Privacy Policy

Last updated: December 25, 2025

1. Overview

Protecting your personal data is our priority. afora is local-first: entries are stored locally with encryption. iCloud sync is available for Pro users but requires explicit opt-in. AI features, analytics, and crash reporting are opt-in and disabled by default.

Core promise: Journal entries, moods, photos, tags, locations, and reflections are encrypted on your device. We cannot read them locally. CloudKit copies in your iCloud are not end-to-end encrypted by us and only occur if you explicitly opt in. AI, analytics, and crash reports are disabled by default and only run with your explicit consent.

2. Controller

Burzinski & Jaenisch GbR
Burgunder Str. 1
14197 Berlin, Germany
Email: afora@bejaniclabs.de
No data protection officer appointed (not required).

3. Data Processing in the App

3.1 Local storage (default)

Journal entries, moods, tags, folders, photos, events, and optional location names are stored locally with AES-256 encryption; keys stay in the iOS Keychain. Legal basis: Art. 6(1)(b) GDPR (performance of the contract – providing the app).

3.2 iCloud sync (Pro; on by default)

For Pro users, sync is enabled by default when iCloud is available, using your personal Apple iCloud (CloudKit). Apple is the controller for iCloud; data is stored there as JSON (not end-to-end encrypted by us). We do not receive iCloud content. You can disable sync in Settings → Sync at any time. Legal basis: Art. 6(1)(b) GDPR (performance of the contract).

3.3 Account & authentication (Supabase, EU)

Sign-in uses Supabase (region: Frankfurt, EU). Data: email, name (if provided), Supabase user ID, session tokens stored in your Keychain. Legal basis: Art. 6(1)(b) GDPR. Retention: until account deletion or request for erasure.

3.4 AI features (optional, off by default)

Backtrack questions, title suggestions, and writing assists run only if you enable them. On iOS 26+ we first attempt on-device AI (no data leaves your device). If cloud processing is needed, we send the minimum necessary data:

  • Title generation: up to 1,000 characters and up to 10 tags
  • Backtrack: up to 500 characters per entry, mood labels for up to 6 months, optional tags/titles/events/places per your privacy toggles
  • Continue/Start Writing: may include the full note text plus optional mood/title to generate the response

Cloud AI is routed through our backend (Cloudflare Workers, EU) via Cloudflare AI Gateway to OpenRouter (USA, Zero Data Retention enabled). Models currently used: Mistral Nemo (backtrack questions), Google Gemini 2.5 Flash Lite (titles), Google Gemini 2.5 Flash (writing), and OpenAI GPT-OSS-120B as fallback. With Zero Data Retention enabled, OpenRouter and model providers do not store your prompts or responses after processing. Data is used only to generate the answer and is not retained by us, OpenRouter, or the model providers. Cloudflare AI Gateway does not log request content. Transfers outside the EU rely on EU Standard Contractual Clauses or equivalent safeguards (OpenRouter uses SCCs; Cloudflare is EU-U.S. Data Privacy Framework certified). Legal basis: Art. 6(1)(a) GDPR (consent). You can disable AI features at any time in Settings → Privacy.

3.5 Analytics (optional, off by default)

If you opt in, we use PostHog (self-hosted in the EU) to capture app launches, tab switches, feature usage, device type, OS version, and app version. No journal content, moods, or text are collected. Legal basis: Art. 6(1)(a) GDPR. Retention: 90 days.

3.6 Onboarding preferences (optional, off by default)

During onboarding, you can share anonymous preferences to help us improve the app. This data is only collected if you explicitly grant privacy consent. We collect:

  • Age range (e.g., 18-24, 25-34)
  • Selected goals (e.g., reduce stress, build habits)
  • Streak goal preference (e.g., 7 days, 21 days)
  • Reminder time and cycle preferences (e.g., morning, evening)
  • Feature opt-in flags (analytics, crash reporting, AI features)

Your user ID is hashed using SHA-256 before storage for pseudonymization. We do NOT collect your name or location. Data is stored on our backend server (hosted on Railway in the Netherlands, EU). Legal basis: Art. 6(1)(a) GDPR (consent). Retention: until account deletion or upon request. You can request deletion by contacting us at afora@bejaniclabs.de.

