Navigate – Privacy Notice

What stays on your device

The majority of Navigate's state is stored in your browser's localStorage and sessionStorage. This data never leaves your device unless you explicitly enable a feature that sends it.

UI preferences — theme, palette, font size, sound and chime settings
Tool session history and safety-mode flags (used to gently adjust which tools are suggested)
Window of Tolerance state and check-in responses
Terms accepted and therapist-mode preferences
Analytics consent preference
Journal draft text
Programme progress

All local keys use the anima- prefix. You can clear all local data at any time via Settings → Delete my data, or through your browser's site data settings.

Usage analytics Off by default

Analytics are disabled by default. You can turn them on in Settings.

If you enable analytics:

A random device ID (UUID) is generated and stored locally. It is not linked to your name, email, or any personal account — it exists only to count unique devices.
Anonymous usage events — such as which tools you open and approximate session duration — are sent to our server and stored in Supabase.
Traffic source metadata (UTM campaign parameters, referrer domain only — never the full referrer URL) may be included to help us understand which channels bring visitors. This is non-identifying and aggregated into daily statistics.
IP addresses are not stored. User-agent strings are truncated.

If you later disable analytics, the device ID is deleted from your device and no further data is sent. Previously collected anonymous data is retained per the retention schedule below.

Lawful basis: Consent.

Feedback submissions

If you submit feedback through the app, your message and basic context (feedback type, approximate session state) are stored in our Supabase database. No name or email is attached unless you choose to include them in the message.

Please do not include sensitive personal information in feedback messages.

Lawful basis: Legitimate interest (product improvement).

Purchases and subscriptions

If you purchase Navigate Plus, Clinician Pro, or any paid tier:

Your email address, Stripe customer ID, subscription status, product tier, and purchase amount are stored in Supabase.
Card details are never stored by Navigate. All payment processing is handled by Stripe, which is PCI DSS Level 1 certified.
Cross-device access uses a magic-link flow — your email is used to look up your entitlement and send you a one-time sign-in link.

Purchase data is retained for the duration of your active subscription plus six years, to meet UK financial record-keeping requirements.

Lawful basis: Contract performance.

Beta mailing list Optional

If you join the beta list from the landing page, your email address is stored in Supabase so we can send you occasional updates about Navigate.

This is entirely optional. You can unsubscribe at any time:

Visit /unsubscribe on this site, or
Contact us at therapyonthehill.com

Lawful basis: Consent.

AI features — Companion and journal reflections Optional

Navigate Plus includes optional AI-assisted journal reflections and a companion chat. These features are powered by Google Gemini.

When you use an AI feature, Navigate sends the following to our server-side proxy (/api/gemini), which forwards it to Google:

The text you type in the message or journal field
The current tool or programme context (e.g. "you just completed a box breathing session")
Recent conversation history, if present

The Gemini API key is never exposed to your browser — all requests go through our server. Google's data handling is governed by the Gemini API terms.

Please do not include sensitive personal information — names of other people, clinical history, or identifying details — in AI feature inputs.

Lawful basis: Consent (via use of the feature).

Third-party services

Navigate uses the following sub-processors. Only the data described is shared with each.

Provider	Purpose	Data shared	Privacy policy
Supabase	Database & auth	Feedback, analytics events (opt-in), purchases, beta leads	supabase.com/privacy
Stripe	Payment processing	Email, payment method, purchase amount	stripe.com/privacy
Vercel	Hosting & serverless	Request metadata, error logs	vercel.com/legal/privacy-policy
Google Gemini	AI reflections (optional)	User-provided text prompts	ai.google.dev/terms
Sentry	Error monitoring	Stack traces, browser/OS version, anonymised user context	sentry.io/privacy

Data retention

Data	Retained for
Local browser storage	Until you clear it or use Settings → Delete my data
Anonymous analytics events	30 days
Aggregated daily statistics	24 months (non-identifying)
Feedback submissions	12 months
Purchases & subscription records	Duration of subscription + 6 years
Beta mailing list	Until you unsubscribe

Your rights under UK GDPR

If Navigate processes any personal data about you, you have the following rights:

Access — request a copy of your data
Rectification — ask us to correct inaccurate data
Erasure — ask us to delete your data ("right to be forgotten")
Withdraw consent — disable analytics at any time in Settings; unsubscribe from the beta list at any time
Data portability — request your data in a machine-readable format
Object — object to processing based on legitimate interest

To exercise any of these rights, contact us using the details below. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

Deleting local data

You can delete all locally stored data immediately via Settings → Delete my data in the app, or by clearing site data for navigateregulation.com in your browser settings.

Deleting server-side data

Contact us and we will delete your data within 30 days.

Contact

Navigate is operated by Dr Richard Pomfret, Therapy on the Hill.

Website: therapyonthehill.com
Email: richard@therapyonthehill.com

For questions about this notice, data requests, or to report a privacy concern, please get in touch.