Privacy Policy - JOURNAL, Personal Diary
Last updated: 03/05/2026
This Privacy Policy explains what data the JOURNAL, Personal Diary mobile application ("the App", "we", "us") collects, why we collect it, how we use it, and the rights you have over it. It is written for users in the European Union / EEA / UK (GDPR / UK GDPR), but we apply the same standards to all users.
Data Controller: Carry Studios - contact: carrystudios@gmail.com
1. What We Store Locally on Your Device
By default, all your diary entries, photos, voice memos, mood data, tags and settings are stored exclusively on your device in a local SQLite database. They never leave your device unless you explicitly sign in and opt into Cloud Sync, App-Settings Backup, or Google Drive Backup (see sections 3, 4 and 5).
We do not require you to create an account to use the App.
2. What We Process Without an Account
Even without signing in, the App processes a small amount of data necessary for it to function correctly:
| Data | Purpose | Lawful Basis | Where it Goes |
|------|---------|--------------|---------------|
| Anonymous app usage events (e.g. screen opened, feature used) via Google Analytics for Firebase | Understand which features are used so we can improve the App | Legitimate interest (Art. 6(1)(f) GDPR) - and you can disable it from Settings | Google servers |
| Crash & error reports via Sentry (may include device model, OS version and IP address) | Diagnose crashes and bugs | Legitimate interest (Art. 6(1)(f) GDPR) | Sentry servers |
| App Check tokens (via Google Play Integrity) | Block abuse / fake clients from talking to our backend | Legitimate interest (Art. 6(1)(f) GDPR) | Google servers |
| AdMob advertising ID and limited contextual data | Display the optional rewarded ad you can watch to earn "thought points" inside the App | Consent (you tap to watch the ad) | Google AdMob |
| In-app purchase records (which premium features you bought, purchase date, price) | Restore your purchases across devices and respect your entitlements | Performance of contract (Art. 6(1)(b) GDPR) | Google Play Billing + local DB; if Cloud Sync is on, also our Firebase project |
| Subscription records (entitlement state, purchase + expiry dates, store country, anonymised receipt identifiers) routed through RevenueCat | Operate the optional premium subscription that unlocks Cloud Sync, restore entitlements across devices, and detect refunds / lapses | Performance of contract (Art. 6(1)(b) GDPR) | Google Play Billing → RevenueCat → our Firebase project (audit only) |
We do not sell or share this data with advertising networks for cross-context behavioural advertising. AdMob may use your advertising ID for non-personalised ad delivery in line with your device-level consent settings.
3. Optional Account (Sign-In)
Creating an account is free and only requires Google Sign-In or email/password. Sign-in by itself enables:
- App-Settings Backup (free, opt-in per device - see section 4).
- The ability to subscribe to Premium, which in turn unlocks Cloud Sync for your diary content (see section 5).
Sign-in alone does not upload any diary entries, photos or voice memos to our servers.
When you sign in we receive from your authentication provider:
- Your email address.
- Your display name (if any).
- Your profile photo URL (if any).
- Your Google account ID (Google Sign-In only).
These identifiers are stored in Firebase Authentication and are necessary to identify your account and any associated cloud data. Lawful basis: performance of a contract (Art. 6(1)(b) GDPR).
4. Optional App-Settings Backup (free)
Once signed in, you may opt in per device to back up your app settings - colours, theme, font, language, notification preferences, intro / onboarding flags, day-block layout and similar UI preferences - to a single document in our database, scoped to your account.
- This feature is free and is not gated by the premium subscription.
- It does not upload any diary content (no entries, no photos, no voice memos, no mood, no tags).
- The setting is enabled per device. Auto-push fires when the App goes to background and your settings have changed; auto-pull fires on sign-in and when the App returns to foreground if the cloud document is newer.
- Disabling sync on a device, signing out, or deleting your account stops the device from pushing or pulling further updates. The cloud document is removed when you delete your account (section 7).
Lawful basis: performance of a contract (Art. 6(1)(b) GDPR) - you opt in and we sync.
5. Optional Premium Subscription and Cloud Sync (Firebase)
Cloud Sync of your diary content is available only with an active premium subscription (Monthly, Yearly or Lifetime tier). Without an active subscription, signing in does not upload any diary content and Cloud Sync is paused; only Authentication, App-Settings Backup (section 4) and the subscription audit record (section 5.6) involve our backend.
