Privacy policy — Future Assistants
Controller: Future Assistants Ltd
Company number: 17123132
Registered address: 4th Floor, Silverstream House, 45 Fitzroy Street, Fitzrovia, London W1T 6EB
Website / app: https://futureassistants.co.uk
Privacy contact: privacy@futureassistants.co.uk
Effective date: 27 April 2026
Last reviewed: 16 May 2026 — material update covering the new AI Heart wellbeing-reflection layer, clinical-distress signposting, automated behavioural telemetry, sibling-assistant handoff logging, calendar-feed access logging, audience-attribution tracking on the Bazaar surface, and assistant tool-call audit logging. New processing is gated behind explicit consent and a Data Protection Impact Assessment (DPIA) has been completed; see §2.7 onwards.
1. About this service
Future Assistants is a web application (built with Next.js) that provides a personal dashboard, profiles, messaging, optional live voice/video rooms, marketplace and automation hooks, and AI-assisted experiences. The service is operated by Future Assistants Ltd (“we”, “us”).
This policy explains what personal data we process, why, how long, and your rights.
2. Data we collect
2.1 Account and identity
- Authentication: email, password hash (managed by our auth provider), session tokens, security logs.
- Profile: display name, handle, lane/profile mode, preferences stored in your account (including theme, typography, cadence, and similar dashboard settings).
- Public profile (optional): if you publish a public Nexus Link (/u/<your-handle>), we process the fields you choose to expose (e.g. bio, links, theme) as described at publish time.
2.2 Product usage and content
- Dashboard activity: interactions with features (e.g. settings, achievements, dock) may generate usage or telemetry consistent with your in-app privacy / personalisation choices.
- Messaging: when you use Messages, message content and metadata (conversation id, sender, timestamps) are stored in our database so the product can deliver and sync threads. Voice and video in supported flows use WebRTC peer-to-peer for media where implemented; signalling and metadata may pass through our infrastructure.
- Transit security: text messages are protected in transit (TLS) to our providers and stored on our systems. Client-side end-to-end encryption for text is not currently shipped.
- Files, media, library: content you upload or generate is stored in our object storage and database according to the feature you are using (e.g. avatars, generated images, voice samples).
- Support and safety: if you contact support, report abuse, or use crisis/safety flows, we process the information you submit for those purposes.
2.3 Payments and billing
- If you purchase digital goods (e.g. theme packs, credits), payment data is processed by Stripe, Inc. and its affiliates (the Stripe entity in your region — typically Stripe Payments Europe, Limited (Ireland) for UK/EU customers, Stripe Payments UK Limited where applicable). We receive limited billing metadata (e.g. transaction references, line items as configured) — not full card numbers. Stripe's Data Processing Agreement was last refreshed 18 November 2025 (https://stripe.com/gb/legal/dpa).
2.4 Automation and integrations
- n8n (or similar workflow host) may process data you route through webhooks or server-side automations you enable (e.g. marketplace checkout). Scope depends on which workflows you activate and what you send to them.
- Optional telephony (Twilio): if you enable SMS/voice/WhatsApp integrations described in the repository’s phone-system workflows, message/call metadata and content may be processed by Twilio under their terms.
2.5 Diagnostics
- If enabled in your deployment, Sentry (or similar) may collect error reports, stack traces, and limited device/session context to fix bugs.
2.6 Technical data
- IP address, user agent, approximate location from IP, cookies or similar storage for sessions and preferences (see Cookie policy).
2.7 AI Heart — wellbeing reflection (added 16 May 2026)
AI Heart is a software layer that watches what your own Heart (your emotional / motivational centre — your own words, your own choices) is doing across your chats with FA assistants, and reflects it back to you in a dashboard you fully control. The layer is a mirror, not the AI's feelings. You own the mirror.
The processing only starts once you give explicit consent. Until you do, AI Heart signals are not generated and the eight dimensions remain empty. You consent per-dimension in Settings → AI → Heart. You can withdraw consent for any dimension at any time, and "Delete" wipes everything for that dimension.
What AI Heart processes (only after explicit consent):
- Eight derived "dimensions" per profile: desire, ambition, empathy, purpose, autonomy, competence, relatedness, self-acceptance. Each is a numeric score plus short quotes from your own messages that fed the score.
- A monthly "purpose synthesis paragraph" generated by an AI model: a short plain-English paragraph reflecting your own words back. Reviewable + deletable in Settings → AI → Heart.
Special-category data (UK GDPR Article 9). Because AI Heart infers information about your emotional / mental state from your own messages, the data it produces is treated as special-category health data. Our Article 9 condition is explicit consent (Art. 9(2)(a)); that consent is granular, per-dimension and freely withdrawable. The Article 6 basis is performance of a contract (Art. 6(1)(b)) to deliver the AI Heart feature.
