
Privacy Policy

eilo is private by default and helpful by design. You can access, correct, or delete your data, and you can say no to non-essential cookies. We honor Global Privacy Control.

Last updated: 6th October 2025

Who we are & how to reach us

eilo is a wellness assistant designed to help you notice, name, and navigate how you feel. We're committed to your privacy and mental wellness.

Contact Information:

For data protection inquiries, you can reach us at contact@eilo.ai or use our privacy request form.

What data we collect

We collect only the data necessary to provide and improve our service:

Account & Waitlist Information

  • Name and email address
  • Role or intent (when you join our waitlist)
  • Communication preferences

Usage & Analytics

  • Coarse usage patterns (no keystroke recording)
  • Feature usage statistics
  • Performance metrics to improve our service

Technical Information

  • IP address (truncated/hashed where possible)
  • Device information (browser, operating system)
  • Cookies and similar technologies

Contact & Support

  • Messages you send through our contact form
  • Attachments (if provided, virus-scanned and retained briefly)
  • Support ticket information

Why we collect it / lawful bases (EU/UK GDPR)

We process your data based on the following lawful bases:

Contract Performance

  • Providing our wellness assistant service
  • Managing your account and waitlist participation
  • Delivering features you've requested

Legitimate Interests

  • Security and fraud prevention
  • Service improvement and development
  • Analytics to understand how our service is used
  • Legal compliance and regulatory requirements

Consent

  • Marketing communications (you can opt out anytime)
  • Non-essential cookies and analytics
  • Optional features and beta testing

Legal Obligation

  • Data retention for legal requirements
  • Compliance with applicable laws
  • Response to legal requests

Your rights

Depending on where you live, you have specific rights regarding your personal data:

EU/UK GDPR Rights

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data
  • Restriction: Limit how we process your data
  • Portability: Receive your data in a structured format
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: Withdraw consent for consent-based processing

US CCPA/CPRA Rights

  • Know/Access: Know what personal information we collect
  • Delete: Request deletion of your personal information
  • Correct: Correct inaccurate personal information
  • Limit: Limit use of sensitive personal information

India DPDP 2023 Rights

  • Consent: Withdraw consent for data processing
  • Access: Access your personal data
  • Correction: Correct inaccurate data
  • Erasure: Request deletion of your data
  • Grievance: Submit grievances about data processing

How to exercise your rights:

Cookies & similar tech

We use cookies and similar technologies to provide and improve our service:

Necessary Cookies

These are essential for our service to function:

  • Authentication and session management
  • Security and fraud prevention
  • Basic functionality

Analytics Cookies (Optional)

These help us understand how our service is used:

  • Usage patterns and feature adoption
  • Performance monitoring
  • Service improvement insights

Functional Cookies

These enhance your experience:

  • Theme preferences (dark/light mode)
  • Language settings
  • User interface preferences

Cookie Management: You can manage your cookie preferences using our cookie banner or by adjusting your browser settings.

Global Privacy Control: If you have GPC enabled, we automatically treat this as a rejection of non-essential cookies.

International transfers

Your data may be processed in countries other than your own. When we transfer data internationally, we ensure appropriate safeguards are in place:

Data Processing Locations

  • Primary processing: United States
  • Backup and redundancy: Multiple regions
  • Analytics: United States and EU

Safeguards

  • Standard Contractual Clauses (SCCs) for EU transfers
  • International Data Transfer Agreement (IDTA) for UK transfers
  • Adequacy decisions where applicable
  • Data processing agreements with all vendors

All international transfers are conducted in compliance with applicable data protection laws and include appropriate technical and organizational measures to protect your data.

Data retention

We retain your data only as long as necessary for the purposes outlined in this policy:

Retention Periods

  • Contact/Support data: 30 days (default)
  • System logs: 30-90 days
  • Analytics data: 12-24 months (aggregated)
  • Account data: Until account deletion or 2 years of inactivity
  • Legal requirements: As required by applicable law

Automatic Deletion

We automatically delete or anonymize data when:

  • Retention periods expire
  • You request deletion
  • Your account is inactive for 2 years
  • Legal requirements are met

Some data may be retained longer if required for legal compliance, dispute resolution, or security purposes.

Security

We implement comprehensive security measures to protect your data:

Technical Safeguards

  • Encryption in transit (TLS 1.3) and at rest
  • Regular security audits and penetration testing
  • Access controls and authentication
  • Network security and monitoring

Organizational Measures

  • Principle of least privilege access
  • Regular security training for staff
  • Incident response procedures
  • Data protection by design and by default

Incident Response

In the event of a data breach, we will:

  • Contain and assess the incident within 24 hours
  • Notify relevant authorities within 72 hours (where required)
  • Inform affected users without undue delay
  • Implement additional safeguards as needed

Children

eilo is not intended for children under 13 (US) or under 16 (EU).

We do not knowingly collect personal information from children. If we discover that we have collected data from a child, we will:

  • Delete the information immediately
  • Notify parents or guardians if possible
  • Implement additional safeguards

If you believe we have collected data from a child, please contact us immediately at contact@eilo.ai.

Changes

We may update this privacy policy from time to time. When we do:

Notification Methods

  • Email notification to registered users
  • Notice on our website
  • In-app notification for significant changes

Your Rights

  • Review the updated policy
  • Withdraw consent if you disagree with changes
  • Delete your account if necessary

We will not make material changes to how we use your data without your explicit consent, except as required by law.

Cookie Details

Cookie Name      | Purpose                               | Type       | Duration | Provider
session_id       | Authentication and session management | Necessary  | Session  | eilo.ai
csrf_token       | Security and fraud prevention         | Necessary  | Session  | eilo.ai
theme_preference | User interface preferences            | Functional | 1 year   | eilo.ai
cookie_consent   | Remember cookie preferences           | Necessary  | 1 year   | eilo.ai
_plausible       | Analytics and usage insights          | Analytics  | 1 year   | Plausible Analytics

Questions about your privacy?

If you have any questions about this privacy policy or want to exercise your rights, please contact us: