Privacy Policy

1. Introduction

inwardly ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use the inwardly iOS application (the "App").

We built inwardly on a foundation of privacy. Your journal entries are encrypted before they leave your device. We never sell your data. We never use your writing to train AI models. Period.

By using the App, you agree to the practices described in this Privacy Policy. If you have questions, contact us at privacy@goinwardly.app.

2. Information We Collect

We collect only what is necessary to operate the App.

Account information: When you create an account, we collect your email address. We do not collect your name unless you voluntarily provide a display name during onboarding.

Journal entries: Your journal entries are encrypted on your device using AES-256 encryption before being transmitted to our servers. We store the encrypted ciphertext and associated metadata (creation date, word count, mood score, entry ID). We cannot read your journal entries.

Mood data: If you use the mood check-in feature, we store your mood score (a number from 1 to 5) alongside your encrypted entry. Mood scores are not encrypted but are protected by access controls.

Usage data: We may collect anonymized, aggregate usage statistics (such as how often features are used) to improve the App. This data cannot be linked back to individual users or entries.

Device information: Standard information such as device type, operating system version, and app version may be collected for debugging purposes.

We do not collect your location, contacts, photos, or any other personal data beyond what is listed above.

3. How Your Journal Entries Are Protected

Your journal entries are encrypted using AES-256-CTR encryption before they leave your device. The encryption key is generated on your device and stored in the iOS Keychain — a hardware-backed secure enclave that only your app can access.

This means:

• We cannot read your journal entries, even if we wanted to.
• Our backend (Supabase) stores only encrypted ciphertext.
• If you delete your account, your encrypted data is deleted from our servers.
• We do not have a way to recover your entries if you lose access to your device. Please export your data regularly.

We use Supabase (supabase.com) as our backend database provider. Supabase stores your encrypted data in PostgreSQL databases hosted on AWS infrastructure. Supabase is SOC 2 Type 2 certified. Your data is protected by Row Level Security (RLS) policies that ensure each user can only access their own data.

4. AI Features and Your Data

inwardly+ subscribers have access to AI-powered features, including personalized daily prompts, weekly reflections, and pattern detection. These features are powered by the Claude API, developed by Anthropic, Inc.

When you use AI features, a small number of your recent journal entries (typically the 5 most recent) are sent to the Claude API in encrypted-in-transit form to generate insights. This transmission is:

• Encrypted in transit using TLS 1.3.
• Routed through our own secure API proxy, never directly from your device to Anthropic.
• Protected by authentication — only you can trigger requests on your behalf.

We do not use your journal entries to train AI models. Anthropic's API terms prohibit using API responses to train competing models. Your entries are used only to generate the specific insight you requested, and are not retained by Anthropic beyond the scope of the API request.

If you are on the free tier, no journal entry content is ever sent to any AI API.

5. How We Use Your Information

We use the information we collect to:

• Operate and provide the App and its features
• Authenticate your account and keep it secure
• Generate AI-powered insights (premium subscribers only, as described above)
• Send you optional daily reminder notifications (only if you enable them)
• Respond to support requests
• Improve the App through aggregate, anonymized analytics

We do not use your information to:

• Sell to or share with third parties for marketing purposes
• Build advertising profiles
• Train AI models
• Contact you for marketing without your explicit consent

6. Third-Party Services

We use the following third-party services to operate the App. Each has its own privacy policy.

Supabase (supabase.com): Backend database and authentication. Stores your account information and encrypted journal data. Privacy policy: supabase.com/privacy

Anthropic Claude API (anthropic.com): Powers AI features for premium subscribers. Receives anonymized recent entry content to generate insights. Privacy policy: anthropic.com/privacy

RevenueCat (revenuecat.com): Manages subscription purchases and entitlements. Processes your App Store subscription status. Privacy policy: revenuecat.com/privacy

Apple App Store: Processes all payments. We do not receive or store your payment card information. Apple's privacy policy applies to all payment transactions.

We do not use advertising networks, tracking pixels, or third-party analytics SDKs that profile individual users.

7. Data Retention

We retain your account information and encrypted journal data for as long as your account is active.

You may request deletion of your account and all associated data at any time by contacting privacy@goinwardly.app, or directly from Settings within the App. We will delete your data within 30 days of receiving your request.

Deleted entries are soft-deleted (marked as deleted) and permanently purged from our servers within 30 days.

Backups may retain your data for up to 30 additional days following deletion, after which it is permanently removed.

8. Your Rights

You have the right to:

• Access the data we hold about you
• Correct inaccurate data
• Request deletion of your data
• Export your journal entries (available in the App for all users, including free tier)
• Opt out of AI features by not subscribing to inwardly+

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale of personal information (we do not sell personal information).

If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR). Our legal basis for processing your data is the performance of our contract with you (operating the App). You may lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at privacy@goinwardly.app.

9. Children's Privacy

The App is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at privacy@goinwardly.app and we will delete it promptly.

10. Security

We take reasonable measures to protect your information:

• Journal entries are encrypted on-device before transmission (AES-256-CTR)
• All data in transit is protected by TLS 1.3
• Our backend uses Row Level Security to ensure data isolation between users
• We use secure, hardware-backed key storage (iOS Keychain) for your encryption key
• API access to your data requires valid authentication tokens

No security system is impenetrable. If you believe your account has been compromised, contact privacy@goinwardly.app immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the App or by email. Your continued use of the App after changes take effect constitutes acceptance of the updated policy.

The "Last Updated" date at the top of this page indicates when this policy was last revised.

12. Contact Us

If you have questions or concerns about this Privacy Policy, please contact us:

Email: privacy@goinwardly.app
Website: goinwardly.app

We aim to respond to privacy inquiries within 5 business days.