🔒
Security & Privacy
This page explains how we protect your account and your journal—encryption, local-first storage, and what happens when you use optional features.
Related: Privacy Policy · Terms of Service · GDPR
- All data encrypted in transit (HTTPS/TLS) when syncing to cloud
- Journal entries encrypted at rest (AES-256) and stored locally on your device
- Encryption keys stored securely in device keychain/keystore (hardware-level security)
- No plain text storage of sensitive data — everything is encrypted before storage
- Native app security: Your device's built-in security features protect your data
SoulFrame Journal is registered with the Information Commissioner's Office (ICO) in the UK, demonstrating our commitment to data protection and compliance with UK data protection regulations.
- Firebase Authentication for secure login
- Session management with secure tokens
- Rate limiting on all endpoints
- Automatic session expiration
- Complete Privacy: Your journal entries are private to your account only. We never read, analyze, or share your personal thoughts with anyone—including our team.
- Local-First Storage: All journal entries are stored locally on your device using encrypted Hive database (AES-256). Your data never leaves your device unencrypted unless you enable cloud backup.
- Offline-First: Your entries are always available, even without internet connection. Write, reflect, and review your journal entries anytime, anywhere—no internet required.
- Device-Level Security: Encryption keys are stored in your device's secure keychain/keystore (iOS Keychain or Android Keystore), providing hardware-level protection.
- Optional Cloud Backup: You can enable cloud backup in your profile settings. If enabled, your data is encrypted at rest (AES-256) and in transit (TLS) in Firebase. Only you can access your encrypted data.
- AI Processing: When you request an AI reflection, your entry is sent securely to OpenAI's API for processing. This data is not stored by OpenAI and is only used to generate your reflection. PII (emails, URLs) is redacted before transmission.
- Data Ownership: You own 100% of your data. All entries are stored locally on your device first. Cloud backup is optional and user-controlled. You can request complete deletion of your account and all associated data at any time.
- Native mobile app built with Flutter — optimized security and performance
- Local-first architecture: Data stored on your device, synced securely when needed
- Hosted on secure cloud infrastructure (Firebase) for optional sync and backup
- Regular security updates and patches delivered through app stores
- Firebase App Check for API protection
- Crisis detection before AI processing
- Input validation and sanitization
- Device-level encryption using platform-native secure storage
- App Store & Play Store Integration: All in-app purchases are processed securely through Apple App Store (iOS) and Google Play Store (Android). We never see or store your payment information.
- Secure Checkout: Payments are handled by Apple and Google using their enterprise-grade security measures, including fraud detection and encryption.
- Receipt Verification: Purchase confirmations are verified using cryptographic signatures from Apple and Google to prevent tampering.
- GDPR Compliance: We follow GDPR principles, providing you with full control over your data, including the right to access, export, and delete information.
- Data Minimization: We only collect data necessary to provide the service (email, account information). We do not collect journal entries—they are stored locally on your device. No unnecessary personal information is requested or stored.
- Transparency: Our privacy policy clearly explains what data is collected (account information only, not journal entries), how it's used, and your rights regarding your information.
- Data Control: Export all your data anytime, delete your account completely, update or correct your information, opt out of communications.
- Account Security: Change password anytime, enable/disable email notifications, view account activity, secure password reset process.
- End-to-End Security: From your device to our servers
- Industry Standards: Following security best practices
- Regular Updates: Continuous security improvements
Questions & Support
If you have any questions about our security practices or privacy measures, we're here to help. Your trust is important to us.
Contact Support →