Privacy Policy

2.1 Information You Provide Directly

Account Registration Information

• Phone number (immediately hashed and never stored in plaintext)
• Verification codes sent via SMS

Conversational Interview Data

During your conversational interview with JOSH's AI system, you provide information through natural conversation, including:

• Personal characteristics: Name, age, gender, location (city/state)
• Lifestyle information: Work situation, living situation, daily routines, schedules
• Social preferences: Communication style, social energy levels, interaction preferences
• Interests and activities: Hobbies, passions, how you spend free time
• Values and priorities: What matters to you in friendships, life goals, personal values
• Behavioral patterns: How you handle stress, conflict, decision-making
• Relationship history: Past friendship experiences, what works/doesn't work for you
• Emotional tendencies: How you process emotions, what you need in friendships
• Conversation style: Examples of how you communicate and connect with others

This information is used to build your psychological profile for matching purposes.

Photos

• Profile photos you upload (minimum 2, maximum 6)
• Photos are stored securely and shared only as part of the matching process

Contact Information

• Email address (optional, for account recovery and notifications)
• Real phone number (hashed for privacy, used for SMS communications)

Communications

• Messages you send through SafeChat anonymous messaging
• Messages exchanged during the onboarding conversational interview
• Communications with JOSH support staff

Payment Information

• Billing information is processed and stored by Stripe, our payment processor
• We do not store complete credit card numbers
• We retain transaction history, purchase dates, and amounts paid

2.2 Information Collected Automatically

Usage Data

• Features you use within the Service
• Time and duration of your activities
• Introduction responses (accept, decline, pass)
• SafeChat engagement (message frequency, session duration)
• Reveal decisions and timing

Device Information

• Mobile device type and operating system
• Browser type and version
• IP address (anonymized for analytics)
• Device identifiers
• Time zone settings

SMS Metadata

• Message delivery status
• Timestamp of messages sent and received
• Message routing information (not message content)

Analytics Data

• Aggregated, anonymized usage patterns
• Feature adoption rates
• Service performance metrics
• Error logs and crash reports

2.3 Information from Third Parties

Service Providers

• Twilio: SMS delivery status and metadata
• Stripe: Payment processing information and transaction status
• Anthropic: AI processing results (no storage of your data by Anthropic)

We do not purchase or receive personal information about you from data brokers or other third-party sources.

3.1 Core Service Operations

Friendship Matching

• Building your psychological profile through conversational interview analysis
• Identifying compatible matches using AI-powered compatibility algorithms
• Creating introduction previews with compatibility reasoning
• Generating match recommendations based on multi-dimensional compatibility scoring

Account Management

• Creating and maintaining your account
• Verifying your identity and phone number
• Processing your registration and onboarding
• Authenticating your access to the Service

Communications

• Sending SMS messages as part of the conversational interview
• Delivering introduction previews and notifications
• Facilitating SafeChat anonymous messaging
• Sending important Service updates and security alerts
• Responding to your inquiries and support requests
• Sending Day 9 reminders for SafeChat sessions

Payment Processing

• Processing Sprint Pass purchases through Stripe
• Managing your billing information
• Maintaining transaction records
• Handling refund requests (in limited circumstances)

3.2 Service Improvement and Development

• Analyzing how users interact with the Service to improve functionality
• Identifying and fixing technical issues and bugs
• Testing new features and improvements
• Conducting research to enhance matching algorithms
• Understanding user preferences and behavior patterns
• Optimizing the conversational interview experience

3.3 Safety and Security

• Detecting and preventing fraud, abuse, and violations of our Terms of Service
• Monitoring for safety concerns including harassment, scams, and crisis situations
• Responding to safety incidents and user reports
• Protecting against unauthorized access or use of the Service
• Complying with legal obligations and law enforcement requests
• Enforcing our Terms of Service and other policies

3.4 Analytics and Aggregated Data

• Creating anonymized, aggregated statistics about Service usage
• Understanding demographic trends and user preferences
• Measuring the effectiveness of our matching algorithms
• Reporting on business metrics and service performance

Important: We only use aggregated and anonymized data for analytics. Individual user data is never sold or shared for advertising purposes.