Cloud Sync is fully optional. You can use the entire App without ever signing in, and you can sign in without subscribing.
5.1 What We Upload (Cloud Sync)
While the subscription is active and you are signed in, the App synchronises the following to Cloud Firestore, scoped to your account:
- Diaries: cover, title, settings, ordering metadata.
- Diary days: text body, date, mood, tags, voice-memo references, ordering metadata.
- Photos: references to photo blobs (the bytes themselves are stored in Cloud Storage - see 5.2).
- Purchase history: feature IDs, purchase dates, prices for one-time in-app purchases and thought-point unlocks.
- Thought-points ledger: balance and transactions.
- Sync bookkeeping: per-device identifiers, last-sync timestamps, the status of any sync currently running, and markers recording deletions.
Conflict resolution is last-write-wins on a per-row update timestamp.
5.2 Where It Is Stored
- Text and metadata: Cloud Firestore.
- Photos and audio (voice memos): Cloud Storage for Firebase, scoped to your account.
- Our Cloud Functions and Cloud Firestore data are hosted in the European Union (Frankfurt, Germany). Some sub-services (Authentication, Cloud Storage, Analytics, App Check) and our sub-processors may process data on Google's global infrastructure, including in the United States. We rely on Google's Standard Contractual Clauses and the EU–US Data Privacy Framework where applicable to legitimise international transfers.
5.3 Optional End-to-End Encryption
You may enable client-side end-to-end encryption for the most sensitive parts of Cloud Sync from Settings → Account.
- What's encrypted on your device before upload: the text body of every diary day entry, and the bytes of every uploaded photo and voice memo.
- What stays cleartext: diary structural metadata (dates, mood, tags, ordering), purchase history, thought-points ledger and sync bookkeeping. We need these in the clear for server-side cleanup, retention and entitlement checks.
- Cipher and key derivation: industry-standard AES-256-GCM, with the encryption key derived from your passphrase using PBKDF2-HMAC-SHA-256.
- Key storage on device: the derived key is cached in your device's secure key store after your first successful unlock, so you only enter the passphrase once per device per account.
- We never receive your passphrase or your derived key. A non-secret salt is stored on our servers so any of your devices can derive the same key from your passphrase, but the salt alone is useless without the passphrase, which never leaves your device. If you forget the passphrase, the only recovery path is to wipe the encrypted cloud copy and re-upload from a device that can still decrypt it.
Once a mode (standard or encrypted) is chosen for an account, switching modes requires wiping and re-uploading all cloud content.
5.4 Important Confidentiality Notice (Standard Mode)
If you do not enable end-to-end encryption (5.3), Cloud Sync runs in standard mode. In standard mode:
- All Cloud Sync data is encrypted in transit (TLS) and at rest by Google.
- However, the App developer (the data controller) has technical access to your standard-mode data through the Firebase administration console for the purpose of operating, debugging and supporting the service.
- We do not read your diary content, share it, or use it for any purpose other than running the sync service. Access is restricted, logged, and limited to staff who need it to operate the service.
If this level of confidentiality is not acceptable to you, enable end-to-end encryption (5.3) or do not enable Cloud Sync at all. With encryption on, the developer can still see metadata (dates, mood, tags) but not the body text or media.
5.5 Lawful Basis and Sensitive Data
Performance of a contract (Art. 6(1)(b) GDPR): you subscribe and ask us to sync your data, and we sync it. You can withdraw at any time by signing out, cancelling your subscription, or deleting the account from Settings → Account.
Diary entries can contain special-category data under Art. 9 GDPR (e.g. health, religion, political views, sexuality). By signing in to Cloud Sync you give your explicit consent to upload such content for the sole purpose of synchronising it across your devices. You can withdraw this consent at any time by signing out, which stops new uploads. To remove already-synced data see section 7 (Account Deletion).
5.6 Subscription State Mirror
For audit, customer support and refund handling, RevenueCat sends server-to-server webhooks that we mirror into a small entitlement record under your account, with a per-event audit log alongside it. This record contains entitlement state, anonymised event identifiers and timestamps, and no diary content. Audit events are automatically purged after 90 days; the entitlement record itself is removed when you delete your account (section 7).
6. Optional Google Drive Backup
Independently from Cloud Sync, you can take a manual backup of your local database to your own Google Drive. The App requests the drive.file scope, which lets it create / read / delete only files it has itself created in your Drive - it cannot see your other Drive content.
