Privacy Policy

Effective Date: February 15, 2026

1. Introduction

Me² (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy describes what information we collect, how it is protected, and your rights regarding your data.

Me² is a self-reflection platform where users share deeply personal thoughts and experiences. We take the protection of this data seriously and employ multiple layers of security including encryption in transit, encryption at rest, row-level security policies, and strict access controls.

2. Information We Collect

2.1 Information You Provide

  • Account information: Email address, display name, and password hash (we never store your plaintext password). You may also authenticate via Google OAuth or Apple OAuth, in which case we receive your email address and display name from the authentication provider.
  • Onboarding information: During account setup, we collect your name, age, location, and country. Your timezone is automatically determined based on your device or location.
  • Conversation content: Messages you send to and receive from your AI companion, stored in our database.
  • Psychological profile data: As you use the Service, we derive psychological insights from your conversations. This includes personality dimensions (Big Five traits: openness, conscientiousness, extraversion, agreeableness, neuroticism), Enneagram type and wing, attachment style, cognitive profile (decision-making framework, problem-solving style, cognitive biases), identity profile (core values, sacred values, role identities), shadow profile (contradictions, projection patterns), narrative profile (life story themes, chapters), temporal self-perception (relationship to past, present, and future self), relational patterns, and communication style metrics (formality, directness, warmth, distinctive phrases).
  • Knowledge entities: People, relationships, locations, events, routines, preferences, goals, health conditions, hobbies, projects, and other entities mentioned in your conversations are extracted and stored in a knowledge graph to provide personalized responses.

2.2 Information Collected Automatically

  • Usage metadata: Timestamps of conversations, message counts, session duration, feature usage (e.g., which dashboards you view), and subscription status.
  • Analytics data: We use PostHog for product analytics. Events tracked include: app lifecycle events (app opened, backgrounded), authentication events (sign up, sign in, sign out, and method used), onboarding progress, messaging activity (messages sent and received, word counts, response times), chat management actions (chats created, opened, archived, deleted), subscription events (upgrade prompts shown, subscriptions started or canceled), feature usage (profile viewed, patterns viewed, progress viewed, data exported), search activity (query lengths and result counts), and errors. You are identified in our analytics by your user ID, email address, subscription tier, and aggregate message counts.
  • Usage logs: For each AI interaction, we log the processing component used (e.g., real-time analysis, pattern analysis, deep profiling, response generation), the AI model, input and output token counts, and cost. These logs are used for billing, service optimization, and abuse prevention.
  • Device information: Device type, operating system, app version, and device identifiers for crash reporting and compatibility.
  • Performance data: API response times, error rates, and system health metrics. These contain no personal content.

2.3 Information We Do NOT Collect

We do not collect: contacts or address book data, photos or media files, biometric data, financial information (payment processing is handled entirely by Stripe), or any data from other apps on your device. While we collect your general location and country during onboarding, we do not track your precise GPS location.

3. How Your Data Is Protected

3.1 Encryption in Transit

All data transmitted between your device and our servers is protected using TLS (Transport Layer Security). This ensures your data cannot be intercepted during transmission.

3.2 Encryption at Rest

Your data is stored in a PostgreSQL database hosted by Supabase with database-level encryption at rest. This protects your data if physical storage media were compromised.

3.3 Row-Level Security

Our database enforces row-level security (RLS) policies, ensuring that API requests can only access data belonging to the authenticated user. This provides an additional layer of data isolation between users.

3.4 Access Controls

We implement strict access controls on our production infrastructure. Access to production databases and systems is limited and logged.

3.5 Third-Party AI Processing

Our AI engine is powered by Anthropic's Claude API. Under our agreement with Anthropic and their published data policies:

  • your data is not stored by Anthropic after processing;
  • your data is not used to train or improve their AI models;
  • data is transmitted over encrypted connections (TLS); and
  • Anthropic operates under a zero-data-retention policy for API usage.

We will notify you if we change AI providers, and the new provider must meet equivalent or stronger data protection standards.

4. How We Use Your Information

Conversation content and profile data: Used exclusively to power your AI companion experience. Your messages are processed through our multi-layer analysis system to extract sentiment, communication patterns, and psychological insights. Your accumulated profile data is used to personalize AI responses and provide you with self-reflection insights.

