Privacy Policy

Last updated: February 14, 2026

Effective date: February 14, 2026

1. Introduction

MindJrnl, Inc. (“MindJrnl,” “we,” “our,” or “us”) is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use the MindJrnl platform, including our website at mindjrnl.com, our web application, and any related services (collectively, the “Service”).

Your mental wellness data is deeply personal. We built MindJrnl with privacy as a foundational principle, not an afterthought. We believe that your data belongs to you, and we will never sell, rent, or trade your personal information to third parties for their marketing purposes.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the practices described in this policy, please do not use the Service.

This Privacy Policy applies to all users of the Service worldwide. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, please pay particular attention to Sections 4 and 8, which describe the legal bases for processing your data and your rights under the General Data Protection Regulation (GDPR). If you are a California resident, please see Section 9 for information about your rights under the California Consumer Privacy Act (CCPA).

2. Information We Collect

We collect information in several ways: directly from you when you provide it, automatically when you use the Service, and occasionally from third-party sources. The types and extent of information we collect depend on how you interact with the Service and which features you use.

2.1 Information You Provide Directly

When you create an account and use the Service, you may provide us with the following categories of information:

  • Account Information: When you register for an account, we collect your name, email address, and an encrypted password. If you sign up using a third-party authentication provider (such as Google), we receive your name, email address, and profile picture URL from that provider.
  • Profile Information: You may optionally provide additional information such as your timezone, display name, avatar, and notification preferences.
  • Journal Entries: The content you write in your journal entries, including text, mood scores, tags, and any associated metadata such as timestamps and template types.
  • Habit Data: Information about habits you create, including habit names, descriptions, frequency settings, completion records, and streak data.
  • Wellness Metrics: Health and wellness data you choose to log, including sleep duration and quality, exercise type and duration, stress levels, hydration intake, and meditation minutes.
  • Task Data: Tasks and to-do items you create, including titles, descriptions, due dates, priorities, and completion status.
  • Payment Information: When you subscribe to a paid plan, your payment information is collected and processed directly by our payment processor, Stripe. We do not store your full credit card number, CVV, or other sensitive payment details on our servers. We receive and store only a tokenized reference, your billing email, the last four digits of your card, and the card expiration date for billing management purposes.
  • Communications: When you contact us through email, our contact form, or other channels, we collect the content of your messages along with your name, email address, and any other information you choose to include.

2.2 Information Collected Automatically

When you access or use the Service, we automatically collect certain information about your device and your usage patterns:

  • Usage Data: We collect information about how you interact with the Service, including pages visited, features used, actions taken (such as creating entries, completing habits, or viewing analytics), timestamps, and general interaction patterns. This data is collected in anonymized or pseudonymized form where possible.
  • Device Information: We collect information about the device you use to access the Service, including your browser type and version, operating system, screen resolution, device type (desktop, tablet, mobile), and language settings. This helps us ensure the Service displays correctly across devices.
  • Log Data: Our servers automatically record information when you access the Service, including your IP address (which may be truncated or anonymized), the date and time of your request, referring/exit pages, and general location information derived from your IP address (city/country level only).
  • Cookies and Similar Technologies: We use essential cookies for authentication and session management. We also use analytics cookies to understand how the Service is used in aggregate. For detailed information about our cookie practices, see Section 10.

2.3 Information from Third Parties

We may receive limited information from third-party services that you choose to connect with the Service. For example, if you sign up or log in using Google OAuth, we receive your basic profile information (name, email, profile picture) from Google. We do not purchase or obtain personal data from data brokers or other commercial sources.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Providing and Maintaining the Service

  • To create, manage, and authenticate your account
  • To store, process, and display your journal entries, habits, wellness metrics, and tasks
  • To generate personalized analytics and insights based on your data
  • To provide AI-powered features such as mood analysis, journal suggestions, and wellness recommendations
  • To process subscription payments and manage billing

3.2 Improving and Developing the Service

  • To analyze usage patterns in aggregate to identify popular features, common workflows, and areas for improvement
  • To conduct internal research on user demographics, interests, and behavior in anonymized form
  • To test and develop new features, products, and services
  • To monitor and analyze trends, usage, and activities in connection with the Service

