Privacy Policy

Everything you need to know about how Jed collects, uses, and protects your information.

Last updated
March 2026

Encryption first

Every request travels over TLS and is stored encrypted at rest inside Jed-managed infrastructure.

You own your words

Download or delete your records from Settings any time. We never sell or rent personal data.

Human review is optional

No one at Jed reads your conversations unless you explicitly invite us to for support.

1. Data Controller

Jed is provided by Innerlight Labs Ltd, a company registered in England and Wales. Innerlight Labs is the data controller responsible for your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Contact details

  • Data Controller: Innerlight Labs Ltd
  • Email: privacy@innerlightlabs.co.uk
  • Address: Innerlight Labs Ltd, 71–75 Shelton Street, London, WC2H 9JQ, United Kingdom

2. Information We Collect

We collect the minimum information required to create and operate your Jed account. The categories below describe what we collect and why.

Categories of personal data

  • Account data: name, email address, timezone, language preferences, and authentication credentials.
  • Chat messages and conversation history: messages you send to Jed, and Jed's responses.
  • Health data from Apple HealthKit: steps, heart rate, sleep analysis, active energy burned, and mindful minutes — only when you grant explicit permission via iOS Health permissions.
  • Mood entries and journal entries: mood scores, free-text journal content, and any goals or reflections you record.
  • Voice recordings: audio captured when you use Jed's voice features (VoiceService), processed for transcription and then deleted from temporary storage.
  • Analytics and crash data: device type, operating system, app version, feature interactions, crash reports, and basic diagnostics.

3. Lawful Basis for Processing

Under UK GDPR, we must have a lawful basis for processing each category of your personal data. We rely on the following:

Contract performance (Article 6(1)(b))

  • Account data — necessary to create and maintain your account.
  • Chat messages and conversation history — necessary to deliver the core Jed companion service.
  • Journal entries and mood data — necessary to provide journaling and insights features you have subscribed to.

Explicit consent (Article 9(2)(a))

  • Health data from Apple HealthKit — this is special category data (health). We only access it after you grant explicit consent via the iOS Health permissions prompt. You can withdraw consent at any time in your device Settings, and we will stop processing this data immediately.
  • Voice recordings — processed only when you actively use voice features and grant microphone permission.

Legitimate interests (Article 6(1)(f))

  • Analytics and crash data — our legitimate interest in understanding product usage, improving features, and maintaining platform stability. You can opt out of optional analytics in Settings.

Legal obligation (Article 6(1)(c))

Where required, we process data to comply with applicable laws, including responding to valid law-enforcement requests.

4. Third-Party Processors

We share your data only with the named processors below, each bound by data processing agreements. They receive only the minimum data necessary to provide their service.

Anthropic (AI processing)

We send your chat messages, conversation history, personality preference, and a health context summary (if you have granted HealthKit access) to Anthropic's Claude API to generate Jed's responses. Anthropic does not retain your data for model training. Anthropic's own data policy confirms that API inputs and outputs are not used to train their publicly available models.

Supabase (data storage)

Your account data, conversation history, journal entries, and mood data are stored in Supabase's managed PostgreSQL database with row-level security (RLS) enforced, ensuring you can only access your own data.

Vercel (hosting)

Jed's web application is hosted on Vercel. Vercel processes request metadata (IP address, headers) as part of serving the application. No conversation or health data is stored by Vercel.

Apple (HealthKit)

When you grant HealthKit permission on iOS, Apple facilitates the read/write of health data between your device and Jed. Apple does not have access to data once it is transmitted to our servers. HealthKit data is never used for advertising or shared with third parties beyond what is described in this policy.

5. International Data Transfers

Innerlight Labs is based in the United Kingdom. Our processors — Anthropic, Supabase, and Vercel — process data in the United States.

These transfers are protected by the UK International Data Transfer Agreement (UK IDTA) and/or the UK Addendum to the EU Standard Contractual Clauses (SCCs), as approved by the Information Commissioner's Office (ICO). Each processor has entered into appropriate transfer safeguards with us.

By using Jed, you acknowledge that your data will be transferred to and processed in the United States under these safeguards.

6. Data Retention

We retain your data only for as long as necessary to provide the service and meet our legal obligations. Specific retention periods by category:

  • Account data: retained while your account is active. Deleted within 30 days of account deletion.
  • Chat messages and conversation history: retained while your account is active. Deleted within 30 days of account deletion or when you delete individual conversations.
  • Health data (HealthKit): retained while your account is active and HealthKit permission is granted. Deleted within 30 days of permission withdrawal or account deletion.
  • Mood and journal entries: retained while your account is active. Deleted within 30 days of entry deletion or account deletion.
  • Voice recordings: processed for transcription in real time and deleted from temporary storage immediately after transcription. Not retained.
  • Analytics and crash data: retained for up to 12 months in anonymised or aggregated form for product improvement.
  • Backup copies: removed from backup systems within 90 days of deletion from active systems, unless a longer retention period is required by law.

7. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate or incomplete data.
  • Right to erasure — request deletion of your data (subject to legal obligations).
  • Right to restriction — request that we limit how we process your data in certain circumstances.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing based on legitimate interests.
  • Right to withdraw consent — where processing is based on consent (e.g. HealthKit data), you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

How to exercise your rights

  • Use the in-app export and deletion tools in Settings.
  • Email privacy@innerlightlabs.co.uk for manual requests or questions.
  • We will respond to verified requests within one month, as required by UK GDPR.

8. ICO Complaint Right

If you are unsatisfied with how we handle your data or respond to your rights request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection.

ICO contact details

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom

9. Age Restriction

Jed is intended for users aged 16 and over. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, please contact us at privacy@innerlightlabs.co.uk and we will delete it promptly.

10. Security Practices

Jed uses a multi-layer security programme including encryption at rest and in transit (TLS), row-level security in our database, role-based access controls, continuous monitoring, and secure development practices. Access to production data is limited to personnel who require it and is logged and audited.

If we ever experience a breach that affects your data, we will notify you and the ICO as required by UK GDPR.

11. Changes to This Policy

We may update this policy as regulations evolve or new features launch. Material changes will be announced in-app or via email so you can review them before they take effect.

Continuing to use Jed after an update means you accept the revised policy. If you do not agree with a change, you may delete your account at any time.

Contact & Complaints

Questions about this policy or our data practices? Email privacy@innerlightlabs.co.uk.

If you are unsatisfied with our response, you may complain to the ICO at ico.org.uk.

Innerlight Labs Ltd · 71–75 Shelton Street, London, WC2H 9JQ · United Kingdom