Privacy Policy
Last updated: 2 June 2026
This Privacy Policy explains how Cleo ("Cleo", "we", "us") collects, uses, shares, and protects personal data when you use our SMS-based companion service (the "Service"). We handle your family's data with care and only as needed to provide the Service. It applies both to the person who sets Cleo up ("Person A") and to the loved one who receives messages ("Person B").
1. Who we are (Data Controller)
The controller responsible for your personal data is:
- Konstantin Bick — Sole Proprietorship (operating under a German business license)
- Arnimstraße 14, 22609 Hamburg, Germany
- Email: contact@getcleo.xyz
2. How we collect data & roles
We collect personal data in three ways:
- From Person A — when they sign up and complete setup (their own details and the details they enter about Person B).
- From Person B — through the SMS messages they exchange with Cleo.
- Automatically — limited technical logs created when the Service is used.
When Person A provides Person B's phone number and details, Person A confirms they are authorised to do so and that Person B consents to receiving messages from Cleo.
3. The data we collect
- Account & contact data: the phone number and email of Person A, and the name and phone number of Person B.
- Authentication data: your email and a secure sign-in session (kept in an essential cookie) used to log you in.
- Service settings: time zone, daily message time, medication names and reminder times, doctor-appointment details (type, frequency, dates), escalation preferences, and consent status.
- Approximate location: if you provide one, a postal code (and the coarse coordinates we derive from it) used only to fetch local weather and tailor wellness tips (e.g. hydration on hot days).
- Message content: the SMS messages exchanged between Person B and Cleo. Because these are free-form, they may include health-related information (for example, how someone is feeling or whether they took a medication).
- Technical data: a limited record of sign-up requests (including IP address) to prevent abuse and fraud, plus standard hosting and delivery logs.
4. How we use the data
- To deliver the daily message, medication and doctor-appointment reminders, and alerts to Person A.
- To generate Cleo's conversational replies (see Section 5).
- To operate, secure, and improve the Service, and to prevent abuse (e.g. SMS rate-limiting).
- To comply with legal obligations.
5. AI & automated processing
Cleo's replies are generated by an AI provider (Anthropic's Claude). To do this, recent message content is sent to that provider and processed to (a) write Cleo's response and (b) classify the message — for example, recognising a medication confirmation or possible signs of distress. If a message suggests a possible crisis or low wellbeing, this can trigger an alert to Person A. These steps help run the Service and do not produce legal or similarly significant decisions about you. AI output can be imperfect and is not professional advice.
6. Legal bases (GDPR)
Where the EU General Data Protection Regulation applies, we rely on: performance of a contract (Art. 6(1)(b)); your consent (Art. 6(1)(a)); and our legitimate interests in operating and securing the Service (Art. 6(1)(f)). Because message content may include health information, we process such special-category data only on the basis of your explicit consent (Art. 9(2)(a)), which you may withdraw at any time.
7. How we share data
We do not sell your personal data, and we do not share mobile opt-in information or SMS consent with third parties for their own marketing. We share data only with service providers (processors) who help us run the Service, each bound by an appropriate data-processing agreement:
- Sendblue — message delivery (iMessage and SMS).
- Supabase — database, authentication, and hosting.
- Anthropic (Claude) — generating Cleo's replies from recent message context.
- Vercel — application hosting.
- Resend — transactional email (e.g. sign-in links).
- Open-Meteo & Zippopotam.us — local weather forecast and postal-code lookup for weather tips (coordinates only; no message content shared).
We may also disclose data where required by law.
8. SMS program disclosures
Person B receives recurring messages (typically a daily message plus any reminders you set). Message frequency varies. Message and data rates may apply. Reply STOP at any time to opt out and stop all messages; reply HELP for help.
9. Cookies
We use only essential cookies needed to keep you securely signed in (set by our authentication provider, Supabase). We do not use advertising or cross-site tracking cookies, and we do not track you across other websites.
10. Data retention
We keep account and contact data for as long as your account is active. Message content is retained while the Service is active and is deleted or anonymised within 90 days after the account is closed or you opt out, unless we are required to keep it longer to meet a legal obligation. You may request deletion at any time (see Section 12).
11. International transfers
Some of our providers are based in the United States, so your data may be transferred outside the EEA. Where required, such transfers are protected by appropriate safeguards such as the EU Standard Contractual Clauses.
12. Your rights
Depending on where you live, you may have the right to access, correct, delete, or port your data, to object to or restrict processing, and to withdraw consent. EU/EEA users may also lodge a complaint with a supervisory authority; the authority competent for us is Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (Hamburg, Germany). US residents may have similar rights under their state's privacy law — for example, the right to know, access, delete, and opt out of the sale or sharing of personal information under California's CCPA/CPRA and comparable laws in other states. We honour such requests regardless of your state, and we do not sell personal information. To exercise any right, contact contact@getcleo.xyz.
13. Children
The Service is intended for adults and is not directed to children.
14. Security & data breaches
We protect data with measures including encryption in transit and database-level access controls (row-level security) that scope each account's data to that account. No system is perfectly secure, but we work to safeguard your information, and we will notify affected users and the relevant authority of a data breach where the law requires it.
15. Changes & contact
We may update this policy from time to time; material changes will be reflected by the "last updated" date above. Questions? Email contact@getcleo.xyz.