Privacy Policy

Effective Date: 03/01/2024
Last Updated: 27/04/2025

1. Who we are & scope

EightX (BMX Holdings Ltd, UK) provides the Sia and Noa AI mental-wellbeing coaches. Service is 18+ only. If we identify a user as under 18, we will delete their data and terminate their account.

2. What we collect

We collect the following categories of data, along with examples and the legal basis for processing under GDPR (Art. 6; health data under Art. 9(2)(a) with explicit consent):

  • Identification data: Includes name, phone number, location and age confirmation. Legal basis: Consent.

  • Health & wellness data: Includes mood, symptoms, and goals you share with us. Legal basis: Consent.

  • Biometric data: None collected. Legal basis: Not applicable.

  • Behaviour & usage: Includes session counts and feature clicks. Legal basis: Legitimate interest.

  • Device & logs: Includes IP address, device type, and crash reports. Legal basis: Legitimate interest / Legal obligation.

3. Why we use your data

  • Deliver personalised AI coaching and maintain your account.

  • Tailor content and improve the service.

  • We use automated decision-making to personalise your AI coaching (e.g., suggesting goals based on your mood).

  • Secure systems, prevent fraud, fix bugs.

  • Communicate with you (e.g., WhatsApp messages, policy updates).

  • Meet legal obligations and defend rights.

  • We never use your data for advertising without consent.

4. Who gets access

We do not sell personal data. We share only with:

  • Fly.io (cloud hosting: stores account and usage data)

  • OpenAI (AI processing: processes chat inputs to generate responses)

  • Twilio & WhatsApp (message delivery: handles communication data)

  • Auditors, regulators, or acquirers if lawfully required

All providers are bound by contracts and, where needed, EU/UK Standard Contractual Clauses.

5. International transfers

Data may be processed outside the UK/EU (e.g., USA). We apply SCCs, encryption, and minimum-necessary data rules to ensure GDPR-equivalent protection.

6. Retention

  • Account & chat history: kept while your account is active, then erased or anonymised on request or after 12 months of inactivity.

  • Logs: up to 12 months (or longer if required for fraud investigations or by UK law enforcement).

  • Back-ups: overwritten on normal rotation.

7. Security

Our safeguards include TLS encryption in transit, AES-256 encryption at rest, role-based access, 2-factor admin controls, regular security testing, and an incident response plan. In the event of a data breach, we will notify you and the relevant authorities within 72 hours, as required by law.

8. Your rights

  • EU/UK (GDPR) — access, rectification, erasure, restriction, portability, objection, withdraw consent. You can object to automated decision-making.

  • California (CCPA/CPRA) — know, delete, correct, no sale/sharing, no discrimination.

  • Other regions: Your data will be processed in accordance with local laws; contact us to learn about your rights.

Exercise rights by contacting us; we respond within 30–45 days. Complaints may be lodged with the ICO (UK) or your local authority.

9. Cookies and Tracking

We use cookies and similar technologies to track usage (e.g., session counts, feature clicks) for analytics purposes. You can manage preferences in your browser settings or by contacting us.

10. Changes

We’ll post any material changes here and notify you in-app or by email before they take effect. See our full Privacy Policy at www.eightx.com/privacy for more details.

11. Contact

Maximilian Brandstaetter
BMX Holdings Ltd (EightX)
Email: dataprivacy@eightx.com
Postal: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom