LEGAL

Privacy Policy

LAST UPDATED · 2026-04-19

Gratitude Lock is built so we cannot read what you write. Your gratitude entries are encrypted on your device and stored on our servers as ciphertext we have no key to. This page lays out exactly what we do collect, why, and how you can take it back.

What data we collect

Account: email address (only when you sign in with Apple, Google, or email — anonymous users have no email on file). Locale and timezone, derived from your device, so prompts and reminders fire in your local time.

Subscription: tier (free / journal-only / full-lock / premium). We never store payment-card data; that lives at Apple, Google, and RevenueCat.

Device: build version, OS, and a random installation ID for crash and performance reports. No advertising IDs unless you explicitly opt in to personalised ads at the Google UMP consent prompt.

Entries: you write gratitude entries. We store them on our servers as ciphertext (AES-256-GCM); the encryption key never leaves your device. Outside the two opt-in flows described below (AI reflections and data export), we cannot read your entries.

Server-blind encryption

When you write an entry, the app encrypts it on your device with a key derived (via HKDF) from a per-account secret held in the iOS Secure Enclave / Android Keystore. That key never leaves the device.

The ciphertext is pushed to our Supabase database in the EU. Even with full database access, we see only random bytes: no plaintext, and nothing about the content beyond the fact that an entry exists and roughly how long it is (AES-GCM does not hide plaintext length).

The downside is real: if you lose your device or uninstall the app, and you have no cloud-sync identity (anonymous accounts), your entries cannot be recovered. We cannot reset your encryption key from our side, because we never hold it. Sign in with Apple or Google to enable cross-device recovery.

How AI reflections work (Premium)

Premium users can opt in to weekly AI reflections. When you opt in, your entries from the past week are decrypted on your device and sent to our Railway proxy server (EU), which forwards them to Anthropic for a one-shot reflection. The plaintext of those entries therefore passes through our proxy; we hold it only for the duration of the request. Anthropic processes the request under their Zero-Retention agreement: no logging, no model training, no human review.

The reflection is encrypted on our server before it is returned to your device. We never store the plaintext of either your entries or the reflection.

You can revoke AI consent at any time in Settings. Past reflections you have already received stay on-device.

Firebase Analytics (US data residency)

We use Firebase Analytics for anonymous app-usage telemetry (which features get used, crash rates, performance traces). Firebase is operated by Google in the United States, which means analytics events transit US infrastructure even though all your other data stays in the EU.

Events are aggregated, no entry content is ever transmitted, and we use no advertising identifiers in the free tier. You can opt out of analytics entirely in Settings → Privacy.

We disclose this US-residency split here because EU users have a legal right to know which subprocessors touch their data and where. The trade-off (better crash diagnostics in exchange for one US-resident telemetry stream) is one we accept and want you to know about.

Anthropic Zero-Retention

Anthropic is our LLM provider for AI reflections. We have a signed Zero Data Retention agreement: API requests and responses are not logged, not used for model training, and not retained beyond the request lifecycle.

Anthropic infrastructure is multi-region; we have configured the request routing to prefer EU endpoints where available, but cannot guarantee the request never transits a US region. If you are concerned, do not opt in to AI reflections — the feature is strictly opt-in.

Your right to export your data

In Settings → Privacy → Export my data, you can request a complete archive of your account. We will compile it within 72 hours and email you a signed download link valid for 14 days.

The archive contains: account metadata (email, locale, timezone, tier, subscription history), all entry plaintext (decrypted on our export worker using the key you supply for that request; this is the one step in which your key is handled on our side, and it happens only when you ask for an export), AI reflections you have received, your prompt-bank usage, and a manifest of every other table that contains your data.

Format: a single JSON file plus a PDF version of your entries laid out in the app typography.

Your right to delete your data

In Settings → Privacy → Delete my account, you can request hard deletion. We mark your account for deletion immediately, queue an export of your data (in case you need it), and hard-delete everything within 72 hours of the end of the 7-day grace period described below.

For 7 days after the request, you can reverse the deletion via a magic link in the confirmation email — the "tombstone" pattern. After 7 days, the deletion is irreversible: account row, entries, reflections, subscription record, all gone.

Apple and Google subscriptions are NOT cancelled by us — you must cancel separately in App Store / Play Store settings. We cannot do this on your behalf.

Retention periods

Active accounts: data is retained as long as your account is active.

Inactive accounts: after 24 months without sign-in, we send a reminder email (if we have one); after 36 months without sign-in we delete the account.

Deletion-grace tombstones: 7 days, then hard-delete.

Backups: nightly Supabase point-in-time-recovery snapshots are retained for 7 days. Data deleted at our application layer also ages out of the snapshot rotation within that window, so the last copy of a deleted record is gone at most 7 days after the hard delete.

Users under 16

The app requires age confirmation of 13+ during onboarding. Users between 13 and 15 are flagged as minors per EU GDPR-K — for advertising, this means we set the AdMob TFUA (tagged-for-users-under-age-of-consent) and TFCD (tagged-for-child-directed-treatment) flags so only contextual, non-personalised ads are served.

We do not knowingly collect data from users under 13. If you believe a child under 13 has created an account, contact us at the email below and we will delete it.

Changes to this policy

When we change this page in a way that affects your rights, we will notify you in-app and via email (where we have one). The "last updated" date at the top of this page always reflects the current revision.

Contact

Questions, complaints, or requests: privacy@gratitudelock.app. We answer within 5 business days.