Privacy Policy
Contents
- Introduction
- Who We Are
- Minimum Age
- Personal Data We Collect
- How We Use Personal Data
- End-to-End Encryption & Data Access Limitations
- AI Features and Data Processing
- How We Share Personal Data
- Data Retention
- Security Measures
- Your Rights and Choices
- International Data Transfers
- US State Privacy Disclosures
- Changes to This Privacy Policy
- Contact Us
1. Introduction
DeepJournal is a privacy-first, end-to-end encrypted (E2EE) AI journaling application. Your journal is designed to be private by default: all encryption happens on your device, and DeepJournal cannot read your journal content or your encryption keys.
This Privacy Policy explains how we collect, use, store, and protect personal data when you use DeepJournal’s applications, websites, and related services (collectively, the “Service”). It also explains your rights under applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and US state privacy laws.
By using DeepJournal, you acknowledge that you have read and understood this Privacy Policy.
2. Who We Are
DeepJournal is operated by:
Company name: Andicop
Country of incorporation: France
Registered address: Dijon, France
Andicop is the data controller for personal data processed through the Service.
For all privacy-related questions, requests, or concerns, please contact us through:
👉 https://deepjournal.app/contact
We have not appointed a Data Protection Officer (DPO), as we are not required to do so under Article 37 of the GDPR.
3. Minimum Age
DeepJournal is not intended for users under the age of 16.
We do not knowingly collect personal data from children under 16. If we learn that we have collected personal data from a user under 16, we will take steps to delete that data and close the account.
4. Personal Data We Collect
A. Data You Provide Directly
- Account information: email address, authentication credentials (password hashes), and login identifiers when you create an account
- Authentication providers: if you sign in using Google, Apple, or Microsoft, we receive basic account identifiers from those providers
- Payment information: subscription status and payment identifiers when you subscribe to DeepJournal Premium (payments are processed by Stripe; we do not store your full payment details)
- Communications: information you provide when contacting us for support or inquiries
B. Encrypted Journal Content
- Journal entries, notes, states, and logs
- Local encrypted database files
- Encryption keys and recovery keys (wrapped/encrypted only)
All journal content is end-to-end encrypted on your device. We never have access to plaintext journal data or encryption keys.
C. Technical and Usage Data
- Basic usage and performance metrics (e.g., app version, feature usage)
- Error and crash information
- Aggregated analytics for the web version (via Vercel Analytics and Google Search Console)
We do not log IP addresses at the application level.
D. Cookies
We use cookies and similar technologies on our website for essential functionality and analytics.
Details are available here:
👉 https://deepjournal.app/cookie-policy
5. How We Use Personal Data
We use personal data only to:
- Provide, operate, and maintain the Service
- Authenticate users and manage accounts
- Process subscriptions and payments
- Enable encrypted syncing across devices
- Provide customer support
- Improve performance, reliability, and security
- Prevent fraud, abuse, and security incidents
- Comply with legal obligations
We do not use journal content to train AI models.
No training on user content is possible.
6. End-to-End Encryption & Data Access Limitations
DeepJournal uses strict end-to-end encryption (E2EE):
- All encryption happens locally on your device
- Encryption keys are generated and stored only under your control
- Your encryption password is separate from your account login password
- DeepJournal never receives or stores, and cannot recover, your encryption password, data encryption key (DEK), or plaintext data
⚠️ Important:
If you lose your encryption password and recovery key, your data cannot be recovered.
Data portability and access limitations
Because of E2EE:
- You can export your data in plaintext only if you have your encryption keys
- We cannot decrypt or export your journal content on your behalf
7. AI Features and Data Processing
Default AI Mode (Private by Design)
By default, DeepJournal’s AI features operate using secure enclaves and Trusted Execution Environments (TEEs) via Tinfoil and the Encrypted HTTP Body Protocol (EHBP).
This means:
- AI prompts and responses are encrypted end-to-end
- Data is decrypted only inside verified secure enclaves
- DeepJournal, hosting providers, and infrastructure operators cannot read your prompts or outputs
Optional Third-Party AI Providers
In the future, DeepJournal may allow users to optionally enable third-party AI providers (such as OpenAI or Anthropic).
If you choose to enable these providers:
- Your data may be processed according to their privacy policies
- End-to-end encryption may not apply in the same way
- You will be clearly informed before enabling such features
DeepJournal does not control how third-party AI providers process data.
8. How We Share Personal Data
We do not sell or share personal data.
We may share limited data only with trusted service providers necessary to operate the Service, including:
- Hosting and infrastructure: Vercel (EU), Supabase (EU)
- Payments: Stripe
- Email delivery: Resend
These providers process data only under our instructions and applicable data protection laws.
We may also disclose personal data if required by law or to protect our legal rights, users, or the integrity of the Service.
9. Data Retention
- Encrypted journal data: retained until you request account deletion
- Account information: deleted upon account deletion, subject to legal obligations
- Technical logs: retained for limited periods for security and debugging
When you request account deletion:
- Server-side data is deleted
- Your local encrypted SQLite database remains on your device until you delete the app
10. Security Measures
We use industry-standard technical and organizational measures, including:
- End-to-end encryption
- Strong cryptographic primitives (XChaCha20-Poly1305, Argon2id)
- Secure key handling and memory wiping
- Encrypted local databases
- Access controls and monitoring
No system is 100% secure, but DeepJournal is designed to minimize data exposure.
11. Your Rights and Choices
Depending on your location, you may have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your account and personal data
- Export your data (subject to E2EE limitations)
- Restrict or object to certain processing
- Withdraw consent where applicable
- Lodge a complaint with a data protection authority
You can exercise these rights via:
👉 https://deepjournal.app/contact
We do not make decisions based solely on automated processing that produce legal or similarly significant effects.
12. International Data Transfers
Our infrastructure is primarily located in the European Union.
Where data may be accessed from outside the EU (e.g., by users in the US), we rely on:
- EU-based hosting
- Contractual safeguards
- Strong encryption as an additional protective measure
13. US State Privacy Disclosures
For residents of US states with privacy laws (including California, Virginia, and Colorado):
- We do not sell personal data
- We do not engage in targeted advertising
- We do not process sensitive personal data for profiling
You may exercise your rights through the contact methods above.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time.
When we do, we will update the “Last updated” date and publish the revised version on our website.
15. Contact Us
For questions, requests, or concerns about this Privacy Policy or your data: