Privacy
This page is the whole policy. It is written to be read, not scrolled past.
What we collect
Three things. Your email address, so you can sign in and get receipts. Your billing status, so we know whether your subscription is active. And encrypted blocks of data — your journal entries, sealed on your device before they reach us.
What we cannot read
Everything you write. Session answers, trigger logs, and quiz results are encrypted on your device with a key derived from your password. That key never leaves your device. What arrives at our servers is ciphertext — scrambled data we have no way to unscramble. If we were subpoenaed, hacked, or bought, your words would still be unreadable, because the ability to read them was never ours.
What we never collect
No ad trackers. No Google Analytics, no Meta or TikTok pixels, no session replay, no fingerprinting, no ad IDs. We count visits with Plausible, a privacy-first analytics tool that uses no cookies and stores no personal data.
Where your data lives
Hosting provider and country will be stated here before launch. [Placeholder — finalized when the hosting account is created.]
The encryption model in one paragraph
When you write, your device encrypts the text with AES-256, using a key derived from your password. Only the encrypted form is sent and stored. Server-readable metadata is limited to timestamps, session identifiers, completion status, and mood scores — enough to show your streaks and progress without reading a word you wrote. If you lose your password and your recovery code, your entries cannot be recovered. That is not a missing feature; it is the design.
Deletion
Deleting your account hard-deletes every row and every encrypted block within 24 hours. There is no soft delete, no retention window, no "deactivation."
Selling data
We have never sold data and never will. The business model is the subscription — you pay us, so advertisers don't.