How Breviya handles your data

Breviya is operated by Nimavera Inc., a Delaware corporation (“Nimavera”, “we”, “us”). For data-protection enquiries, contact privacy@breviya.com or support@breviya.com. A postal address for service of notice is available on request and will be published here once our Delaware registered-agent address is finalised.

If you are in the European Economic Area, the United Kingdom, or Switzerland, Nimavera Inc. acts as the data controller for the personal data you provide to Breviya. If you are a California resident, Nimavera Inc. acts as the business that determines the purposes and means of processing your personal information under the California Consumer Privacy Act.

This Privacy Policy explains how Breviya handles information when you use the Breviya website, web application, account system, guided session player, breathwork tools, journaling and voice features, mood and stress check-ins, the AI Companion, the AI-distilled persona, habit tracking, reach-out support flows, notifications, team and referral features, the care-team report, admin tools, backups, and related APIs. It applies to information processed through the product experience itself, including account creation, consent, onboarding, subscriptions, content generation, and continuity tools such as exports or imports.

Breviya is designed as a premium wellbeing, reflection, and personal-growth platform, not an ad-supported tracking business. The app uses data primarily to operate your account, personalize sessions, programs, recommendations, and the Companion, preserve progress, support subscriptions, secure the service, and give you continuity across devices or restores. Some of the information you choose to provide — for example mood, stress, and reflections about how you are doing — can be sensitive; how that is handled is described throughout this policy and in the sensitive-data section.

• Account and identity data. Email address, hashed password, display name, timezone, email verification records, password reset records, session tokens, and role or tier information needed to keep your account working.
• Onboarding and preference data. Goal focus, experience level, preferred session length, sound and voice preferences, meditation frequency, baseline mood or stress values, theme choices, and similar settings that shape your defaults.
• Practice and progress data. Meditation history, completed session metadata, saved or generated sessions, favorites, recently played history, streaks, total minutes, program enrollment and progress, Silva-style method progress, achievements, and dashboard curation signals.
• Journal and reflection data. Reflection prompts, encrypted journal content, gratitude items, mood or stress ratings, daily reflections, and other reflective entries that you choose to store in the app.
• Mood, stress, and wellbeing-state data. Mood, stress, and energy check-ins, baseline and before/after ratings, belief check-ins, and similar self-reported wellbeing signals. Some of this may be sensitive — see the sensitive-data section.
• Identity and goal data. The identity you want to grow into, your current self-description, blockers, readiness, trigger windows, commitments, micro-actions, and an optional “future-self” voice memo — used to personalise your journey.
• Habit data. Habits you create and your daily logs, including outcomes, difficulty, mood at log time, and reminder settings.
• Voice recordings and transcripts. When you use voice journaling or memos, the audio you record is uploaded to Breviya storage, and — unless you turn transcription off — sent to a third-party speech-to-text provider to produce a text transcript, which is stored like any other entry.
• Companion and conversation data. Messages you exchange with the AI Companion, and the metadata of those conversations, used to provide and improve the in-app support flow.
• Reach-out and safety-signal data. When you use a “reach out” or support flow, Breviya records the detected mood, what it offered, and whether it helped. To respond safely, Companion and reach-out messages are screened for self-harm or crisis language; if detected, a safety flag is stored and crisis resources are shown to you. See the AI, audio, and profiling section and the medical and crisis disclaimer in the Terms.
• AI-derived persona. An evolving, AI-distilled summary of the themes, goals, and blockers you appear to be working on, generated from the data above, together with periodic snapshots of it. This is automated profiling that personalises your experience; you can pause it at any time.
• Notification data. Web-push subscription details (the browser push endpoint and keys) when you enable reminders, your notification preferences, and records of emails we send you (such as weekly digests).
• Generated content and media. AI-generated sessions, prompts, recaps, narration audio, and illustrated “storyboard” scene images created for or by you.
• Team and referral data. If you join a team or use referrals, your membership, role, and referral codes or uses.
• Breathwork and wellbeing interaction data. Chosen breathing pattern, duration, custom pacing configuration, and before or after state inputs when you log them.
• Subscription and billing data. Tier, subscription status, Stripe customer or subscription identifiers, checkout and portal events, and entitlement state. Breviya does not store full payment card numbers in its own database.
• Security and operational logs. Login success or failure events, export and admin actions, abuse-prevention metadata such as IP address or user agent when relevant, and rate-limit events used to protect the service.
• Device-side storage and continuity data. Browser local storage values used for dashboard layout, recent sessions, unfinished playback, chosen voice settings, recent wisdom stories, last mood check-in, and similar convenience features.
• Backup and restore payloads. Personal account backup files and admin-level user-base backup files. Personal backups focus on account continuity data. Admin organization backups can include identity fields, role and subscription state, and password hashes for restoration purposes.