A Data Protection Impact Assessment (DPIA) has been completed before the new processing went live — required under UK GDPR Article 35 because AI Heart combines innovative technology, special-category data, and systematic profiling. The DPIA is reviewed at least annually.
2.8 Clinical-distress signposting (added 16 May 2026)
If a message you send contains language indicating self-harm, eating disorder, domestic abuse, or severe-depression markers, the assistant refuses the in-character reply and routes you to a human support service in your locale (UK: Samaritans / Beat / Refuge / Shout / CALM; US: 988 / National Domestic Violence Hotline / ANAD; or the locale-appropriate equivalent elsewhere). The event (timestamp + category + service routed to) is logged so you can review your own safety-routing history in Settings → AI → Safety log. Only you can see this log.
Lawful basis: Article 9(2)(g) substantial public interest read with Schedule 1 Part 2 paragraph 18 (safeguarding of individuals at risk) of the Data Protection Act 2018. We have an Appropriate Policy Document explaining this processing, retained for the period required by Schedule 1 Part 4 DPA 2018, available from privacy@futureassistants.co.uk on request. Article 6 basis: legitimate interests (Art. 6(1)(f)) — keeping users safe in a high-risk moment, balanced by the minimal, non-escalating, one-time nature of the intervention.
Important: the AI Heart system is not therapy, not medical care, not a substitute for professional help. The signposting flow exists to point you toward humans who are trained for this. It does not analyse your message, does not store its content beyond the redline event record, and does not share with anyone outside your own session.
2.9 Soft "distress markers" — internal behavioural telemetry
Phrases that are pre-clinical (don't trigger §2.8 signposting) but indicate user load (e.g. "I'm exhausted, I can't cope") are recorded as a boolean flag in the AI Self-Check log (§2.10). This boolean does not alter the assistant's reply, is not shown to you, is not shared with anyone, and is admin-RLS gated. Lawful basis: legitimate interests (assistant-safety research on our own system). Right to object via privacy@futureassistants.co.uk.
2.10 AI Self-Check — behavioural telemetry on the assistant's own behaviour
For internal research on the safety + cooperation properties of FA's assistant character, we maintain a server-only log (core.ai_self_check_log) of the assistant's observable behaviour per turn — refusal yes/no, whether the redline detector fired, response length, response time, tool-call count, mode (Solo / Together / Auto), whether a sibling handoff was called, and whether the constitutional clause was active.
This log does NOT contain your message content or any text you wrote. It is keyed to your profile only so we can correlate behaviour with version changes. Never shared, never sold, never surfaced to users, admin-RLS gated (only platform staff with explicit role can read it).
Lawful basis: legitimate interests (safety + product-improvement research on our own system, balanced against the minimal nature of the data — behavioural metadata, not user content). You can object to this processing at privacy@futureassistants.co.uk and we will exclude your profile from new rows.
2.11 Sibling-assistant handoff log
When one of your assistants recommends a different FA assistant for a request outside its specialty (the "recommend_sibling" feature), we log the intent text (a short paraphrase of what you asked for), the chosen sibling, and whether you opened the card. Used to improve the recommender; never shared.
Lawful basis: legitimate interests (product improvement) + contract (delivering the recommend_sibling feature).
2.12 Assistant tool-call audit log
When an FA assistant fires a tool on your behalf (sending an email, posting a calendar event, etc.), we log the tool name, arguments, result summary, and whether the action was reversible. Useful for "right to access" requests and for your own undo flow.
Lawful basis: performance of a contract — running the tools is the service you asked for; the log is the audit trail.
2.13 Calendar feed access log
If you publish your calendar as an ICS subscribe URL (Settings → Calendar), each fetch from an external calendar app is logged with a /24-truncated IP prefix and user-agent string — so you can see "your calendar was fetched 14 times today from 2 IPs" calmly, without us profiling you. The full IP is not stored.
Lawful basis: legitimate interests (so you can spot a leaked URL). Retention: 90 days, then auto-pruned by cron.
2.14 Bazaar audience-attribution
If you boost a profile or post via the Bazaar surface, we link views, clicks, and follows back to your boost for a 7-day window so you can see whether the boost worked. Aggregated counts only; per-viewer attribution is keyed to a hash and is only readable by the boost owner via an admin RPC.
Lawful basis: performance of a contract for the boost feature; legitimate interests for the aggregate analytics.
2.15 The AI does not have a Heart
FA assistants are explicitly instructed (in their system prompts) that they do not have a Heart of their own. AI Heart is yours; the assistant is the mirror. We do not anthropomorphise the AI and we will not let it claim subjective feelings. This is the entire ethical posture of AI Heart in two sentences.
