Privacy Policy

1. Introduction

Welcome to DeepWrite. We are committed to protecting your privacy and handling your personal information with care and transparency. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our AI-powered journaling application.

DeepWrite processes highly sensitive personal information including your private thoughts, reflections, and journal entries. We take this responsibility seriously and have implemented comprehensive security measures to protect your data.

Important Legal Notice: This privacy policy is designed to comply with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable international privacy laws. However, this document is for informational purposes. For legally binding compliance specific to your jurisdiction, we recommend consulting with a qualified attorney.

2. Data Controller Information

For the purposes of data protection law, DeepWrite is the data controller responsible for your personal information.

Contact Information:
For any privacy-related inquiries, questions about your data, or to exercise your rights, please contact us through the feedback form in your user account section or via the contact form on our website.

3. What Data We Collect

3.1 Account Information

• Email address
• Name (when provided via Google OAuth)
• Authentication credentials (securely hashed passwords or OAuth tokens)
• Account creation date and last login information
• User preferences and settings

3.2 Journal Content

• Journal entries (text content including your personal thoughts and reflections)
• Responses to journaling prompts and templates
• Images uploaded to journal entries
• Entry dates, titles, and metadata
• Custom journaling templates you create

3.3 AI Interaction Data

• Questions you ask our AI assistant ("Echo")
• AI-generated responses and analysis of your journal entries
• Conversation history with the AI
• AI query usage statistics (to manage subscription limits)
• Background processing job data

3.4 Subscription & Payment Information

• Subscription tier and status
• Payment history and billing information (processed and stored by Stripe)
• Usage limits and monthly query resets
• Stripe customer ID (for managing your subscription)

3.5 Usage & Analytics Data

• Application usage patterns and feature interactions
• Performance metrics and error logs
• Device information and browser type
• IP address and general location data
• Session information and authentication events

4. How We Collect Your Data

4.1 Information You Provide Directly

• When you create an account
• When you write journal entries
• When you interact with our AI assistant
• When you upload images
• When you create custom templates
• When you subscribe to a paid plan

4.2 Information Collected Automatically

• Cookies and session data (for authentication and functionality)
• Usage analytics and performance metrics
• Error logs and system diagnostics
• Real-time synchronization data

4.3 Information from Third Parties

• Google OAuth (name and email when you sign in with Google)
• Stripe (payment confirmation and subscription status)

5. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

5.1 Contract Performance

Processing necessary to provide the DeepWrite service, including storing your journal entries, processing AI queries, and managing your subscription.

5.2 Legitimate Interest

Improving our service quality, ensuring security, preventing fraud, and conducting analytics to enhance user experience.

5.3 Consent

For optional features like analytics cookies or marketing communications (where applicable).

5.4 Legal Obligation

Compliance with legal requirements such as payment processing regulations and tax obligations.

6. How We Use Your Data

• Provide Core Journaling Functionality: Store, organize, and display your journal entries with calendar navigation and template management
• AI-Powered Insights: Process your journal entries through our AI assistant to answer questions and provide personalized analysis
• Subscription Management: Process payments, manage subscription tiers, track usage limits, and provide access to premium features
• Service Improvement: Analyze usage patterns to enhance features, fix bugs, and optimize performance
• Security & Fraud Prevention: Protect your account, detect suspicious activity, and prevent unauthorized access
• Communication: Send essential service notifications, subscription updates, and respond to your inquiries
• Legal Compliance: Fulfill legal obligations including payment processing regulations and data retention requirements

7. Data Sharing & Third-Party Services

We do NOT sell your personal data to anyone. We only share your data with trusted third-party service providers who help us deliver and improve our service:

7.1 OpenAI (AI Processing)

When you use our AI assistant, your journal entries and questions are sent to OpenAI's API for processing. OpenAI processes this data to generate responses but does not use your data to train their AI models. Data is processed ephemerally and not retained by OpenAI beyond the immediate processing period. Journal entries are never used by the AI model to build memory as per our agreement with the provider. Review OpenAI's privacy policy at: https://openai.com/privacy/

7.2 Stripe (Payment Processing)

Payment information (credit card details, billing address) is collected and processed directly by Stripe. We only receive confirmation of payment status and subscription details. We never see or store your full payment card information. Review Stripe's privacy policy at: https://stripe.com/privacy

7.3 Google (Authentication)

When you sign in with Google, Google provides us with your email address and name (if available) to create your account. Review Google's privacy policy at: https://policies.google.com/privacy

7.4 Supabase (Infrastructure Provider)

Our database, authentication, and file storage are hosted on Supabase's secure infrastructure. Supabase acts as a data processor under our instructions. Review Supabase's privacy policy at: https://supabase.com/privacy

7.5 Legal Disclosures

We may disclose your information if required by law, court order, or government regulation, or if necessary to protect our rights, property, or safety, or that of our users or the public.

8. International Data Transfers

DeepWrite is a global service. Your data may be transferred to and processed in countries outside your country of residence, including the United States and European Union.

