Privacy Policy
Effective date: April 16, 2026, Version 3.0
The short version — what we always do and what we never do
What we always do
- Collect only what is needed to run the platform for you
- Keep your journal entries private — only you can read them
- Use your data only to provide and improve the service
- Tell you exactly which analytics tools we use and where they run
- Give you a way to download and delete all your data at any time
- Notify you before making material changes to this policy
What we never do
- Sell your data
- Share your health data with advertisers, data brokers, or insurance companies
- Run advertising inside the app or use your data for ad targeting
- Collect your real name, phone number, location, or profile photo
- Use your content to train AI models
- Share user data with TikTok, Instagram, or Meta (we have organic accounts on all three; no data flows to them)
Data controller
DeeplyHeard operates this platform and is responsible for your data. For any privacy-related questions or requests, contact us at support@deeplyheard.org.
Information we collect
Account data: your email address (used only for authentication and transactional email) and the username you choose at onboarding. Your email is never shown to other users and never used for marketing.
Journey data: the life event you select (such as grief, divorce, or job loss) and your current stage within that journey. This information qualifies as consumer health data under Washington's My Health My Data Act and similar state laws. It is used only to place you in the appropriate peer support community.
Program enrollment and progress: whether you are enrolled in any structured program and where you are within it. This also qualifies as consumer health data.
Journal entries: private text entries you write. Only you can read them. They are stored in our database under your account and protected by access controls that prevent anyone else — including DeeplyHeard staff — from reading them.
Mood logs: a numeric mood score (1–5) and an optional short note, along with your stage at the time of the log. Mood logs qualify as consumer health data.
Milestones: a title, optional note, mood score, and date that you record. Milestones qualify as consumer health data.
Community posts, reactions, and comments: linked to your pseudonymous persona, not your real identity. You choose your identity on every post: your username, anonymous, or stage-only.
Peer encouragements sent or received: these are pre-written messages selected by DeeplyHeard and sent anonymously. Neither the sender nor the recipient is identified.
Wellbeing events: a first-party record of certain in-app actions (such as submitting your first post, clicking a crisis resource, or activating go-dark mode). These are stored in our own database. No personally identifiable information is included in these records.
Technical data: a session cookie managed by Supabase Auth to keep you logged in. IP addresses are transiently processed by our hosting infrastructure (Vercel and Supabase) as a standard part of serving web requests. We do not log, store, or analyze IP addresses ourselves.
Analytics and tracking
We use the following analytics tools. We are specific about each one because accuracy on this point matters for a mental health platform.
Vercel Analytics and Vercel Speed Insights: loaded on all pages of the platform, including pages inside the authenticated app. These tools do not use cookies and do not track individual users across sessions. They collect anonymized page view data, referrer information, device type, and country-level location. This data is processed by Vercel, Inc. (United States).
Google Analytics 4 (property ID: G-XG93RD6L6J) via Google Tag Manager (container ID: GTM-PB2QWNKJ): loaded only on public marketing pages. These tools are not loaded anywhere inside the authenticated app. They activate only after you accept cookies via the consent banner. They are configured with IP anonymization enabled and advertising data redaction enabled. They record page views, scroll depth, quiz funnel steps, and button clicks on marketing pages. This data is processed by Google LLC (United States).
First-party wellbeing events: we record certain in-app behavioral signals to our own Supabase database (for example, when you submit your first community post, when you click a crisis resource, or when you activate go-dark mode). These records contain no personally identifiable information. They are used only for internal platform improvement and are never shared with third parties.
We use no advertising pixels, no cross-site behavioral tracking, no device fingerprinting, and no data brokers. We have a TikTok account (@deeplyheard_), an Instagram account (@deeplyheard_), and a Facebook page used for organic content only. No user data from this platform is shared with TikTok or Meta in any form.
What we never collect
Your real name. Your precise location. Your phone number. A profile photo. Your browsing history outside of DeeplyHeard. Anything from third-party services or social networks. We do not use social login. Your DeeplyHeard account is never linked to an external identity.
Third-party data processors
We use a small number of third-party services to operate the platform. Each handles only the data necessary for its role:
Supabase, Inc. (United States): database storage, authentication, file storage, and edge functions. Supabase processes your account data, journey data, journal entries, mood logs, milestones, community content, and wellbeing events. Privacy policy: supabase.com/privacy.
Vercel, Inc. (United States): hosting, edge network, Vercel Analytics, and Speed Insights. Vercel processes HTTP requests to serve the platform and collects anonymized analytics data on all pages. Privacy policy: vercel.com/legal/privacy-policy.
Resend, Inc. (United States): transactional email delivery. Resend processes your email address to deliver account-related emails such as password resets, welcome messages, and weekly digests. Privacy policy: resend.com/legal/privacy-policy.
Google LLC (United States): analytics on public marketing pages only, activated after cookie consent. Configured with IP anonymization and advertising data redaction. Privacy policy: policies.google.com/privacy.