3.3 Communication

  • To send you transactional emails, including account confirmations, password reset emails, billing receipts, and subscription notices
  • To respond to your support requests, comments, questions, and feedback
  • To send you product updates, feature announcements, and newsletter content (only if you have opted in)
  • To notify you of changes to our terms, policies, or practices

3.4 Safety and Security

  • To detect, prevent, and address fraud, unauthorized access, and other illegal activities
  • To monitor for violations of our Terms of Service
  • To protect the rights, property, and safety of MindJrnl, our users, and the public
  • To comply with applicable legal obligations

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases under the General Data Protection Regulation (GDPR):

  • Contract Performance (Article 6(1)(b)): We process your account information, journal entries, habit data, wellness metrics, task data, and payment information as necessary to perform our contract with you (i.e., to provide the Service you signed up for). Without this processing, we cannot provide the Service.
  • Legitimate Interests (Article 6(1)(f)): We process usage data, device information, and log data for our legitimate interests in improving and securing the Service, understanding how it is used, and preventing fraud. We have balanced these interests against your rights and freedoms and have determined that our processing does not unduly impact your privacy.
  • Consent (Article 6(1)(a)): Where required, we obtain your consent before processing. For example, we ask for your consent before sending you marketing communications or using non-essential cookies. You can withdraw your consent at any time by adjusting your settings or contacting us.
  • Legal Obligation (Article 6(1)(c)): We may process your personal data to comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

For special categories of personal data: your wellness metrics (such as sleep and exercise data) and mood scores could potentially constitute health-related data under GDPR. We process this data based on your explicit consent (Article 9(2)(a)), which you provide when you choose to log this information in the Service. You are never required to provide wellness or mood data; these features are entirely optional.

5. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data to third parties for their marketing or commercial purposes. We share your information only in the limited circumstances described below:

5.1 Service Providers

We use the following third-party service providers who may process your data on our behalf:

  • Supabase (Database and Authentication): Stores your account information, journal entries, habits, and other application data. Supabase provides PostgreSQL hosting with row-level security, AES-256 encryption at rest, and is SOC 2 Type II certified. Data is stored in the United States.
  • Stripe (Payment Processing): Processes subscription payments and manages billing. Stripe is PCI DSS Level 1 certified and handles all sensitive payment data directly. We never see or store your full credit card number.
  • Vercel (Hosting and CDN): Hosts our web application and serves static assets through a global content delivery network. Vercel processes server logs that may include IP addresses and request metadata.
  • Google Analytics (Usage Analytics): Helps us understand how users interact with the Service in aggregate. We have configured Google Analytics with IP anonymization enabled. We do not use Google Analytics to track individual users or share your personal data with Google for advertising purposes.

Each service provider is contractually obligated to use your data only for the purpose of providing their service to us and to maintain appropriate security measures. We conduct periodic reviews of our service providers' privacy and security practices.

5.2 Couples Plan Sharing

If you use the Couples plan, certain data may be shared with your connected partner as part of the plan's shared features. Only data that you specifically designate for sharing is visible to your partner. Your private journal entries and personal wellness data remain private unless you choose to share them.

5.3 Legal Requirements

We may disclose your information if required to do so by law, or:

  • In response to a subpoena, court order, or other legal process
  • In response to a request by a law enforcement agency operating under appropriate legal authority
  • To protect our rights, property, or safety, or the rights, property, or safety of our users or others
  • In connection with the investigation of fraud, intellectual property infringement, or other illegal activity

Where legally permitted, we will make reasonable efforts to notify you before disclosing your data in response to a legal request.

5.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you via email and/or a prominent notice on our website before your personal data is transferred and becomes subject to a different privacy policy.

6. International Data Transfers

MindJrnl is based in the United States, and your data is primarily processed and stored in the United States. If you access the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country of residence.