Breviya uses information to operate and improve the product, including to:

• Create and secure your account, authenticate you, and prevent unauthorized access.
• Guide first-time onboarding, personalize the dashboard, recommend sessions, choose relevant programs, and preconfigure calmer defaults based on what you share.
• Save your progress, favorites, resume state, streaks, recent activity, and continuity between sessions.
• Generate original guided meditation plans, reflective prompts, recaps, narration, and adaptive audio or voice playback settings based on your inputs and preferences.
• Distil and update an AI persona from your activity to personalise the home screen, recommendations, Companion, and challenges — which you can pause at any time.
• Power the AI Companion, transcribe voice entries to text (where enabled), and surface crisis resources to you when a message appears to signal self-harm or acute distress.
• Send the reminders, notifications, and emails you have enabled.
• Provide journaling, voice journaling, export, import, backup, restore, the care-team report, subscription, billing, and admin functions.
• Detect misuse, enforce rate limits, investigate issues, monitor service health, and maintain logs necessary for reliability and safety.

Breviya includes generated, adaptive, and AI-personalised experiences. Some processing happens on Breviya-managed infrastructure (for example, narration), and some is sent to third-party AI providers. The full list of AI surfaces, providers, and your controls is in the AI Disclosure.

• On Breviya infrastructure. Text-to-speech narration (Kokoro, English and Spanish) is generated server-side and not sent to a third-party audio provider. Some audio and continuity state is handled in your browser.
• Third-party AI providers. Text generation (sessions, prompts, recaps, Companion, persona) uses OpenAI and OpenRouter; voice transcription uses a third-party speech-to-text model via OpenRouter (or OpenAI); storyboard images use Replicate. Only the data needed for each task is sent, under that provider's terms; providers are not permitted to use your data to train their own models where their API terms allow us to opt out.
• Voice audio leaves your device for transcription. If you record a voice entry, the audio is sent to the transcription provider to produce text. You can turn voice transcription off in Privacy settings and type instead; with it off, no audio is sent.
• Automated profiling (your persona). Breviya uses AI to build and update a short profile of you (themes, goals, blockers) from your reflections, check-ins, and activity, and uses it to personalise the app. This is automated profiling but is not used to make legal or similarly significant decisions about you. You can pause it in Privacy settings; reading your journal content for personalisation is off by default and opt-in.
• Crisis screening. To respond safely, Companion and reach-out messages are screened (by a moderation model plus a local keyword check) for self-harm or crisis language. When triggered, Breviya shows you crisis resources and records a safety flag on your account. This surfaces help to you only; it does not notify any third party, emergency service, or authority.
• No clinical profiling promise. Generated outputs and the persona are meant to support reflection, relaxation, and guided practice. They are not a clinical assessment and do not diagnose health conditions or replace a qualified professional.

Some of what you choose to share — reflections, mood and stress ratings, reach-out history, and anything you write that touches on your mental or physical health — may be treated as special-category (sensitive) personal data under the GDPR and similar laws. Breviya only processes this because you choose to provide it to use the relevant features.

• Legal bases (EEA/UK). We rely on your consent for special-category data and for optional processing such as voice transcription and using journal content for personalisation; on performance of a contract to run the account and features you ask for; and on our legitimate interests to keep the service secure and reliable. You can withdraw consent at any time, which stops the related processing going forward.
• You stay in control of what you share. Voice transcription and journal personalisation are opt-in/opt-out; you can pause the persona; and you can leave mood, stress, and reflection fields blank and still use the app.
• Automated decisions. Breviya's personalisation does not produce legal or similarly significant effects about you. Where local law gives you rights in relation to automated processing or profiling, you can contact us to exercise them.

Breviya does not describe itself as selling your personal information. Information may be shared in these limited contexts:

• Service providers and infrastructure. Hosting, database, storage, queueing, backup, and observability providers that help run the service.
• Payments. Stripe and related billing workflows, only to the extent needed to process subscriptions, customer portal actions, or webhook-based entitlement updates.
• AI providers. OpenAI and OpenRouter (text and voice transcription) and Replicate (image generation), only with the data each task needs. See the AI, audio, and profiling section.
• Email and messaging. A transactional email provider (Resend) for the emails you receive; web push is delivered through your browser's own push service.
• Sharing you initiate (the care-team report). Breviya never sends your wellbeing data to a clinician for you. You can generate a report or data file of your own information and choose to share it. Once you download or send it, you control that file and are responsible for it; any recipient (such as a therapist or doctor) is an independent party responsible for their own handling and compliance. Breviya is not a medical-records system.
• Admin and organization restore tools. Authorized admins can export and import full user-base backups for legitimate operational continuity, migration, or recovery use.
• Legal, security, or business events. To comply with law, protect users or the service, respond to lawful requests, or support a merger, financing, acquisition, or asset transfer.

