Back to Sof.iaEspañol

Privacy Policy — Back to Love

At a glance

If you only have 60 seconds, the key points:

  • What you write to Sof.ia is yours. We store it so she can remember you from one conversation to the next — not to sell your story to anyone.
  • Sof.ia is an AI. What you tell her flows through a large-language-model provider (Anthropic, makers of Claude — and, optionally, xAI, makers of Grok) to generate her reply. Both providers have strict rules: they do not use your messages to train their models.
  • Your data lives in Germany. Primary storage in Frankfurt. Covered by European law (GDPR) plus Swiss law (nFADP) that governs the operating company.
  • We don't sell your data. Period. Not to insurers, not to advertisers, not to anyone.
  • If you leave, you leave. Cancel → 90 days for you to decide whether to come back → if not, we delete everything.
  • You have rights over your data (access, correction, deletion, etc.) and you can exercise them by writing to us.
  • Questions? Email privacy@backtolove.ai.

If you want the detail, read on.

1. Who we are

💬 What this means, without a lawyer in the middle: We're a small team behind a Swiss company (Hive Mind Consulting AG). If you have a serious complaint about how we handle your data, this tells you who is legally responsible and where to escalate.

Back to Love is an emotional-support service for people going through a breakup, a relationship crisis, or the pain of not being able to let go. The main conversation happens with Sof.ia, an AI trained on a therapeutic method built specifically for heartbreak. You can talk to her on WhatsApp or through the web chat at backtolove.ai/chat.

Data controller:

Hive Mind Consulting AG (Switzerland)

Applicable jurisdictions:

  • Switzerland — nFADP (revised Federal Act on Data Protection, in force since Sept. 2023) because the operating company is based here.
  • European Union / EEA — GDPR because primary storage is in Frankfurt and many users are in the EU.
  • United Kingdom — UK GDPR for British users.
  • The countries where users reside, in particular Mexico, Colombia, Argentina, Chile, Peru, Spain and other LATAM countries.

Data Protection Officer (DPO):

DPO@backtolove.ai

2. What information we collect

💬 What this means, without a lawyer in the middle: We know you by your WhatsApp number (if you come in that way) or by an anonymous cookie in your browser (if you come in through the web) and by what you tell us. We keep a memory of you that Sof.ia builds conversation by conversation — so you don't have to repeat your story from scratch every time. That's it. We don't follow you around the internet.

We group it into four buckets:

2.1 What you give us directly

  • Your name or the name you'd like Sof.ia to call you by (when you share it in conversation)
  • Your email address (when you subscribe, or when you "claim" your web chat so you can recover it later)
  • Your WhatsApp number (when you start chatting with Sof.ia on WhatsApp — we identify you by this number)
  • Your messages to Sof.ia — everything you write, in text, voice notes, or screenshots
  • Screenshots you send to Sof.ia for her to analyze
  • Voice notes you send to Sof.ia — automatically transcribed to text

2.2 What's generated automatically when you talk to Sof.ia

  • Sof.ia's replies and the drafts she proposes
  • The "memory file" — a structured summary Sof.ia keeps about you (emotional triggers, patterns she notices, key dates, important events in your process). It's enriched automatically after each conversation.
  • Your process state — what phase of the journey you're in, how urgent your situation is
  • The event timeline — notable things that happened (your ex texted, you broke no-contact, a date you had, a relapse)
  • Voice-note transcripts — generated automatically by a transcription service (see section 6)

2.3 Payment information (when you subscribe)

  • Billing data processed by Stripe, our payments provider. We do NOT store your card details — Stripe does, on their PCI-DSS certified servers.
  • Your payment history (which plan, when, active or canceled)

2.4 Basic technical information

  • Anonymous web chat session cookie (b2l_chat_session): a random identifier we store in your browser to recognize your conversation when you come back. It doesn't identify you as a person — it just links today's chat with next time's. Without this cookie, the web chat doesn't work.
  • Admin cookies (only for the Back to Love team, not users) to keep the internal panel session alive.
  • Error logs (when something fails technically, we record what happened — no personal content)
  • Approximate country inferred from your WhatsApp number's prefix (e.g., +52 → Mexico). We don't use fine-grained geolocation.

What we do NOT collect

  • ❌ Your exact location (GPS, fine IP tracking)
  • ❌ Your contact list
  • ❌ Your browsing history outside Back to Love
  • ❌ Biometric data (fingerprint, voice as identifier — voice notes are used for the conversation only, not to identify you)
  • ❌ Social media information (we don't read your Instagram, Facebook, etc.)
  • ❌ The content of messages you don't send us (we don't read your WhatsApp with other people)

3. How we use your information

💬 What this means, without a lawyer in the middle: We use what you tell us to help you. If we see useful patterns at an aggregated, anonymous level, we use them to improve Sof.ia. And if a tax authority asks how much we billed, we answer. That's it.

