications) — not a copy of your message content. When the signals indicate elevated risk, this assessment is included in the context provided to the AI coach to help it respond more effectively. The assessment may optionally be stored as session metadata to support future coaching continuity.

This analysis is not a clinical assessment. It does not diagnose depression, anxiety, or any medical condition. It detects conversation patterns and is invisible to you — it manifests only through the quality of the coaching response.

6.2 Crisis detection and referral

Flank's coaching conversations may, in rare circumstances, surface moments of serious distress. Flank operates an automated safety system that detects signals associated with potential crisis — including expressions of suicidal ideation, active self-harm, harm to others, acute medical emergency, severe hopelessness, or disclosures of domestic or sexual violence. When such signals are detected, Flank stops coaching and instead provides verified crisis support resources appropriate to your region.

Detection operates at two levels: within the AI model's instructions (which are trained to recognise and respond to crisis language), and as a runtime phrase-matching layer within our cloud infrastructure that acts as a safety net.

Your country of residence (or, where not set, timezone or phone number country code) is used to determine which localised crisis resources to display. This geographic routing happens within Flank's infrastructure and is not shared with crisis services.

What we log when crisis detection triggers

What we do not do with crisis data

• We do not extract crisis content into the belief graph. If you disclose something serious during a session, it does not become a stored belief or pattern.
• We do not include crisis session content in auto-generated journal entries or daily synthesis.
• We do not use crisis flags for analytics, advertising, or product marketing decisions.
• We do not send crisis event data to any third party (including analytics providers).
• We do not create a visible “crisis history” within the product — the flag exists for safety infrastructure only.
• We do not store a “crisis history” flag on your user profile. Flags are stored only within the specific session record in which they occurred.

Crisis resource accuracy

Where Flank displays crisis support resources (helpline numbers, text services, and website links), these are drawn from a curated database verified against official sources (government health departments and established NGOs) on a quarterly basis. Despite our best efforts, contact details can change. We cannot guarantee that all displayed resources are current at the moment you see them. In any emergency, always contact your local emergency services directly (999 in the UK, 911 in the US, 112 in the EU).

7. Data processors and sub-processors

SCCs = Standard Contractual Clauses, the recognised mechanism for lawful international data transfer under UK GDPR.

8. Data sharing

We do not sell your personal data. We do not share your coaching data with advertisers, data brokers, or any third party for marketing purposes. Your data is shared only with the processors listed above, and only to the extent necessary to deliver the service.

We may disclose data where required by law, to protect the rights and safety of Flank, its users, or the public, or in connection with a business transfer (such as a merger or acquisition), in which case users will be notified in advance.

9. Data retention

10. Data security

We take the security of your coaching data seriously. Our security measures include:

• All data in transit is encrypted using TLS/HTTPS.
• Data at rest is encrypted within Google Firebase / Google Cloud infrastructure.
• Firebase Security Rules restrict access to user data — each user can only access their own data.
• Authentication uses Firebase Authentication with hashed, salted passwords. We never store plain-text credentials.
• Access to production data by Fueld AI Ltd employees is strictly limited and audited.
• API keys and secrets are stored in environment variables and secret managers, not in code.

While we employ industry-standard security practices, no system is entirely immune to breach. In the event of a data breach that poses a risk to your rights, we will notify you and the ICO within 72 hours as required under UK GDPR.

11. International data transfers

Your primary account and session data is stored on Google Firebase servers located in the EU (europe-west2, London). However, certain AI processing providers (OpenAI, Anthropic, Twilio, ElevenLabs, Stripe, xAI) are based in the United States. Data transfers to these providers are governed by Standard Contractual Clauses (SCCs) or equivalent UK-approved transfer mechanisms, ensuring your data receives equivalent protection to that required under UK GDPR.

Automated safety analysis (rumination detection and crisis detection) runs within our Firebase Cloud Functions in europe-west2. This data does not leave EU infrastructure.

12. Your rights under UK GDPR

As a Flank user, you have the following rights:

• Right of access — request a copy of all personal data we hold about you (a “Subject Access Request”).
• Right to rectification — correct inaccurate or incomplete personal data.
• Right to erasure — request deletion of your account and associated personal data, including crisis detection flags and rumination assessment signals. You can initiate this from within the app or by contacting us directly.
• Right to restrict processing — request that we limit how we process your data in certain circumstances.
• Right to data portability — receive your data in a structured, commonly used, machine-readable format.
• Right to object — object to processing based on legitimate interests, including the automated safety analysis described in section 6.
• Right to withdraw consent — where processing is based on consent (e.g. scheduled telephony, analytics), you can withdraw consent at any time in app settings.
• Rights regarding automated decisions — Flank does not make legally significant automated decisions about you. The automated safety analysis described in section 6 influences the AI coach's responses within a session but does not produce decisions with legal or similarly significant effects.

To exercise your rights, email data_protection@flank.life. We will respond within one calendar month. You also have the right to complain to the ICO at ico.org.uk.

13. Important notice — not medical advice

Flank is a personal coaching and productivity tool. It is not a medical device and does not provide medical, psychological, therapeutic, legal, or financial advice. The coaching content generated by Flank is for personal reflection and productivity purposes only.

Flank's crisis detection feature is a signposting tool, not a clinical triage, screening, or assessment system. It connects users to existing crisis services — it does not provide crisis intervention, diagnose any condition, or constitute any clinical decision support. Flank is not a licensed healthcare provider and is not a substitute for professional medical or mental health support.

If you are experiencing a mental health crisis or require professional support, please contact a qualified professional or emergency services immediately. In the UK: call 999 or the Samaritans on 116 123.

14. Children's privacy

Flank is intended for users aged 16 and over. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has created an account, we will delete that account and its associated data promptly. If you believe your child has provided us with personal data, please contact data_protection@flank.life.

15. Changes to this policy

We may update this App Privacy Policy as our service evolves — particularly as legal reviews of our safety analysis features are completed. The “Last updated” date at the top of this page reflects any changes. For material changes, we will notify you via email or an in-app notification before the changes take effect. Continued use of the app after the effective date constitutes acceptance of the updated policy.

16. Contact us