Last updated: April 2026
ICO Registration Number: [TODO: Add once registered]
Continued Bonds is a creative writing and reflection app for adults processing bereavement. It is operated by [DATA CONTROLLER NAME], [DATA CONTROLLER ADDRESS] (“we”, “us”, “our”).
For any privacy questions or to exercise your rights, email: privacy@continuedbonds.app
We only collect what we need to provide the service.
Your email address and a hashed password when you register. We need this to create and protect your account. Basis: contract (Article 6(1)(b) UK GDPR).
Your answers to the grief and wellbeing questionnaire. This includes a risk assessment that helps us identify whether you might benefit from professional support before using the app. This data is health-related and is classed as special category data under UK GDPR. We process it only with your explicit consent, given separately at registration. Basis: explicit consent (Article 9(2)(a) UK GDPR).
Information about your bereavement that you choose to share — for example, your relationship to the person who died and how long ago your loss happened. This shapes the writing prompts we offer you. Nothing here is required; share only what feels right. Basis: contract / explicit consent.
The writing you submit in sessions, including the prompt text and your response. This is stored securely and linked only to your account. Basis: contract.
When you submit a writing session, the text you wrote is sent to Google's Gemini AI for emotional analysis and artwork generation. Only your writing is sent — your name, email address, assessment responses, and all other account data stay within our database and are never shared with Google. If you follow the app's guidance and avoid including names or identifying details in your writing, no personally identifiable information leaves the app.
The analysis — emotion scores, dominant emotions, a brief profile — is stored alongside your entry to create your memorial artwork and show you a reflection of what came through in your writing. This analysis involves health-adjacent data and is treated as special category data. Basis: explicit consent (Article 9(2)(a) UK GDPR).
Memorial artwork created by AI from the themes and emotions in your writing. Images are stored in your private gallery and are not accessible to anyone else. Basis: contract.
Your ratings and notes when reflecting on the generated artwork. Basis: contract.
Word count, recorded automatically. We use this for operational analytics only — for example, to understand whether the app is being used as intended. You are not individually profiled based on this data. Basis: legitimate interests (Article 6(1)(f) UK GDPR).
Your assessment responses are used to calculate a wellbeing score, which automatically routes you to one of three paths: direct app access, a gentle suggestion to consider professional support, or a stronger recommendation to speak to someone before continuing.
This is automated processing that uses your responses to make an assessment of your emotional and psychological state. You always retain the choice to continue to the app — this routing does not lock you out, but it is a meaningful use of your data and we want to be transparent about it.
The emotional analysis of your writing also uses AI to score and classify the emotions in your text. This is profiling under UK data protection law. It is performed for your benefit — to create personalised artwork — and not to make decisions that have legal or significant effects on you beyond the app itself.
You have the right to request human review of any automated assessment output and to object to this processing. Contact us at privacy@continuedbonds.app to do so.
We use the following services to operate Continued Bonds. Where data is transferred outside the UK, we explain the legal basis for that transfer.
Supabase stores your account data, journal entries, and all app data in a secure PostgreSQL database hosted on AWS infrastructure within the European Economic Area (EU-West-1, Ireland). No transfer outside the EEA occurs for Supabase-held data. A data processing agreement is in place with Supabase Inc.
When you submit a writing session, the text you wrote is sent to Google LLC (USA) for emotional analysis and artwork generation. This is the only data we share with Google. Your name, email address, assessment responses, loss profile, and all other account data are never included. The writing is sent without any label or identifier that links it to you as a named individual.
The app encourages you not to include real names or identifying details in your writing. If you follow that guidance, the text sent to Google contains no personally identifiable information.
This transfer is covered by the UK International Data Transfer Agreement (IDTA) incorporated into Google's API data processing terms, which provide appropriate safeguards under Article 46 UK GDPR. See Google's Privacy Policy for more detail on how Google handles data received via its APIs.
Vercel hosts the application. Vercel Inc. is a US company. Request metadata (IP addresses, browser type, request paths) may be processed by Vercel's infrastructure for operational and security purposes. Vercel provides a UK IDTA-compliant data processing addendum.
We use a single session cookie to keep you signed in. This is strictly necessary for the app to work and does not track you across other websites. Under UK PECR, strictly necessary cookies do not require your consent.
We use your browser's local storage to remember your cookie consent preference and to temporarily save writing drafts (so you don't lose work if your session times out). Drafts are automatically cleared after 24 hours.
We do not use advertising cookies, analytics cookies, or any third-party tracking.
Your data is kept for as long as your account is active. When you delete your account, all your personal data — account information, assessments, loss profile, journal entries, emotional analyses, artwork, and reflections — is permanently deleted from our database immediately. Artwork stored in our file storage is deleted at the same time.
After deletion, your data may remain in encrypted database backups for up to 30 days before those backups cycle out. Your data cannot be accessed from backups except to restore the database in the event of a critical failure.
Infrastructure logs held by Vercel (IP addresses, request metadata) are subject to Vercel's own retention policy. These logs are not linked to your identity in our systems.
If you cannot access your account to delete it, email privacy@continuedbonds.app and we will process your request within 30 days.
Under UK GDPR and the Data Protection Act 2018, you have the following rights:
To exercise any of these rights, email: privacy@continuedbonds.app
Continued Bonds is for adults aged 18 and over. By creating an account, you confirm that you are at least 18 years old. We do not knowingly collect data from anyone under 18. If you believe a child has registered, please contact us and we will delete the account promptly.
All data is encrypted in transit (HTTPS/TLS) and at rest. Access to your data is protected by row-level security — only you can read your own entries and responses, enforced at the database level. Artwork is stored in a private file bucket and accessed only via short-lived signed links.
We are an early-stage product and cannot guarantee perfect security, but we take these measures seriously and will notify you and the ICO without undue delay if a data breach occurs that is likely to affect your rights.
If we make significant changes to this policy — for example, adding a new data processor or changing our lawful basis for any processing — we will notify you by email before the changes take effect.
Data controller: [DATA CONTROLLER NAME], [DATA CONTROLLER ADDRESS]
Privacy questions and rights requests: privacy@continuedbonds.app
ICO registration number: [TODO: Add once registered at ico.org.uk/registration]