← Close

Privacy Policy

Effective Date: January 1, 2026 | Last Updated: February 2026 | Version: 3.0

OUR COMMITMENT TO PRIVACY: MPHaven is committed to protecting your privacy and being transparent about our data practices. This policy explains what information we collect, how we use it, and your rights. We do not sell your personal information.

Quick Navigation:

What We Collect
How We Use Data
Payment Processing
Third-Party Services
Data Security
Data Retention
Your Rights
Children's Privacy
International Users
Cookies

1. Information We Collect

1.1 Information You Provide Directly

Account Information: Name, email address, and password (securely hashed using bcrypt or similar)
Profile Information: Optional information you add to your profile (display name, timezone preferences)
User Content: Notes, journal entries, reflections, mood tracking data, or other content you create within the app
Communications: Information you provide when contacting support, including email correspondence and attached files
Feedback and Surveys: Responses to optional surveys or feedback forms

1.2 Information Collected Automatically

Local Storage Data: Disclaimer acknowledgment, timestamp, version number, and user agent string stored in your browser's local storage
Usage Data: Features accessed, time spent in app, page views, click patterns (anonymized and aggregated)
Device Information: Device type, operating system version, browser type and version, screen resolution
Log Data: IP address (may be truncated or hashed), access times, error logs, performance data
Session Data: Login/logout times, session duration

1.3 Information from Third Parties

Authentication Providers (Google OAuth): If you sign in with Google, we receive your name and email address from Google. We do not receive your Google password.
Payment Processors (Stripe, PayPal): Transaction details, subscription status, payment method type (e.g., "Visa ending in 1234"). We do NOT receive or store full credit card numbers, CVV codes, or full banking information.

1.4 Sensitive Health Information

⚠️ IMPORTANT: While MPHaven is a mental health and wellness app, we treat certain information as sensitive health information, including:

Your journal entries and notes about mental health
Mood tracking data
Crisis check responses
Any other content that reveals information about your mental health status

We limit use of this information to providing the app services. We do not share this information with third parties except as necessary to operate the app (e.g., encrypted storage on Supabase servers).

2. How We Use Information

We use your information for the following purposes:

2.1 To Provide and Improve the App

Create and manage your account
Authenticate your identity and maintain session security
Store and retrieve your User Content
Remember your disclaimer acknowledgment (required for legal compliance)
Provide customer support and respond to your inquiries
Analyze usage patterns to improve features and user experience (using anonymized data)
Develop new features and services

2.2 To Process Payments and Subscriptions

Process subscription payments through third-party processors
Manage subscription renewals and cancellations
Send payment confirmations and receipts
Handle billing disputes and refund requests

2.3 To Communicate with You

Send essential service communications (account verification, password resets, payment confirmations)
Provide technical notices and security alerts
Respond to your support requests
Send updates about Terms or Privacy Policy changes (when legally required)
Optional: Send product updates, tips, or educational content (you may opt out)

2.4 For Security and Legal Compliance

Prevent fraud, abuse, and unauthorized access
Detect and respond to security incidents
Enforce our Terms of Service
Comply with legal obligations (e.g., valid subpoenas, court orders)
Protect the rights, property, and safety of MPHaven, our users, and the public

2.5 We Do NOT Use Your Data For

✅ Selling to third parties — We never sell your personal information
✅ Advertising — We do not use your data for targeted advertising
✅ Training AI models — Your User Content is not used to train AI systems
✅ Sharing with data brokers — We do not share data with data brokers

3. Payment Processing

IMPORTANT: MPHaven does not store, process, or have access to your full payment credentials. All payments are handled by PCI-DSS compliant third-party payment processors:

Processor	Information They Collect	Privacy Policy
Stripe	Payment card details, billing address, IP address, device information	stripe.com/privacy
PayPal	Payment account details, billing address, IP address, transaction history	paypal.com/privacy

What MPHaven Receives: We receive limited information from payment processors, including:

Transaction confirmation (success/failure)
Subscription status (active, cancelled, expired)
Payment method type (e.g., "Visa ending in 1234")
Billing email address

We do NOT receive full card numbers, CVV codes, banking credentials, or other sensitive payment information.

By making a payment, you agree to the terms of service and privacy policies of these processors. We encourage you to review their policies.

