Privacy Policy
Last updated: 4 February 2026
1. Introduction
Six Steps ("we", "us", "our") is committed to protecting your privacy. This policy explains how we collect, use, and protect your personal data in compliance with the UK GDPR, EU GDPR, and HIPAA requirements.
2. Data Controller
The data controller responsible for your personal data is Six Steps. For any privacy-related enquiries, please contact us at privacy@sixsteps.app.
3. What Data We Collect
3.1 Account Information
- Email address (required for account creation)
- Region/country (for providing appropriate support resources)
- Password (we store only a bcrypt hash of your password, which is salted by design; the password itself is never stored)
3.2 Session Data
- Your responses during reflection sessions (encrypted at rest; see section 7)
- Session metadata (start time, duration, completion status)
- Spaces explored during sessions
3.3 Consent Records
- Records of consents you have given
- Timestamps of when consent was given or withdrawn
4. Special Category Data
Your reflection content may contain health-related information, which is classified as "special category data" under GDPR. We process this data based on your explicit consent, which you provide when starting each session.
5. How We Use Your Data
We use your data to:
- Provide the reflection service
- Display appropriate support resources for your region
- Allow you to review your session history
- Generate PDF exports of your reflections
- Maintain security and prevent abuse
6. Data Retention
Reflection content: The text of your session responses is automatically redacted 30 days after the session. Session metadata (dates, spaces explored) is retained for longer so that you can track your journey over time.
Account data: Retained until you delete your account.
Consent records: Retained for as long as we need them to demonstrate that consent was given or withdrawn, as required for legal compliance.
7. Data Security
We protect your data using:
- AES-256 encryption for all sensitive content at rest
- TLS 1.3 encryption for all data in transit
- Regular security audits and updates
- Access controls limiting who can view data
8. Your Rights
Under GDPR, you have the right to:
- Access – Request a copy of your personal data
- Rectification – Correct inaccurate personal data
- Erasure – Request deletion of your personal data
- Portability – Receive your data in a machine-readable format
- Withdraw consent – Withdraw consent at any time
- Object – Object to processing of your personal data
To exercise these rights, visit your account settings or contact us at privacy@sixsteps.app.
9. Third Parties
We do not sell your personal data. We may share anonymised, aggregated data for research purposes, but this data cannot be used to identify you.
10. Cookies
We use essential cookies only, required for the service to function (e.g., session authentication). We do not use tracking or advertising cookies.
11. Changes to This Policy
We may update this policy from time to time. We will notify you of significant changes via email or through the application.
12. Contact Us
For any questions about this privacy policy or our data practices, please contact us at privacy@sixsteps.app.