Privacy Policy

Last updated:

1. Introduction

This Privacy Policy describes how Sandplay Assistant ("we", "our", or "us") collects, uses, and protects your personal information when you use our mobile application (the "App").

By using Sandplay Assistant, you agree to the collection and use of information in accordance with this policy. We are committed to compliance with the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) and applicable data protection laws.

2. Contact Information

For any questions regarding this Privacy Policy or our data practices, please contact us at:

Email: support@sandplayassistant.com

3. Information We Collect

3.1 Account Information

When you create an account, we collect your email address via Amazon Cognito (our authentication service). We do not store passwords; authentication is handled securely by Amazon Cognito.

3.2 Session Data and User Content

If you use cloud backup, your session data (including photos, notes, and session records) is encrypted and stored on Amazon S3 in AWS region eu-north-1 (Stockholm, EU). Session data stored locally on your device never leaves the device unless you explicitly enable cloud backup.

3.3 AI Analysis Data

When you use the AI analysis feature, photos and text from your sandplay sessions are transmitted to Amazon Bedrock (powered by Anthropic Claude) for phenomenological analysis. This processing occurs in AWS eu-north-1 (Stockholm, EU). Data submitted for AI analysis is used solely to generate the analysis result and is not used to train AI models. See Section 7 for full details.

3.4 Usage Data

We collect anonymized diagnostic information to improve the App's stability and performance, including:

  • App version and device type (not device identifiers)
  • Error reports and crash logs
  • Anonymized usage statistics via Google Analytics

3.5 Payment Information

We do not collect or store payment information directly. All purchases and subscriptions are processed through Google Play Billing (Android) or Apple App Store (iOS). We only receive confirmation of purchase status and subscription validity from the respective platform.

4. How We Use Your Information

We use the information we collect to:

  • Authenticate your account and manage sessions (Amazon Cognito)
  • Store and synchronize your session data via encrypted cloud backup (Amazon S3)
  • Provide AI-powered phenomenological analysis of sandplay sessions (Amazon Bedrock)
  • Manage subscriptions and premium access
  • Diagnose technical issues and improve App stability
  • Respond to your support requests
  • Send push notifications about scheduled sessions (with your permission)

Legal basis (GDPR): Processing is based on the performance of a contract (Art. 6(1)(b) GDPR) for core App functionality, and on your consent (Art. 6(1)(a) GDPR) for optional features such as AI analysis and cloud backup.

5. Data Storage and Security

All cloud data is stored in AWS eu-north-1 (Stockholm, Sweden) — within the European Union. We implement the following technical and organizational measures:

  • Encryption at rest: All backups on Amazon S3 are encrypted using AWS KMS (Key Management Service)
  • Encryption in transit: All data is transmitted via TLS/HTTPS
  • Access control: Authentication via Amazon Cognito with JWT tokens; each user can only access their own data
  • Infrastructure: AWS Lambda (serverless), DynamoDB, S3 — all HIPAA-eligible AWS services

Despite these measures, no method of electronic storage or transmission is 100% secure. We will notify affected users of data breaches within 72 hours of becoming aware of the breach, as required by GDPR.

6. Data Retention and Deletion

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required by law.

You may delete your account and all associated data directly from within the App (Settings → Account → Delete Account). Upon deletion, all your data is permanently removed from our servers within 30 days.

You may also request deletion by contacting support@sandplayassistant.com with "Data Deletion Request" in the subject line.

Note: Some information may be retained in encrypted backups for a limited time, and certain information may be retained if required by law.

7. AI Processing — Amazon Bedrock

The AI analysis feature sends session photos and text to Amazon Bedrock (Claude model by Anthropic) via AWS Lambda functions. The following applies:

  • Data is transmitted to and processed in AWS eu-north-1 (Stockholm, EU)
  • Data submitted for AI analysis is used solely to generate the requested analysis — it is not stored beyond the processing request and is not used for AI model training
  • AI-generated results are phenomenological observations based on the Aman Structural Scheme and do not constitute clinical or therapeutic assessments
  • Use of the AI feature is optional. You may use the App without submitting data for AI analysis

Amazon Bedrock is a HIPAA-eligible AWS service. For AWS's data processing terms, see the AWS Service Terms.

8. Third-Party Services and Sub-Processors

We use the following third-party services to operate the App. Under GDPR, these are our data sub-processors:

8.1 Amazon Web Services (AWS) — Primary Sub-Processor

All backend infrastructure runs on AWS (eu-north-1, Stockholm). Services used:

  • Amazon Cognito — user authentication
  • Amazon S3 — encrypted cloud backups
  • AWS Lambda — serverless backend processing
  • Amazon DynamoDB — structured data storage
  • Amazon Bedrock — AI analysis
  • AWS KMS — encryption key management
  • Amazon SNS — push notification delivery

AWS Privacy Notice: https://aws.amazon.com/privacy/

8.2 Google Play Billing

For Android subscription processing. Google's Privacy Policy: https://policies.google.com/privacy

8.3 Apple App Store

For iOS subscription processing. Apple's Privacy Policy: https://www.apple.com/legal/privacy/

8.4 Google Analytics

We use Google Analytics to collect anonymous usage data (aggregated, non-identifiable) to improve the App. Google's Privacy Policy: https://policies.google.com/privacy

8.5 Firebase Cloud Messaging (FCM)

Used for delivering push notifications about scheduled sessions on Android. Google's Privacy Policy applies.

9. Your Rights (GDPR)

If you are located in the European Economic Area (EEA) or other jurisdictions with applicable data protection laws, you have the following rights:

  • Right of access — request a copy of your personal data
  • Right to rectification — correct inaccurate or incomplete data
  • Right to erasure — request deletion of your personal data
  • Right to restrict processing — limit how we use your data
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

To exercise these rights, contact us at support@sandplayassistant.com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.

10. International Data Transfers

All personal data is stored and processed within the EU (AWS eu-north-1, Stockholm). We do not transfer personal data outside the EEA in the course of normal operations. If any processing by sub-processors occurs outside the EEA, it is covered by Standard Contractual Clauses (SCCs) or equivalent safeguards under GDPR.

11. Children's Privacy

Sandplay Assistant is designed for use by professional therapists and is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact us immediately.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated Privacy Policy on this page, updating the "Last updated" date, and — where required by law — notifying you within the App.

You are advised to review this Privacy Policy periodically for any changes.

13. Contact Us

If you have any questions about this Privacy Policy or want to exercise your data rights, please contact us:

Email: support@sandplayassistant.com

Support: https://sandplayassistant.com/support