Privacy Policy

Last updated: 14 April 2026

1. Who We Are

My ADHD Path is operated by Creative Sauce Ltd, registered in England. We are the data controller for the personal information we collect through myadhdpath.co.uk. You can contact us about data matters at hello@creativesauce.io

2. What Data We Collect

If you use the site without an account (Free, no login):

We collect no personal data. The Navigator runs entirely in your browser. No cookies are set for tracking. We do not use analytics tracking scripts. Standard server logs (IP address, browser type, pages visited) are collected automatically by our hosting provider (Vercel) and are not linked to any individual.

If you create a free account:

  • Email address (used for authentication)
  • Account creation date
  • Account tier (free/pro)

If you upgrade to Pro (£39 one-time):

  • Everything above, plus:
  • Chat messages (your questions and AI responses) - stored for conversation context and rate limiting
  • Journey tracker data (which steps you have completed)
  • Medication log entries (medication name, dose, time, notes - entered voluntarily by you)
  • Stripe customer ID and payment status (we do not store card numbers or payment details - Stripe handles this)

3. Why We Collect Your Data

  • Authentication: Your email lets you log in and access your account.
  • Service delivery: Chat messages are stored so the AI can maintain conversation context. Journey and medication data is stored so you can track your progress over time.
  • Payment processing: Stripe customer ID links your payment to your account for Pro tier access.
  • Rate limiting: We count chat messages per day to enforce the 50 message daily limit.
  • Safeguarding: Chat messages may be reviewed if a safeguarding concern is flagged by the system.

4. Legal Basis for Processing

Under UK GDPR, we process your data on the following bases:

  • Contract: Processing your data is necessary to provide the service you signed up for (account management, Pro features, payment processing).
  • Legitimate interest: Server logs and basic analytics to maintain platform security and performance.
  • Legal obligation: Retaining payment records as required by UK tax and accounting law.

5. How We Handle AI Chat Data

Important: Your chat messages are sent to Anthropic's Claude API for processing. Anthropic's data retention and privacy policies apply to this processing. Anthropic does not use API inputs to train their models. Your messages are processed, a response is generated, and Anthropic does not retain conversation data beyond their standard API logging period (typically 30 days for safety monitoring). See Anthropic's privacy policy at anthropic.com/privacy for full details.

On our side, your chat messages (both your inputs and AI responses) are stored in our Supabase database. This is necessary for conversation context (so the AI remembers what you discussed earlier in the session) and for enforcing the daily message limit.

We do not read your chat messages unless a safeguarding flag is triggered or you report a problem. We do not use your chat data for marketing, advertising, or training any AI model. You can delete all your chat history at any time via the Settings page.

6. Sensitive Data and Health Information

Some data you enter - such as medication logs, journey progress, and chat conversations about ADHD symptoms - could be considered health-related data under UK GDPR.

We process this data on the basis of your explicit consent (you voluntarily enter it) and because it is necessary to provide the service you requested. We treat all user data with the highest level of care, but we want to be transparent: My ADHD Path is not a healthcare provider and your data is not held to NHS or medical record standards.

If this concerns you, you can use the free tools (Navigator, Library, Guides) without creating an account - no personal or health data is collected.

7. Third Parties

We share data with the following third parties, only as needed to deliver the service:

Service | Data shared | Purpose
Supabase | Email, account data, chat messages, journey data | Database and authentication (EU hosted)
Stripe | Email, payment details | Payment processing
Anthropic | Chat messages (content only, no email or identity) | AI chat responses
Vercel | Server logs (IP, browser) | Website hosting

We do not sell, rent, or share your data with advertisers, data brokers, or any other third parties. We do not use tracking pixels, social media trackers, or advertising cookies.

8. Your Rights Under UK GDPR

You have the right to:

  • Access: Request a copy of all data we hold about you.
  • Rectification: Ask us to correct inaccurate data.
  • Erasure: Delete your account and all associated data via the Settings page, or by contacting us. This is permanent.
  • Portability: Request your data in a machine-readable format.
  • Restriction: Ask us to limit how we process your data.
  • Objection: Object to processing based on legitimate interest.
  • Complaint: Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe we have mishandled your data.

To exercise any of these rights, email us at hello@creativesauce.io. We will respond within 30 days.

9. Data Retention

  • Account data: Retained for as long as your account exists. Deleted when you delete your account.
  • Chat messages: Retained for as long as your account exists. Deleted when you delete your account.
  • Payment records: Retained for 7 years after the transaction as required by UK tax law, even if you delete your account.
  • Server logs: Retained by Vercel for up to 30 days.

10. Cookies and Local Storage

We use only essential cookies required for authentication (Supabase session cookies). We do not use analytics cookies, advertising cookies, or any non-essential tracking.

Because we only use strictly necessary cookies, we do not require a cookie consent banner under UK PECR (Privacy and Electronic Communications Regulations).

11. Children

My ADHD Path is designed for adults (18+). We do not knowingly collect data from anyone under 18. If we become aware that a child has created an account, we will delete it and all associated data immediately.

12. Security

Your data is stored in Supabase (EU-hosted PostgreSQL database) with row-level security enabled. All connections use HTTPS/TLS encryption. Authentication is handled by Supabase Auth with secure session management. Payments are processed by Stripe with PCI DSS compliance. We regularly review our security practices, but no system is 100% secure. If we discover a data breach affecting your personal data, we will notify you and the ICO within 72 hours as required by UK GDPR.

13. Changes to This Policy

We may update this privacy policy from time to time. The "Last updated" date at the top reflects the most recent revision. For significant changes, we will notify account holders by email.

14. Contact

For any privacy-related questions, data requests, or concerns: hello@creativesauce.io