We use your data for three things, nothing else:

  1. So Sof.ia can do her job. Support you with real context about your situation, remember what matters, adjust her tone to who you are and where you're at.
  2. To improve the service. We analyze general patterns — without naming anyone — to understand what kind of replies work, what fails, where Sof.ia needs sharpening.
  3. To meet legal obligations. Billing, tax compliance, responses to authority requests (when legally required).

Legal bases (GDPR Art. 6 / nFADP Art. 31):

  • Performance of a contract (GDPR Art. 6.1.b) when you're subscribed to a paid plan
  • Explicit consent (GDPR Art. 6.1.a / nFADP Art. 6.6) for processing sensitive data related to your emotional wellbeing (more on this in section 4)
  • Legitimate interest (GDPR Art. 6.1.f / nFADP Art. 31.2) for security, abuse prevention, service improvement (with documented balancing test)
  • Legal obligation (GDPR Art. 6.1.c / Swiss Code of Obligations) for billing and tax compliance

4. Sensitive data (special category)

💬 What this means, without a lawyer in the middle: What you tell Sof.ia is sensitive. We treat it that way. We don't sell it to anyone. The only humans who can potentially read it are the service administrators — and there's a record of when and why they did. If you want to stop everything and have us delete yours, you can do it whenever.

What you tell Sof.ia touches your emotional and mental wellbeing. Under GDPR (Article 9) and nFADP (Article 5, letter c), that falls into the category of "specially protected data" — the same category as medical, health, religious, or sexual-orientation data.

We treat this data with extra care:

  • Legal basis: your explicit consent (GDPR Art. 9.2.a / nFADP Art. 6.7.a). When you start talking to Sof.ia or subscribe, you're giving that consent. Without it, we can't operate the service.
  • Encryption in transit and at rest. Your messages travel over TLS and are stored encrypted.
  • Limited human access. Only Back to Love administrators can read specific conversations, and only for a concrete reason (reviewing replies in approval mode, attending to a crisis, refining the method). Every time a human reads or acts on a conversation, it's logged in an internal audit trail.
  • We don't share them with health insurers, employers, or anyone outside the team and the technical providers listed in section 6.
  • You can withdraw your consent at any time — that means you cancel the service and we delete your data according to the timeline in section 8.

5. How the AI processes your messages

💬 What this means, without a lawyer in the middle: Your messages flow through one or more AI providers in the USA so Sof.ia can reply to you. None of them use them to train anything, they delete them after 30 days on their end, and our contracts with them require treatment under European standards. Sof.ia doesn't decide anything legally important about your life — she only listens and responds.

Sof.ia runs on one of several large-language-model providers — currently Claude (from Anthropic, USA) and, optionally, Grok (from xAI, USA) depending on the active configuration. Here's what happens technically when you write to her:

  1. Your message reaches our server in Frankfurt:
    • From WhatsApp, directly via the Meta WhatsApp Cloud API.
    • From the web (backtolove.ai/chat), from your browser to our API.
  2. We save it in our database (Supabase, Frankfurt).
  3. If you sent a voice note, we transcribe it to text with OpenAI Whisper (USA). The original audio is discarded after transcription.
  4. We build a "prompt" for the active language model that includes:
    • Sof.ia's method (how she listens, what she asks)
    • Your memory file (what Sof.ia knows about you)
    • The last ~20 messages of your conversation
    • Your new message (text and/or image)
  5. We send that to the active provider (Anthropic or xAI) in the USA.
  6. The provider generates the reply and returns it to us.
  7. We send it to you over WhatsApp or it appears in the web chat.

About Anthropic and xAI specifically:

  • They do not use your data to train their models under their enterprise API terms. Anthropic offers zero retention by default; xAI offers equivalent guarantees in its commercial terms.
  • They may temporarily retain messages for up to 30 days to detect API abuse. After that they're deleted on their side.
  • International transfer. Because both are in the USA, sending your data to their API constitutes an international transfer. We justify it with Standard Contractual Clauses (SCCs) approved by the European Commission and recognized by the Swiss FDPIC (Swiss authority).

One more important thing:

  • Sof.ia does not make automated decisions with legal or significant consequences. She doesn't approve or reject you for insurance, a loan, or a job. She only accompanies you. So GDPR Article 22 (on automated decisions) doesn't strictly apply — but we tell you anyway (see section 13).

6. Who else sees your data

💬 What this means, without a lawyer in the middle: These are the technical services we use to make Back to Love work. Each sees a piece. None of them can use it for their own purposes. And we don't sell yours.