Unencrypted metadata: Used for:

  • billing and subscription management;
  • rate limiting and abuse prevention;
  • aggregate analytics and product improvement (e.g., total active users, average session length, feature adoption);
  • service reliability monitoring; and
  • communicating with you about your account.

We do NOT use your data to:

  • serve advertisements;
  • sell to third parties;
  • build profiles for marketing purposes; or
  • train AI models.

5. Data Sharing

We share your information only in the following limited circumstances:

  • AI processing (Anthropic): Conversation data is transmitted to Anthropic's Claude API for response generation and analysis, subject to their zero-data-retention policy.
  • Payment processing (Stripe): Subscription billing information is processed by Stripe. We do not store your credit card details. Stripe may retain payment records as required for legal and tax purposes.
  • Analytics (PostHog): Usage events and user identifiers (as described in Section 2.2) are transmitted to PostHog for product analytics and service improvement.
  • Infrastructure (Supabase): Your data is stored in and processed by Supabase, our database and authentication provider.
  • Authentication providers (Google, Apple): If you sign in via OAuth, these providers share your email address and display name with us during authentication. We do not share your conversation or profile data with these providers.
  • Legal compliance: We may disclose information if required by law, court order, or governmental regulation.
  • Safety exceptions: If our automated systems detect an imminent risk of self-harm or harm to others, we may take reasonable steps as described in our Terms of Service, Section 10.

We do not sell, rent, or share your personal information with third parties for their marketing purposes.

6. Data Retention

  • Active accounts: Your data is retained for as long as your account is active.
  • Canceled subscriptions: Your data remains stored after subscription cancellation. If you resubscribe, your data will be available to you.
  • Deleted accounts: Upon requesting account deletion, a 30-day grace period begins during which you may sign back in to cancel the deletion and restore your account. After the grace period, all personal data -- including conversations, psychological profiles, knowledge entities, metadata, and account information -- is permanently deleted.
  • Anonymized analytics: Aggregate, anonymized data that cannot be linked to any individual may be retained indefinitely for service improvement.
  • Legal holds: If we are subject to a legal obligation to preserve data, we will retain the data as required by law.
  • Third-party retention: Stripe may retain payment records independently as required for legal and tax compliance. PostHog may retain anonymized event data.

7. Your Rights

Under applicable Canadian privacy law (PIPEDA) and where applicable, you have the right to:

  • Access: Request a copy of the personal information we hold about you.
  • Export: Download your data through your account settings. Exports are provided as a ZIP archive containing: profile data (profile.json), conversation history (conversations.txt and conversations.csv), extracted entities and relationships (knowledge.json), and conversation topics (topics.json).
  • Correction: Request correction of inaccurate personal information.
  • Deletion: Delete your account and all associated data at any time, subject to the 30-day grace period described in Section 6.
  • Withdraw consent: Withdraw your consent to data processing, which may require account deletion as processing is necessary for the Service to function.

To exercise these rights, contact us at privacy@me-squared.io or use the controls in your account settings.

8. Canadian Privacy Compliance (PIPEDA)

We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.

  • We collect personal information only with your knowledge and consent.
  • We use your information only for the purposes identified in this Policy.
  • We protect your information using appropriate security measures including encryption in transit, encryption at rest, row-level security policies, and access controls.
  • We retain your information only as long as necessary.
  • We provide you with access to your personal information upon request.

9. CASL Compliance

We comply with Canada's Anti-Spam Legislation (CASL).

  • We will only send you commercial electronic messages (e.g., promotional emails) with your express consent.
  • You may withdraw consent at any time by clicking “Unsubscribe” in any email or adjusting your notification settings.
  • Transactional messages (account confirmations, security alerts, billing receipts) do not require consent under CASL.

10. Children's Privacy

Me² is not intended for use by anyone under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected information from a person under 18, we will delete the account and all associated data promptly.

11. International Data Transfers

Your data is stored on cloud infrastructure provided by Supabase. AI processing occurs on Anthropic's servers, which may be located in the United States. Analytics data is processed by PostHog, which may also be located outside of Canada. All data transfers are protected by TLS encryption in transit, and your stored data is encrypted at the database level.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or in-app notification at least 30 days before the changes take effect. The “Effective Date” at the top of this document indicates the most recent revision.

13. Contact Us

For privacy inquiries, concerns, or to exercise your data rights:

Email: privacy@me-squared.io
Address: 77 Chant Cres, Markham, Ontario, Canada

If you are not satisfied with our response to a privacy concern, you may file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.