Effective Date: October 2025

Data Protection and
Privacy Policy

Who We Are and What We Do

Youmi Support Ltd ("we", "us", "our") provides digital support services for people who are supporting someone with mental health difficulties. We are not a mental health treatment service. We are the data controller for the personal information you provide to us. This means we decide how and why your data is processed. Youmi Support Ltd, a company registered in England and Wales (Company No. 16162841), with its registered office at 22 Mount Pleasant Road, London, W5 1SG, United Kingdom.

1. Purpose of this document

Youmi Support Ltd ("we", "our", "us") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our AI-powered mental health support service designed specifically for carers and supporters of people experiencing mental health difficulties. Our service provides conversational AI support to help carers better understand and support their loved ones. We do not provide direct mental health support to individuals experiencing mental health difficulties — our service is exclusively for their carers, supporters, family members, and friends.

Youmi Support Ltd is a private limited company registered in England and Wales under company number 16162841, with our registered office at 22 Mount Pleasant Road, London, W5 1SG.

2. Data Controller

Youmi Support Ltd is the data controller for your personal data. This means we are responsible for deciding how we hold and use personal information about you. You can contact us at:

  • Email: hello@youmisupport.com
  • Registered office: 22 Mount Pleasant Road, London, W5 1SG
  • Data Protection Officer: louis@youmisupport.com

3. Legal Basis for Processing

Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following legal bases:

a) Explicit Consent (Article 9(2)(a) UK GDPR): Because conversations with our AI may involve sensitive information about mental health (special category data), we require your explicit consent to process this information. You provide this consent when you sign up for our service. You can withdraw consent at any time by contacting us.

b) Contract Performance (Article 6(1)(b) UK GDPR): We process your account data (email, name) to provide our service to you under our Terms of Service.

c) Legitimate Interests (Article 6(1)(f) UK GDPR): We process certain data for our legitimate interests in improving our service, preventing fraud, and ensuring service security, provided this does not override your rights and interests.

4. Age Restrictions

Our service is only available to individuals aged 18 and over. We do not knowingly collect or process personal data from anyone under 18. If you are under 18, please do not use our service or provide any personal information to us. If we discover we have inadvertently collected data from someone under 18, we will delete it immediately.

5. What Data We Collect

We collect the following categories of personal data:

  • Account Information: Name, email address, password (encrypted), account creation date, account status.
  • Conversation Data: All messages you send to our AI system, including any information you share about the person you are caring for, your concerns, questions, and the situations you discuss. This may include special category data about mental health.
  • AI Response Data: The responses generated by our AI system in your conversations.
  • Usage Data: Login times, session duration, features used, conversation frequency, device type, browser type, IP address (anonymised after 30 days).
  • Technical Data: Error logs, system performance data, feature usage analytics.
  • Crisis Detection Data: If our system detects keywords indicating a crisis situation (such as immediate harm risk), this is flagged and stored separately for emergency response purposes.
  • Research Data (with separate consent): If you consent to participate in research, we may use anonymised conversation data for academic research purposes with approved university partners.

6. How We Use Your Data

We use your personal data for the following purposes:

  • Service Provision: To provide AI-powered conversational support, maintain your account, personalise your experience, and enable core service features.
  • Crisis Detection and Response: To identify when you may be experiencing or describing a crisis situation and to escalate appropriately to our co-founders for human review and support referrals.
  • Service Improvement: To analyse usage patterns, improve AI responses, develop new features, and enhance service quality (using aggregated, anonymised data where possible).
  • Safety and Security: To detect and prevent fraud, abuse, security threats, and to maintain service integrity.
  • Legal Compliance: To comply with legal obligations, respond to lawful requests, and protect legal rights.
  • Research (with consent): To conduct academic research through approved partnerships with university ethics committees, using anonymised data only with your explicit consent.
  • Communication: To send service updates, respond to enquiries, and provide customer support.

