Privacy Policy

Effective Date: February 10, 2026

1. Introduction

Me² ("we," "us," or "our") is committed to protecting your privacy through architectural design, not just policy promises. This Privacy Policy describes what information we collect, how it is protected, and your rights regarding your data.

Me² is a self-reflection platform where users share deeply personal thoughts and experiences. We have designed our systems so that your most sensitive data is encrypted with a key only you control, making it inaccessible to us, our employees, and any unauthorized third parties.

2. Information We Collect

2.1 Information You Provide

  • Account information: Email address, display name, and password hash (we never store your plaintext password).
  • Conversation content: Messages you send to and receive from your AI companion. This content is encrypted client-side before transmission and stored only in encrypted form.
  • Psychological profile data: Personality dimensions, emotional patterns, extracted entities, and memories derived from your conversations. All of this data is stored in encrypted form.

2.2 Information Collected Automatically

  • Usage metadata: Timestamps of conversations, message counts, session duration, feature usage, and subscription status. This metadata is NOT encrypted and is necessary for service operation.
  • Device information: Device type, operating system, app version, and anonymous device identifiers for crash reporting and compatibility.
  • Performance data: API response times, error rates, and system health metrics. These contain no personal content.

2.3 Information We Do NOT Collect

We do not collect: precise geolocation data, contacts or address book data, photos or media files, biometric data, financial information (payment processing is handled entirely by Stripe), or any data from other apps on your device.

3. How Your Data Is Protected

3.1 Client-Side Encryption

All conversation content and psychological profile data is encrypted on your device using AES-256-GCM before being transmitted to our servers. The encryption key is derived from your password using Argon2id, an algorithm specifically designed to resist brute-force attacks. This key is never stored on our servers.

3.2 What This Means in Practice

  • Our database contains only ciphertext. If our database were breached, attackers would obtain data that is computationally infeasible to decrypt.
  • Our employees, including system administrators, cannot read your messages or view your psychological profile.
  • If compelled by a court order to produce your data, we can provide only ciphertext that we cannot decrypt.

3.3 The AI Processing Window

To generate AI responses, your messages must be temporarily decrypted. This occurs in an isolated, stateless serverless function that:

  1. receives your encryption key over TLS;
  2. decrypts only the messages needed for the current conversation;
  3. sends decrypted content to our AI provider's API;
  4. encrypts the AI response before storage; and
  5. terminates, destroying all plaintext and keys from memory.

No plaintext is ever written to disk, logged, cached, or persisted in any form during this process.

3.4 Third-Party AI Processing

Our AI engine is powered by Anthropic's Claude API. Under our agreement with Anthropic and their published data policies:

  • your data is not stored by Anthropic after processing;
  • your data is not used to train or improve their AI models;
  • data is transmitted over encrypted connections (TLS 1.3); and
  • Anthropic operates under a zero-data-retention policy for API usage.

We will notify you if we change AI providers, and the new provider must meet equivalent or stronger data protection standards.

4. How We Use Your Information

Encrypted content (messages, profile, memories): Used exclusively to power your AI companion experience. Processed only during active conversations when your encryption key is available.

Unencrypted metadata: Used for:

  • billing and subscription management;
  • rate limiting and abuse prevention;
  • aggregate analytics (e.g., total active users, average session length);
  • service reliability monitoring; and
  • communicating with you about your account.

We do NOT use your data to:

  • serve advertisements;
  • sell to third parties;
  • build profiles for marketing purposes; or
  • train AI models.

5. Data Sharing

We share your information only in the following limited circumstances:

  • AI processing: Decrypted conversation data is transmitted to Anthropic's Claude API for response generation, subject to their zero-retention policy.
  • Payment processing: Subscription billing information is processed by Stripe. We do not store your credit card details.
  • Legal compliance: We may disclose information if required by law, court order, or governmental regulation. However, encrypted content can only be provided in encrypted form, which we cannot decrypt.
  • Safety exceptions: If our automated systems detect an imminent risk of self-harm or harm to others, we may take reasonable steps as described in our Terms of Service, Section 10.

We do not sell, rent, or share your personal information with third parties for their marketing purposes.

6. Data Retention

  • Active accounts: Your encrypted data is retained for as long as your account is active.
  • Deleted accounts: Upon account deletion, all personal data (encrypted content, metadata, and account information) is permanently deleted within 30 days.
  • Anonymized analytics: Aggregate, anonymized data that cannot be linked to any individual may be retained indefinitely for service improvement.
  • Legal holds: If we are subject to a legal obligation to preserve data, we will retain the encrypted data as required, but we remain unable to decrypt it.

7. Your Rights

Where applicable under Canadian privacy law (PIPEDA), you have the right to:

  • Access: Request a copy of the personal information we hold about you.
  • Export: Download your encrypted data through your account settings.
  • Correction: Request correction of inaccurate personal information.
  • Deletion: Delete your account and all associated data at any time.
  • Withdraw consent: Withdraw your consent to data processing, which may require account deletion, as processing is necessary for the Service to function.

To exercise these rights, contact us at privacy@me-squared.com or use the controls in your account settings.

8. Canadian Privacy Compliance (PIPEDA)

We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.

  • We collect personal information only with your knowledge and consent.
  • We use your information only for the purposes identified in this Policy.
  • We protect your information using industry-leading encryption technology.
  • We retain your information only as long as necessary.
  • We provide you with access to your personal information upon request.

9. CASL Compliance

We comply with Canada's Anti-Spam Legislation (CASL).

  • We will only send you commercial electronic messages (e.g., promotional emails) with your express consent.
  • You may withdraw consent at any time by clicking "Unsubscribe" in any email or adjusting your notification settings.
  • Transactional messages (account confirmations, security alerts, billing receipts) do not require consent under CASL.

10. Children's Privacy

Me² is not intended for use by anyone under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected information from a person under 18, we will delete the account and all associated data promptly.

11. International Data Transfers

Your encrypted data is stored on servers located in [Supabase region]. AI processing occurs on Anthropic's servers, which may be located in the United States. All data transfers are protected by TLS encryption in transit, and your stored data is encrypted at rest with your personal key.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or in-app notification at least 30 days before the changes take effect. The "Effective Date" at the top of this document indicates the most recent revision.

13. Contact Us

For privacy inquiries, concerns, or to exercise your data rights:

Email: privacy@me-squared.io
Address: 77 Chant Cres, Markham, Ontario, Canada

If you are not satisfied with our response to a privacy concern, you may file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.