4. Third-Party Services

We use the following third-party services to operate the app:

Service	Purpose	Data Shared	Privacy Policy
Supabase	Authentication, database, backend infrastructure	Email, name, hashed password, User Content, usage metadata	supabase.com/privacy
Google OAuth	Sign-in authentication (optional)	Name, email (only if you choose Google sign-in)	Google Privacy Policy
Stripe	Payment processing	Payment details, billing info, email	stripe.com/privacy
PayPal	Payment processing (alternative)	Payment details, billing info, email	paypal.com/privacy

Our Responsibility: We select third-party service providers that maintain strong security and privacy standards. However, we are not responsible for the privacy practices of these third parties. Your use of their services is subject to their respective terms and privacy policies.

5. Data Storage and Security

5.1 Where Your Data Is Stored

Local Storage (Your Device): Disclaimer acknowledgment, user preferences, session tokens. You can clear this anytime via browser settings.
Supabase Servers (United States): Account information, User Content, usage metadata. Servers are located in AWS data centers in the U.S.
Payment Processor Servers: Stripe and PayPal store payment information on their own PCI-DSS compliant servers.

5.2 How We Protect Your Data

Encryption in Transit: All data transmitted between your device and our servers uses TLS 1.2+ encryption
Encryption at Rest: Sensitive data is encrypted in the database using AES-256 encryption
Password Security: Passwords are hashed using bcrypt with salt before storage. We never store plain-text passwords.
Access Controls: Strict role-based access controls limit who can access data. Only authorized personnel have access.
Regular Security Audits: We conduct regular security reviews and vulnerability assessments
Monitoring: We monitor for suspicious activity and unauthorized access attempts

5.3 Security Limitations

⚠️ IMPORTANT: No method of transmission over the Internet or electronic storage is 100% secure. While we implement industry-standard security measures, we cannot guarantee absolute security. You use the app at your own risk.

Your Responsibility: You are responsible for maintaining the security of your account credentials. Do not share your password with others. Use a strong, unique password.

6. Data Retention

We retain your information for as long as necessary to provide the app and comply with legal obligations:

Data Type	Retention Period	Reason
Account Information	While account is active + 30 days after deletion	Provide service; allow account recovery; comply with legal obligations
User Content	Until you delete it or delete your account + 30 days	Provide service; backup recovery
Payment Records	7 years (or as required by payment processor)	Tax compliance; fraud prevention; dispute resolution
Support Communications	3 years after last contact	Customer service; legal compliance
Usage Data (Anonymized)	2 years	Analytics; product improvement
Local Storage	Until you clear browser data	Store preferences; disclaimer acknowledgment
Backup Copies	30 days after deletion	Disaster recovery; data integrity

Deleting Your Data: You may request deletion of your data at any time by contacting privacy@mphaven.com or deleting your account through account settings. We will delete your data within 30 days, except where we are required to retain it for legal compliance (e.g., payment records for tax purposes).

7. Your Privacy Rights

7.1 California Privacy Rights (CCPA/CPRA 2026)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Right	What You Can Do
Right to Know	Request information about the categories and specific pieces of personal information we have collected, used, disclosed, or sold about you in the past 12 months
Right to Delete	Request deletion of personal information we have collected, subject to certain exceptions (e.g., completing transactions, complying with legal obligations)
Right to Correct	Request correction of inaccurate personal information we maintain about you
Right to Opt-Out of Sale/Sharing	Opt out of the sale or sharing of personal information. We do not sell or share your data, so no action is needed.
Right to Limit Use of Sensitive Information	Limit use of sensitive personal information. We only use sensitive information (health data, precise location) as necessary to provide the app.
Right to Non-Discrimination	We will not discriminate against you for exercising these rights (e.g., denying service, charging different prices)

7.2 Other State Privacy Rights

Residents of the following states have similar rights under their respective state privacy laws:

Virginia (VCDPA): Right to access, correct, delete, and opt out of targeted advertising and sale
Colorado (CPA): Right to access, correct, delete, and opt out of targeted advertising and sale
Connecticut (CTDPA): Right to access, correct, delete, and opt out of targeted advertising and sale
Utah (UCPA): Right to access, delete, and opt out of targeted advertising and sale
Other states: As additional state privacy laws are enacted, we will comply with applicable requirements

7.3 How to Exercise Your Rights

To exercise any of the above rights, please contact us at: privacy@mphaven.com

What to Include in Your Request:

Your full name
Email address associated with your account
Description of the right you wish to exercise
Specific information you're requesting (if applicable)

Verification Process: To protect your privacy, we will verify your identity before processing your request. We may ask for:

Email confirmation from your registered account
Additional identifying information to match our records
Government-issued ID (for sensitive requests like account deletion)

Response Time: We will respond to verified requests within 45 days. If we need additional time, we will notify you and may extend by another 45 days.

