Finalnote

Privacy Policy

Last updated: 15th August, 2025

Introduction

At Finalnote, we understand that privacy is especially important when you're sharing deeply personal information during a vulnerable time. This privacy policy explains how we collect, use, and protect your information when you use our AI-based therapy tool.

We are committed to being completely transparent about what information we collect and how we use it. Your trust is precious to us, and we handle your data with the utmost care and respect.

Who We Are

Finalnote is operated by Impct Studio Limited, a company registered in England and Wales (Company Number: 16005355). Our registered office is at 16 The Mall, Surbiton, KT6 4EQ. We provide an AI-based therapy tool designed to help people find closure and move through the grieving process.

For the purposes of data protection law, we are the "data controller" of your personal information.

Contact Details:

Important Notice

Finalnote is a therapeutic tool designed to support you during the grieving process. It is not a replacement for professional medical advice, diagnosis, or treatment. The conversations you have are with an AI simulation, not a real person. We strongly encourage you to seek support from qualified healthcare professionals alongside using our service.

AI Technology and Third-Party Processing

Our service uses Claude AI, developed by Anthropic, to power the conversational experience. When you interact with our AI, your messages are processed through Anthropic's Claude API to generate responses.

Important information about Claude AI processing:

  • Anthropic may access conversation content only if it's flagged by their automated safety systems for potential security concerns, as outlined in their privacy policy
  • We do not share any personal identifying information with Anthropic
  • Conversations are processed solely to provide you with AI responses

For complete details about how Anthropic handles data, please review:

What Information We Collect

Information About You

We collect the following personal information to provide our service:

  • First name and last name
  • Age group
  • Gender
  • When you experienced your loss
  • Email address (for account creation and communication)
  • Payment information (processed securely through third-party payment providers)

Information About Your Deceased Loved One

During the setup process, you may provide information about your deceased loved one to help create a meaningful conversation experience. This information is fully encrypted and stored securely.

We only access two pieces of this information in an anonymous, non-identifiable format for service improvement:

  • What your relationship was to them
  • How you would describe your overall relationship with them

All other information about your deceased loved one remains encrypted and private.

Technical Information

We automatically collect certain technical information, including:

  • IP address and location data
  • Browser type and version
  • Device information
  • How you use our website and service
  • Cookies and similar tracking technologies

Conversation Data

All conversations you have with the AI are collected and stored to provide the service. This includes your messages and the AI's responses.

How We Protect Your Conversations

Technical Overview All conversation content you enter is encrypted before it is stored in our systems. We use AES-256-GCM encryption, an industry-standard method used by banks and security agencies. Each record is encrypted with a unique key derived from a secure master key, which is stored separately and never alongside user data. This means that if our database were ever accessed without authorization, the stored conversation text would remain unreadable without our secure decryption process.

Plain-Language Explanation Think of your conversation like a letter. Before we store it, we lock it in a box with a one-of-a-kind key. Even if someone found the box, they couldn't read the letter without the key — and the key is kept safe in a different place.

Access to Your Conversations

Our Access Policy:

  • We do not view, read, or access your conversations under normal circumstances
  • Your conversations remain private and encrypted
  • We will only access conversation content if you explicitly opt-in to share specific conversations for service improvement to help future users
  • Any conversations shared for improvement purposes are anonymised and cannot be linked back to you

Third-Party Access:

  • Anthropic (Claude AI) may only access conversation content if their automated safety systems flag it for potential security concerns, as detailed in their privacy policy
  • No human at Anthropic reviews conversations unless they are flagged by automated systems for safety reasons
  • We do not proactively share conversation content with any third parties

Your Control:

  • You can choose to share specific conversations to help improve our service for future users
  • This sharing is always optional and requires your explicit consent
  • You can withdraw consent for previously shared conversations at any time

How We Use Your Information

We use your information to:

  • Provide and improve our AI therapy service
  • Create personalised conversation experiences
  • Process payments and manage your account
  • Send you important updates about our service
  • Provide customer support
  • Comply with legal obligations
  • Analyse service usage to improve our offering (using anonymised data only)
  • Send you relevant email communications about our service (only with your consent)

We will never use your information for marketing purposes without your explicit consent.

Legal Basis for Processing

Under data protection law, we need a legal basis to process your personal information. Our legal bases include:

  • Consent: Where you have given clear consent for us to process your personal data for specific purposes
  • Contract: Where processing is necessary for the performance of a contract with you
  • Legal obligation: Where we need to comply with legal requirements
  • Legitimate interests: Where processing is necessary for our legitimate business interests, provided this doesn't override your rights

For sensitive personal data relating to your grief and loss, we rely on your explicit consent and our legitimate interest in providing therapeutic support services.