We work with several technical providers. Each sees only what it needs to do its job:

ProviderWhat forWhat it seesWhere it is
Anthropic (Claude)Generate Sof.ia's repliesYour messages + memory + brainUSA (with SCCs)
xAI (Grok)Alternative to Claude when active in configurationYour messages + memory + brainUSA (with SCCs)
OpenAI (Whisper)Transcribe voice notes to textThe audio of your voice noteUSA (with SCCs)
Meta (WhatsApp Cloud API)Receive and send WhatsApp messagesThe content of messages in transitUSA + EU (with SCCs)
SupabaseDatabase + authentication + file storageEverything we store about youFrankfurt, Germany (EU)
StripeProcess paymentsYour card data + payment historyUSA + EU (with SCCs)
ResendSend transactional emails (chat recovery, receipts)Your email + email contentUSA (with SCCs)
NetlifyHost the website and serverless functionsTechnical logs, no personal contentUSA + global edge
SentryDetect technical errorsStack traces, no personal contentEU (Frankfurt)
TwilioRent the phone number +1 561 464 5395 (WhatsApp messaging does NOT pass through Twilio; the number is hosted by Meta directly)Only number-rental metadataUSA

Concrete promises:

  • We don't sell your data to third parties for marketing or any other purpose.
  • We don't share it with health insurers, employers, ad agencies, or social networks.
  • We don't use it to profile you for external advertisers.
  • Our providers have signed contracts that forbid them from using your data beyond what we ask them to do.

7. Where your data is stored

💬 What this means, without a lawyer in the middle: What you write lives on a server in Germany. When Sof.ia needs to think about her reply, a momentary copy goes to the USA and comes back. European and Swiss law cover your data the whole way.

  • Primary storage: Frankfurt, Germany (Supabase, AWS eu-central-1).
  • WhatsApp messaging: Meta WhatsApp Cloud API (USA + EU), under SCCs.
  • AI processing: USA (Anthropic, xAI, OpenAI), under EU Standard Contractual Clauses and recognized by the Swiss authority.
  • Payments: Stripe processes in USA and EU depending on the user's country.

8. How long we keep it

💬 What this means, without a lawyer in the middle: While you use the service, we keep yours. If you leave, we give you 3 months in case you come back — then we delete everything. If you want us to delete right now, we do.

WhatHow long
Conversations (messages with Sof.ia)While you're active + 90 days after cancellation
Memory fileSame as conversations
Voice notes (original audio)Discarded after transcription (seconds)
Billing data10 years (legal requirement — Swiss Code of Obligations, Art. 957)
Error logs (Sentry)90 days
Admin audit logs12 months
AI provider data (API usage)Up to 30 days (defined by Anthropic / xAI / OpenAI)
Web session cookie (b2l_chat_session)12 months from last visit

About the 90 days post-cancellation:

If you cancel your subscription and then decide to come back within 90 days, you'll find everything where you left it — Sof.ia will remember your story, your memory, your process phase. If you don't come back, on day 91 we permanently delete everything (except billing data we're legally required to keep).

If you want us to delete sooner, write to privacy@backtolove.ai and we'll process within 30 days of your request.

9. We don't sell your data. Period.

💬 What this means, without a lawyer in the middle: If this is free for you some day, the payment is covered by someone who pays. Your emotional life isn't the payment.

This is its own section because it matters.

  • We don't sell your data — not messages, not memory, not profiles, not identifiable statistics.
  • We don't rent it.
  • We don't license it to academic researchers without your explicit, separate consent.
  • We don't share it with ad agencies, social networks, or any company that intends to use it for their own commercial purposes.
  • Our business model is subscription — Plan Sof.ia (€12/wk · €39/30d) or Plan Sof.ia Pro (€29/wk · €99/30d), with a limited free tier. That's what pays for Back to Love. Your data does not.

10. Your rights

💬 What this means, without a lawyer in the middle: That data is yours. You can ask to see it, correct it, take it with you, or have us delete it. And if you think we screwed up, there's a public body you can report us to.

Under GDPR and nFADP, you have the following rights over your data:

  1. Right of access (GDPR Art. 15 / nFADP Art. 25) — ask us for a copy of everything we hold about you
  2. Right to rectification (GDPR Art. 16 / nFADP Art. 32) — correct inaccurate information
  3. Right to erasure / be forgotten (GDPR Art. 17 / nFADP Art. 32) — ask us to delete everything
  4. Right to restriction of processing (GDPR Art. 18) — freeze use of your data
  5. Right to portability (GDPR Art. 20 / nFADP Art. 28) — receive your data in a structured format to take it to another service
  6. Right to object (GDPR Art. 21) — object to a specific use
  7. Right to withdraw consent at any time

How to exercise them:

Write to privacy@backtolove.ai. We respond within 30 days max (most likely 2-3 days).

If you're not satisfied with our response, you have the right to lodge a complaint with:

  • Switzerland: Federal Data Protection and Information Commissioner (FDPIC / PFPDT) — Bern.
  • European Union: the data protection authority in your country of residence (in Germany, the relevant federal authority; in Spain, the AEPD; etc.).

