Privacy Policy

Version 1.0 - Last updated: April 10, 2026

Sidekick CommV (Enterprise number: 1016.861.193), registered at Kattendijkdok-Westkaai 61 box 1202, 2000 Antwerpen, Belgium (“we,” “us,” or “our”), operates the Unloop mobile application (the “App”).

This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our App. Different legal bases apply to different types of processing, as described in Section 2. Where we require your explicit consent (such as for processing health-related data), we obtain it through a dedicated in-app consent flow, separate from general terms acceptance.

If you do not agree with this policy, please do not use the App.

1. Information We Collect

We practice data minimization: we only collect data that is necessary to provide and improve the App.

1.1 Information You Provide Directly

Account Information

  • Name, email address, and password (managed securely via our authentication provider)

Profile Information

  • Gender, birth year
  • Character selection and personalization preferences

Mental Health Self-Assessment Data

  • PHQ-9 (depression screening) and GAD-7 (anxiety screening) questionnaire responses and scores
  • These are standardized, clinically validated self-assessment tools - they are not clinical diagnoses
  • This data is classified as health-related data and is processed with your explicit consent (see Section 2.5)

Cognitive Behavioral Therapy (CBT) Session Data

  • Automatic thoughts, situations, and associated emotions you identify
  • Cognitive distortions you select or that are suggested
  • Evidence you provide for and against beliefs
  • Belief strength ratings (0-100 scale)
  • Core beliefs and reframes developed during sessions
  • Behavioral experiment predictions, outcomes, and reflections
  • Habit reversal and urge surfing session data

Journaling Data

When you journal (via text or voice), your entry is processed in real time to extract structured insights such as candidate thoughts, emotions, stressors, and sentiment. We do not store your raw journal text or voice recordings. Only the structured, extracted data is saved to your account.

Community and Social Data

  • Group challenge participation
  • Accountability partner connections (“handshakes”)
  • Nudge messages sent between users
  • You can control your visibility within groups and block other users

1.2 Information Collected Automatically

Usage Data

  • App activity such as task completion, streaks, points earned, and module progress
  • Push notification tokens (used solely for delivering notifications you have enabled)

Device Information

  • Device type, operating system, and app version (collected for compatibility and troubleshooting purposes)

Tracking Technologies and Cookies

Mobile App:

  • The App does not use advertising trackers, IDFA, or third-party advertising SDKs
  • The App does not track you across other apps or websites
  • We do not participate in cross-app tracking or targeted advertising

Website (theunloop.com):

  • Our website uses cookies and similar technologies provided by PostHog (our analytics provider) to understand how visitors use our website
  • Essential cookies: Required for the website to function (e.g., session management). These cannot be disabled.
  • Analytics cookies: Used to understand how visitors interact with our website (e.g., pages visited, time spent). These are only set if you consent via our cookie banner.
  • We do not use advertising or marketing cookies
  • We do not sell or share cookie data with third parties for advertising
  • Analytics data is processed by PostHog on servers in the European Union (Frankfurt, Germany)
  • You can manage your cookie preferences at any time via the cookie settings on our website, or by adjusting your browser settings to block or delete cookies

1.3 Information From Third-Party Integrations (Opt-In Only)

Health and Biomarker Data (via Sahha)

  • If you choose to connect your health data, we may receive: sleep duration, activity levels, steps, active calories, exercise strain, circadian alignment, and wellbeing scores
  • If this data is accessed via Apple HealthKit, we do not use it for advertising and do not share it with third parties for advertising or data brokerage purposes
  • This is entirely optional. You can connect or disconnect health tracking at any time. The App functions fully without this data.

1.4 Information We Do NOT Collect

  • We do not collect precise geolocation data
  • We do not collect financial information (payments are processed by Apple/Google and our subscription provider)
  • We do not collect contacts, photos, or other device data
  • We do not store raw journal entries or voice recordings
  • We do not collect data from other apps on your device

2. How We Use Your Information

We use your information for the following purposes, each with a specific legal basis:

2.1 To Provide and Operate the App (Legal Basis: Contractual Necessity)

  • Creating and managing your account
  • Delivering personalized CBT exercises, roadmaps, and cognitive restructuring sessions
  • Tracking your progress across challenges and modules
  • Generating AI-powered insights, reframes, and behavioral experiments based on your session data
  • Sending push notifications you have opted into (streaks, nudges, reminders)

