Privacy Policy

Effective date: 18 August 2025
Company: Naked Mental Health Limited (registered in England & Wales, company no. 16124798)
Registered address: 16 Gardeners Close, Maulden, Bedfordshire, MK45 2DY, United Kingdom
Contact: support@naked.health
Representative (EU, if applicable): Philip Reeve (philip@naked.health)

This Privacy Policy explains how Naked Mental Health Limited (“Naked”, “we”, “us”) collects and uses your information when you use the Naked mobile app, websites, and related services (together, the “Service”).

We’re committed to privacy by design: your journals are private to you. We don’t sell your data. We don’t use your journal entries to train AI.

Quick summary (“Key facts”)

  • Journals stay private: We don’t read them, and we don’t use them to train AI. You can delete them any time.

  • AI features ≠ medical advice: AI may help you reflect and learn, but it’s not diagnosis or treatment.

  • What we collect: Account info, device/analytics data, optional things you add (e.g., journals, ratings), and billing metadata via app stores.

  • Why we use it: To run the app, improve features, support you, secure the Service, and comply with law.

  • Legal bases: Contract, consent (e.g., health data you choose to add), legitimate interests, and legal obligations.

  • Your rights: Access, correct, delete, port, restrict, and object. UK/EU users can complain to the ICO.

  • Transfers: If data leaves the UK/EEA, we use approved safeguards (SCCs, UK Addendum, or UK-US Data Bridge).

1. Who we are

Naked Mental Health Limited is the data controller for the Service. Contact us at support@naked.health or by post: 16 Gardeners Close, Maulden, Bedfordshire, MK45 2DY, United Kingdom.

2. What we collect

2.1 Information you provide

  • Account details (e.g., name or display name, email, password or SSO identifier).

  • Profile & settings (e.g., language, notification preferences).

  • In-app content you choose to add:

    • Journals (private by default).

    • Ratings & reflections (e.g., anxiety level in “Ground Control”).

    • Technique/resource usage (e.g., what you started or favourited).

  • Support requests (messages, attachments).

  • Feedback & surveys (optional).

Special category data (health): If you add sensitive information (e.g., mental health reflections), we process it only with your explicit consent and only to provide the features you request. You can withdraw consent by deleting that data or your account at any time.

2.2 Information collected automatically

  • Device & app data: device model, OS, app version, language, time zone, approximate location (from IP), performance and crash logs, diagnostic events.

  • Usage analytics: interactions, screens viewed, session timestamps (used to improve the app).

  • Website data: cookies or similar technologies (see our Cookie Notice).

2.3 Information from third parties

  • App stores & billing (Apple/Google/RevenueCat): subscription status, transaction IDs, and limited billing metadata (we don’t see your full payment card).

  • Single sign-on providers (if enabled): basic profile and email.

  • Vendors helping deliver AI/voice, media, hosting, analytics (see Section 9).

We do not buy data about you from data brokers.

3. Why we use your information (purposes & legal bases)

| Purpose | Examples | Legal basis |
| --- | --- | --- |
| Provide the Service | Account creation, sync across devices, journals, ratings, resources, reminders, push notifications | Contract (Art. 6(1)(b)) |
| Optional AI features | Generate insights/voice, recommend content, personalise experience | Consent for any special category data (Art. 9(2)(a)); Contract/Legitimate Interests for non-special data |
| Improve & secure | Debugging, crash analytics, service quality, fraud/security monitoring | Legitimate Interests (service quality & security) |
| Customer support | Respond to queries, resolve issues | Contract/Legitimate Interests |
| Communications | Service messages (e.g., policy updates); optional tips/marketing | Legitimate Interests for service messages; Consent/soft opt-in for marketing under PECR |
| Legal & compliance | Tax, accounting, regulatory requests, enforcing terms | Legal obligation/Legitimate Interests |

You can withdraw consent at any time (it won’t affect prior processing). Where we rely on legitimate interests, you have the right to object.

4. Children

The Service is not for under-16s. If you’re 16–17, you confirm you have permission to use the Service. If we learn we’ve collected data from a child under 16, we’ll delete it.

5. Journals & sensitive content

  • Private by design: Journals are not shared with others by default.

  • No model training: We don’t use journals to train AI models.

  • You control deletion: You can delete individual entries or your account.

  • Safety: We don’t actively monitor journals. If you’re at risk, contact local emergency services or crisis support. The app is not an emergency service.

