Privacy
Your diary is yours.
Completely.
You're asked to share something vulnerable here — thoughts you might not say out loud, feelings you haven't made sense of yet. That's the whole point. And it only works if you can trust that no one else will see it.
This isn't a promise backed by a privacy policy. It's built into the architecture. Client-side encryption means we can't read your entries even if we wanted to. These are the specifics.
The encryption model
Every entry is encrypted in your browser before any network call, using AES-256-GCM — the same algorithm used by password managers and banking infrastructure. The key is derived from your credentials using PBKDF2 with 310,000 iterations. It never leaves your device.
What gets stored in our database is ciphertext: an unreadable blob alongside a timestamp and your user ID. No plaintext. No entry content. No emotional data in raw form.
When you open an entry, the ciphertext is fetched and decrypted locally in your browser. Your words never travel the network as readable text.
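The flow described above, sketched with the browser's WebCrypto API. This is an added example, not this product's own code: the PBKDF2 hash (SHA-256), the 16-byte salt, the 12-byte IV, the row layout, the function names, and the choice to bind the user ID and timestamp as additional authenticated data are all assumptions.

```javascript
// Added example. In a browser `crypto` is global; the fallback covers older Node.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder(), dec = new TextDecoder();

// Derive a non-extractable AES-256-GCM key with PBKDF2, 310,000 iterations.
async function deriveKey(secret, salt) {
  const base = await wc.subtle.importKey('raw', enc.encode(secret), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: 310000 }, // hash is an assumption
    base, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Encrypt one entry. GCM needs a fresh IV per encryption under the same key.
// Assumption: user ID and timestamp are bound as AAD, so a blob copied onto
// another row fails authentication instead of decrypting.
async function encryptEntry(key, plaintext, userId, timestamp) {
  const iv = wc.getRandomValues(new Uint8Array(12));
  const additionalData = enc.encode(`${userId}|${timestamp}`);
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv, additionalData }, key, enc.encode(plaintext));
  return { userId, timestamp, iv, ciphertext: new Uint8Array(ct) }; // hypothetical stored row
}

// Decrypt locally; throws if the key, the ciphertext or the bound metadata is wrong.
async function decryptEntry(key, row) {
  const additionalData = enc.encode(`${row.userId}|${row.timestamp}`);
  const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv: row.iv, additionalData }, key, row.ciphertext);
  return dec.decode(pt);
}

// Round trip plus two failure cases, using constructed sample values.
async function demo() {
  const salt = wc.getRandomValues(new Uint8Array(16)); // per-user salt (assumption)
  const key = await deriveKey('constructed-sample-secret', salt);
  const row = await encryptEntry(key, 'Dear diary (sample text)', 'user-123', '2024-01-01T00:00:00Z');
  const verdict = (p) => p.then(() => 'accepted', () => 'rejected');
  return {
    stored: row,
    roundTrip: await decryptEntry(key, row),
    movedRow: await verdict(decryptEntry(key, { ...row, userId: 'user-456' })),
    wrongSecret: await verdict(decryptEntry(await deriveKey('wrong-secret', salt), row)),
  };
}
```

Because the key is imported as non-extractable, page script can use it but cannot export its raw bytes.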
How AI reflection works privately
When you request a reflection, your entry is decrypted in memory in your browser, then sent to a server-side proxy — a minimal Edge Function that verifies your auth token and forwards the request to Claude.
The proxy never logs request bodies. Your entry content reaches Claude's API and comes back as a streamed response. Nothing is cached, stored, or written to disk at any point in that flow.
We use Anthropic's zero data retention mode on all calls containing journal content. This means Claude doesn't store your entries for training or any other purpose.
What we never collect
No ad tracking on the journal editor or reflection screens. The most sensitive surfaces in the product have zero third-party scripts. There is no analytics pixel watching what you write about.
No data is sold to third parties. Ever. This is not a line item in a business model we're hedging on — it's a constraint we built around.
No moderation layer reads your entries. There's no content policy enforcement on your journal because your journal is encrypted and we can't read it.
Emotional pattern data is stored as derived signals only — never raw content. We store "high negative sentiment on this date," not the words that produced that signal.
Database access control
Every table in our database has Row Level Security enabled, with a default deny-all policy. Explicit rules are written for each operation — read, write, update, delete. Every rule checks that the requesting user's ID matches the row's owner.
This means even a bug in application code can't expose one user's data to another. The database enforces the boundary directly.
The short version
Encrypted before it leaves your device
Zero data sold to third parties
No ad tracking on sensitive screens
Claude API with zero-retention mode