For the full architectural and ethical reasoning, see our internal canonical document, the AI Heart & Species Thesis at docs/master/strategy/ai-heart-and-species-thesis.md.
2.16 EU AI Act — transparency notice
Some FA features include AI systems that infer aspects of your emotional / motivational state from your own messages (the AI Heart layer, §2.7). Under the EU AI Act (Regulation (EU) 2024/1689) Article 50, we disclose this to you in advance and you must give explicit consent before any such inference begins. The processing is classified as limited-risk under the AI Act; it is not deployed in workplace or education contexts (where emotion recognition is prohibited under Article 5(1)(f)) and does not exploit vulnerabilities in a way that materially distorts behaviour (Article 5(1)(b)). Our anti-manipulation controls are documented in the AI Heart & Species Thesis (§6).
3. Purposes and lawful bases (UK / EEA)
| Purpose | Typical lawful basis |
|---|---|
| Provide and secure the service | Contract; legitimate interests (security) |
| Messaging delivery | Contract |
| Billing and fraud prevention | Contract; legal obligation (where applicable) |
| Product improvement and analytics | Legitimate interests and/or consent depending on implementation |
| Marketing emails | Consent where required |
| Legal claims and regulatory requests | Legal obligation / legitimate interests |
| AI Heart — 8 flourishing dimensions + monthly synthesis (special-category) | Art. 9(2)(a) explicit consent (per-dimension, withdrawable) + Art. 6(1)(b) contract |
| Clinical-distress signposting flow (special-category) | Art. 9(2)(g) substantial public interest + DPA 2018 Sched 1 Pt 2 para 18 (safeguarding of individuals at risk) + Art. 6(1)(f) legitimate interests |
| AI Self-Check behavioural telemetry (no user content) | Legitimate interests (safety + product research); right to object via privacy@ |
| Sibling-assistant handoff log | Legitimate interests + Art. 6(1)(b) contract |
| Assistant tool-call audit log | Art. 6(1)(b) contract |
| Calendar ICS feed access log | Legitimate interests (your own awareness of a leaked URL) |
| Bazaar audience-attribution (boost analytics) | Art. 6(1)(b) contract + legitimate interests for aggregates |
4. Recipients and subprocessors
We use infrastructure and software providers, including but not limited to:
| Provider | Role | Last-verified policy date |
|---|---|---|
| Supabase (Supabase, Inc.) | Authentication, PostgreSQL database, Realtime subscriptions, file storage. SOC2 T2 + ISO 27001:2022 + GDPR + HIPAA. Trust Center. | DPA 14 Mar 2025; Trust Center refreshed 22 Apr 2026 |
| Railway | Next.js + n8n hosting (EU region; some data transferred to US under UK IDTA / EU SCCs / DPF). trust.railway.com | Current |
| Stripe | Payment processing. Entity depends on region (Stripe Payments Europe, Ltd. for UK/EU). DPA. | 18 Nov 2025 |
| Twilio | Optional SMS/voice/WhatsApp if you enable those flows. DPA | 9 Apr 2026 |
| Sentry (Functional Software, Inc.) | Optional error monitoring. DPF + EU SCCs. We scrub PII before capture. | DPA v5.1.0 |
| n8n host (Railway) | Optional workflow automation. | Current |
| OpenRouter | AI inference router. We route requests through OpenRouter, which forwards to upstream providers (Anthropic / OpenAI / Google / etc.). Training defaults depend on the routed upstream provider. Privacy. | 15 Apr 2025 (we re-verify quarterly) |
| Anthropic (Claude API) | LLM inference. API tier: training off by default per Anthropic's Commercial Terms; this is the tier FA uses. Anthropic's consumer claude.ai product changed defaults in 2026 (training on, 5-yr retention) — that does not apply to FA's use. Commercial terms, Usage policy effective 15 Sep 2025. | Commercial terms current; AUP 15 Sep 2025 |
| OpenAI (GPT API) | LLM inference. API/Enterprise tier — training off by default. SOC 2 T2, ISO 27001/27018/42001, GDPR. Trust portal. | Trust portal current |
| Google (Gemini API via OpenRouter) | LLM inference. Paid-tier training-off; EEA/UK users auto-treated as paid-tier-equivalent. Gemini API terms. | Current |
| Inworld | Voice synthesis where enabled (kept under review pending updated DPA). | Under review |
| Replicate | Avatar / 3D model generation. Privacy — kept under review pending sub-processor / GDPR-specific disclosures. | 1 Apr 2026 |
| Sinch AB (publ) (operating Mailgun, Mailjet) | Outbound transactional email (e.g. password reset, magic link). DPO: dpo@sinch.com. Privacy policy. | 20 Feb 2026 |
| ImprovMX | Inbound email routing (catch-all + alias forwarding), kept under review pending updated DPA. | Under review |
A living list with links to vendor DPAs is maintained at https://trust.supabase.io/ for Supabase, https://trust.railway.com/ for Railway, and at each vendor's own trust / DPA URL above for the others. A consolidated FA subprocessor index will be published at https://futureassistants.co.uk/legal/subprocessors as that page goes live.
