Privacy Policy

Last Updated: November 24, 2025

1. Introduction

VākJournal ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application. Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the application.

2. Information We Collect

We collect information you provide directly to us, such as when you create an account, use our services, or contact us for support.

Personal Information

• Phone number (for authentication)
• Name, email (optional)
• Profile picture (optional)
• Voice recordings and transcriptions
• Journal entries and reflections
• Growth moments and insights
• Weekly insight summaries
• Notification preferences

Automatically Collected Information

• Device information (type, operating system)
• App usage data and analytics (hashed/anonymized)
• Crash reports and performance data
• Session information and feature interactions

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our services
• Process and transcribe your voice recordings
• Generate AI-powered insights and reflections using OpenAI's API
• Create personalized conversation context based on your journal entries and growth moments
• Send you technical notices and support messages
• Respond to your comments and questions
• Protect against fraudulent or illegal activity
• Analyze app usage patterns (using hashed, pseudonymous data) to improve user experience

4. Data Security

We implement industry-standard security measures to protect your data:

• Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS/SSL
• Encryption at rest: All data stored on our servers is encrypted using industry-standard encryption
• Secure authentication using phone number verification
• Regular security audits and updates
• Secure cloud storage with access controls and monitoring

5. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following situations:

• With your consent
• To comply with legal obligations
• To protect our rights and prevent fraud
• With service providers who assist in app operations (under strict confidentiality agreements)

AI Processing Services

To provide AI-powered insights and personalized reflections, we share the following data with OpenAI:

• Journal conversation transcripts: Your voice recordings converted to text and our AI assistant's responses
• Growth moment texts: Insights you've identified as meaningful

Important Clarification About Conversation Content:

Your journal transcripts contain your actual conversation content as you speak it. This means:

• ✓ We do NOT send your profile information (name, phone number, email address, user ID) to OpenAI
• ⚠️ However, the conversation transcripts themselves may contain personal information you choose to share during journaling (such as names of people, places, events, feelings, and experiences)
• ⚠️ Any personal details you mention during your journal sessions are included in the transcripts sent to OpenAI for processing

What This Means For You:

Be mindful of the personal information you share during journal sessions. While your profile identity is not shared with OpenAI, the content of your conversations is shared in full to generate meaningful insights and reflections.

OpenAI's Data Practices:

• OpenAI processes this data according to their terms and does not use it to train their models when using their API
• Data sent via API is subject to OpenAI's privacy policy and data retention practices
• For more information, please review OpenAI's privacy policy at https://openai.com/policies/privacy-policy

Analytics and Error Tracking

We use third-party analytics and error tracking services (PostHog and Sentry) to improve our app. To protect your privacy:

• Email addresses, phone numbers, and names are hashed using SHA-256 before being sent to analytics services
• Audio file URLs are never included in error reports or analytics
• Only pseudonymous identifiers (hashed values) are shared, not raw personal information
• User IDs (GUIDs) are used for session tracking but are not personally identifiable

This ensures that even if these services experience a data breach, your personal information cannot be recovered from the hashed values.

6. Your Rights and Choices

You have the right to:

• Access your personal information stored in the app
• Update or correct your profile and account information
• Delete your account and associated data (see Section 7 for details)
• Export your data in JSON format (available in Profile → Data Management)
• Opt-out of notifications and communications
• Request restrictions on data processing

Right to Be Forgotten (GDPR/CCPA)

We comply with the "Right to Be Forgotten" under:

• General Data Protection Regulation (GDPR) - European Union
• California Consumer Privacy Act (CCPA) - California, USA
• Apple App Store and Google Play Store privacy requirements

How to Exercise Your Rights

Delete Your Account:

1. Go to Profile → Data Management
2. Tap "Delete Account"
3. Confirm deletion (this cannot be undone)

Export Your Data:

1. Go to Profile → Data Management
2. Tap "Export My Data"
3. Save the JSON file with all your data
4. Share or store the file as needed

Update Your Information:

• Edit your profile directly in the app
• Update notification preferences in Profile settings

Contact Us:

• Email privacy@asthrasolutions.com for any privacy-related requests

7. Data Retention and Deletion

Active Account Data Retention

We retain your personal information for as long as your account is active and necessary to provide our services.