2.2 To Improve the App (Legal Basis: Legitimate Interest)

  • Understanding which features are most used and effective
  • Identifying and fixing bugs or performance issues
  • Improving AI-generated content quality

2.3 To Ensure Safety (Legal Basis: Legitimate Interest and Legal Obligation)

  • Detecting crisis indicators in session data to surface appropriate helpline resources
  • Complying with applicable laws and legal requests

2.4 Anonymous Analytics (Legal Basis: Consent - Opt-In)

  • If you enable “Share anonymous usage data” in your settings, we collect anonymized, aggregate usage statistics to improve the App
  • This data cannot be linked back to you personally
  • You can enable or disable this at any time in Settings > Account and Data

2.5 Processing of Health-Related Data (Legal Basis: Explicit Consent - GDPR Article 9(2)(a))

Certain data you provide - including self-assessment scores (PHQ-9, GAD-7), CBT session data (thoughts, beliefs, emotions, distortions), and health/biomarker data - may be considered health-related data under the GDPR.

We process this data based on your explicit consent, which we obtain through a dedicated consent flow when you first use these features. This consent is:

  • Freely given: You can use account features without providing health-related data
  • Specific: We explain exactly what data is processed and why
  • Informed: You are directed to this Privacy Policy before consenting
  • Unambiguous: Consent is given through a clear affirmative action

You may withdraw your consent at any time by contacting us at studio@theunloop.com. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

3. How AI Is Used in Unloop

Unloop uses artificial intelligence to power core features of the App. We believe in transparency about how AI processes your data.

You are interacting with an AI system when you use the following features:

  • Journaling analysis: When you submit a journal entry, it is sent to our AI service for real-time processing. The AI extracts structured data (thoughts, emotions, distortions, stressors, sentiment, and crisis indicators). Your raw journal text is not stored after processing.
  • Cognitive restructuring: Your identified thoughts, beliefs, and evidence are processed by AI to generate suggested reframes, Socratic questions, and behavioral experiments.
  • Roadmaps: AI uses your session history and progress data to generate personalized therapeutic roadmaps.

All AI-generated content in Unloop (reframes, suggestions, roadmaps) is clearly identified as AI-generated within the App.

Important:

  • AI processing occurs on secure cloud infrastructure (AWS) within the European Union (eu-central-1 region)
  • Your data is transmitted via encrypted connections (HTTPS/TLS)
  • We do not use your personal data to train general-purpose AI models. Your data is used solely to provide you with personalized responses within the App
  • AI-generated content is not clinical advice - see the Disclaimer (Section 10)
  • No automated decisions with legal or similarly significant effects are made about you based solely on automated processing. All AI-generated suggestions are advisory - you retain full control over which suggestions you adopt

4. How We Share Your Information

We do not sell your personal information. We do not share your personal information for advertising purposes. We share data only in the following limited circumstances:

4.1 Service Providers

We use trusted third-party services to operate the App:

Provider | Purpose | Data Shared
--- | --- | ---
Supabase | Authentication and database hosting | Account data, session data
AWS (Amazon Web Services) | AI processing (via Amazon Bedrock) | Session data for real-time AI analysis
Sahha | Health/biomarker integration (opt-in only) | Device health data
Expo | Push notification delivery | Push notification tokens
RevenueCat | Subscription management | User identifier, subscription status
Apple / Google | Subscription and payment processing | Payment handled entirely by Apple/Google - we do not receive financial details

All service providers are contractually bound to process your data only for the purposes we specify and to maintain appropriate security measures.

4.2 Community Features

If you participate in group challenges or accountability partnerships, limited information (your name, streak count, and nudge messages) is visible to other users you are connected with. You can manage your participation and visibility within the App.

4.3 Legal Requirements

We may disclose your information if required by law, legal process, or government request, or to protect the rights, safety, or property of Unloop, our users, or the public.

4.4 Business Transfers

If Unloop is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

5. Data Storage, Security, and International Transfers

5.1 Security Measures

  • Your data is stored on secure servers hosted by Supabase (PostgreSQL) with encryption at rest
  • AI processing takes place within the European Union (AWS eu-central-1)
  • All data is transmitted using TLS/HTTPS encryption in transit
  • Passwords are hashed and managed by our authentication provider - we never have access to your plaintext password
  • We implement role-based access controls to limit who within our organization can access user data
  • We conduct regular security reviews of our infrastructure and development practices

While we implement strong security measures, no system is 100% secure. We encourage you to use a strong, unique password for your Unloop account.

