Last updated:
Your privacy is important to us. This summary highlights key topics; the complete policy includes GDPR, CPRA, and COPPA detail.
For the full legal text (required for regulators and app-store review): View Full Privacy Policy
We collect information you provide directly to us, such as when you create an account, use our services, or contact us for support.
We use the information we collect to provide, maintain, and improve our services, process transactions, and communicate with you.
We do not sell, trade, or otherwise transfer your personal information to third parties without your consent, except as described in this policy.
We implement appropriate security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.
You have the right to access, update, or delete your personal information. You can also opt out of certain communications from us.
If you have any questions about this Privacy Policy, please contact Donny Wonny LLC at privacy@donnywonny.com. Our mailing address is 539 W. Commerce St #5827, Dallas, TX 75208.
If you are a resident of the European Economic Area (EEA), you have the right to: access your personal data, request erasure of your data (right to be forgotten), data portability (receive your data in a structured, machine-readable format), restrict or object to processing, and lodge a complaint with a supervisory authority. To exercise these rights, email privacy@donnywonny.com or contact our appointed EU representative below.
In accordance with EU GDPR Article 27, we have appointed an EU representative to handle inquiries from data subjects located in the European Union and European Economic Area. EU residents may contact our representative directly for any GDPR-related matters, including data subject access requests, deletion requests, and complaints. EU Representative: Euverify Ltd (Ireland), Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork, T23 AT2P, Ireland. Email: gdpr@euverify.com. Secure verification + DSAR portal: https://gdpr.euverify.com/verify/a982def2-7d1a-46b3-bd09-b4789722d8d6
For UK residents, in accordance with UK GDPR (which continues to apply post-Brexit), we have appointed a separate UK representative to handle inquiries from data subjects located in the United Kingdom. UK Representative: Euverify Ltd (UK), 3rd Floor, 86-90 Paul Street, London, EC2A 4NE, United Kingdom. Email: gdpr@euverify.com. Secure verification + DSAR portal: https://gdpr.euverify.com/verify/a982def2-7d1a-46b3-bd09-b4789722d8d6
Under the California Consumer Privacy Act (CCPA), California residents have the right to: know what personal information is collected and how it is used, request deletion of personal information, opt out of the sale of personal information (we do not sell your data), and non-discrimination for exercising your privacy rights. To submit a verifiable consumer request, email privacy@donnywonny.com.
Donny Wonny is intended for users aged 13 and older. We do not permit accounts for children under 13 and apply a neutral age screen at sign-up that rejects any registration indicating an age under 13 - there is no under-13 account path. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will disable the account and delete that information promptly. Parents or guardians may contact us at privacy@donnywonny.com to request removal of their child's data.
When a verified guardian links a supervised minor's account (a 'Donny Den' family setup), the minor's direct messages are end-to-end encrypted with an additional 'escrow envelope' sealed to the guardian's identity key. This lets the guardian read the minor's DMs from the Parent Portal at donnywonny.com/dashboard while preserving end-to-end encryption against everyone else (including us). The same escrow extends to group chats (circles) the minor participates in: each Megolm group session key is sealed to the parent's identity key in addition to every other group member, so the parent can decrypt group messages locally without the server ever holding plaintext. Safeguards: (1) every supervised conversation - both one-to-one DMs and group circles - displays a visible 'Your parent can read these messages' badge to the minor on the chat screen. (2) Every time a guardian opens the conversation list or reads a conversation, an entry is written to the parental_audit log that the supervised minor can view in their own activity history. Guardians may also approve or revoke contacts and reset PIN backups; each of these actions is logged the same way. Escrow can only be enabled by a verified guardian and cannot be silently changed.
If you signed up under parental supervision and you're now 18 or older - or you're still a minor but ready to renegotiate the arrangement with your parent - you can lift supervision through Settings → Privacy → "Lift parental supervision". Two paths exist. (1) If you self-attest you are 18 or older, supervision lifts immediately. Your guardian receives a courtesy notification but cannot block. This matches GDPR Article 7(3): an adult cannot be prevented from withdrawing consent or disabling a privacy-affecting feature by a third party. (2) If you are still under 18, the request is sent to your guardian(s) with explicit Approve / Deny actions. Until they approve, supervision stays active. Requests auto-expire after 30 days, and you can re-request. After supervision lifts: you stay a member of your family group (you keep the shared family Donny and Donny Den access), but new direct messages and circle messages are no longer accessible to your guardian. **Important honest disclosure about historical messages:** messages you sent BEFORE the lift that were already accessible to your guardian via the parental escrow envelope remain decryptable on their device. This is a technical limit of end-to-end encryption - once a key has been used to decrypt content, that decryption cannot be retroactively undone, in the same way that any letter someone has already read cannot be made unread. Lifting supervision is forward-only protection. If you need a complete reset of all historical content, you can additionally delete your account and start fresh (Settings → Privacy → Delete account). Every step (request creation, guardian response, lift application) is written to your visible audit log.
Donny Wonny circles - including private family pods and couples circles - use end-to-end encrypted group chat built on the Megolm group ratchet (the same Apache-2.0-licensed protocol that powers Matrix/Element). When you send a message into a circle, your device encrypts it with a Megolm session key that only members of the circle (and, for supervised minors, their linked parent - see Parental Supervision above) can decrypt. The server stores only ciphertext; we cannot read your circle messages, and neither can anyone outside the membership. The session key is rotated automatically whenever a member joins or leaves the circle, which provides forward secrecy: a removed member cannot decrypt messages sent after they leave, even if they kept a copy of the older session key. There is no plaintext fallback or 'unencrypted' mode for circle messages - the encrypted path is the only path. Translate-on-display does not apply to circle chat by default; the same explicit E2E translation opt-in described in the Translation section is required to translate a decrypted circle message via Google Cloud Translation.
We retain your personal data only as long as necessary to provide our services. Account data is retained while your account is active and for up to 30 days after a deletion request (grace period). Journal entries and user-generated content are deleted when your account is permanently removed. Analytics data is periodically anonymized. Payment records are retained as required by applicable tax law. You may request deletion of your data at any time by contacting privacy@donnywonny.com.
We use the following third-party services to process your data: Firebase (Google) for authentication, database, and hosting; Stripe for payment processing; OpenAI for AI-powered features; Google Cloud Translation for the optional translate-on-display feature; SendGrid for transactional emails; and Sentry for error monitoring and crash reporting. Each processor is contractually required to protect your data in accordance with applicable privacy laws. Per OpenAI's API data usage policy, runtime conversation inputs and outputs (the prompts and replies during a normal chat) are not used to train OpenAI's foundation models. Separately, we may use highly-rated conversations to fine-tune our own custom Donny model - see the next section for full details + opt-out controls. We may add additional processors in the future and will update this policy accordingly.
Donny improves over time. When a conversation between you and Donny is rated highly (e.g. you give it a thumbs-up or the message has high engagement signals), it MAY be added to our custom-model training dataset to make future Donny responses better. Before any conversation enters that dataset it passes through a multi-stage PII redaction pipeline: (1) regex sweeps for email addresses, US + international phone numbers, US Social Security numbers, credit card numbers, ZIP codes, street addresses, and authentication tokens embedded in URLs; (2) your personal allow-list of names you've explicitly asked Donny to remember pass through unredacted; (3) named-entity recognition for people's names and organizations via an offline NLP library; (4) every original identifier is then stripped from the saved record - no user ID, no IP address, no granular timestamp (date only). The resulting record is anonymized: it cannot be linked back to your account by us, by OpenAI, or by anyone with access to the corpus. Anonymized training records are retained for as long as they remain useful for ongoing model improvement - the same approach used by every major AI lab (OpenAI, Anthropic, Google) for fine-tuning corpora. Because the records contain no identifiers, individual records cannot be located or deleted on request once they enter the corpus; this is permitted under GDPR Recital 26, which excludes truly anonymous information from the scope of personal-data deletion rights, and under the CCPA de-identification carve-out. What you CAN control: (a) opt OUT of FUTURE training collection at any time at Settings → Privacy → AI Training Preferences - once you opt out, no new conversations from your account enter the corpus; (b) delete your underlying Donny conversations or your whole account at any time, which removes the personal-data source records before the next redaction pass.
The redacted dataset is sent to OpenAI for fine-tuning; fine-tuning corpora are RETAINED at OpenAI as part of the resulting model, which is why the redaction step is essential. Children's data (users under 13 verified via parental consent) is never used for AI training regardless of opt-in state. We can suspend the training pipeline platform-wide; when suspended, no conversations are collected even from users who previously opted in.
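The redaction stages described above, sketched as an added example that is not Donny Wonny's code: the regex patterns, placeholder labels, URL parameter names and record field names are constructed for illustration, the NER stage is represented by a caller-supplied list of detected names, and the ZIP-code and street-address sweeps are omitted.

```python
import re

# Stage 1: regex sweeps. Patterns are illustrative; SSN runs before card, card before phone.
SWEEPS = [
    (re.compile(r"([?&](?:token|access_token|api_key|sig)=)[^&\s#]+", re.I), r"\1[TOKEN]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
]
CARD = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
PHONE = re.compile(r"(?<!\w)(?:\+\d{1,3}[ .-]?)?(?:\(\d{3}\)|\d{3})[ .-]?\d{3}[ .-]?\d{4}(?!\w)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary long digit runs are not mislabelled as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def _card(match: re.Match) -> str:
    return "[CARD]" if luhn_ok(re.sub(r"\D", "", match.group())) else match.group()


def redact(text, detected_names, allow_list):
    for pattern, label in SWEEPS:
        text = pattern.sub(label, text)
    text = CARD.sub(_card, text)
    text = PHONE.sub("[PHONE]", text)
    # Stages 2-3: names reported by NER are masked unless the user allow-listed them.
    allowed = {n.lower() for n in allow_list}
    for name in detected_names:
        if name.lower() not in allowed:
            text = re.sub(rf"\b{re.escape(name)}\b", "[NAME]", text)
    return text


def anonymize(record, detected_names, allow_list):
    """Stage 4: keep only a date and the redacted text; user ID, IP and time of day are dropped."""
    return {"date": record["timestamp"][:10],
            "text": redact(record["text"], detected_names, allow_list)}


# Constructed sample record (every value is made up for this example).
SAMPLE = {
    "user_id": "u-0001", "ip": "203.0.113.7", "timestamp": "2024-05-01T13:22:10Z",
    "text": "Hi Donny, tell Priya that Marcus can reach me at sam@example.org or "
            "+1 214-555-0100. Card 4111 1111 1111 1111, SSN 078-05-1120, "
            "link https://example.org/reset?token=abc123XYZ&lang=en",
}
```

Regex and NER stages miss identifiers written in free form ("my number is two one four..."), so a reviewer would spot-check redacted output before it leaves the system.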
You can choose a preferred language in Settings → Notifications & Translation and enable 'Auto-translate incoming content' to have user-generated text (posts, comments on posts and family activities, mentor bios, mentor circle posts and comments, direct messages, and supervised DMs visible in the Parent Portal) automatically translated when displayed to you. Translation requests are sent to Google Cloud Translation v3 (a Google Cloud sub-processor). To reduce cost and provider exposure for frequently-shared content, translated results are cached on our servers for 30 days, keyed by a SHA-256 hash of (source language, target language, text). The cache is content-keyed and is not associated with any individual user, so identical content posted by different users is translated only once. The original text is always preserved and a 'Show original' toggle is always available. End-to-end encrypted direct messages are NOT translated by default - translating an E2E message requires explicit opt-in, either via Settings → Notifications & Translation → 'Allow translation of end-to-end encrypted messages', or by long-pressing an encrypted message and choosing 'Always allow'. Both surfaces clearly disclose that translation sends the decrypted plaintext to Google Translation. You can disable auto-translation, revoke the E2E opt-in, or change your preferred language at any time in Settings. Because cache entries are not linked to any user account, individual cache entries cannot be deleted on request; all entries automatically expire 30 days after they are created.
Donny Wonny LLC is based in the United States and our entire production infrastructure runs in US-region Google Cloud Platform: cloud database in a US multi-region (Iowa, South Carolina, Oklahoma), cloud storage and application servers in Iowa. If you use Donny Wonny from the EU, EEA, UK, or any other country, your personal data is transferred to the United States for processing and storage. We do not operate separate regional data centers. We rely on the following lawful transfer mechanisms, layered for defense in depth: (1) The EU-US Data Privacy Framework (DPF) - adopted by the European Commission in July 2023 and used by our US-based sub-processors that are DPF-certified (Google Cloud, Stripe, Vercel). DPF certification provides an adequacy decision under GDPR Article 45. (2) The UK Extension to the EU-US Data Privacy Framework (the 'UK Data Bridge') - active since October 2023 - provides the equivalent adequacy basis for UK residents under UK GDPR. (3) Standard Contractual Clauses (SCCs) - the 2021 EU Commission-approved modules - incorporated into our data-processing agreements with sub-processors that are NOT DPF-certified (currently OpenAI, SendGrid/Twilio, RevenueCat, Sentry). For UK transfers, the UK ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs applies. EU and UK data subjects retain all GDPR rights regardless of where their data is processed and may exercise those rights via our appointed Article 27 representatives (see the EU and UK GDPR Representative sections above) or directly via privacy@donnywonny.com.
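An added sketch (not Donny Wonny's implementation) of a content-keyed translation cache like the one described above. The policy does not say how the three fields are combined before hashing; the length-prefixed encoding, the function and class names and the injectable clock are assumptions made here, and `naive_key` is included only to show the field-boundary collision that the prefixing avoids.

```python
import hashlib
import time

TTL_SECONDS = 30 * 24 * 3600  # the 30-day expiry stated in the policy


def cache_key(src: str, tgt: str, text: str) -> str:
    """SHA-256 over a length-prefixed encoding of (src, tgt, text)."""
    h = hashlib.sha256()
    for field in (src, tgt, text):
        raw = field.encode("utf-8")
        h.update(len(raw).to_bytes(8, "big"))  # prefix fixes where each field ends
        h.update(raw)
    return h.hexdigest()


def naive_key(src: str, tgt: str, text: str) -> str:
    """Plain concatenation: distinct tuples can hash to the same key."""
    return hashlib.sha256((src + tgt + text).encode("utf-8")).hexdigest()


class TranslationCache:
    def __init__(self, clock=time.time):
        self._clock = clock
        # key -> (translated text, creation time); no user identifier is stored
        self._entries = {}

    def put(self, src, tgt, text, translated):
        self._entries[cache_key(src, tgt, text)] = (translated, self._clock())

    def get(self, src, tgt, text):
        key = cache_key(src, tgt, text)
        hit = self._entries.get(key)
        if hit is None:
            return None
        translated, created = hit
        if self._clock() - created >= TTL_SECONDS:
            del self._entries[key]  # expired: evict and report a miss
            return None
        return translated
```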
In the event of a data breach that poses a risk to your rights and freedoms, we will make every effort to notify affected users within 72 hours of confirming the breach, in accordance with GDPR requirements. Notifications will be sent via email to your registered address. We will also notify the relevant supervisory authorities as required by law. Our team will investigate, contain, and remediate any breach and provide information about what data was affected and steps you can take to protect yourself.
To provide a more personalized experience, Donny Wonny uses AI to generate periodic summaries of your conversation history with your Donny companion. These summaries ("memory") are stored on your account and used to inform future AI responses. Memory summaries are derived from your conversations and stored in our secure database. You can request deletion of all AI memory data at any time by contacting privacy@donnywonny.com. Memory data is included in any account export or deletion request.
Donny Wonny reads your mood check-in history (scores and labels you voluntarily enter) to adjust the tone and personality of your AI companion - for example, a more playful tone when you've been feeling great, or a calmer, more supportive tone during harder weeks. This analysis is performed automatically using data you submit and is used solely to improve your in-app experience. This data is not sold or shared with third parties.
If you have notifications enabled, Donny Wonny sends a weekly recap summary via push notification and email, containing statistics about your activity (messages sent, mood entries, streaks). You can opt out of weekly recap emails at any time by visiting your notification settings at donnywonny.com/settings/notifications, replying "unsubscribe" to any recap email, or updating your preference in the mobile app. Your opt-out preference is saved to your account and respected immediately.
During onboarding, we collect optional preferences such as your personal growth focus area, preferred check-in time, current goal, and notification preference. This information is stored on your account and used to personalize your Donny companion's responses and your app experience. You may update or delete these preferences at any time from your profile settings.
When you create or join a Spark Hub (a creator's themed content channel), we store your membership status, join date, and the Hub identifier. Spark Hub creators' display names and taglines are publicly visible. The list of Hub members is visible only to the Hub owner. Joining or leaving a Hub updates an aggregate member count but does not disclose your identity to other members. You may leave any Hub at any time, which immediately removes your membership record. Note: Spark Hubs are separate from the "Donny Dens" group plan tier described elsewhere in this policy; the latter is a private shared space for up to six family or friend members and has its own data-handling rules.

EU and UK data subjects: our appointed Article 27 representative is Euverify Ltd. Click the badge above to verify our status or submit a Data Subject Access Request (DSAR), deletion request, or other GDPR inquiry through their secure portal.