Security & Privacy
Your privacy and security are our top priorities. Here's how we protect your personal data and ensure your journal entries remain completely private.
- Local-First Storage: All journal entries are encrypted at rest (AES-256) and stored locally on your iOS or Android device. Your data never leaves your device unencrypted.
- Encryption Keys: Stored securely in your device's keychain/keystore (iOS Keychain or Android Keystore), providing hardware-level security.
- No Plain Text: Everything is encrypted before storage—no sensitive data is ever stored in plain text.
- Native App Security: Your device's built-in security features (biometric authentication, secure enclave) protect your data.
- Optional Cloud Sync: If you enable cloud backup, all data is encrypted in transit (TLS) and at rest (AES-256) before syncing.
SoulFrame is registered with the Information Commissioner's Office (ICO) in the UK, demonstrating our commitment to data protection and compliance with UK data protection regulations.
- Device Authentication: Secure login using Firebase Authentication, with optional biometric authentication (Face ID, Touch ID, fingerprint) on your device.
- Session Management: Secure token-based sessions with automatic expiration for enhanced security.
- API Protection: Rate limiting and Firebase App Check protect all API endpoints.
- Offline Access: Once authenticated, you can access your journal entries offline—no constant server connection required.
- Complete Privacy: Your journal entries are private to your account only. We never read, analyze, or share your personal thoughts with anyone—including our team.
- Local-First Storage: All journal entries are stored locally on your device using an encrypted Hive database (AES-256). Your data never leaves your device unencrypted unless you enable cloud backup.
- Offline-First: Your entries are always available, even without an internet connection. Write, reflect, and review your journal entries anytime, anywhere, with no internet required.
- Device-Level Security: Encryption keys are stored in your device's secure keychain/keystore (iOS Keychain or Android Keystore), providing hardware-level protection.
- Optional Cloud Backup: You can enable cloud backup in your profile settings. If enabled, your data is encrypted at rest (AES-256) and in transit (TLS) in Firebase. Only you can access your encrypted data.
- AI Processing: When you request an AI reflection, your entry is sent securely to OpenAI's API for processing. This data is not stored by OpenAI and is only used to generate your reflection. PII (emails, URLs) is redacted before transmission.
- Data Ownership: You own 100% of your data. All entries are stored locally on your device first. Cloud backup is optional and user-controlled. You can request complete deletion of your account and all associated data at any time.
- Native Mobile App: Built with Flutter for iOS and Android—optimized security and performance for mobile devices.
- Local-First Architecture: Data is stored on your device first, with optional secure cloud sync when you enable backup.
- Platform Security: Leverages iOS and Android's native security features (Keychain, Keystore, secure enclave).
- Regular Updates: Security updates and patches are delivered through the App Store and Google Play Store.
- API Protection: Firebase App Check and rate limiting protect all API endpoints.
- AI Safety: Crisis detection and PII redaction before AI processing.
- Input Validation: All user input is validated and sanitized to prevent security vulnerabilities.
- Device Encryption: Uses platform-native secure storage (iOS Keychain, Android Keystore) for encryption keys.
- App Store & Play Store Integration: All in-app purchases are processed securely through the Apple App Store (iOS) and the Google Play Store (Android). We never see or store your payment information.
- Secure Checkout: Payments are handled by Apple and Google using their enterprise-grade security measures, including fraud detection and encryption.
- Receipt Verification: Purchase confirmations are verified using cryptographic signatures from Apple and Google to prevent tampering.
- GDPR Compliance: We follow GDPR principles, providing you with full control over your data, including the right to access, export, and delete information.
- Data Minimization: We only collect data necessary to provide the service. No unnecessary personal information is requested or stored.
- Transparency: Our privacy policy clearly explains what data is collected, how it's used, and your rights regarding your information.
- Data Control: Export all your data anytime, delete your account completely, update or correct your information, opt out of communications.
- Account Security: Change password anytime, enable/disable email notifications, view account activity, secure password reset process.
- Local-First Security: Your data is encrypted and stored directly on your iOS or Android device.
- Industry Standards: Following security best practices with AES-256 encryption.
- Optional Cloud Backup: If enabled, all data is encrypted in transit (TLS) and at rest (AES-256).
- Regular Updates: Continuous security improvements through app updates.
Questions & Support
If you have any questions about our security practices or privacy measures, we're here to help. Your trust is important to us.