5.2 International Data Transfers

Your data is primarily stored and processed within the European Union. However, some of our service providers (Supabase, Expo, Sahha, RevenueCat) are US-based companies. Where data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including:

  • EU Standard Contractual Clauses (SCCs) under GDPR Article 46(2)(c)
  • EU-US Data Privacy Framework, where applicable

You may request a copy of the relevant transfer safeguards by contacting us at studio@theunloop.com.

5.3 Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach poses a high risk to you, we will also notify you without undue delay, providing details of the breach and steps you can take to protect yourself.

6. Data Retention

  • Account data: Retained for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required by law to retain it.
  • Session data (thoughts, beliefs, experiments): Retained for as long as your account is active. Archived or resolved items remain in your account history unless you delete your account.
  • Journal entries: Raw text is not stored. Extracted structured data is retained as part of your session data.
  • Health/biomarker data: Retained for as long as the integration is active. You can disconnect at any time.
  • Anonymous analytics data: Retained indefinitely in aggregate form and cannot be linked to individual users.
  • Inactive accounts: If your account is inactive for 24 months, we will notify you via email. If no action is taken within 30 days of notification, we will delete your account and associated data.

7. Your Rights

You have the following rights regarding your personal data. We extend these rights to all users regardless of location:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request that we correct inaccurate data
  • Deletion: Request that we delete your personal data (available via Settings > Account and Data > Delete Account, or by contacting us)
  • Restriction: Request that we restrict the processing of your personal data in certain circumstances (e.g., while we verify the accuracy of contested data)
  • Portability: Request your data in a machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: Where processing is based on consent (e.g., health-related data, anonymous analytics), you may withdraw it at any time
  • Automated decision-making: We do not make decisions based solely on automated processing that produce legal effects or similarly significantly affect you. All AI-generated suggestions are advisory and require your active engagement.

7.1 For EU/EEA/UK Residents

We process your data under the legal bases described in Section 2 in accordance with the General Data Protection Regulation (GDPR) and UK GDPR.

You have the right to lodge a complaint with a supervisory authority. For users in Belgium, this is the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données):

  • Address: Drukpersstraat / Rue de la Presse 35, 1000 Brussels, Belgium
  • Email: contact@apd-gba.be
  • Website: www.dataprotectionauthority.be

Users in other EU/EEA countries may contact their local supervisory authority.

7.2 For US Residents

We comply with applicable US state privacy laws, including the California Consumer Privacy Act (CCPA), the Colorado Privacy Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act, and other state-level privacy regulations as they come into effect.

  • We do not sell your personal information
  • We do not share your personal information for cross-context behavioral advertising
  • Mental health data is treated as sensitive data requiring opt-in consent under applicable state laws

To exercise any of these rights, contact us at studio@theunloop.com.

8. Children's Privacy

Unloop is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. We verify age during the sign-up process. If we learn that we have collected data from a user under 18, we will take steps to delete it promptly.

9. Data Protection

9.1 Data Protection Contact

For questions about data protection or to exercise your privacy rights, contact our data protection lead at studio@theunloop.com.

9.2 Data Protection Impact Assessment

We have conducted a Data Protection Impact Assessment (DPIA) for our processing of health-related data, as required by GDPR Article 35.

10. Disclaimer - Not a Medical Service

Unloop is a self-help wellness tool based on cognitive behavioral therapy (CBT) principles. It is not a medical device, clinical therapy service, or substitute for professional mental health treatment.

  • Content generated by the App, including AI-powered reframes and roadmaps, is for informational and self-help purposes only
  • Unloop does not provide clinical diagnoses, medical advice, or professional therapy
  • If you are experiencing a mental health crisis, please contact your local emergency services or find a helpline near you at findahelpline.com

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the version number and date at the top and notify you through the App or via email for material changes.

Your continued use of the App after changes take effect constitutes acceptance of the updated policy.

12. Governing Law

This Privacy Policy is governed by Belgian law and the General Data Protection Regulation (GDPR). Any disputes arising from this policy shall be subject to the exclusive jurisdiction of the courts of Antwerp, Belgium.

13. Contact Us

If you have questions about this Privacy Policy or your data, contact us at:

Sidekick CommV

Kattendijkdok-Westkaai 61 box 1202, 2000 Antwerpen, Belgium

Enterprise number: 1016.861.193

Email: studio@theunloop.com

Privacy Policy version 1.0 - last reviewed on April 10, 2026.