What Happens When You Delete Your Account

When you delete your account through Profile → Data Management, the following occurs:

✅ Immediately Deleted (within seconds):

• Profile Information: Name, email, phone number, profile picture
• Journal Entries: All conversation transcripts and metadata
• AI Insights: Summaries, themes, key moments, sentiment analysis
• Growth Moments: Personal insights and reflections
• Action Items: All tracked action items and completion status
• Weekly Insights: Aggregated weekly summaries
• Conversation Context: AI memory and user preferences
• Notification Preferences: Reminder settings and push tokens
• Local Device Data: Cached data and AsyncStorage contents
• Authentication: Your phone number is permanently disassociated
• Active Sessions: All login sessions are terminated

⚠️ Retained Temporarily After Deletion:

Audio Recordings:

• Location: Stored on external backend servers (not in our database)
• Deletion Timeline: Automatically deleted 7 days after account deletion
• Reason: Short retention period allows for potential account recovery support
• Privacy: Not linked to your identity after account deletion

Anonymized Analytics Data:

• Service: PostHog analytics platform
• Data Type: Usage patterns, feature interactions, error logs
• Purpose: Product improvement and bug tracking
• Privacy: All personally identifiable information (PII) is hashed/anonymized
• Note: Cannot be reverse-engineered to identify you

Database Backups:

• Type: Automated disaster recovery backups
• Retention: 30-90 days (automatic rotation)
• Access: Only used for emergency recovery
• Note: Permanently purged when backups expire

Legal/Compliance Records:

• Financial records (if applicable, required by law)
• Security audit logs (if required for compliance)
• Retention: As required by law (typically 3-7 years)

Data Deletion Timeline

Exceptions to Immediate Deletion

We may retain your data longer if:

1. Required by law or legal obligation
2. Your account is subject to legal or security investigation
3. There are unresolved disputes or claims
4. Technical limitations (e.g., backup rotation schedules)

You will be notified if any exception applies to your account.

Recommendation: Export Before Deletion

We strongly recommend exporting your data before deleting your account:

1. You cannot recover your account after deletion
2. You cannot retrieve your journals or insights after deletion
3. Export creates a portable JSON file with all your data
4. You can archive this file for your personal records

8. Children's Privacy

Our service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we discover that a child under 13 has provided us with personal information, we will promptly delete such information.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that are different from the laws of your country. We ensure appropriate safeguards are in place to protect your information.

10. Third-Party Services and Data Processing

Services We Use

Supabase (Database & Authentication)

• Purpose: Store your data securely with encryption
• Data: All journal entries, profile information, and app data
• Location: Cloud infrastructure with global availability
• Privacy: Row-level security ensures users only access their own data

OpenAI (AI Processing)

• Purpose: Generate insights and personalized reflections
• Data: Journal transcripts and growth moments (no PII)
• Privacy: Does not use API data for training models
• Policy: https://openai.com/policies/privacy-policy

External Backend (Voice Processing)

• Purpose: Process voice recordings and generate transcripts
• Data: Audio recordings
• Retention: Subject to service provider's policy
• Privacy: Audio not linked to identity after account deletion

PostHog (Analytics)

• Purpose: Product analytics and feature usage tracking
• Data: Hashed PII, usage patterns, feature interactions
• Privacy: All personal information is hashed before transmission
• Note: Cannot reverse-engineer identity from hashed data

Sentry (Error Tracking)

• Purpose: Monitor app crashes and performance issues
• Data: Error logs, stack traces, device information
• Privacy: No PII or audio URLs included in error reports

11. Changes to This Privacy Policy

We may update this privacy policy from time to time. We will notify you of any changes by posting the new privacy policy on this page and updating the "Last Updated" date. Major changes affecting data deletion or retention will be communicated via email or in-app notification.

Recent Updates:

• November 24, 2025: Added detailed account deletion process, data retention specifics, and data export functionality

12. Contact Us

If you have questions or concerns about this privacy policy or our data practices, please contact us at:

Email: privacy@asthrasolutions.com
Company: Asthra LLC

For privacy-related requests (data access, deletion, export):

• Use the in-app Profile → Data Management section
• Or email privacy@asthrasolutions.com with your request

For general support:
Email support@asthrasolutions.com

Version: 2.0
Effective Date: November 24, 2025
Previous Version: November 6, 2025