6. AI features

We use AI for things like text generation, suggestions, and optional text-to-speech. AI outputs may be imperfect and are not medical advice.

  • Processing occurs via trusted providers under data protection agreements.

  • We don’t send your journals to train providers’ models.

  • We minimise data sent to AI providers and apply safeguards (see Section 9).

7. How long we keep your data

We keep data only as long as needed for the purposes above:

  • Journals & ratings: until you delete them or delete your account.

  • Account data: for your account’s life; if inactive or after deletion, typically deleted or anonymised within 90 days.

  • Support tickets: up to 24 months.

  • Analytics & logs: typically 12–18 months (shorter where feasible).

  • Billing/transactions: up to 7 years (legal/tax obligations).

Backups may retain data for limited periods. When retention ends, we delete or anonymise.

8. How we share information

We don’t sell your personal data. We share it only with:

  • Service providers/“processors” who help us operate the Service under contract (see Section 9).

  • Legal/regulatory authorities where required by law or to protect rights/safety.

  • Business transfers (e.g., merger, acquisition); we’ll notify you where legally required.

We don’t share data for third-party advertising networks.

9. Service providers (examples)

We use reputable vendors with appropriate security and data protection measures. Depending on your use, some or all may process your data:

  • App distribution & billing: Apple App Store, Google Play, RevenueCat (subscription management)

  • Payments (web/store): Shopify Payments / Stripe (if you buy via our store)

  • Web & marketing site: HubSpot (website/forms), Shopify (store)

  • App backend & hosting: Firebase (auth, hosting, crash/analytics if enabled)

  • Media & CDN: Cloudflare R2/Workers (secure media delivery)

  • AI & voice: OpenAI (text generation), ElevenLabs (text-to-speech)

  • Automation (ops only, not for journals): Make.com (workflow automation)

  • Crash/diagnostics: Firebase Crashlytics / similar (if enabled)

We’ll keep this list updated in our online version. Remove any providers you don’t use and add others you do.

10. International data transfers

If we transfer personal data outside the UK/EEA, we use approved safeguards, such as:

  • Standard Contractual Clauses (SCCs) with the UK Addendum,

  • The UK-US Data Bridge / EU-US Data Privacy Framework (where applicable), or

  • An adequacy decision for the destination country.

You can request details of applicable safeguards.

11. Security

We use administrative, technical, and physical measures to protect your data, including encryption in transit and at rest, access controls, logging, vulnerability management, and vendor due diligence. No system is 100% secure, but we work to continually improve our controls.

12. Your rights (UK/EU)

You have rights under UK/EU data protection law:

  • Access your data and get a copy

  • Rectify inaccurate data

  • Erase data (“right to be forgotten”)

  • Restrict or object to certain processing (including where based on legitimate interests)

  • Data portability (receive data in a machine-readable format)

  • Withdraw consent at any time (e.g., for health data or marketing)

To exercise these rights, contact support@naked.health. We typically respond within one month. We may ask for proof of identity where appropriate.

Complaints

You can complain to the UK Information Commissioner’s Office (ICO): ico.org.uk. If you live in the EEA, you can complain to your local Data Protection Authority.

13. Marketing & communications

  • Service emails (e.g., security or policy updates) are essential and you can’t opt out of those.

  • Marketing messages (tips, offers) are consent-based or use soft opt-in where permitted by PECR. You can unsubscribe at any time via the message or in-app settings.

  • Push notifications (reminders, session nudges) can be disabled in your device settings.

14. Cookies & similar tech

Our websites may use cookies or similar technologies for essential functions, analytics, and performance. For details and choices, see our Cookie Notice.

15. Automated decision-making

We don’t perform automated decision-making that produces legal or similarly significant effects. Personalisation and recommendations are optional and intended to improve your experience; you can turn them off by limiting the data you provide and disabling certain features.

16. Third-party links

Our Service may link to third-party websites or services. Their privacy practices are governed by their own policies.

17. Changes to this Policy

We may update this Privacy Policy from time to time. We’ll post the new version with an updated effective date and, for material changes, provide notice (e.g., in-app). Please review it periodically. Your continued use of the Service means you accept the changes.

18. Contact us

Questions or requests about privacy?
Email: support@naked.health
Post: Naked Mental Health Limited, 16 Gardeners Close, Maulden, Bedfordshire, MK45 2DY, United Kingdom