Your Privacy
You're sharing vulnerable parts of yourself here. We take that seriously. This page explains — in plain language — exactly what happens with your data.
Last updated: May 17, 2026
What We DO
- Encrypt your data: All data is encrypted in transit (TLS) and at rest (AES-256)
- Review posts for safety: Our AI scans posts to help keep the community safe and suggest compassionate rephrasing
- Let you control your identity: Choose to post anonymously or with your name, per post
- Give you your data: Export all your posts, replies, and profile data anytime
- Delete when you ask: Delete your account and all associated data permanently
What We DON'T Do
- Sell your data: We never sell your personal information to third parties. Ever.
- Track you across the web: No third-party tracking pixels or ad networks
- Share with insurance or employers: Your mental health journey stays private
- Use manipulative algorithms: No engagement optimization or dark patterns — we include break reminders and gentle scroll nudges
Data We Collect
Account Information
Email address, password (hashed, never stored in plain text), optional phone number (therapist accounts only for verification)
Profile Data
Display name, bio, avatar, preferences (optional, you control visibility)
Content You Create
Posts, replies, reactions, mood entries, journal entries (private), direct messages — stored securely, associated with your chosen identity (anonymous or named)
Usage Analytics
Privacy-respecting analytics (no personal identifiers) to improve the product
AI Safety Review
Transparency: Our AI reviews your posts before publication to help keep the community safe. This means:
- AI scans for harmful content and offers compassionate suggestions
- You always have the final say — suggestions are never forced
- Crisis signals trigger immediate access to resources
- Human moderators review flagged content (with care and training)
Your consent matters:By using ShareCare, you agree to this safety review. It's essential to creating a safe space for vulnerable users.
What AI is NOT used for:We do not use AI to profile users, target ads (we don't have ads), predict future behavior, or make decisions about you. AI exists solely to keep the community safe — not to surveil or manipulate.
Anonymity & Identity Protection
Your privacy is fundamental to mental health support. Here's how we protect your identity:
- Per-post identity choice: Choose to post anonymously or with your display name on every single post
- Cryptographic pseudonyms: Anonymous posts use a unique pseudonym per community, generated using one-way cryptographic hashing — your real identity cannot be reverse-engineered
- Identity separation: Your account profile is kept separate from anonymous posts. Even platform staff cannot easily link them without database forensics
- No cross-community tracking: Your pseudonym in one community is different from another — you can't be tracked across communities
Phone Verification (Optional)
Phone verification is optional and only required for therapist accounts to verify professional credentials.
- Regular users never need to provide a phone number
- Phone numbers are stored securely and never shared with third parties
- We use Twilio for verification — they do not retain phone numbers after verification
Children's Privacy
ShareCare is intended for users aged 13 and older(16 and older in the EU/EEA). We comply with the Children's Online Privacy Protection Act (COPPA) and GDPR requirements.
- Age verification at signup: All users must confirm they meet the minimum age requirement during account creation
- No knowingly collecting data from children: We do not knowingly collect personal information from users under 13 (or 16 in the EU/EEA)
- Parental rights: If we discover a user is underage, we will delete their account and all associated data immediately
- Report underage accounts: If you believe a user is underage, please report it to privacy@sharecare.app
Parents/Guardians: If your child has created an account without permission, contact us at privacy@sharecare.app and we will delete the account immediately.
Third-Party Service Providers
We use the following services to operate ShareCare. Each is bound by data processing agreements and processes only the minimum data necessary.
| Service | Purpose | Retention |
|---|---|---|
| Supabase | Database, authentication, file storage | Until account deletion |
| Vercel | Hosting & serverless compute | 30 days |
| Groq Cloud | AI content safety analysis | Zero data retention |
| Upstash | Rate limiting & queues | 24 hours |
| Resend | Transactional email | 30 days |
| Sentry | Error monitoring | 90 days |
Crisis Content & Safety Resources
When our AI detects crisis signals in your post (such as mentions of self-harm or suicidal ideation), here's what happens:
- Immediate resource display: You see crisis hotlines and mental health resources before posting
- No automatic reporting: We do NOT automatically report crisis content to authorities or emergency services — this is your private space
- Human moderator review: Flagged content is reviewed by trained moderators who may reach out with support resources
- Community support: Your post is published (if you choose) and community members can offer peer support
- Confidential flagging: Crisis flags are stored securely and automatically deleted after 90 days
Important: ShareCare is a peer support platform, not a crisis intervention service. If you are in immediate danger, please call emergency services (911 in the US) or a crisis hotline.
Data Retention
We keep your data only as long as needed. Here's how long each type of data is retained:
- Account & profile data: Kept until you delete your account
- Posts & replies: Kept until you or a moderator deletes them, or you delete your account
- Mood entries & journal: Kept until you delete individual entries or your account (journal entries are always private)
- Direct messages: Kept until you delete the conversation or your account
- AI analysis results: Content flags retained for 90 days, then automatically deleted
- Server & access logs: 30 days
- Rate limiting data: 24 hours
You can request complete data deletion at any time via Settings → Account → Delete Account, or by emailing privacy@sharecare.app.
Your Rights (GDPR & CCPA Compliant)
You have full control over your data. These rights are guaranteed under GDPR (European users) and CCPA (California users), but we extend them to all users worldwide.
- 1Access: Request a copy of all your data via Settings → Data & Privacy
- 2Correction: Update or correct your information anytime via your profile settings
- 3Deletion: Delete your account and all data permanently via Settings → Account → Delete Account
- 4Portability: Export your data in machine-readable JSON format via Settings → Data & Privacy
- 5Objection: Object to data processing by emailing privacy@sharecare.app
- 6Restriction: Request restriction of processing by emailing privacy@sharecare.app
Quick access: Visit /settings/data to export or delete your data. No waiting, no support tickets — your data, your control.
Security Measures
We take security seriously. Here are the technical measures we use to protect your data:
- Encryption in transit: All data transmitted between your device and our servers uses TLS 1.3 encryption
- Encryption at rest: All data stored in our database is encrypted using AES-256 encryption
- Password security: Passwords are hashed using bcrypt with 12 rounds — we never store plain-text passwords
- Rate limiting: API rate limits prevent brute-force attacks and abuse
- Access controls: Database access is restricted to essential services using role-based access control (RBAC)
- Monitoring & alerts: We monitor for suspicious activity and have incident response procedures
- Regular audits: We conduct regular security audits and dependency updates to address vulnerabilities
Found a security issue? We take security reports seriously. Email security@sharecare.appwith details and we'll respond within 24 hours. Responsible disclosure is appreciated.
Questions?
We're here to help. Email us at privacy@sharecare.app
We maintain a formal incident response plan for data security events. If you believe your data has been compromised, contact us immediately.