Privacy Policy
1. Who we are
Cerberissium Pty Ltd ("we", "us", "our") operates My Meadow, a personal wellbeing and habit-tracking application available at my-meadow.net. We are the responsible party ("controller") for your personal data as described in this policy.
Contact us at any time: support@cerberissium.com
2. What data we collect
| Data | Why we collect it | How long we keep it |
|---|---|---|
| Email address | Account creation, login, and support communications | Until you delete your account |
| Nickname | To personalise your experience in the app | Until you delete your account |
| Habits, tasks, reminders, and lists | Core functionality — to provide the Service to you | Until you delete them or your account |
| Habit completion history | Streak tracking, garden growth, wellbeing scoring, personal baselines, and weekly summaries | Until you erase history or delete your account |
| Journal entries and mood scores | Personal reflection and wellbeing trend tracking (see Section 5) | Until you delete them or your account |
| Trigger and coping logs | To help you track emotional triggers, intensity levels, and coping strategies you use | Until you delete them or your account |
| Guide preference and values | To personalise your AI guide and tailor insights | Until you change them or delete your account |
| Grove connections | To manage your connections with friends, family, and professionals (Rootkeepers) | Until you remove the connection or delete your account |
| Questionnaire responses | If assigned by a Rootkeeper, to facilitate professional support between sessions | Until you delete your account |
| Convergence events | Wellbeing pattern detection; optionally shared with your Rootkeeper if you enable this (see Section 6) | Until you delete your account |
| Subscription and billing status | To manage your plan and access level | Until you delete your account (billing records retained as required by law) |
| Push notification tokens | To deliver habit reminders and digest notifications you have opted into | Until you disable notifications or delete your account |
| AI usage data | To enforce fair usage limits and prevent abuse | Rolling 12 months |
| Support ticket content | To respond to your enquiries | 2 years from submission |
| Basic usage logs | Security monitoring and error diagnosis | 90 days |
We do not collect location data, device identifiers, advertising IDs, or biometric data.
On-device data: Certain data — including personal baselines, cached AI responses, and circuit-breaker states — is stored locally on your device (in your browser's localStorage) and is never transmitted to our servers. Clearing your browser data removes this information.
3. How we use your data
We use your data solely to:
- Provide, operate, and improve the My Meadow Service
- Authenticate you and secure your account
- Generate personal baselines, wellbeing scores, insights, and convergence alerts from your habit and mood data
- Provide instant feedback and AI-generated encouragement when you complete habits
- Process your subscription and manage billing through our payment provider (Paddle)
- Facilitate connections with friends, family, and professionals through the Grove
- Deliver push notifications and email digests you have opted into
- Respond to support requests you submit
- Send transactional emails (account confirmation, password reset, billing receipts)
- Enforce our Terms of Service and protect against fraud or abuse
We do not use your data for advertising, profiling, or sale to third parties.
4. AI features and your data
When you use the AI guide feature, minimal data — such as the name of the habit you completed and your guide preference — is sent to an AI model (Claude, operated by Anthropic) to generate a personalised message of encouragement. We do not send your full habit history, personal details, journal entries, mood scores, or any sensitive information to the AI model.
Instant feedback: When you complete a habit, an immediate response is generated locally on your device using pre-built templates. This does not involve any server or AI call. A personalised AI response may supplement this when available.
AI responses are cached locally on your device for up to 24 hours to reduce unnecessary network requests. Anthropic's use of API data is governed by their own privacy policy available at anthropic.com/privacy.
5. Field Notes (Journal)
Journal entries (Field Notes) that you write in My Meadow are stored securely and are never shared with anyone — including Rootkeepers, friends, support persons, or Cerberissium staff. No other user of the Service can access, view, or request your journal entries.
Your journal entries are:
- Encrypted in transit between your device and our servers using TLS
- Stored in a secure database with Row Level Security — only your authenticated account can access them
- Not used for AI training, analytics, or any purpose beyond displaying them to you
- Not included in any data shared with Rootkeepers, even if you have granted them access to other parts of your profile
Mood scores: If you record a mood score alongside a journal entry, the numerical mood score (not the entry text) may be used to generate insights and contribute to your wellbeing score. If you enable Rootkeeper sharing, aggregated mood trends (not individual entries) may be visible to your connected professional.
We may be required to disclose data (including journal entries) if compelled by a valid court order, subpoena, or other binding legal process. In such cases, we will notify you where legally permitted to do so. Outside of these narrow legal obligations, your journal entries remain entirely private.