Breviya stores data in a mix of application database records, storage volumes, browser local storage, and optional S3-compatible object storage depending on deployment configuration. Backup and restore features are part of the product, so some data may persist in backup archives until those archives are rotated or deleted.

• Account records, progress, subscriptions, and operational logs are retained as long as needed to run the service, keep your account active, preserve continuity, or satisfy security and legal obligations.
• Personal account exports are generated on request. Imported backups are merged into your account rather than replacing the entire system state.
• Admin organization backups can preserve a broader snapshot of user records for recovery and migration. Those files should be treated as highly sensitive.
• Device-level state such as recent sessions, dashboard arrangement, voice preferences, and certain reminders may remain in your browser until you clear site storage.

Breviya uses layered controls that are intended to reduce risk, including password hashing, token based authentication, rate limiting on sensitive endpoints, audit logging for key security and admin actions, and application-level encryption for journal content.

Journal entries are encrypted within the application using AES-256-GCM before storage and are only decrypted when you read or export them. Data exports — including the care-team report — are recorded in an internal audit log. That said, no internet-connected service can guarantee absolute security, and you remain responsible for protecting your device, browser session, exported files, and account credentials.

Depending on where you live, you may have rights to access, correct, export, delete, or limit certain uses of your personal information. Breviya is designed with practical user controls inside the product wherever possible.

• In-app controls. You can review and adjust profile or preference data in Settings.
• Privacy toggles. In Settings → Privacy you can pause personalization (the persona), turn voice transcription off, and control whether your journal content is used to personalise the Companion and persona (off by default).
• Export and backup. You can export sessions, export journal data, create a personal account backup, and generate a care-team report of your own data from within the product.
• Deletion. You can request deletion of your account through in-app controls. Some records may remain in logs, backups, or security archives for a limited period where necessary.
• Browser storage controls. You can clear site storage in your browser to remove local-only conveniences such as recent stories, saved layout, or voice preferences.

Breviya is intended for users aged 16 or over. We do not knowingly collect personal information from children under 13 years of age (as defined by the U.S. Children's Online Privacy Protection Act, “COPPA”). If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information promptly.

Users between 13 and 15 years old may use the service only with verifiable consent from a parent or legal guardian, and only where permitted by their local law. Some jurisdictions (including parts of the EU) require users to be 16 or older to consent on their own to the processing of personal data; in those jurisdictions we apply that higher age. If you believe a child has created an account in violation of these rules, contact privacy@breviya.com and we will delete the account and associated data.

Breviya is also not a hospital, clinic, insurer, or emergency service, and it is not offered as a HIPAA-regulated medical record system unless separately agreed in writing. Do not rely on the service for emergency help, diagnosis, treatment decisions, or crisis support. Breviya may screen messages for self-harm or crisis language to surface support resources to you, but it is not a monitoring, crisis, or emergency service and does not alert third parties on your behalf — see the medical and crisis disclaimer in the Terms.

Nimavera Inc. is established in the United States. Breviya's application infrastructure is hosted in the United States and, where required to serve EU users, the European Union. Several sub-processors — including Stripe, the AI providers (OpenAI, OpenRouter, and the Groq-hosted transcription model routed through it, and Replicate), and our email provider (Resend) — are headquartered in the United States. For transfers of personal data from the EEA, the United Kingdom, or Switzerland to the United States, we rely on the European Commission's Standard Contractual Clauses (SCCs), the UK Addendum, and the EU-U.S. Data Privacy Framework (where the sub-processor is certified), supplemented by appropriate technical and organisational safeguards. The current providers are listed on our Sub-processors page.

Nimavera Inc. may update this Privacy Policy as the product, infrastructure, or legal obligations evolve. The current version will be posted on this page with an updated effective date.

For account-level privacy actions, start with the in-app controls available in Settings and related export or deletion tools. For data-protection requests, complaints, or other privacy enquiries, contact privacy@breviya.com. If you are in the EEA or UK, you also have the right to lodge a complaint with your national data-protection regulator.