Health data: what we never do
Consumer health data collected on DeeplyHeard — including your life event, stage, program enrollment, mood logs, and milestones — is never sold. It is never shared with advertisers, data brokers, or insurance companies. It is never used for targeted advertising of any kind.
Specifically: no consumer health data is ever shared with Meta (Facebook or Instagram), Google Ads, TikTok, Snap, Pinterest, or any other advertising network or data broker. Our TikTok, Instagram, and Facebook accounts are used for organic content only. No user data flows to those platforms.
For the full Consumer Health Data Privacy Policy required by Washington's My Health My Data Act, see our Consumer Health Data Privacy Policy.
How we use your data
Only to run the platform for you. We use your data to place you in the right peer support community, personalize your journey programs, send you transactional emails you have requested, and improve the platform. Your data is not sold, shared with advertisers, licensed to data brokers, or used to train AI models. We do not monetize your data in any form.
Who can see what
Your journal entries: only you. DeeplyHeard staff cannot read your journal entries.
Your mood logs and milestones: only you.
Your posts and comments: other authenticated users on the platform, displayed under the identity you chose for that post. If you post anonymously, your username and email are not included in or derivable from what others see. DeeplyHeard staff can see flagged content when it is reported.
Your email address: only you and the authentication system. It is never displayed to other users or to platform staff in the course of normal operations.
Data retention
Your account data is retained for as long as your account exists. If you delete your account, all your data — including journal entries, mood logs, milestones, community posts, and program progress — is removed from our systems within 24 hours. There is no waiting period and no way to recover the account afterward.
Vercel Analytics data is retained in aggregated, anonymized form per Vercel's data retention policies. Because no cookies are used, data is not linked to individual users across sessions.
Google Analytics 4 data (marketing pages only, post-consent) is retained for 14 months by default per Google's standard configuration.
Your rights
You have the right to: access the data we hold about you; correct inaccurate data; delete your account and all associated data; export your data before deleting; opt out of the sale or sharing of your personal information (we do not sell or share your data, but you have this right); withdraw consent for analytics cookies at any time using the cookie banner; and submit an appeal if we deny a privacy request.
You can access, export, and delete your data directly from your profile settings. To export your data, visit your profile and click “Download my data.” For anything not covered there, contact us at support@deeplyheard.org. We will respond to privacy requests within 45 days.
Breach notification
If we discover a breach that involves consumer health data, we will notify affected users within 60 days of discovery, consistent with the FTC Health Breach Notification Rule and applicable state law. Notification will be sent to your registered email address and will describe the nature of the breach, the data involved, and the steps we are taking.
Cookies and local storage
We use one type of cookie: a session cookie managed by Supabase Auth to keep you logged in. We also store one item in your browser's localStorage: your cookie consent preference (the key "dh_cookie_consent"), which records whether you have accepted or declined analytics cookies. No advertising cookies. No tracking pixels. No persistent identifiers beyond your session.
Children
DeeplyHeard is intended for users 18 years of age and older. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, contact us at support@deeplyheard.org and we will remove the account promptly.
State-specific privacy rights
Depending on where you live, you may have additional privacy rights under state law. We honor these rights for all users regardless of state.
California residents: The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you the right to know what personal information we collect, to delete it, to correct it, to opt out of its sale (we do not sell), to limit the use of sensitive personal information, and to non-discrimination for exercising these rights. The California Confidentiality of Medical Information Act (CMIA) provides additional protections for medical information, which we treat as consumer health data.
Washington residents: Washington's My Health My Data Act (MHMDA) provides specific rights over consumer health data. See our separate Consumer Health Data Privacy Policy for the full disclosure required by that law.
Nevada residents: Nevada SB 370 gives you the right to opt out of the sale of personal information. We do not sell personal information.
Connecticut residents: The Connecticut Data Privacy Act (CTDPA) gives you rights to access, correct, delete, and port your personal data, and to opt out of targeted advertising and the sale of personal data. We do not engage in targeted advertising or sell personal data.
Maryland residents: The Maryland Online Data Privacy Act (MODPA) provides similar rights to access, correct, delete, and port personal data, and to opt out of targeted advertising and sale. We do not engage in targeted advertising or sell personal data.
To exercise any of these rights, contact us at support@deeplyheard.org.
Consumer health data
Washington's My Health My Data Act (RCW 19.373) requires a separate Consumer Health Data Privacy Policy for platforms that collect consumer health data. DeeplyHeard collects data that qualifies under this definition, including your life event, stage, mood logs, milestones, and program enrollment. See our Consumer Health Data Privacy Policy for the full disclosure required by that law.
Changes to this policy
If we make material changes to this policy, we will notify registered users by email at least 14 days before the changes take effect. The effective date at the top of this page will always reflect the current version.
Contact
For questions about your privacy or how your data is handled: support@deeplyheard.org