Privacy Policy
Effective Date: July 1, 2026
By using the Service, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
### 1.1 Information You Provide Directly
- Account Data: email address when you register via Supabase Auth.
- Journal Content: problem statements, deconstruction steps, fundamental facts, reconstructed solutions, and insights you write or generate through our AI.
- AI Chat Messages: questions you submit and responses generated by the AI.
- Community Posts: content you choose to share publicly on the community wall.
- Profile Data: display name, avatar, and status message you optionally provide.
- Payment Information: if you subscribe to a paid plan via Paddle, Paddle collects and processes your payment card details. We do not receive or store full card numbers ourselves; we receive only subscription status and a transaction identifier from Paddle.
### 1.2 Information Collected Automatically
- Authentication Tokens: Supabase stores a session token in your browser to keep you signed in.
- Local Preferences: a fp_theme key in localStorage to remember your dark/light mode preference.
- Log Data: our hosting provider (Vercel) may collect standard server logs including IP address, browser type, referring page, and time of visit. These logs are not accessible to us in raw form on the free Vercel plan.
### 1.3 Information We Do NOT Collect
- We do not use Google Analytics, Facebook Pixel, Hotjar, or any third-party tracking scripts.
- We do not serve advertisements.
- We do not knowingly collect information from children under 13.
2. How We Use Your Information
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide and maintain the Service (save your records, generate AI reports) | Performance of a contract / Legitimate interest |
| Authenticate your account (Supabase Auth) | Performance of a contract |
| Process your subscription payments (Paddle) | Performance of a contract |
| Send service-related emails (e.g., password reset) | Legitimate interest |
| Improve the AI prompt quality based on anonymized patterns | Legitimate interest |
| Comply with legal obligations | Legal obligation |
We do not use your journal content or AI conversations to train AI models. Your data is sent to DeepSeek solely for generating your requested responses and is not retained by DeepSeek for training (per their API terms).
3. Data Sharing and Third Parties
We share data with the following third-party processors solely to operate the Service:
| Processor | Purpose | Location | Data Shared |
|---|---|---|---|
| Supabase | Database, authentication, storage | US (AWS) | Email, journal records, profile data, session tokens |
| DeepSeek | AI model inference for Q&A and report generation | US/CN servers | Your journal records and chat messages (in transit only; not stored by DeepSeek per API ToS) |
| Paddle | Payment processing for subscriptions | UK | Email, transaction metadata (not full card numbers) |
| Vercel | Hosting and content delivery | US | Server logs (IP, browser metadata) |
We do not sell your personal information. We do not share your data with advertisers or data brokers.
### International Data Transfers
Data may be transferred to and processed in the United States and other jurisdictions. Where required by law, we rely on Standard Contractual Clauses or equivalent mechanisms.
4. Data Retention
- Account data: retained for as long as your account is active.
- Journal records and AI chats: retained until you delete them or delete your account.
- Community posts: retained until you delete them or change their privacy setting.
- Payment records: retained for the period required by tax and accounting laws.
You may request deletion of your account and all associated data at any time by contacting us.
5. Your Rights
Depending on your jurisdiction, you may have the following rights:
| Right | Description |
|---|---|
| Access | Request a copy of your personal data we hold. |
| Rectification | Correct inaccurate or incomplete data. |
| Erasure | Request deletion of your data ("right to be forgotten"). |
| Restriction | Limit how we process your data. |
| Portability | Receive your data in a structured, machine-readable format. |
| Objection | Object to processing based on legitimate interest. |
| Withdraw Consent | Withdraw consent where processing is based on consent. |
To exercise any of these rights, email us at xinan136888@gmail.com. We will respond within 30 days.
### CCPA / CPRA (California Residents)
California residents have the right to: (1) know what personal information is collected, used, shared, or sold; (2) delete personal information; (3) opt out of the sale or sharing of personal information; and (4) non-discrimination for exercising these rights. We do not sell or share personal information as defined by the CCPA.
6. Cookie Policy
See our full Cookie Policy for a detailed list of cookies and tracking technologies used on this Service, including how to manage your preferences.
7. Security
We implement appropriate technical and organizational measures to protect your data, including:
- TLS encryption for all data in transit.
- Supabase Row-Level Security (RLS) to enforce per-user data isolation.
- Service-level API keys scoped to the minimum required permissions.
No method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.
8. Children's Privacy
Our Service is not intended for anyone under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the effective date. Your continued use of the Service after changes constitutes acceptance.
10. Contact
For questions about this Privacy Policy or to exercise your rights:
Email: xinan136888@gmail.com