3.5 Legal Compliance

• Complying with applicable laws, regulations, and legal processes
• Responding to lawful requests from government authorities
• Protecting our legal rights and interests
• Preventing illegal activity and enforcing our policies

4.1 With Other Users (Controlled Disclosure)

Introduction Preview Stage

• First name only
• Age
• Photos you've uploaded
• City/state location
• Compatibility summary written by JOSH

SafeChat Stage

• Your messages (routed through masked phone numbers)
• No real contact information is shared

After Mutual Reveal

• Full name
• Real phone number
• Email address (if provided)
• Complete profile information
• All photos

You control when this information is shared. Both parties must explicitly confirm "REVEAL" before real contact information is exchanged.

4.2 With Service Providers

We share information with third-party service providers who perform services on our behalf:

All service providers are contractually obligated to:

• Use your information only for the specified purposes
• Maintain reasonable security measures
• Not sell or share your information with others
• Comply with applicable privacy laws

4.3 For Legal Reasons

We may disclose your information if required to do so by law or in response to:

• Valid legal processes (subpoenas, court orders, search warrants)
• Government or law enforcement requests
• Investigations of potential violations of our Terms of Service
• Fraud prevention or security investigations
• Protection of the rights, property, or safety of JOSH, our users, or the public

In cases where we are legally permitted to do so, we will notify you before disclosing your information unless prohibited by law or court order.

4.4 Business Transfers

If JOSH is involved in a merger, acquisition, bankruptcy, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you via SMS and/or email before your information is transferred and becomes subject to a different privacy policy.

4.5 With Your Consent

We may share your information with third parties when you explicitly consent. For example:

• If you agree to participate in a testimonial or case study
• If you authorize us to share specific information with a third party
• If you connect your account to third-party services (if we add this feature)

5.1 Masked Phone Numbers

• All SafeChat messages are routed through Twilio proxy numbers
• Your real phone number is never visible to the other person
• The other person sees only a temporary masked number
• Both parties communicate through masks until mutual Reveal

5.2 Phone Number Hashing

• Real phone numbers are immediately hashed using HMAC-SHA256
• Plaintext phone numbers are never stored in our database
• Hashes are used only for message routing and cannot be reversed
• This prevents unauthorized access to your real phone number

5.3 Message Encryption

All SafeChat messages are encrypted at rest using AES-256-GCM:

• Each message is encrypted with a unique initialization vector (IV)
• Authentication tags ensure message integrity
• Encryption keys are stored separately from message data
• Messages are decrypted only during relay, never for storage or display

5.4 Number Pool Management

After a SafeChat session ends:

• The masked phone number enters a 72-hour cooldown period
• The number cannot be immediately reused for another session
• This prevents psychological association between different matches
• Numbers are rotated to maintain anonymity

5.5 Automatic Session Closure

• SafeChat sessions automatically close after 10 days
• Upon closure, masked numbers are released
• No further messages can be sent through the session
• Conversation history remains encrypted in our database

5.6 No Staff Access to Content

• JOSH staff cannot read your SafeChat messages without legal warrant
• Encrypted messages can only be decrypted by automated systems for relay
• Safety monitoring uses automated keyword detection, not human review
• In crisis situations, we may access encrypted content to ensure user safety

6.1 Technical Security Measures

• Encryption in Transit: All data transmitted between your device and our servers uses HTTPS/TLS encryption
• Encryption at Rest: Sensitive data including SafeChat messages is encrypted in our database
• Phone Number Hashing: Real phone numbers are never stored in plaintext
• Secure Authentication: Magic links with HMAC signatures for identity verification
• Access Controls: Strict role-based access controls for staff and systems
• Regular Security Audits: Ongoing review of security practices and vulnerabilities

6.2 Organizational Security Measures

• Background checks for employees with access to user data
• Confidentiality agreements for all staff and contractors
• Security training for employees
• Incident response procedures for data breaches
• Regular backups with encryption
• Monitoring and logging of system access

6.3 Third-Party Security

Our service providers (Twilio, Stripe, Anthropic, Supabase, Vercel) maintain:

• SOC 2 Type II compliance (where applicable)
• GDPR compliance
• Industry-standard security certifications
• Regular third-party security audits

6.4 No Guarantee of Absolute Security

While we implement strong security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your information. You use the Service at your own risk.

