Privacy is at the heart of Sibyl.
We believe care includes confidentiality. This Privacy Policy explains how we handle your information securely and transparently.
Updated: May 2026.
1. Who We Are
The Sibyl App is operated by Sibyl Care B.V., a company registered in the Netherlands (Bergweg 265a, 3037EM Rotterdam).
Under GDPR, Sibyl Care B.V. is the data controller responsible for your personal data.
Contact: support@sibyl.care
2. What Data We Collect
Personal Information
Email address
Account and communication preferences
Information you provide when contacting support
Health-Related and Sensitive Data (Optional)
Information you choose to share about your pregnancy loss experience
Emotional or psychological experiences (e.g., grief, anxiety, mood)
Physical symptoms you describe as part of chat, journaling, or reflections
See Section 13 for more detail on how we handle this category of data.
App Usage and Technical Data
Device type and operating system
App interactions, session duration, and feature usage
Anonymised or pseudonymised analytics data
We do not collect precise location data.
3. How We Use Your Data (Legal Basis)
We process personal data only when there is a lawful basis to do so.
Consent
Processing sensitive health-related data you voluntarily provide
AI-powered emotional support, journaling, and personalisation features
You may withdraw consent at any time by deleting your account or contacting us.
Legitimate Interest
To operate, secure, and improve the App
To monitor performance and fix technical issues
To analyse anonymised usage patterns
You may object to processing on this basis at any time.
Legal Obligation
Where we are required to retain data by applicable law or regulatory authorities
4. Use of Artificial Intelligence
Sibyl is powered by artificial intelligence to provide emotional support, reflective prompts, and personalised content.
When you use AI-powered features
You are interacting with an AI system, not a human
AI responses are supportive and informational only — they are not professional medical or psychological advice
The AI does not have access to your full medical history
AI Provider
Sibyl uses Anthropic's Claude as its sole AI model. Anthropic processes your inputs to generate responses.
Anthropic will not use your data to train or improve AI models. This commitment is contractually binding in our Data Processing Agreement with Anthropic.
Data Handling
Your inputs are processed by Anthropic solely to generate AI responses
Sibyl does not use your conversations to train its own AI models
We do not sell your data or share it for advertising or marketing purposes
Anthropic processes data in the United States. This transfer is governed by Standard Contractual Clauses (SCCs) approved by the European Commission. See Section 6 for more detail.
5. Data Security and Storage
We take significant technical and organisational measures to protect your data.
Infrastructure
EU data residency: all core application data is stored on Google Cloud Platform, europe-west4 region (Netherlands) — within the EU
Encryption in transit: TLS 1.3 for all data moving between your device and our systems
Encryption at rest: GCP-managed disk encryption on all storage
No public-facing ports: infrastructure access is via Identity-Aware Proxy (IAP) tunnelling and hardware security keys
Secrets management: credentials and API keys are held in GCP Secret Manager — never in code or repositories
Access Controls
Two-factor authentication (2FA) is enforced on every system and service that supports it
Access to personal data is restricted to authorised personnel only
Identifiable user data — any view that links your email address to your data — is accessible only to key teammates when necessary to diagnose or fix a specific technical issue
External Contractors
Our development team works under a signed Data Processing Agreement (DPA) specifying security standards, data minimisation, sub-processor restrictions, and a 24-hour breach notification requirement. They may not use personal data for any purpose beyond delivering services to Sibyl.
6. International Data Transfers
Sibyl is based in the European Union and our primary systems are hosted on EU-based servers. Most of your data never leaves the EEA.
Transfer to the United States — Anthropic
When you use AI-powered features, your inputs are processed by Anthropic in the United States. This transfer is governed by Standard Contractual Clauses (SCCs) approved by the European Commission, providing an equivalent level of data protection.
All other services
Customer.io (email delivery) — EU data centre; no transfer outside the EEA
Google Cloud Platform (hosting and database) — europe-west4 (Netherlands); no transfer outside the EU
We take reasonable steps to ensure an equivalent level of data protection wherever data is processed.
7. Your Rights Under GDPR
You have the right to:
Access your personal data
Correct inaccurate or incomplete data
Request deletion of your data (“right to be forgotten”)
Restrict processing
Receive your data in a portable format
Object to processing based on legitimate interests
Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
To exercise any of your rights, contact us at support@sibyl.care. We respond within 30 days.
8. Data Retention and Deletion
We retain personal data only for as long as necessary to provide the App or comply with legal obligations.
Account data: retained until you request deletion
Support communications: generally retained for up to 12 months
Security and system logs: retained for up to 12 months
You can delete all your personal data at any time by emailing support@sibyl.care. We will process your request and permanently remove your data within 30 days, unless retention is required by law. We make this option easy to find and remind you of it regularly within the App.
You may also delete your account directly via the App.
9. Children's Data
Sibyl is intended for use by adults aged 18 and over. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately at support@sibyl.care.
10. Research and Insights
We may use aggregated and de-identified data — which cannot be linked back to you — for research, statistical analysis, and improving our services. Aggregated data is not considered personal data under GDPR.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If changes are material, we will notify you through the App or by email. The current version is always available at sibyl.care/privacy.
12. Contact
Sibyl Care B.V.
Bergweg 265a
3037EM Rotterdam
The Netherlands
13. Health Information We Collect
Sibyl may process sensitive health-related data that you voluntarily choose to share, including:
Emotional and psychological experiences related to pregnancy loss
Physical symptoms you describe (e.g., pain, bleeding, recovery experiences)
Other reproductive health information shared through onboarding, journaling, or AI-guided reflections
This data is classified as special category data under GDPR (Article 9) and is processed only with your explicit consent.
We do not:
Use this data for advertising
Sell your data
Share health data for marketing purposes
Use your data to train AI models
Health-related data is:
Encrypted in transit (TLS 1.3) and at rest (GCP-managed encryption)
Stored on EU-based servers (GCP europe-west4, Netherlands)
Processed only to deliver emotional support and personalisation features
Subject to strictly limited processing by Anthropic solely to generate AI responses, governed by SCCs and a contractual no-training commitment
You may withdraw consent at any time by contacting support@sibyl.care. Once your deletion request is processed, your health data will be permanently removed from our systems within 30 days, unless retention is legally required.
Thank you for trusting Sibyl.
