Trust + compliance

Built for the level of trust this conversation requires.

A page for advisors, clinicians, employer-wellness leads, family members, and anyone else sense-checking AUCO before recommending it. Compliance posture is enforced as code, not declared in marketing copy.

Lawful basis under UK GDPR

AUCO processes the content of a conversation under UK GDPR Article 9(2)(a) – explicit consent. The consent step is a mandatory, separate, explicit screen in the onboarding flow, captured on the server with an audit-log entry. It is not bundled into the terms-of-service tick.

Article 6 lawful basis is Article 6(1)(b) – contract: AUCO is delivering the wellness service the user has signed up for.

Data residency

Conversations, profiles, consents, and audit data sit in a managed Postgres database in a UK/EU region. Static assets and edge-cache live on Cloudflare's UK/EU points of presence. Error telemetry runs through Sentry's EU region (ingest.de.sentry.io). The only third-country transfer is the Anthropic API for language-model inference, which is governed by standard contractual clauses and the technical commitment that no conversation memory is retained at the vendor.

The crisis layer is not the language model

Every user input passes through a deterministic regex layer before the language model is consulted. A match suspends the session and renders a region-appropriate crisis card with helpline numbers as tappable links (Samaritans 116 123, NHS 111, Mind in the UK; Lifeline 13 11 14, Beyond Blue 1300 22 4636, 13YARN 13 92 76 in Australia). The language model is never the sole gate for safety. The regex set is version-pinned, tested, and audited by a probe that runs nightly.
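The shape of that gate, as an added illustration rather than AUCO's own code: a version-labelled rule list is checked before anything reaches the model, the first match suspends the session, and the card is built from the region's helplines with the numbers rendered as tel: links. The patterns, the version label and the model-call placeholder are assumptions made for the example; the helpline numbers are the ones quoted above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Illustrative pattern set with a version label; this is NOT AUCO's pinned
# production set. The version tag is what lets a logged match be traced back
# to the exact rule set that fired.
PATTERN_SET_VERSION = "example-v1"
CRISIS_PATTERNS = [
    ("self_harm_intent", re.compile(
        r"\b(want|going|plan(ning)?)\s+to\s+(end|take)\s+my\s+(own\s+)?life\b", re.I)),
    ("self_harm_direct", re.compile(r"\b(kill|hurt)\s+myself\b", re.I)),
    ("suicidal_ideation", re.compile(r"\bsuicid(e|al)\b", re.I)),
]

# Region-appropriate helplines, as quoted on the page.
HELPLINES = {
    "UK": [("Samaritans", "116 123"), ("NHS", "111")],
    "AU": [("Lifeline", "13 11 14"), ("Beyond Blue", "1300 22 4636"), ("13YARN", "13 92 76")],
}


@dataclass(frozen=True)
class CrisisCard:
    region: str
    pattern_id: str
    pattern_version: str
    helplines: tuple  # ((name, number), ...)


def tel_uri(number: str) -> str:
    """Render a helpline number as a tappable tel: link (spaces stripped)."""
    return "tel:" + re.sub(r"\s+", "", number)


def check_crisis(user_input: str, region: str) -> Optional[CrisisCard]:
    """Deterministic gate: first matching rule wins, no model involved.
    Unknown regions fall back to the UK card rather than to no card."""
    for pattern_id, rx in CRISIS_PATTERNS:
        if rx.search(user_input):
            lines = HELPLINES.get(region, HELPLINES["UK"])
            return CrisisCard(region, pattern_id, PATTERN_SET_VERSION, tuple(lines))
    return None


def call_language_model(user_input: str) -> str:
    # Placeholder standing in for the inference call; only reached when the gate passed.
    return "(model reply to: %s)" % user_input


def handle_turn(user_input: str, region: str, session: dict) -> dict:
    """Run the gate before any model call. A match suspends the session, and a
    suspended session keeps returning the card instead of reaching the model."""
    card = session.get("crisis_card") or check_crisis(user_input, region)
    if card is not None:
        session["suspended"] = True
        session["crisis_card"] = card
        return {
            "type": "crisis_card",
            "pattern_id": card.pattern_id,
            "pattern_version": card.pattern_version,
            "links": [(name, tel_uri(num)) for name, num in card.helplines],
        }
    return {"type": "model_turn", "text": call_language_model(user_input)}
```

The response records which rule fired and under which rule-set version, which is what a nightly probe or an audit would need in order to reproduce the decision later.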

Right to erasure (Article 17)

Users can delete their account at any time from /account. The deletion runs immediately – no grace period, no confirmation loop beyond a single "type DELETE" friction step. Profile, conversations, consents, and life-stage transitions are hard-deleted. Audit-log rows are retained with the user identifier removed (user_id = NULL) and a marker indicating user-initiated erasure, so the compliance trace survives without retaining personal data.
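The erasure transaction, as an added example that is not AUCO's code: the "type DELETE" friction step is checked first, then the four personal-data tables are hard-deleted and the audit rows are kept with user_id set to NULL and an erasure marker, all inside one transaction so a failure leaves nothing half-erased. The schema, table names and sample rows are constructed for the example, and SQLite stands in for the managed Postgres database.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed schema standing in for the real tables named on the page.
SCHEMA = """
CREATE TABLE profiles (user_id INTEGER PRIMARY KEY, display_name TEXT);
CREATE TABLE conversations (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT);
CREATE TABLE consents (id INTEGER PRIMARY KEY, user_id INTEGER, basis TEXT, given_at TEXT);
CREATE TABLE life_stage_transitions (id INTEGER PRIMARY KEY, user_id INTEGER, stage TEXT);
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY,
    user_id INTEGER,                           -- nullable: set to NULL on erasure
    event TEXT NOT NULL,
    erasure_by_user INTEGER NOT NULL DEFAULT 0, -- marker: user-initiated erasure
    at TEXT NOT NULL
);
"""

# Fixed list of tables holding personal data; only these names reach the SQL below.
PERSONAL_DATA_TABLES = ("profiles", "conversations", "consents", "life_stage_transitions")


def make_sample_db() -> sqlite3.Connection:
    """In-memory database with two constructed users so the test can show
    that erasing one leaves the other untouched."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for uid in (1, 2):
        conn.execute("INSERT INTO profiles VALUES (?, ?)", (uid, "user%d" % uid))
        conn.execute("INSERT INTO conversations (user_id, body) VALUES (?, ?)",
                     (uid, "constructed conversation text"))
        conn.execute("INSERT INTO consents (user_id, basis, given_at) VALUES (?, ?, ?)",
                     (uid, "art9_2_a_explicit", "2024-01-01T00:00:00Z"))
        conn.execute("INSERT INTO life_stage_transitions (user_id, stage) VALUES (?, ?)",
                     (uid, "stage-a"))
        conn.execute("INSERT INTO audit_log (user_id, event, at) VALUES (?, ?, ?)",
                     (uid, "consent_given", "2024-01-01T00:00:00Z"))
    conn.commit()
    return conn


def erase_user(conn: sqlite3.Connection, user_id: int, typed_confirmation: str) -> dict:
    """Immediate erasure: no grace period, one friction step, one transaction."""
    if typed_confirmation != "DELETE":
        raise ValueError("erasure requires the literal confirmation 'DELETE'")
    now = datetime.now(timezone.utc).isoformat()
    counts = {}
    with conn:  # commit on success, roll back everything on any exception
        # Log the request first, so the compliance trace exists before the data goes.
        conn.execute("INSERT INTO audit_log (user_id, event, at) VALUES (?, ?, ?)",
                     (user_id, "erasure_requested", now))
        for table in PERSONAL_DATA_TABLES:
            assert table in PERSONAL_DATA_TABLES  # never an interpolated user value
            cur = conn.execute("DELETE FROM %s WHERE user_id = ?" % table, (user_id,))
            counts[table] = cur.rowcount
        # Retain audit rows, strip the identifier, mark as user-initiated erasure.
        cur = conn.execute(
            "UPDATE audit_log SET user_id = NULL, erasure_by_user = 1 WHERE user_id = ?",
            (user_id,))
        counts["audit_rows_anonymised"] = cur.rowcount
    return counts


def remaining_rows(conn: sqlite3.Connection, table: str, user_id: int) -> int:
    assert table in PERSONAL_DATA_TABLES or table == "audit_log"
    return conn.execute("SELECT COUNT(*) FROM %s WHERE user_id = ?" % table,
                        (user_id,)).fetchone()[0]
```

Logging the request before the deletes means the audit trail shows that an erasure happened even though the row no longer says for whom; a check that audit rows are never deleted is the kind of invariant a nightly probe can assert.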

No engagement-loop optimisation (EU AI Act Article 5)

AUCO emits no streak metrics, no badges, no return-rate KPIs, no "we missed you" notifications, no celebratory dopamine loops. A nightly probe measures average sessions per user per week; if it exceeds three, a compliance gate fires and we look at it. This is not a marketing claim – it is enforced as a probe writing to a compliance gate, version-controlled in the repository.

Model + prompt + content pinning per turn

Every assistant turn in the database is pinned to the exact model identifier, prompt version, and knowledge-base content snapshot that produced it. A year from now we can still tell you what AUCO said, why, and what it was drawing on. This is the field lesson from the Tessa incident: reproducibility is the safety surface.
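What per-turn pinning looks like in practice, as an added example rather than AUCO's schema: each stored turn carries the model identifier, the prompt version and a canonical digest of the knowledge-base content, and a drift check names which of those inputs no longer match the current deployment. The model identifier, prompt version and document texts are constructed placeholders.

```python
import hashlib
import json
from dataclasses import dataclass


def kb_snapshot_digest(docs: dict) -> str:
    """Canonical SHA-256 over knowledge-base content. Items are sorted by doc id
    and serialised with fixed separators, so dict order and whitespace cannot
    change the digest; only the content can."""
    canonical = json.dumps(sorted(docs.items()), separators=(",", ":"),
                           ensure_ascii=False, sort_keys=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class PinnedTurn:
    turn_id: int
    model_id: str        # exact model identifier used for this turn
    prompt_version: str  # version of the system prompt in force
    kb_snapshot: str     # digest of the knowledge-base content the turn drew on
    text: str            # what the assistant actually said


def record_turn(turn_id: int, model_id: str, prompt_version: str,
                docs: dict, text: str) -> PinnedTurn:
    """Pin the three inputs at write time, not on later reconstruction."""
    return PinnedTurn(turn_id, model_id, prompt_version, kb_snapshot_digest(docs), text)


def provenance_drift(turn: PinnedTurn, model_id: str, prompt_version: str,
                     docs: dict) -> list:
    """Names of the pinned inputs that differ from the current deployment.
    An empty list means a replay would run against identical inputs."""
    drift = []
    if turn.model_id != model_id:
        drift.append("model_id")
    if turn.prompt_version != prompt_version:
        drift.append("prompt_version")
    if turn.kb_snapshot != kb_snapshot_digest(docs):
        drift.append("kb_snapshot")
    return drift
```

Storing the digest rather than the content keeps the turn row small while still making any later edit to the knowledge base detectable; the content itself has to be retained separately, keyed by digest, for a full replay.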

Wellness positioning, not clinical

AUCO sits within the MHRA wellness boundary. It does not make clinical assessments. It does not recommend treatment. It does not replace professional care. A continuously running claims linter checks every user-facing string in the codebase against a list of regulatory triggers (around clinical claims) and brand-voice triggers (around empty motivational language). The check is part of CI – code does not ship if a string fails.

DPIA (Data Protection Impact Assessment)

A draft DPIA is in the repository and being reviewed by the data controller pre-launch. It covers purpose, nature of processing, lawful basis, residual risks, less-risky alternatives considered, and data-subject rights. Quarterly review thereafter. Available on request to advisors and regulators.

Live compliance dashboard

Once an account is provisioned, signed-in users can view a live compliance posture at /admin/quality-gates. It surfaces the current state of every probe, every framework control, and every quality gate. This is the same data we use to make pre-launch decisions.

Open issues we are honest about

  • The current managed-database region is being migrated; the eu-west-2 (London) project is the launch target.
  • Jailbreak red-team testing is committed pre-public-launch.
  • The DPIA carries a controller signature on launch, not before.
  • AUCO has not yet processed real-user conversations at any scale – the engagement-discipline probe will be most meaningful once it has real data.

For a deeper read

The repository is closed-source pre-launch. We share the architecture document, DPIA draft, and ADR list with advisors and clinical reviewers on request.

hello@aucoapp.com →