The backup is stored solely within your own Google Drive account. Nothing is sent to our servers when you use Drive Backup. Drive Backup is disabled while you are signed in to a cloud account, to avoid having two competing backup mechanisms running at once.
7. Your Rights Under GDPR
You have the right to:
- Access - request a copy of the personal data we hold about you. The App's local database export covers all device-side data; for cloud-side data contact us.
- Rectification - correct inaccurate data (you can edit any diary entry in-app).
- Erasure ("right to be forgotten") - delete your account and all cloud-side data via Settings → Account → Delete account. This wipes the database documents we hold for you (diary content, app settings, subscription state and audit events), the photo / audio blobs in Cloud Storage and all sync bookkeeping. Local data on the device must be deleted by uninstalling the App.
- Portability - export your diary as a backup file (Settings → Backup) at any time.
- Restriction and objection to processing - contact us.
- Withdraw consent at any time (sign out, disable analytics, decline ads, cancel your subscription).
- Lodge a complaint with your national data-protection authority.
Most rights can be exercised in-app. For anything else, email carrystudios@gmail.com.
Cancelling your subscription stops new diary content from being uploaded but does not by itself delete data already in the cloud - use "Delete account" for full erasure, or "Replace cloud with this device" to overwrite it.
8. Third-Party Services and Sub-Processors
| Service | Provider | Role | More Info |
|---------|----------|------|-----------|
| Firebase (Auth, Firestore, Storage, Analytics, App Check, Cloud Functions) | Google Ireland Ltd. / Google LLC | Sub-processor | https://firebase.google.com/support/privacy |
| Sentry | Functional Software, Inc. (Sentry) | Sub-processor (crash reports) | https://sentry.io/privacy/ |
| RevenueCat | RevenueCat, Inc. | Sub-processor (subscription entitlement management) | https://www.revenuecat.com/privacy |
| Google Sign-In | Google | Authentication provider | https://policies.google.com/privacy |
| Google Drive (when you opt in) | Google | Storage of your manual backup | https://policies.google.com/privacy |
| Google AdMob | Google | Rewarded ads (only when you tap to watch) | https://policies.google.com/technologies/ads |
| Google Play Billing | Google | In-app purchases and subscriptions | https://policies.google.com/privacy |
We have a Data Processing Addendum in place with Google for Firebase services and with RevenueCat for subscription management. If we change or add a sub-processor in a way that materially affects how your data is handled, we will update this list and surface the change in the App.
9. Data Retention
- Local data: stays on your device until you delete an entry or uninstall the App.
- Cloud-synced diary data: kept while your account exists. Deleting the account removes it within a reasonable period (typically minutes to a few days for fully cascading deletion of Storage objects and Firestore documents).
- App-settings backup document: kept while your account exists; removed on account deletion.
- Sync bookkeeping (per-device last-sync timestamps): kept for up to 60 days after last sync, then automatically purged by a server-side cleanup function.
- Subscription audit events: automatically purged after 90 days. The summary entitlement record is preserved while the account exists and removed on account deletion.
- Purchase records: retained as long as needed to honour your premium entitlements; we may anonymise them after that.
- Crash reports (Sentry): retained according to Sentry's standard retention.
- Analytics events: retained according to your Firebase Analytics retention setting (default is 14 months).
10. Security
- All network traffic between the App and our backend uses HTTPS / TLS.
- Cloud Firestore and Cloud Storage data is encrypted at rest by Google.
- Optional client-side end-to-end encryption (section 5.3) further protects diary body text and media bytes against access by us or our sub-processors.
- The mobile client sends App Check (Play Integrity) tokens with every backend call to block abusive or tampered clients.
- Access to the Firebase project is restricted, password-protected and uses two-factor authentication.
No system is perfectly secure. If you discover a vulnerability please email carrystudios@gmail.com.
11. Children
The App is not directed at children under the age of 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided personal data, please contact us so we can delete it.
12. Limited Use Disclosure (Google API Services)
JOURNAL, Personal Diary's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. https://developers.google.com/terms/api-services-user-data-policy
13. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be highlighted in the App and the "Last updated" date above will reflect the change. Continuing to use the App after a change constitutes acceptance of the updated policy.
14. Contact Us
For any questions, requests or to exercise your rights:
Email: carrystudios@gmail.com