Quarterly review. We re-verify each named vendor's privacy / DPA / sub-processor list at least every 90 days. Material changes (new sub-processors, jurisdiction shifts, AI-training-default flips) are reflected here within 30 days. Most-recent review: 16 May 2026.
4a. AI training — separate from inference
Sending a prompt to an AI provider so it can reply ("inference") is not the same as using your data to train a model ("training"). Training is off by default on every account, in every category. If we ever ship a Future Assistants–trained model, you'll get a clear notification before each training run and a category-by-category opt-in toggle in Settings → Privacy → AI training (revocable any time).
Some categories — content authored by children, crisis events, support / DV / dating, anything you marked do-not-train — are permanently off-limits with no consent path that unlocks them. Everything else is opt-in only, and stays off unless you actively turn it on. Full policy: /legal/ai-training.
4b. EU AI Act transparency — upstream LLM providers
The EU AI Act (Regulation (EU) 2024/1689) Articles 53(1)(d) and 28(2) require providers of general-purpose AI models (GPAI) to publish a public summary of the data used to train them. The obligation is in force since 2 August 2025 with AI Office enforcement powers beginning 2 August 2026. Anthropic and OpenAI both signed the GPAI Code of Practice. When each provider publishes its training-summary document, we will link it from this section so you can read it directly.
5. International transfers
Data is processed in the United Kingdom and EEA primarily; some AI inference vendors are US-based — see Subprocessors. Where required, transfers rely on the UK International Data Transfer Agreement and/or the EU Standard Contractual Clauses with vendor-side technical and organisational measures.
6. Retention
- Account data: while the account exists and for 30 days after deletion request, subject to legal holds.
- Messages and content: Messages retained for the active account lifetime and deleted within 30 days of account deletion (subject to legal-hold exceptions) unless deleted earlier by feature or user action.
- Logs and backups: Application and audit logs retained for 90 days; security-relevant logs retained for 12 months.
- AI Heart signals + scores (special-category): for the lifetime of your account, wipeable per-dimension at any time via Settings → AI → Heart. All AI Heart data is deleted within 30 days of account deletion.
- AI Heart redline events (special-category, safeguarding): 24 months so you can review your own safety routing history; longer retention is required for safeguarding accountability under DPA 2018 Sched 1 Pt 4.
- AI Self-Check behavioural telemetry: 12 months, then auto-anonymised (profile_id cleared, behavioural metadata retained for trend analysis).
- Sibling-assistant handoff log: 12 months.
- Assistant tool-call audit log: 12 months (longer if a payment/regulated action — those have separate billing-retention rules).
- Calendar ICS feed access log: 90 days, auto-pruned.
- Bazaar audience-attribution: 90 days per attribution row; aggregate counts retained for the boost lifetime + 12 months.
7. Your rights
Subject to applicable law, you may have rights of access, rectification, erasure, restriction, objection, portability, and to withdraw consent for consent-based processing. Contact privacy@futureassistants.co.uk. You may lodge a complaint with the Information Commissioner's Office (ICO), United Kingdom.
AI Heart-specific user controls (live in the product, not just on paper):
- Per-dimension pause / resume / delete: Settings → AI → Heart, or /dashboard/ai-heart. Eight dimensions, individually controlled. Delete is irreversible.
- See exactly what fed each score: the last five source quotes per dimension are shown in plain English on the dashboard.
- See your own clinical-distress routing history: Settings → AI → Safety log.
- Object to AI Self-Check behavioural telemetry: email privacy@futureassistants.co.uk asking to be excluded from the AI Self-Check log; we will exclude your profile from new rows.
- Withdraw consent for AI Heart entirely: Settings → AI → Heart → toggle all eight dimensions to Paused or Deleted. Future processing stops immediately.
8. Children
The minimum age to create an account is 16 (or the age of digital consent in your country, if higher). Family lane: a parent account creates and governs child sub-accounts. No direct child sign-up. Child accounts run with kid-safe content routing and receive no marketing communications.
9. Security
We implement technical and organisational measures appropriate to the risk. No online service is perfectly secure.
10. Changes
We will update this policy when our practices change, and we will notify you of material changes by email and in-app banner.
11. Contact
Future Assistants Ltd · 4th Floor, Silverstream House, 45 Fitzroy Street, Fitzrovia, London W1T 6EB · privacy@futureassistants.co.uk