When we transfer data internationally, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements with all third-party processors
• Adherence to Privacy Shield principles (where applicable)
• Compliance with GDPR requirements for international transfers

9. Data Security

We implement industry-standard security measures to protect your personal information:

9.1 Encryption

• In Transit: All data transmission uses TLS/HTTPS encryption (256-bit SSL)
• At Rest: Database and file storage encrypted at rest on Supabase infrastructure
• Password Security: Passwords are hashed using industry-standard bcrypt algorithm

9.2 Access Controls

• Row-Level Security (RLS) ensures users can only access their own data
• Multi-factor authentication support for enhanced account security
• Strict access controls for our development team
• Regular security audits and penetration testing

9.3 Infrastructure Security

• Hosted on enterprise-grade Supabase infrastructure
• Regular automated backups
• DDoS protection and firewall protection
• Continuous monitoring for security threats

Important Note: While we implement robust security measures, no system is 100% secure. We cannot guarantee absolute security of data transmitted over the internet.

10. Data Retention

We retain your personal data for as long as necessary to provide our services and comply with legal obligations:

• Active Accounts: Journal entries and account data retained while your account is active
• Deleted Content: Immediately removed from production systems when you delete entries or use data deletion features
• Closed Accounts: Account data deleted within 30 days of account closure
• Payment Records: Retained for 7 years to comply with tax and financial regulations
• Usage Analytics: Anonymized analytics may be retained indefinitely for service improvement
• Legal Holds: Data may be retained longer if required by law or legal proceedings

11. Your Privacy Rights

You have comprehensive rights regarding your personal data. These rights apply under GDPR (for EU residents) and CCPA (for California residents), and we extend these rights to all users globally:

11.1 Right to Access

You can access all your personal data through your account dashboard. You can view, read, and review all journal entries, AI conversations, and account information.

11.2 Right to Rectification

You can edit and update your journal entries, account settings, and personal information at any time through the application interface.

11.3 Right to Erasure ("Right to be Forgotten")

You have the right to delete your data:

• Delete individual journal entries
• Delete all journal data through the "Data Deletion" tab in account settings
• Delete all AI conversation data
• Delete your entire account and all associated data

11.4 Right to Data Portability

You can export your journal entries and data in a machine-readable format (currently available through the "Import/Export" feature in your account).

11.5 Right to Restrict Processing

You can limit how we process your data by not using certain features (e.g., not using AI features prevents AI processing of your entries).

11.6 Right to Object

You can object to processing based on legitimate interests by discontinuing use of optional features or closing your account.

11.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw consent at any time through your account settings.

11.8 Right to Lodge a Complaint

If you believe we have violated your privacy rights, you have the right to file a complaint with your local data protection authority (for EU residents) or the appropriate regulatory body in your jurisdiction.

How to Exercise Your Rights: Most rights can be exercised directly through your account settings. For additional assistance, contact us through the feedback form in your account or our website contact form.

12. Cookies & Tracking Technologies

12.1 Essential Cookies

We use essential cookies necessary for the service to function:

• Authentication cookies (to keep you logged in)
• Session management cookies
• Security cookies (to prevent fraud and enhance security)

12.2 Analytics Cookies (Optional)

We may use analytics cookies to understand how users interact with our service and improve the user experience. These are optional and can be controlled through your browser settings.

12.3 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may prevent certain features from functioning properly. See our Cookie Policy for more details.

13. Children's Privacy

DeepWrite is not intended for children under the age of 16 (or 13 in jurisdictions where that is the applicable age). We do not knowingly collect personal information from children under this age.

If we become aware that we have collected personal information from a child under the applicable age without parental consent, we will take steps to delete that information as quickly as possible.

If you believe we have collected information from a child under the applicable age, please contact us immediately through our contact form.

14. AI-Specific Privacy Considerations

14.1 How AI Processes Your Data

When you use our AI assistant ("Echo"), here's exactly what happens:

• Your question and relevant journal entries are sent to OpenAI's API
• OpenAI processes this data to generate a personalized response
• The response is stored in your account for conversation history
• OpenAI does not retain your data after processing

14.2 OpenAI Data Usage Policy

According to OpenAI's current policy, data sent through their API is NOT used to train or improve their AI models. Your journal entries remain private and are processed ephemerally (temporarily) only to generate your specific response.

14.3 AI Memory & Context

The AI maintains context only for the duration of active conversations. Each new query may include relevant journal entries for context, but no persistent memory is maintained across sessions beyond what's stored in your conversation history.

14.4 User Control Over AI Features

You have complete control over AI usage:

• AI processing only occurs when you actively ask questions
• You can delete AI conversation history at any time
• You can choose not to use AI features while still enjoying full journaling functionality
• Deleted journal entries are not accessible to AI processing

15. California Privacy Rights (CCPA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):

• Right to Know: You can request details about the personal information we collect, use, disclose, and sell (we don't sell data)
• Right to Delete: You can request deletion of your personal information (available through account settings)
• Right to Opt-Out: Right to opt-out of the sale of personal information (not applicable as we don't sell data)
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

To exercise these rights, use the data management features in your account settings or contact us directly.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make changes:

• We will update the "Last Updated" date at the top of this policy
• For material changes, we will notify you via email or in-app notification
• Your continued use of DeepWrite after changes constitutes acceptance of the updated policy
• If you disagree with changes, you may close your account

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

17. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Primary Contact: Use the feedback/contact form in your account settings (when logged in)
• Alternative: Use the contact form on our website homepage
• Subject Line: Please include "Privacy Inquiry" for faster processing

We aim to respond to all privacy inquiries within 30 days (or sooner as required by applicable law).