Legal
Privacy Policy
Last updated: 3 June 2026. Effective immediately.
1. Who we are
AutiPower ("we", "us", "our") is an AI-powered autism parenting support platform operated as a public good initiative. Our platform is accessible at autipower.com.
Contact: our contact form at autipower.com/contact
For privacy-related requests, use the subject line: "Privacy Request — AutiPower".
2. What data we collect
We collect the following categories of data:
**Account data:** Your name, email address, and authentication credentials (via Google OAuth or email magic link), provided when you create an account.
**Child profile data:** Information you voluntarily provide about your child — including their name, age, communication level, interests, sensory sensitivities, known triggers, routine rigidity, and parenting goals. This data is entered by you and used solely to personalise AI responses.
**Conversation data:** Messages you send to the AI and responses generated. These are stored to maintain conversation history within a session and to improve response continuity.
**Behavioral logs:** If you use the behavior tracking feature, logs including behavior type, trigger, intervention, and outcome are stored.
**Technical data:** Standard server logs including IP address, browser type, and timestamps. These are used for security and abuse prevention only.
We do NOT collect:
— Payment or financial data (the platform is free)
— Location data beyond IP address
— Device identifiers or advertising IDs
— Any data from children directly (all data is entered by parents/caregivers)
3. Children's data — special protections
AutiPower is designed for use by parents and caregivers of autistic children. We do not knowingly collect data directly from children. All child profile information is entered by a parent or legal guardian.
**Age of account holders:** You must be 18 years or older to create an account.
**COPPA compliance (United States):** We do not knowingly collect personal information from children under 13. Child profiles describe a child but are created and controlled entirely by the parent. If you believe a child under 13 has created an account directly, contact us immediately via our contact form at autipower.com/contact and we will delete the account.
**GDPR Article 8 (European Union):** Child profile data is treated as sensitive personal data. It is processed solely on the basis of your consent, which you give when you create the profile. You may withdraw consent and request deletion at any time.
**India DPDP Act 2023:** We treat all child-related data as sensitive personal data requiring verifiable parental consent. Parents retain full control and deletion rights under this Act.
**Minimisation principle:** We collect only what is necessary to provide personalised AI guidance. We do not require fields like diagnosis, medical history, or school records. Any sensitive information you choose to share in free-text messages is your decision and is stored only within your conversation history.
4. How we use your data
We use your data for the following purposes only:
— To authenticate your account and maintain your session
— To personalise AI responses using your child's profile
— To store conversation history so you do not lose prior guidance
— To allow you to track behavioral patterns over time
— To send emails you explicitly request (magic link login, contact form responses)
— To maintain platform security and prevent abuse
We do NOT use your data for:
— Advertising or marketing targeting
— Selling or sharing with third parties for commercial purposes
— Training AI models (your conversations are not used to train Anthropic's models — see Section 6)
— Automated decision-making that has legal or significant effects on you or your child
5. How we store and protect your data
Your data is stored in Supabase (PostgreSQL), hosted on AWS infrastructure in your selected region.
**Access controls:** Row-level security (RLS) is enforced at the database level. This means your data is structurally inaccessible to other users — not just by policy, but by database architecture.
**Encryption:** All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
**Platform access:** Only the platform operator has administrative database access. No third-party contractors or services have access to your personal data.
**Retention:** Your data is retained for as long as your account is active. You may request deletion at any time (see Section 8). We do not retain data after account deletion.
6. Third-party services
We use the following third-party services:
**Anthropic (Claude API):** Your messages and child profile context are sent to Anthropic's API to generate AI responses. Anthropic's API usage policy states that data submitted via the API is not used to train their models. See Anthropic's privacy policy at anthropic.com/privacy.
**Supabase:** Database and authentication infrastructure. See supabase.com/privacy.
**Google OAuth:** If you sign in with Google, Google shares your name and email with us. We do not share any data back to Google beyond what OAuth requires. See Google's privacy policy.
**Resend:** Used to send transactional emails (contact form replies, magic links). Email content is processed by Resend's infrastructure. See resend.com/privacy.
**Vercel:** Hosting infrastructure. Standard server logs may be collected by Vercel. See vercel.com/legal/privacy-policy.
We do not use advertising networks, social media trackers, or analytics platforms that track users across sites.
7. Your legal rights
Depending on your jurisdiction, you have the following rights:
**Right to access:** Request a copy of all data we hold about you and your child.
**Right to correction:** Request correction of inaccurate data.
**Right to deletion ("right to be forgotten"):** Request deletion of your account and all associated data, including child profiles, conversation history, and behavioral logs. We will complete deletion within 30 days.
**Right to portability:** Request your data in a machine-readable format (JSON).
**Right to withdraw consent:** You may withdraw consent for data processing at any time by deleting your account.
**Right to object:** Object to any processing you believe is not justified.
**GDPR (EU/UK) users:** You have all rights under Articles 15–22 of the GDPR. You may also lodge a complaint with your national supervisory authority.
**CCPA (California) users:** You have the right to know, delete, and opt out of sale (we do not sell data).
**India DPDP Act users:** You have rights to access, correction, and erasure under the Digital Personal Data Protection Act 2023.
To exercise any of these rights, use our contact form at autipower.com/contact and select "General enquiry" — include the nature of your request in the message.
8. Data deletion
To delete your account and all associated data:
1. Use our contact form at autipower.com/contact — select "General enquiry" and state "Delete My Account" in the message
2. Include the email address associated with your account
3. We will confirm deletion within 7 days and complete it within 30 days
We will delete:
— Your user profile
— All child profiles associated with your account
— All conversation history and messages
— All behavioral logs
— Your authentication record
We cannot delete data already processed by third-party APIs (Anthropic, Resend) within their own infrastructure, but we will delete all data within our control.
9. Cookies
AutiPower uses only functional cookies necessary for authentication (session management via Supabase). We do not use advertising cookies, tracking cookies, or third-party analytics cookies.
You may disable cookies in your browser settings, but this will prevent you from logging in.
10. Changes to this policy
We may update this Privacy Policy as the platform evolves. Material changes will be communicated by email to registered users at least 14 days before they take effect. Continued use of the platform after that date constitutes acceptance of the updated policy.
The current version is always available at autipower.com/privacy.
11. Contact
For any privacy-related question, request, or concern:
Contact: autipower.com/contact
Subject line: "Privacy Request — AutiPower"
We aim to respond within 5 business days.