3.7 Crash reports & feedback (optional, off by default)

If enabled, we use Sentry (EU region) to collect crash data (device model, OS version, stack traces). Journal content is never sent. Optional user feedback can include name and email if you provide them. Retention: 90 days. Legal basis: Art. 6(1)(a) GDPR.

3.8 Subscriptions & payments

Payments are processed by Apple. Subscription status is managed via RevenueCat. Data: subscription status, product, purchase/renewal dates, anonymized App User ID (linked to your Supabase user ID for entitlement checks). No card data is shared with us. RevenueCat is based in the USA; SCCs apply. Legal basis: Art. 6(1)(b) GDPR.

3.9 Location (optional)

If you add a place to an entry, we store the location locally (and in your iCloud if sync is on). Legal basis: Art. 6(1)(a) GDPR.

4. Website

4.1 Server logs

IP address, timestamp, and user agent are stored for up to 30 days for security (Art. 6(1)(f) GDPR).

4.2 Web Analytics

We use Vercel Analytics and DataBuddy for privacy-friendly web analytics. These tools collect anonymous usage data without cookies or personal information to help us understand how visitors use our website.

5. Processors and recipients

  • Apple (iCloud, App Store payments, Sign in with Apple)
  • Supabase (authentication) – region: Frankfurt (EU)
  • Cloudflare (backend hosting via Cloudflare Workers, AI Gateway routing) – global network, EU-U.S. Data Privacy Framework certified, SCCs; AI Gateway does not log prompts/responses
  • Upstash Redis (caching subscription checks) – region: Frankfurt (EU), TTL 12–18 minutes
  • RevenueCat (subscription management) – USA, SCCs
  • PostHog (analytics, EU deployment) – only if enabled
  • Sentry (crash reporting, EU region) – only if enabled
  • Railway (backend server hosting for onboarding data) – region: Netherlands (EU) – only if privacy consent granted
  • OpenRouter, Inc. (AI relay to model providers) – USA (New York), SCCs, Zero Data Retention enabled (no storage of prompts/responses) – only if AI is enabled
  • AI model providers: Mistral AI (Mistral Nemo), Google (Gemini 2.5 Flash / Flash Lite), OpenAI (GPT-OSS-120B) – only if AI is enabled; Zero Data Retention via OpenRouter; SCCs or equivalent for non-EU transfers
  • Vercel (website hosting/analytics)
  • DataBuddy (privacy-first web analytics, GDPR compliant, no cookies)

6. International transfers

AI processing via OpenRouter (USA), RevenueCat (USA), and AI model providers (Mistral AI, Google, OpenAI) may involve transfers outside the EEA. We rely on EU Standard Contractual Clauses, EU-U.S. Data Privacy Framework (Cloudflare), or equivalent safeguards. Data sent for AI is minimized and not retained thanks to Zero Data Retention routing.

7. Your rights

  • Access (Art. 15)
  • Rectification (Art. 16)
  • Erasure (Art. 17)
  • Restriction (Art. 18)
  • Portability (Art. 20) – export in Settings → Your Data
  • Withdrawal of consent (Art. 7) – toggle in Settings
  • Objection to processing based on legitimate interests (Art. 21) – e.g., to server logs
  • Complaint to a supervisory authority

8. Retention

  • Journal content: until you delete it (local/iCloud)
  • AI request data: not stored after response
  • Analytics (PostHog): 90 days
  • Onboarding preferences (backend server): until account deletion or upon request
  • Crash reports/feedback (Sentry): 90 days
  • Subscription cache (Upstash Redis): 12–18 minutes
  • Server logs: 30 days
  • RevenueCat subscription records: for the duration of the subscription plus statutory retention

9. Security

  • AES-256 encryption for journal data
  • Keychain storage for keys and tokens
  • TLS for all network traffic
  • Biometric lock (Face ID / Touch ID) supported
  • Data minimization for AI (truncation and sanitization)

10. Changes

We may update this policy. Material changes will be announced in-app or by email.

11. Contact

Questions or requests? afora@bejaniclabs.de

© Burzinski & Jaenisch GbR

Apple and Android are trademarks of their respective owners. afora is not affiliated with, endorsed by, or sponsored by Apple Inc. or Google LLC.