Is Attune GDPR compliant?

Yes. Attune is designed for UK GDPR compliance from the ground up. Key measures include: on-device biometric processing (raw facial video never leaves your device), explicit consent for all data processing, one-tap data deletion, 48-hour video retention limits, and data processing agreements with all infrastructure providers.

Where is my data stored?

User account data is stored on EU-based servers. Emotional profiles (anonymized VAD vectors) are stored encrypted at rest. Raw facial video is processed on-device and never transmitted or stored on servers. Video date recordings are deleted within 48 hours.

Does Attune share data with third parties?

No user data is sold. Data is shared only with: Cavefish (technology provider), infrastructure providers under GDPR-compliant data processing agreements, and law enforcement when legally required. Raw biometric data is never shared with third parties.

Security & Trust — Data Protection

On-device processing

Raw facial video never leaves your device. EchoDepth processes locally and transmits only anonymized emotional vectors.

Encryption at rest

All stored data is encrypted using AES-256. Emotional profiles are stored separately from identifying information.

48-hour video deletion

Video date recordings are permanently deleted within 48 hours. Only anonymized interaction features are retained.

One-tap deletion

Exercise your right to erasure instantly. One tap deletes all your data from our systems permanently.

Data protection architecture

Attune's privacy-first architecture separates sensitive biometric processing from cloud infrastructure:

Device layer: EchoDepth runs on your smartphone. Facial video is analyzed in real-time and immediately discarded. Only mathematical emotional vectors (VAD profiles) leave your device.
Transport layer: All data in transit is encrypted using TLS 1.3. Certificate pinning prevents man-in-the-middle attacks.
Storage layer: EU-based infrastructure. Emotional profiles are encrypted at rest and stored separately from account identifiers. Pseudonymization by default.

Compliance

Requirement	Status	Details
UK GDPR	Compliant	Lawful basis: explicit consent for all processing. DPA registered.
Article 9 (Special categories)	By design	On-device processing avoids transmission of biometric data. Stored profiles are mathematical vectors, not biometrics.
Data Processing Agreements	In place	GDPR-compliant DPAs with all infrastructure providers.
Right to erasure	Implemented	One-tap deletion from app. Automated propagation to all systems.
Data portability	Implemented	Export your profile data in machine-readable format.
ICO registration	Registered	Cavefish Ltd is registered with the UK Information Commissioner's Office.

Access controls

Employee access: Minimal access principle. Production data access requires explicit justification and is logged.
Third-party access: No user data sold. Shared only with infrastructure providers under DPA. Raw biometric data never shared.
User controls: Granular consent settings. Opt-out of model training. Complete data deletion on request.

Incident response

In the event of a security incident:

Affected users notified within 72 hours per GDPR requirements
ICO notification for qualifying breaches
Post-incident review and remediation published

Security contacts

Report security vulnerabilities responsibly:

Security issues: security@attunechemistry.com
Privacy inquiries: privacy@attunechemistry.com
DPO contact: dpo@attunechemistry.com

Enterprise documentation

For enterprise customers and platform partners, we provide:

Detailed security architecture documentation
GDPR Article 9 compliance analysis
Data processing agreement templates
Penetration test summaries (under NDA)
Infrastructure and subprocessor details

Need security documentation?

Enterprise customers and platform partners can request detailed compliance documentation.

Contact security team

Security at Attune