Privacy Policy
Last updated: April 2026 Effective date: April 2026
Who we are
MyExternalCortex is currently a solo developer project based in the United States. There is no incorporated business entity at this time. When we refer to "we", "us", or "our", we mean the individual operating this service.
Contact: petro@cpetro.us
What we collect and why
We collect the minimum information needed to provide the service.
| Data | Why we collect it |
|---|---|
| Discord or Telegram user ID and display name | To identify your account and route messages to you |
| Your messages to the bot | To understand your tasks, appointments, and requests — these are sent to the Anthropic API to generate responses |
| Tasks and appointments you create | To remind you and track your to-dos |
| Habit check-in responses (yes/no answers) | To surface patterns and offer coaching over time |
| Timezone and notification preferences | To send reminders at the right time |
| Wins count | To celebrate your progress |
We do not collect your real name, email address, or any payment information at this time. We do not ask for or store a medical diagnosis. Habit and coaching data reflects self-reported behavior only.
How your data is stored
Your messages, task titles, and appointment details are encrypted at rest using industry-standard symmetric encryption (AES-128 via Fernet). Habit check-in responses (yes/no only, no content) are stored unencrypted — they contain a date and a boolean, nothing personally identifiable.
The database is stored on a server controlled by the operator. No one else has access to your data.
Third-party services
We use three external services to operate. You should understand what each receives.
Anthropic (AI processing)
When you send a message to the bot, that message is sent to the Anthropic API to generate a response. Anthropic's usage policy states that they do not train models on API inputs and outputs. Anthropic is a US-based company. We have not entered into a formal Data Processing Agreement with Anthropic at this time.
Discord
If you use the Discord interface, your messages pass through Discord's infrastructure. Discord's Privacy Policy governs how they handle your data. Discord does not offer a Data Processing Agreement for bot operators.
Telegram
If you use the Telegram interface, your messages pass through Telegram's infrastructure. Telegram's Privacy Policy governs how they handle your data. Telegram does not offer a Data Processing Agreement for bot operators.
GDPR and EU users
We intend to achieve full GDPR compliance when this service becomes a paid product. We take that obligation seriously.
Honest current status: We are not GDPR-compliant today. The core reason is that Discord and Telegram — the platforms this service runs on — do not offer Data Processing Agreements for third-party bot operators. Without those agreements, we cannot satisfy the GDPR's processor chain requirements, regardless of what we do on our end.
If you are an EU resident and this matters to you, your only current option is not to use this service. We recognize that is an unsatisfying answer and we are not trying to hide behind it. It is simply the honest one.
HIPAA
This service is not HIPAA-compliant. Discord and Anthropic do not offer Business Associate Agreements. However, the technical safeguards we implement — encryption at rest, audit logging, row-level data isolation, and the right to erasure — are equivalent to HIPAA's technical requirements. We do not store medical diagnoses or protected health information as defined by HIPAA.
Your rights
Regardless of where you live, you can:
- See your data: Use
/profileto see your account settings. Ask the bot "what tasks do I have?" at any time. - Delete everything: Use
/delete_my_dataon Discord or Telegram. This immediately and permanently deletes all your data — tasks, appointments, messages, habit history, and account. There is no recovery. - Correct your data: Tell the bot to update or delete any specific task, appointment, or setting.
- Export your data: Not currently available in-app. Contact us and we will provide a copy of your data in a readable format.
Data retention
Your data is kept for as long as your account exists. When you delete your account
(/delete_my_data), all data is deleted immediately and permanently.
We do not automatically expire inactive accounts at this time.
Changes to this policy
If we make material changes to this policy, we will notify active users via the bot before the changes take effect. The "Last updated" date at the top of this page will always reflect the current version.
Because we are committed to honesty: if a change makes this policy less protective of your data, we will say so plainly and explain why.
Contact
Questions, concerns, or data requests: petro@cpetro.us
We will respond to data requests within 30 days.