Neurture

Security and Privacy Summary

Privacy-first design for sensitive mental health and habit-change support

Neurture is designed so employers, universities, treatment centers, and other programs do not need participant journals, reflections, or private notes to make the product useful. The model prioritizes on-device storage, minimal data exposure, and clear product boundaries.

What Makes This Different

Neurture is intentionally designed so a partner organization does not need to become the custodian of a participant's private day-to-day mental health content.

Practical Implication

The product can complement existing care and support structures without requiring a new patient-monitoring workflow for most implementations.

Sensitive content stays on device by default

Journal entries, check-ins, conversations, and plans are encrypted and stored locally on the user's device rather than in a provider-facing cloud record. The one exception is journal image processing, which sends the image to the vendors listed under Limited External Processing below and is covered there.

Organizations do not need employee or student content

The model is designed around aggregate-only program visibility rather than participant-level behavioral surveillance.

Minimal vendor surface for limited external processing

When a feature requires external processing, Neurture uses a small set of vendors with documented security controls rather than broad content sharing.

Clear product boundaries reduce unnecessary exposure

No anonymous forums, no public social feed, and no open-ended AI therapy chat as the primary support model.

What Organizations Receive

  • Aggregate activation and program-level signals when a rollout is configured that way
  • A privacy-first product model that does not depend on participant journals or reflections being visible to staff
  • A tool that can complement existing care without adding a provider-monitoring dashboard

What Organizations Do Not Receive

  • Participant journals, personal reflections, or in-app conversations
  • A patient-level monitoring feed for routine day-to-day use
  • A public social surface where users are exposed to each other's disclosures

Limited External Processing

Current vendors referenced in the privacy policy

Google Cloud

Used for limited journal image processing. The privacy policy states images are processed in memory, not saved to disk, and not used for model training. Google Cloud is described there as HIPAA-compliant and ISO 27001 certified.

Supabase

Used for temporary image storage and authentication. The privacy policy states images are deleted immediately after successful processing, with automated cleanup if processing is interrupted. Supabase is described there as SOC 2 Type II certified and GDPR compliant.

PostHog

Used for analytics. The privacy policy states PostHog does not require personally identifiable information and is SOC 2 Type II certified.

Sentry

Used for error monitoring. The privacy policy states Sentry scrubs personally identifiable information from error reports and is SOC 2 Type II and ISO 27001 certified.

Operating Notes

  • Privacy and deletion requests can be made via privacy@neurtureapp.com.
  • In the event of a data breach, affected users are notified by email and in-app notification, as described in the privacy policy.
  • The vendor certifications above are reported as stated in the privacy policy. SOC 2 and ISO 27001 are third-party attestations that a vendor can provide on request during due diligence; HIPAA is a legal obligation with no certification scheme, so "HIPAA-compliant" describes a vendor's controls and contractual commitments rather than an audited certificate.
  • This page is a practical summary. The privacy policy remains the governing source for legal detail.