11. Cookies and tracking

💬 What this means, without a lawyer in the middle: We don't chase you around the internet with ads. We have no pixels spying on you. The only cookie you see as a user is the one that links today's chat with tomorrow's.

On WhatsApp there are no cookies. All your interaction with Sof.ia happens through the WhatsApp app, which has its own policy. We don't have access to your browser cookies from there.

On the web chat (backtolove.ai/chat):

  • Anonymous session cookie (b2l_chat_session): a random identifier that links your conversation across visits. Strictly necessary for the chat to work. Without it, every visit would start from zero. Expires after 12 months of disuse.
  • We don't use marketing cookies. No Facebook pixels, no Google Ads, nothing similar.
  • No third-party analytics installed by default. If we add analytics later, it'll be with a cookieless provider (Plausible-style) and we'll announce it here first.

On the admin panel (Back to Love team only):

  • Cookies strictly necessary to maintain the session.

12. If you're under 18

💬 What this means, without a lawyer in the middle: If you're under 18, this service isn't for you — and it's not because we don't care, it's because we want to do it right. The numbers below ARE for you.

No. Back to Love is only for people 18 and over. This is a deliberate decision:

  • The service touches on emotional health topics without direct clinical supervision
  • Some method content touches on relationship dynamics that may not be appropriate for minors
  • Meeting parental-consent requirements for minors' health data is complex and, right now, we can't guarantee it

If we discover a user is under 18, we suspend their account and delete their data.

If you're under 18 and worried about your emotional state, please contact a local helpline or a trusted adult:

  • USA: 988 Suicide and Crisis Lifeline — call or text 988
  • UK: Samaritans — 116 123
  • Mexico: Línea de la Vida — 800 290 0024
  • Spain: 024
  • Argentina: 135
  • Colombia: Línea 106
  • Switzerland: La Main Tendue 143 / Pro Juventute (youth helpline) 147

13. Automated decisions

💬 What this means, without a lawyer in the middle: Sof.ia talks with you. She doesn't decide legal or bureaucratic things about you. If she detects a crisis, she alerts the human team — that's to protect you, not to label you.

Sof.ia is an AI, but she does not make decisions with legal or significant effect on your life:

  • She doesn't decide whether you get insurance, a mortgage, a job
  • She doesn't classify you for third parties
  • She doesn't deny you any service based on your profile

The only "automated decision" case at Back to Love is when Sof.ia detects crisis signals (suicide, abuse) and escalates the conversation with high priority for a human on the team to review. This is for your safety — but if for any reason you disagree, write to us.

14. If Back to Love is acquired or changes hands

💬 What this means, without a lawyer in the middle: If we sell the company, your data doesn't quietly change hands. We tell you. And you can always leave before it happens.

If another company buys Back to Love in the future (unlikely in the short term, we're small), your data would move to the new owner only under two conditions:

  1. We'll email you at least 30 days in advance
  2. The new owner must comply with this policy or ask you for a fresh consent

If you disagree, you can request immediate deletion of your data before the transfer.

15. Changes to this policy

💬 What this means, without a lawyer in the middle: We're not going to change the rules on you in silence.

This policy may change — laws evolve, providers change, things get adjusted.

  • Minor changes (typos, clarity): we make them without notice and publish the update date at the top.
  • Significant changes (something new that affects your data): we email you at least 14 days in advance.

If you disagree with a significant change, you can cancel and request deletion of your data before it takes effect.

16. How to contact us

For privacy matters:

privacy@backtolove.ai

For general matters:

hola@backtolove.ai

For emotional crisis:

Please contact a local emergency line. We are not an emergency service and we can't respond with the urgency you deserve. Hotlines in section 12.

Response time:

Up to 30 days for GDPR / nFADP rights requests. Most likely: 2-3 days.

Quick glossary

  • GDPR — General Data Protection Regulation. EU law on personal data.
  • nFADP — Switzerland's Federal Act on Data Protection (revised 2023), the Swiss equivalent of GDPR.
  • Special category data — sensitive data (health, religion, sexual orientation, ideology) with extra protection.
  • Standard Contractual Clauses (SCCs) — model contracts approved by the EU (and recognized by the Swiss FDPIC) that allow data transfer outside Europe with legal guarantees.
  • Data controller — the legal entity that decides what's done with your data. In this case, Hive Mind Consulting AG.
  • Data processor — a technical provider that processes data on behalf of the controller. Anthropic, Supabase, Meta, OpenAI, Stripe, etc.
  • Explicit consent — a clear "yes", not assumed, not hidden in fine print.

One last question: Anything in this make you uneasy? Write to us. We can adjust the policy — the underlying principles, not.

— the Back to Love team