Friend in the Cloud — Privacy Policy
Version: 2.0 Last updated: April 2026 Effective date: April 23, 2026
Our Core Promise
Your privacy is not just a legal obligation for us — it is a core value.
🔒 We never sell your data. We never share your conversations. What you say here, stays here.
This policy explains what we collect, how we use it, how we protect it, and the control you have over it.
1. Who We Are
Friend in the Cloud ("FITC", "we", "us", "our") is an AI-powered companion platform providing emotional support, personal growth tools, and AI avatar services.
For the purpose of applicable data protection laws:
- Thailand (PDPA): FITC is the data controller for personal data collected through the Service.
- European Economic Area / United Kingdom (GDPR/UK GDPR): FITC is the data controller for personal data of EEA/UK users.
- Australia (Privacy Act 1988): FITC handles personal information in accordance with Australian Privacy Principles.
Contact for privacy matters: support@friendinthecloud.com
2. Data We Collect
2.1 Account Information
- Name or chosen display name
- Email address
- Password (stored as a salted hash; never in plain text)
- Subscription plan and billing status
- Account creation date and login history
2.2 Conversation Data
- Messages between you and your AI companions
- Files, images, and documents you upload
- Custom instructions, personality settings, and preferences
This data is stored to enable memory, personalization, and continuity of your companion experience.
2.3 Usage Data
- Interaction counts, session frequency, feature usage
- Subscription tier usage (to enforce fair-use limits)
- Platform navigation patterns (aggregated and anonymized for product improvement)
2.4 Payment Data
- Processed entirely by Stripe; we do not store card numbers, CVV codes, or banking details
- We store: transaction IDs, amounts, dates, subscription status references
2.5 Device and Connection Data
- Browser type and version
- IP address (collected for security, abuse prevention, and regional compliance)
- Device type and operating system
- Approximate geolocation (country/region level) derived from IP
2.6 Marketplace Data (if applicable)
- For users who list AI avatars: payout account information (processed by Stripe Connect or PayPal)
- For buyers: purchase history and Clone state data
3. How We Use Your Data
We use the data we collect to:
- Provide, maintain, and improve the Service;
- Personalize your AI companion's responses over time;
- Process payments and manage subscriptions;
- Enforce subscription tier limits and fair-use policies;
- Send essential account communications (never unsolicited marketing);
- Detect, prevent, and respond to fraud, abuse, or security threats;
- Comply with legal obligations;
- Enforce our Terms of Service.
4. AI Data Processing
4.1 Automated processing disclosure
You acknowledge that user inputs, conversations, and behavioral data may be processed by automated systems, including artificial intelligence models, for the purpose of:
- Generating AI responses and Companion outputs;
- Improving system performance and personalization;
- Pattern recognition for safety and abuse detection;
- Platform reliability and quality assurance.
Such processing may involve automated analysis without human intervention.
4.2 Automated decision-making
Automated systems used by the Service may generate outputs, recommendations, or suggestions. Such outputs:
- Do not constitute legally binding decisions;
- Should not be relied upon for matters with significant legal, financial, medical, or safety effects;
- May be reviewed by human operators only in cases of abuse investigation, technical troubleshooting, or express user request.
Where required by applicable law (including EU AI Act provisions), users have the right to request human review of automated decisions that produce legal or similarly significant effects on them.
4.3 Training of AI models
- Your private conversations are NOT used to train our AI models or any third-party AI models without your explicit consent.
- FITC's AI systems are trained on licensed data, publicly available information, and internally developed datasets.
- Anonymized, aggregated usage patterns may be used for service improvement; this processing cannot be used to identify individual users.
5. What We Never Do
- We never sell your personal data to third parties.
- We never use your private conversations to train AI models without explicit consent.
- We never share your data with advertisers.
- We never read your private conversations for any purpose other than providing the service, investigating abuse on reasonable grounds, or complying with legal obligations.
- We never share your data with brokers or analytics companies for profiling purposes.
6. Legal Bases for Processing (GDPR/UK GDPR Users)
For users in the European Economic Area and United Kingdom, we process personal data under the following legal bases:
- Contractual necessity: Processing necessary to provide the Service you have signed up for.
- Legitimate interests: Processing necessary for security, fraud prevention, service improvement (balanced against your rights).
- Legal obligation: Processing required to comply with applicable laws.
- Consent: Where we request your explicit consent (e.g., for optional features involving additional data use).
You may withdraw consent at any time for consent-based processing.
7. Your Rights
7.1 Universal rights
All users have the right to:
- Access a copy of their personal data;
- Correct inaccurate personal data;
- Delete their account and associated personal data;
- Export their data in a portable format;
- Contact us with privacy questions or concerns.
7.2 Additional rights for EEA/UK users (GDPR)
In addition to universal rights, you have:
- Right to restriction of processing in certain circumstances;
- Right to object to processing based on legitimate interests;
- Right to data portability in machine-readable format;
- Right to withdraw consent for consent-based processing;
- Right to lodge a complaint with your local supervisory authority.
