Privacy Policy

Last Updated: August 2025

What We Collect

  • Identifiers: Email address.
  • Preferences: Selected journal categories, notification schedule, timezone.
  • Authentication: Supabase session identifiers and necessary security cookies; authentication method (Google OAuth or email/password).
  • Service Logs: Basic device/browser info, IP address, timestamps, email/prompt delivery status.
  • We do not collect: Your journal entries or other personal responses to prompts.

How We Use Data

  • Perform the service (contract): Authenticate your account, send prompts on your schedule, store preferences, and secure your session.
  • Improve & protect (legitimate interests): Diagnose issues, measure deliverability, prevent abuse/fraud.
  • Communications: Transactional emails (account, prompts, critical notices). We only send optional updates with your consent; you can opt out anytime.

Cookies & Similar Technologies

We use strictly necessary cookies set by Supabase Auth to keep you signed in and secure the session. We do not use advertising cookies or cross-site tracking pixels.

Data Storage & Security

  • Database: Supabase (PostgreSQL) with TLS in transit and encryption at rest.
  • Hosting: Vercel for application hosting and logs.
  • Email: Resend for transactional email delivery.
  • Controls: Least-privilege access, credential management, and routine backups/monitoring.

International Data Transfers

Our processors (Supabase, Vercel, Resend) may process data in the United States and other countries. Where required, we rely on Standard Contractual Clauses or equivalent safeguards for cross-border transfers.

Data Sharing

We do NOT sell your data.
We do NOT share your data with third parties except to operate the service:
  • Supabase (authentication & database)
  • Vercel (app hosting)
  • Resend (email delivery)
  • Stripe (donations, if you choose to donate)

Your Rights

  • Access / Correction: View and update your information in the app or by request.
  • Deletion: Request account deletion at any time.
  • Pause: Stop notifications at any time in settings.
  • Export: Contact us to request a machine-readable export of your data.

Regional Disclosures

  • California (CPRA): We do not sell or share personal information for cross-context behavioral advertising.
  • EEA/UK (GDPR): Our legal bases are contract (to provide the service) and legitimate interests (to secure and improve it). You may have additional rights to object or complain to your local authority.

How to Exercise Your Rights

Email support@inklingsjournal.live from the address on file. We may ask you to verify ownership by replying from that address before we act on your request.

Data Retention

  • Active accounts: Retained while your account is open.
  • Prompt & delivery logs: Retained up to 90 days for troubleshooting and abuse prevention.
  • Deleted accounts: Active records removed within 30 days of a verified request; residual copies may remain in encrypted backups for up to 90 days and then purge on routine cycles.

Children

Ink-lings is not directed to children under 13, and we do not knowingly collect personal information from children. If you believe a child has provided data, contact us and we will delete it.

Changes

We may update this policy from time to time. If we make material changes, we will notify you by email or in-app notice. Continued use after changes become effective constitutes acceptance.

Contact

Email: support@inklingsjournal.live