Legal

Privacy Policy

Effective date: 18 March 2026 · Last updated: 18 March 2026

This Privacy Policy explains how Clarity Journal ("we", "us", "our") collects, uses, and protects your personal data when you use our mobile application. We comply with the General Data Protection Regulation (GDPR) and the German Bundesdatenschutzgesetz (BDSG). Please read this carefully.

1. Controller

The data controller responsible for processing your personal data is:

Finn Strehl
Kaiser-Friedrich-Ring 142
40547 Düsseldorf
Germany
Email: strehldevs@gmail.com
Phone: +49 176 59058049

2. Data We Collect

2.1 Data you provide directly

Journal entries & reflections — text you write inside the app
Display name — the name you enter during onboarding (stored locally on your device)
Archetype and preference selections — stored locally on your device
App lock PIN — stored encrypted locally on your device via Expo Secure Store; never transmitted

2.2 Data collected automatically

Pseudonymous analytics events — app opens, feature usage, screen views (no names or email addresses attached)
A/B test participation — which paywall or UI variant you saw
Subscription status — whether you are a free or Pro user (via RevenueCat)
Device identifiers — pseudonymous identifiers used by analytics and RevenueCat (not linked to your real identity by us)
Purchase receipts — processed by Google Play and RevenueCat; we do not store card data

2.3 Data we do NOT collect

Email addresses or phone numbers (no account registration required)
Location data
Camera, microphone, or contacts
Advertising IDs (we do not serve ads)

3. How We Use Your Data

Purpose	Data used	Legal basis (GDPR Art. 6)
Providing the app's core journaling functionality	Journal entries, preferences	Art. 6(1)(b) — contract performance
AI analysis of your reflections (pattern detection, weekly insight)	Journal entry text	Art. 6(1)(b) — contract performance
Subscription management and payment processing	Subscription status, purchase receipts	Art. 6(1)(b) — contract performance
Improving the app via anonymous analytics	Pseudonymous event data	Art. 6(1)(f) — legitimate interests
A/B testing of UI features and paywalls	Pseudonymous device identifier, variant shown	Art. 6(1)(f) — legitimate interests
Push notifications (reminders, if enabled)	Notification token	Art. 6(1)(a) — consent
Legal compliance and fraud prevention	Transaction records	Art. 6(1)(c) — legal obligation

4. AI Processing of Journal Entries

When you submit a reflection or trigger pattern analysis, the text of your journal entry is sent to Google (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) via the Gemini API for the purpose of generating an AI response. This is the core service you signed up for.

Important: Your journal entry text is transmitted to Google's servers (Gemini API) to generate your response. We do not store your entries on our own servers — they are saved only locally on your device. Google processes this data under its API data processing agreement. As of the effective date of this policy, Google does not use API-submitted content to train its models by default.

We encourage you to avoid entering data that could identify third parties (e.g. full names of other people) in your reflections unless necessary for your personal journaling purpose.

5. Third-Party Service Providers

We use the following third-party processors who may receive your data:

Service	Purpose	Data shared	Privacy Policy
Google (Gemini API)	AI reflection analysis	Journal entry text (sent on-demand)	policies.google.com/privacy
RevenueCat	Subscription management	Pseudonymous user ID, subscription status, purchase events	revenuecat.com/privacy
PostHog	Analytics & A/B testing	Pseudonymous event data, device identifiers	posthog.com/privacy
Google Play	App distribution & payment	Purchase data (handled by Google)	policies.google.com/privacy
Expo (Expo Inc.)	Push notification delivery	Notification token (if you enable reminders)	expo.dev/privacy

All third-party processors are contractually bound to process your data only as instructed and in compliance with GDPR where applicable.

6. International Data Transfers

Some of our service providers (including Google, RevenueCat, and PostHog) are based in the United States. Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on an adequacy decision.

7. Data Retention

Journal entries — stored only on your device. We cannot access or delete them. You can delete the app at any time to remove all locally stored data.
Analytics data — retained by PostHog for up to 12 months in pseudonymised form.
Subscription records — retained by RevenueCat and Google Play per their policies and applicable tax law (typically 7 years for financial records under German law).
AI processing — journal entries sent to Google (Gemini API) are not retained by us. Refer to Google's retention policy for their processing.

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

Right of access (Art. 15) — request a copy of the data we hold about you
Right to rectification (Art. 16) — request correction of inaccurate data
Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten")
Right to restriction (Art. 18) — request that we limit how we process your data
Right to data portability (Art. 20) — receive your data in a structured, machine-readable format (you can export your journal from within the app)
Right to object (Art. 21) — object to processing based on legitimate interests
Right to withdraw consent (Art. 7(3)) — withdraw any consent you have given at any time (e.g. push notifications can be disabled in your device settings)

To exercise any of these rights, contact us at: strehldevs@gmail.com

We will respond to requests within 30 days. You also have the right to lodge a complaint with a supervisory authority. In Germany, you may contact the data protection authority relevant to your federal state, or the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI).

9. Data Security

We take reasonable technical and organisational measures to protect your data. Journal entries are stored only on your device using AsyncStorage and, for sensitive data like your PIN, using Expo Secure Store (backed by the device's secure enclave / Keystore). Network transmissions to Google (Gemini API) and other services are made over encrypted HTTPS connections.

However, no method of transmission over the internet is 100% secure. You are responsible for keeping your device secure and enabling app lock if you are concerned about third-party access to your journal.

10. Children's Privacy

Clarity Journal is intended for users aged 16 and over. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us and we will take steps to delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of the app after changes constitute acceptance of the updated policy.

12. Contact

For any questions about this Privacy Policy or to exercise your rights, contact:

Finn Strehl
Email: strehldevs@gmail.com
Address: Kaiser-Friedrich-Ring 142, 40547 Düsseldorf, Germany

This policy was written in English. In the event of any conflict between this English version and any translated version, the English version shall prevail.