6.5 Your Security Responsibilities

You are responsible for:

• Maintaining the security of your phone and any devices used to access the Service
• Not sharing your account access with others
• Reporting any suspected unauthorized access immediately
• Using secure passwords if you create web account credentials
• Logging out from shared devices

7.1 Active Account Data

While your account is active, we retain:

• Profile information and conversational interview data
• Photos and personal information needed for matching
• SafeChat message history (encrypted)
• Introduction history and match data
• Account settings and preferences
• Payment transaction records

7.2 After Account Deletion

When you delete your account, we handle data as follows:

Deleted Within 30 Days:

• Profile information (name, age, photos, location)
• Conversational interview data
• Unencrypted personal information
• Account preferences and settings

The 30-day period allows account recovery if you change your mind.

Deleted Immediately:

• Encrypted SafeChat messages
• Active SafeChat sessions (closed)
• Access to the Service

Retained for Legal/Financial Compliance:

• Transaction records and payment history: 7 years (IRS requirement)
• Legal hold data: Until legal matter is resolved
• Safety incident reports: As required by law

Retained Indefinitely (Anonymized):

• Aggregated analytics data with no personal identifiers
• Statistical information about Service usage patterns
• De-identified research data

7.3 Inactive Accounts

If your account is inactive for 24 consecutive months:

• We may send a reminder asking if you want to keep your account
• If no response after 30 days, we may delete your account
• Data retention follows the same schedule as user-initiated deletion

7.4 Legal Obligations

We may retain information longer if required by:

• Law or regulation
• Pending litigation or government investigation
• Terms of Service enforcement actions
• Fraud prevention and security purposes

8.1 Access Your Information

You can:

• View your profile information in the Service
• Request a copy of your personal data by emailing help@callmejosh.ai
• We will provide your data in a portable format within 30 days

8.2 Correct Your Information

You can:

• Update your profile information at any time through account settings
• Contact us at help@callmejosh.ai to correct inaccurate information
• We will update your information within 15 business days

8.3 Delete Your Information

You can:

• Delete your account at any time through account settings
• Request deletion by emailing help@callmejosh.ai
• Deletion follows the retention schedule in Section 7

Note: Some information may be retained as required by law or for legitimate business purposes.

8.4 Opt Out of Communications

You can control communications:

Marketing Messages:

• Reply STOP to any marketing SMS to unsubscribe
• Click "unsubscribe" in marketing emails
• Update preferences in account settings

Service Communications:

• You cannot opt out of essential Service messages (introduction notifications, SafeChat messages, payment confirmations, security alerts)
• These are necessary for Service operations

Complete Opt-Out:

• Text STOP to opt out of all JOSH communications
• This will close your account and you cannot resume Service

8.5 Data Portability

Upon request, we will provide:

• Your profile information in JSON or CSV format
• Your conversational interview transcript
• Your match history and introduction data
• Information in a commonly used, machine-readable format

8.6 California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information we collect, use, disclose, and sell
• Right to request deletion of your personal information
• Right to opt out of the sale of personal information (note: we do not sell personal information)
• Right to non-discrimination for exercising your privacy rights

To exercise these rights, contact us at help@callmejosh.ai with "California Privacy Request" in the subject line.

8.7 Nevada Privacy Rights

Nevada residents who wish to exercise their sale opt-out rights may submit a request to help@callmejosh.ai. Note: We do not currently sell personal information as defined by Nevada law.