7. How We Share Your Data

We do not sell your personal data. We share data only in the following limited circumstances:

  • AI Service Provider (Anthropic): Your conversation data is processed by Anthropic’s Claude AI system to generate responses. This involves transfer to the United States. Anthropic is bound by a Data Processing Agreement and Standard Contractual Clauses.
  • Essential Service Providers: We use carefully selected third-party processors who help us operate our service: Microsoft (email and productivity), Wix (domain registration), Webflow (website hosting), Attio (customer relationship management), and Notion (internal collaboration). Each processor is bound by a Data Processing Agreement.
  • Crisis Situations: If our AI detects crisis keywords indicating immediate harm risk, this is flagged to our co-founders for human review. We may share necessary information with emergency services or crisis support organisations if we reasonably believe there is an immediate risk of serious harm.
  • Academic Research Partners (with consent): If you provide explicit consent, we may share anonymised conversation data with approved university research partners who have ethics committee approval. Your identity is always removed and data is aggregated before sharing.
  • Legal Requirements: We may disclose data if required by law, court order, or regulatory authority, or to protect our legal rights.
  • Business Transfers: If our company is acquired or merged, your data may be transferred to the new entity, subject to the same privacy protections.

8. International Data Transfers

Your personal data is processed by third-party service providers, some of which are located outside the United Kingdom and European Economic Area, including in the United States. Where we transfer your data to countries not deemed to have adequate data protection laws by the UK, we ensure appropriate safeguards are in place:

Standard Contractual Clauses (SCCs): We use the UK Information Commissioner’s Office-approved Standard Contractual Clauses for transfers to the United States (Anthropic, Microsoft, Wix, Webflow, Notion).

Transfer Impact Assessment: We have conducted a Transfer Impact Assessment to evaluate the risks of transferring mental health data to the US and have implemented supplementary security measures. A complete list of our data processors, their locations, and applicable safeguards is available upon request.

9. Data Retention

We retain your data for different periods depending on its purpose:

  • Active Account Data: Retained while your account is active and for 30 days after account closure (to allow for account recovery).
  • Conversation Data: Retained for 12 months after your last active conversation, then automatically deleted. You can request earlier deletion at any time.
  • Crisis Detection Logs: Retained for 7 years to meet safeguarding audit requirements and legal obligations.
  • Anonymised Research Data (with consent): May be retained indefinitely in anonymised form for research purposes, as it cannot be linked back to you.
  • Financial and Tax Records: Retained for 7 years to comply with UK tax law.
  • Legal Claims Data: Retained for the duration of any legal proceedings plus 6 years from resolution. See our Data Retention Policy for complete retention schedules.

10. Your Data Protection Rights

Under UK GDPR, you have the following rights:

  • Right of Access (Article 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Article 16): Request correction of inaccurate or incomplete data.
  • Right to Erasure (Article 17): Request deletion of your data in certain circumstances, including withdrawal of consent.
  • Right to Restrict Processing (Article 18): Request that we limit how we use your data in certain circumstances.
  • Right to Data Portability (Article 20): Request transfer of your data to another service in a structured, machine-readable format.
  • Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing.
  • Rights Related to Automated Decision-Making (Article 22): Our AI system does not make automated decisions that have legal or similarly significant effects. Crisis detection flags are always reviewed by humans.
  • Right to Withdraw Consent: You can withdraw your consent for processing special category data at any time, though this will prevent us from providing our service. To exercise any of these rights, contact us at hello@youmisupport.com. We will respond within one month. There is no charge unless your request is manifestly unfounded or excessive.

11. Data Security

We implement appropriate technical and organisational measures to protect your data:

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
  • Access Controls: Strict role-based access controls limit who can view your data. Only authorised personnel can access conversation data, and only when necessary for crisis response or user support requests.
  • Authentication: Multi-factor authentication required for all staff accounts.
  • Monitoring: Continuous security monitoring, intrusion detection, and audit logging.
  • Regular Security Audits: Annual penetration testing and security assessments.
  • Staff Training: All staff complete mandatory data protection and security training annually.
  • Incident Response: We have a Data Breach Response Plan and will notify you and the ICO within 72 hours of discovering any breach that poses a risk to your rights.

12. Cookies and Tracking

We use essential cookies to operate our service and optional cookies for analytics (with your consent). See our Cookie Policy for full details on what cookies we use and how to manage them.

13. Changes to this Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email and by displaying a notice on our service. Your continued use of the service after changes take effect constitutes acceptance of the updated policy.

14. Complaints

If you have concerns about how we handle your personal data, please contact us first at hello@youmisupport.com. We take all complaints seriously and will investigate promptly. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK data protection supervisory authority:

  • Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
  • Tel: 0303 123 1113
  • Website: https://ico.org.uk

15. Contact Information

For any questions about this Privacy Policy or our data practices, contact us at:

  • Youmi Support Ltd - email: hello@youmisupport.com
  • Address: 22 Mount Pleasant Road, London, W5 1SG
  • Data Protection Officer: Louis Allen – louis@youmisupport.com
  • Company Number: 16162841