For email marketing communications, we rely solely on your explicit consent, which you can withdraw at any time.

Sharing Your Information

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following limited circumstances:

Service Providers

We work with trusted third-party providers who help us deliver our service, including:

  • Cloud hosting providers (Vercel, Supabase)
  • Payment processors (Stripe)
  • AI service providers (Anthropic for Claude AI)
  • Analytics providers
  • Email marketing providers (Loops)

These providers are contractually bound to protect your information and can only use it for the specific services they provide to us.

Stripe processes payment information securely and in compliance with PCI DSS standards. Your payment details are never stored on our servers.

Loops handles our email communications and only receives your email address and basic profile information when you consent to receive emails from us.

Legal Requirements

We may disclose your information if required by law, court order, or government regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

Business Transfers

If our company is acquired or merged, your information may be transferred as part of that transaction. We will notify you of any such change.

Your Rights

Under data protection law, you have several rights regarding your personal information:

UK GDPR and Data Protection Act 2018

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Ask us to correct inaccurate information
  • Right to erasure: Request deletion of your personal data
  • Right to restrict processing: Ask us to limit how we use your data
  • Right to data portability: Request your data in a portable format
  • Right to object: Object to certain types of processing
  • Rights regarding automated decision-making: Protection against automated decisions

International Users

If you're located in the EU, you have the same rights as UK users under GDPR. Users in other jurisdictions may have additional rights under local privacy laws, including:

  • California residents under CCPA
  • Brazilian residents under LGPD
  • Canadian residents under PIPEDA

Business Transfers

You can unsubscribe from email communications at any time by clicking the unsubscribe link in any email or contacting us directly.

To exercise any of these rights, please contact us at privacy@finalnote.co.

Data Retention

We keep your information only as long as necessary:

  • Account information: Until you delete your account or request deletion
  • Conversation data: Deleted when you delete a connection or your account
  • Encrypted deceased person information: Deleted when you delete your connection or your account
  • Technical logs: Typically retained for 12 months for security purposes
  • Email marketing data: Retained until you unsubscribe or request deletion

You can request deletion of your data at any time by contacting us.

International Data Transfers

Our service may involve transferring your data outside the UK/EU, including to Anthropic's servers for AI processing. When we do this, we ensure appropriate safeguards are in place, including:

  • Adequacy decisions from relevant authorities
  • Standard contractual clauses
  • Certification schemes
  • Codes of conduct

Stripe and Loops also process data internationally and maintain appropriate data protection safeguards in compliance with applicable laws.

All transfers comply with applicable data protection laws.

Cookies and Tracking

We use cookies and similar technologies to:

  • Keep you logged in
  • Remember your preferences
  • Understand how you use our service
  • Improve our website performance

You can control cookies through your browser settings, but this may affect functionality.

Security Measures

We implement robust security measures to protect your information:

  • End-to-end encryption for sensitive data
  • Regular security audits and assessments
  • Secure data centres with physical security
  • Access controls and authentication systems
  • Regular staff training on data protection
  • Incident response procedures

Age Restrictions

Our service is intended for adults. We do not knowingly collect information from anyone under 18. If you believe we have collected information from a minor, please contact us immediately.

Changes to This Policy

We may update this privacy policy from time to time. When we do, we will:

  • Update the "Last updated" date
  • Notify you by email if the changes are significant
  • Post the updated policy on our website

We encourage you to review this policy periodically.

Complaints and Concerns

If you have concerns about how we handle your data, please contact us first at privacy@finalnote.co. We will investigate and respond promptly.

You also have the right to lodge a complaint with supervisory authorities:

  • UK: Information Commissioner's Office (ICO) - ico.org.uk
  • EU: Your local data protection authority
  • Other jurisdictions: Your local privacy regulator

We encourage you to review this policy periodically.

Disclaimer and Limitation of Liability

While we implement robust security measures, no system is completely secure. We cannot guarantee absolute security of your information. By using our service, you acknowledge this inherent risk.

We provide our service "as is" and disclaim warranties to the extent permitted by law. Our liability is limited to the maximum extent allowed by applicable law.

Contact Us

If you have any questions about this privacy policy or how we handle your data, please contact us:

We aim to respond to all enquiries within 30 days, or sooner where required by law.