7.3 Additional rights for Thailand users (PDPA)
In addition to universal rights, you have:
- Right to be informed of the collection, use, and disclosure of your data;
- Right to object to processing in certain circumstances;
- Right to request suspension of processing while a dispute is resolved;
- Right to lodge a complaint with Thailand's Personal Data Protection Committee.
7.4 Additional rights for Australian users (Privacy Act)
Australian users have rights under the Australian Privacy Principles, including access, correction, and complaint rights via the Office of the Australian Information Commissioner.
7.5 How to exercise your rights
To exercise any of these rights, contact us at support@friendinthecloud.com. We will respond within 30 days (or as required by applicable law, whichever is shorter).
8. Data Storage and Security
8.1 Where we store data
Your data is stored with Supabase (PostgreSQL infrastructure) in secure cloud data centers. Primary region: [to be specified — typically US or EU region].
8.2 Cross-border data transfers
If your data is stored or processed outside your country of residence:
- For EEA/UK users: Transfers are conducted under Standard Contractual Clauses (SCCs) or equivalent legal mechanisms.
- For Thailand users: Transfers comply with PDPA cross-border transfer requirements.
- For Australian users: Transfers comply with Australian Privacy Principle 8.
8.3 Security measures
We implement industry-standard security measures including:
- Encryption at rest and in transit (TLS 1.2+);
- Password hashing using industry-standard algorithms;
- Access controls and role-based permissions;
- Regular security reviews and updates;
- Incident response procedures.
8.4 Breach notification
In the event of a data breach affecting your personal data:
- We will notify affected users without undue delay;
- For EEA/UK users: within 72 hours where required by GDPR;
- For Thailand users: in accordance with PDPA requirements;
- For Australian users: in accordance with Notifiable Data Breaches scheme requirements.
9. Data Retention
9.1 Retention schedules
| Data type | Retention period |
|---|---|
| Active account data | Duration of account activity |
| Conversation data | Duration of account; deleted 30 days after account deletion |
| Payment records | 7 years (for tax/accounting compliance) |
| Security/audit logs | 12 months from creation |
| Marketing preferences (where applicable) | Until you opt out |
| Anonymized usage analytics | Indefinitely (cannot be linked to you) |
9.2 Account deletion
Upon account deletion, your personal data and conversations are permanently deleted within 30 days, except where:
- We are required to retain specific records for legal or regulatory compliance (e.g., payment records);
- Anonymized/aggregated data remains in analytical systems in a form that cannot identify you;
- Data is necessary to enforce legal claims or defend against them.
10. Cookies and Similar Technologies
We use only essential cookies required for:
- Authentication and session management;
- Security (CSRF protection, rate limiting);
- User preferences (e.g., theme, language).
We do not use tracking cookies, advertising cookies, or third-party analytics cookies that profile you.
11. Third-Party Service Providers
We use the following third-party service providers, each bound by their own privacy practices:
| Provider | Purpose | Privacy policy |
|---|---|---|
| Stripe | Payment processing, subscription management, creator payouts | https://stripe.com/privacy |
| Anthropic | AI model provider (Claude) | https://www.anthropic.com/privacy |
| OpenAI | AI model provider (where applicable) | https://openai.com/privacy |
| Supabase | Database and authentication infrastructure | https://supabase.com/privacy |
| Vercel | Platform hosting | https://vercel.com/legal/privacy-policy |
We have contractual data processing agreements with these providers ensuring they handle your data in accordance with applicable law.
12. Children's Privacy
The Service is not intended for users under 18 years of age.
- We do not knowingly collect personal data from children under 18.
- If you believe we have collected data from a minor, please contact us immediately at support@friendinthecloud.com so we can delete it.
- Parents and guardians who believe their child has created an account without permission should contact us for immediate account removal.
13. Marketing Communications
- We send essential transactional communications (account notices, receipts, security alerts) as a core part of providing the Service; these cannot be opted out of without terminating your account.
- We send marketing communications (product updates, feature announcements) only with your consent; you may opt out at any time.
- We do not share your contact details with third-party marketers.
14. Changes to This Policy
We may update this Privacy Policy periodically to reflect:
- Changes in our practices;
- Changes in applicable law;
- New features or services.
Material changes will be communicated by:
- Email notification to registered users;
- In-app notification on next login;
- Update to the "Last Updated" date at the top.
We will not reduce your rights under this Policy without your explicit consent.
15. Contact
For privacy-related questions or to exercise your rights:
Email: support@friendinthecloud.com Contact page: https://friendinthecloud.com/contact
For complaints to supervisory authorities:
- Thailand: Personal Data Protection Committee — https://www.mdes.go.th
- European Economic Area: Your national data protection authority
- United Kingdom: Information Commissioner's Office — https://ico.org.uk
- Australia: Office of the Australian Information Commissioner — https://www.oaic.gov.au
By using Friend in the Cloud, you acknowledge that you have read and understood this Privacy Policy.