For users in the EEA, UK, or Switzerland: we transfer your personal data to the United States based on the following safeguards:

  • Standard Contractual Clauses (SCCs): We enter into EU-approved Standard Contractual Clauses with our service providers to ensure adequate data protection for international transfers.
  • EU-U.S. Data Privacy Framework: Where applicable, we rely on service providers that have certified under the EU-U.S. Data Privacy Framework (and relevant UK and Swiss extensions).

You may request a copy of the relevant transfer mechanisms by contacting our Data Protection Officer at the address listed in Section 14.

7. Data Retention

We retain your personal data for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy. Specific retention periods are as follows:

  • Account Data: Retained for as long as your account is active. If you delete your account, all account data is permanently erased within 30 days.
  • Journal Entries, Habits, and Wellness Data: Free plan users have 7-day data retention for analytics features. Pro and Couples plan users have unlimited data retention for the duration of their active subscription. All user-generated content is deleted within 30 days of account deletion.
  • Payment Records: Billing records and transaction history are retained for 7 years after the transaction to comply with tax and financial reporting obligations.
  • Usage Analytics: Anonymized and aggregated analytics data is retained indefinitely. Non-anonymized usage logs are retained for a maximum of 90 days before being anonymized or deleted.
  • Support Communications: Emails and support tickets are retained for 3 years after the last communication in the thread, or until account deletion, whichever occurs first.
  • Marketing Consent Records: Records of your consent to receive marketing communications are retained for as long as you remain subscribed, plus 3 years after unsubscription for compliance purposes.

When your data is no longer needed, we will securely delete or anonymize it. If deletion is not technically feasible (for example, data stored in backup systems), we will isolate the data from further processing until deletion becomes possible.

8. Your Rights

Depending on your location and applicable law, you may have the following rights regarding your personal data:

  • Right of Access: You may request a copy of the personal data we hold about you. You can access most of your data directly through the Service at any time. For a comprehensive data export, contact us and we will provide your data in a machine-readable format within 30 days.
  • Right to Rectification: You may correct or update inaccurate or incomplete personal data. You can update your profile information directly through the Settings page. For corrections to other data, please contact us.
  • Right to Erasure (“Right to Be Forgotten”): You may request that we delete your personal data. You can delete your account and all associated data through the Settings page. Upon deletion, all your data is permanently removed within 30 days, except where we are legally required to retain certain information.
  • Right to Data Portability: You may request your data in a structured, commonly used, machine-readable format. Pro plan users can export their data in CSV or PDF format directly from the app. Free plan users can request a data export by contacting us.
  • Right to Restrict Processing: You may request that we restrict the processing of your personal data under certain circumstances, such as when you contest the accuracy of your data or when you believe our processing is unlawful.
  • Right to Object: You may object to the processing of your personal data for direct marketing purposes at any time. You may also object to processing based on our legitimate interests, and we will cease processing unless we demonstrate compelling legitimate grounds.
  • Right to Withdraw Consent: Where we process your data based on consent, you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing that occurred before the withdrawal.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority if you believe our processing of your personal data violates applicable law.

To exercise any of these rights, please contact us at privacy@mindjrnl.com or use the contact information provided in Section 14. We will respond to all legitimate requests within 30 days. In certain cases, we may need to verify your identity before processing your request.

9. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information.

9.1 Your California Rights

As a California resident, you have the right to:

  • Know: Request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collecting the information, and the categories of third parties with whom we share the information.
  • Delete: Request that we delete your personal information, subject to certain exceptions provided by law.
  • Correct: Request that we correct inaccurate personal information we maintain about you.
  • Opt-Out of Sale or Sharing: We do not sell your personal information, and we do not share your personal information for cross-context behavioral advertising. Therefore, there is no need to opt out of these practices.
  • Non-Discrimination: You will not be discriminated against for exercising any of your CCPA rights.

9.2 Categories of Information Collected

In the preceding 12 months, we have collected the following categories of personal information:

  • Identifiers: Name, email address, IP address, account ID
  • Commercial Information: Subscription plan, payment history, billing records
  • Internet/Electronic Activity: Browsing history on our Service, interactions with features, device information
  • Inferences: Mood patterns, wellness trends, and habit analytics derived from your usage of the Service

9.3 Exercising Your California Rights

To exercise your California privacy rights, contact us at privacy@mindjrnl.com with the subject line “California Privacy Request.” You may also submit a request through our contact form. We will verify your identity before processing your request by matching the information you provide with the information we have on file. We will respond to verifiable consumer requests within 45 days. If additional time is needed, we will notify you of the extension and the reason.