Authorized Agents: You may designate an authorized agent to make requests on your behalf. The agent must provide proof of authorization.

7.4 General Data Rights (All Users)

Regardless of your location, you can:

Access Your Data: View and download your User Content through the app
Update Your Information: Edit your profile and account settings
Delete Your Account: Delete your account through account settings or by contacting support
Opt Out of Marketing: Unsubscribe from promotional emails using the link in each email
Manage Cookies: Control cookies through your browser settings

8. Children's Privacy

⚠️ AGE RESTRICTION: MPHaven is not intended for users under 18 years of age. We do not knowingly collect personal information from anyone under 18.

If you are a parent or guardian and believe your child under 18 has provided us with personal information, please contact us immediately at privacy@mphaven.com. We will take steps to delete the information within 30 days.

If we become aware that we have collected personal information from a child under 18 without verification of parental consent, we will delete that information as quickly as possible.

9. International Users

U.S.-Based Service: MPHaven is based in the United States and is intended primarily for users in the United States. Our servers are located in the U.S., and your data is stored and processed in the U.S.

International Data Transfers: If you access the app from outside the U.S., please be aware that your information will be transferred to, stored, and processed in the U.S., where data protection laws may differ from those in your country.

European Union Users: If you are in the EU or EEA, you may have additional rights under the General Data Protection Regulation (GDPR), including:

Right to data portability (receive your data in a machine-readable format)
Right to object to processing
Right to withdraw consent
Right to lodge a complaint with your local data protection authority

By using the app, you consent to the transfer of your information to the U.S. and processing as described in this Privacy Policy.

10. Cookies and Tracking Technologies

10.1 What We Use

Local Storage (Essential): We use browser local storage to remember your disclaimer acknowledgment and session preferences. This is essential for app functionality and cannot be disabled without breaking the app.
Session Tokens: Stored in local storage or cookies to keep you logged in. These expire after your session ends or when you log out.

10.2 Third-Party Cookies

Our third-party service providers may use cookies:

Stripe/PayPal: Use cookies necessary for secure payment processing and fraud detection. We do not control these cookies.
Google OAuth: May use cookies if you sign in with Google. Managed by Google.

10.3 Analytics

Current Status: We do not currently use third-party analytics tools (e.g., Google Analytics). If we add analytics in the future, we will update this policy and provide opt-out options.

10.4 Do Not Track

Our app does not currently respond to "Do Not Track" (DNT) browser signals. We may add DNT support in the future.

10.5 Managing Cookies

You can manage cookies through your browser settings:

Chrome: Settings → Privacy and Security → Cookies
Safari: Preferences → Privacy
Firefox: Settings → Privacy & Security

Note: Disabling essential cookies/local storage will prevent the app from functioning properly.

11. Automated Decision-Making

We Do Not Use Automated Decision-Making: MPHaven does not use automated decision-making systems (including AI or algorithms) that have legal or similarly significant effects on you. Any features involving algorithms (e.g., content recommendations) are purely suggestive and do not make decisions affecting your rights.

12. Data Breach Notification

In the event of a data breach that compromises your personal information, we will:

Notify you within 72 hours of becoming aware of the breach (as required by applicable law)
Describe the nature of the breach and what information was affected
Explain steps we are taking to address the breach
Provide recommendations on how you can protect yourself

Notifications will be sent via email to the address on your account and/or through in-app notification.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other reasons.

How We Notify You:

Material changes: Email notification + in-app notice
Minor changes: Updated "Last Updated" date + notice on the app

When Changes Take Effect: Changes become effective 30 days after notification. Your continued use after the effective date constitutes acceptance.

Disagreeing with Changes: If you do not agree to the changes, you must stop using the app and may delete your account before the changes take effect.

We encourage you to review this Privacy Policy periodically.

14. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Privacy Officer: privacy@mphaven.com
Data Protection Inquiries: dpo@mphaven.com
California Privacy Requests: privacy@mphaven.com
EU Data Subject Requests: gdpr@mphaven.com
General Support: support@mphaven.com
Legal Notices: legal@mphaven.com

Response Time: We will respond to privacy inquiries within 7 business days, and requests exercising privacy rights within 45 days.