6. Rootkeeper data sharing and consent
If you connect with a Rootkeeper through the Grove, you may choose to share certain data to support professional care between sessions. Shared data may include:
- Habit completion trends and streak data
- Aggregated mood trends (not journal entry text)
- Wellbeing convergence alerts (if you enable this separately)
- Questionnaire responses assigned by your Rootkeeper
- Data freshness indicators (when you last logged data)
You can connect with multiple professionals simultaneously. Each professional sees only the data you have explicitly chosen to share with them. Sharing consent is granular and revocable at any time from within the app.
What is never shared with Rootkeepers: Journal entry text, trigger log details, coping strategy selections, and any data you have not explicitly consented to share.
7. Third parties we share data with
We share your data only with trusted third-party service providers, and only to the extent necessary to operate the Service:
- Supabase (database and authentication provider) — stores your account data, habits, tasks, and app content securely
- Cloudflare (edge computing and API provider) — processes requests between the app and our AI and payment systems
- Paddle.com (payment provider and merchant of record) — handles all billing, subscription management, invoicing, and tax compliance on our behalf. Paddle receives your payment details and billing information directly. Paddle's privacy policy is available at paddle.com/legal/privacy
- Anthropic (AI model provider) — generates personalised guide responses when you use the AI feature. Only minimal data is shared (see Section 4)
- Transactional email provider — delivers account confirmation, password reset, and support emails
We do not sell, rent, or trade your personal information with any party for marketing or advertising purposes.
8. Cookies and tracking
My Meadow does not use tracking cookies, advertising cookies, or third-party analytics. We use only essential session cookies required for authentication (managed by Supabase). These are strictly necessary to keep you logged in and cannot be disabled without preventing the Service from functioning.
We do not use Google Analytics, Facebook Pixel, or any similar tracking tools.
9. Data security
We take reasonable technical and organisational measures to protect your data, including:
- All data transmitted between your browser and our servers is encrypted using TLS (HTTPS)
- Passwords are never stored — we use secure, passwordless email authentication via Supabase
- Database access is restricted using Row Level Security (RLS) — users can only access their own data
- API keys and secrets are stored as encrypted environment variables, never in code
- AI requests are authenticated and rate-limited per user
- Circuit breaker patterns prevent data leakage during service outages by falling back to locally cached data
No system is completely secure. If you believe your account has been compromised, please contact us immediately at support@cerberissium.com.
10. Your rights
Depending on your location, you may have the following rights regarding your personal data. We honour these rights for all users regardless of location:
- Access: Request a copy of the data we hold about you
- Correction: Ask us to correct inaccurate data
- Deletion: Request that we delete your account and associated data
- Portability: Request your data in a portable format
- Objection: Object to processing in certain circumstances
- Withdraw consent: Where processing is based on consent, withdraw it at any time
- Restrict processing: Request that we limit processing of your data in certain circumstances
To exercise any of these rights, email us at support@cerberissium.com. We will respond within 30 days.
11. South African residents — POPIA
We comply with the Protection of Personal Information Act 4 of 2013 (POPIA). As an operator processing personal information on behalf of South African residents, we are committed to the eight conditions for lawful processing set out in POPIA: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation.
If you believe we have processed your personal information unlawfully or in violation of POPIA, you have the right to lodge a complaint with the Information Regulator of South Africa at inforegulator.org.za.
12. International users — GDPR
If you are located in the European Economic Area (EEA) or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR) and UK GDPR. Our legal basis for processing your data is:
- Contract performance — to provide the Service you signed up for
- Consent — for optional features such as Rootkeeper data sharing, push notifications, and convergence event sharing
- Legitimate interests — for security monitoring and Service improvement
- Legal obligation — where required by applicable law
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. You may lodge a complaint with your local data protection authority if you are unsatisfied with how we handle your data.
13. Children's privacy
My Meadow is not intended for use by children under the age of 16 without parental or guardian consent. We do not knowingly collect personal data from children under 16 without verified consent from a parent or legal guardian.
Where a user indicates they are under 16 during registration, the account is placed on hold until a parent or guardian provides consent through our verified parental consent process. Consent links are valid for 7 days. Parents or guardians may withdraw consent at any time by emailing support@cerberissium.com, at which point the account will be deactivated and data deleted.
If you believe a child under 16 has provided us with personal data without proper consent, please contact us and we will delete it promptly.
14. Data retention and deletion
You may delete your account at any time from within the app. Upon deletion, your personal data and content will be removed from our active systems within 30 days. Some data may be retained in backups for up to 90 days before being permanently purged. Billing records may be retained longer where required by tax or financial law.
On-device data (localStorage) is not automatically removed when your account is deleted. You may clear this by clearing your browser data.
15. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and by updating the date at the top of this page. Continued use of the Service after the effective date constitutes your acceptance of the updated policy.
16. Contact us
For any privacy-related questions or to exercise your rights, please contact us:
Cerberissium Pty Ltd
Email: support@cerberissium.com
Website: my-meadow.net