10. Cookie Policy

Cookies are small text files that are stored on your device when you visit our website. We use cookies and similar technologies for the following purposes:

10.1 Essential Cookies

These cookies are strictly necessary for the Service to function and cannot be disabled. They include:

  • Authentication cookies: Used to keep you logged in and maintain your session. These cookies expire when you log out or after 7 days of inactivity.
  • Security cookies: Used to detect and prevent fraudulent login attempts and cross-site request forgery (CSRF) attacks.
  • Preference cookies: Used to remember your settings, such as your preferred theme (light/dark mode) and timezone.

10.2 Analytics Cookies

We use Google Analytics to understand how visitors interact with our Service in aggregate. These cookies collect information such as pages visited, time spent on pages, and the sequence of pages visited. This data is anonymized and aggregated; we do not use analytics cookies to identify individual users.

You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

10.3 No Third-Party Tracking Cookies

We do not use third-party advertising or tracking cookies. We do not participate in ad networks, and we do not allow third parties to place cookies on our Service for advertising purposes.

10.4 Managing Cookies

Most web browsers allow you to control cookies through their settings. You can usually set your browser to refuse all or some cookies, or to alert you when cookies are being set. Please note that disabling essential cookies may prevent you from using certain features of the Service.

11. Security Measures

We implement comprehensive technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

11.1 Technical Measures

  • Encryption at Rest: All data stored in our database is encrypted using AES-256 encryption.
  • Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3.
  • Row-Level Security: Our database implements row-level security policies that ensure you can only access your own data. Even in the unlikely event of an application-level vulnerability, the database itself enforces access controls.
  • Password Hashing: User passwords are hashed using bcrypt with a high work factor. We never store passwords in plain text.
  • Secure Authentication: We support secure authentication methods including email/password with bcrypt hashing and OAuth 2.0 through trusted providers.
  • Regular Updates: We keep all software dependencies up to date and promptly apply security patches.

11.2 Organizational Measures

  • Access Controls: Access to personal data is limited to employees and contractors who need it to perform their job duties. All access is logged and audited.
  • Security Training: Team members receive regular training on data protection and security best practices.
  • Vendor Assessment: We conduct security assessments of all third-party service providers before engaging them and periodically review their security posture.
  • Incident Response: We maintain an incident response plan and will notify affected users and relevant authorities of any data breach within 72 hours, as required by applicable law.

While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents that may arise.

12. Children's Privacy

The Service is not directed to children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children under 13.

If you are a parent or guardian and you believe that your child under 13 has provided us with personal information, please contact us immediately at privacy@mindjrnl.com. If we become aware that we have collected personal information from a child under 13 without verification of parental consent, we will take steps to delete that information from our servers within 30 days.

Users between the ages of 13 and 18 may use the Service with the consent and supervision of a parent or legal guardian. The parent or guardian is responsible for monitoring the minor's use of the Service and ensuring compliance with these terms.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:

  • Update the “Last updated” date at the top of this policy
  • Post the revised policy on this page
  • For material changes, send a notification to the email address associated with your account at least 30 days before the changes take effect
  • For material changes, display a prominent notice within the Service

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data. Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy.

14. Contact and Data Protection Officer

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

  • Email: privacy@mindjrnl.com
  • Contact Form: mindjrnl.com/contact
  • Mailing Address: MindJrnl, Inc., 548 Market Street, Suite 35410, San Francisco, CA 94104, United States

Data Protection Officer

For matters specifically related to data protection and GDPR compliance, you may contact our Data Protection Officer:

  • Email: dpo@mindjrnl.com

We aim to respond to all privacy-related inquiries within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.

For EU/EEA residents, you may find the contact details for your national data protection authority on the European Data Protection Board website.