Privacy Policy — Me Journal
Document control · Version 1.0 · Classification Confidential — Legal · Created 2026-05-02 · Last updated 2026-06-07 · Owner N (Astronero Ltd) · Next review 2026-12-04 · Location legal/PRIVACY_POLICY.md

| Version | Date | Author | Summary of change |
|---|---|---|---|
| 1.0 | 2026-06-07 | N / Claude | Doc-control header added; content pre-existing |
Last updated: 2026-06-01
Effective date: to be set when published
Operator: Astronero Ltd, a private company limited by shares registered in England & Wales (Companies House number 15024376, incorporated 24 July 2023).
Contact: privacy@me-journal.com.
DRAFT — NOT YET LEGALLY REVIEWED. This document was prepared by an AI assistant against current UK GDPR, EU GDPR, and CCPA/CPRA (effective 1 January 2026) requirements. Before publishing, a solicitor qualified in England & Wales with data-protection expertise must review it. Specific items to check: the Article 27 EU representative, the data-transfer mechanism for US processors, and the California-specific Notice at Collection text.
1. Who we are
Astronero Ltd (referred to in this policy as "Me Journal", "we", "us", or "our") operates the Me Journal app and website at https://me-journal.com. We are the data controller for the personal data described in this policy.
If you have questions about this policy or want to exercise any of the rights described below, contact us at:
- Email: privacy@me-journal.com
- Postal: Astronero Ltd, 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom
UK users. Astronero Ltd is established in the United Kingdom, so our lead supervisory authority is the Information Commissioner's Office (ICO) — https://ico.org.uk. UK users may lodge a complaint with the ICO. No UK GDPR Article 27 representative is required, because we are established in the UK.
EU/EEA users. Astronero Ltd is established in England & Wales, which is outside the EU/EEA. We do not currently offer Me Journal to users in the EU/EEA. Sign-up is limited to the countries listed in "Where Me Journal is available" below, and we check the country at sign-up. Because we do not target or offer the Service to people in the EU/EEA, we are not currently required to designate a representative under Article 27 of the EU GDPR. Before we open Me Journal to the EU/EEA, we will appoint an Article 27 representative established in the EU/EEA and insert their name and contact address here. If you are in the EU/EEA — for example, an existing account-holder who is travelling — you may still lodge a complaint with the supervisory authority in your own country of residence.
Where Me Journal is available. We offer Me Journal in most countries of the world. We do not offer it in the EU/EEA (until an Article 27 representative is appointed), nor in a small number of countries with strict data-protection regimes that we will open only as their local requirements are met (currently Switzerland, South Korea, India, the United Arab Emirates, the Philippines, China, Turkey, Thailand, South Africa, Egypt and Chile), nor to anyone located in, resident in, or a citizen of a country or territory subject to comprehensive sanctions — currently Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk and Luhansk regions of Ukraine — nor anywhere our payment provider cannot lawfully process payments. We check the country your sign-up appears to come from, using your network (IP) address. This check is honest but not perfect: a VPN, or someone who has relocated, can get past it — so we back it with the served-countries and 18+ terms in our Terms of Use, and by not marketing into the EU/EEA, rather than relying on the check alone. The check runs at sign-up only: if you already have an account and travel abroad, you keep your access (except where we must suspend it to comply with sanctions law).
2. What this policy covers
This policy explains:
- What personal data we collect and why
- What we use it for (the legal basis under GDPR / "purposes" under CCPA)
- Who we share it with (our sub-processors)
- How long we keep it
- Your rights and how to exercise them
- How we keep the data secure
Scope: this policy applies to everything you do on the Me Journal website and inside the signed-in app. It does NOT cover websites we link to.
3. The personal data we collect
3.1 Information you give us when you sign up
| Data | Purpose | Legal basis (UK/EU GDPR) |
|---|---|---|
| Email address | Authentication, transactional emails, password recovery | Contract (provide the service) |
| Name (optional) | Personalise the app experience | Contract |
| Password (hashed; never plain text) | Authenticate you securely | Contract |
| Subscription / payment method (handled by Stripe — we never see your full card number) | Bill you for paid subscriptions | Contract / Legitimate interests (fraud prevention) |
3.2 Information you create in the app
| Data | Purpose | Legal basis |
|---|---|---|
| Journal entries (text + voice transcripts) | Provide the journaling service | Contract |
| Mood logs | Provide the mood-tracking feature | Contract |
| Gratitude entries | Provide the gratitude feature | Contract |
| Future Self – Foundation entries (paid users) | Deliver the programme | Contract |
| App preferences (reminders, settings) | Run the app the way you want | Contract |
Special category data note: journal entries, mood logs, and the Body Compass cycle tracker can include data revealing your physical or mental health, sexual orientation, religious beliefs, or other special categories of data under Article 9 UK/EU GDPR. We process this only with your explicit consent (Article 9(2)(a)) — your active use of these features constitutes that consent. You can withdraw consent at any time by deleting the relevant entries or your account; see § 7.
3.3 Information collected automatically
| Data | Purpose | Legal basis |
|---|---|---|
| IP address (for security + abuse prevention) | Detect anomalous access; security incident response | Legitimate interests |
| Device + browser type | Compatibility, render the right UI | Legitimate interests |
| App usage events (page views, feature interactions) | Understand which features matter, fix bugs, improve product | Legitimate interests; California: a "business purpose" |
| Push subscription data (endpoint + keys) | Deliver reminder notifications you've enabled | Consent (Article 6(1)(a) / CCPA equivalent) |
3.4 Information we don't collect
We deliberately don't collect:
- Voice recordings — voice transcription is performed on your device via the browser's Web Speech API; only the transcribed text is sent to us
- Precise location (GPS coordinates)
- Government-issued identifier (passport, driver's licence, social security)
- Biometric identifiers (fingerprint templates, face geometry)
- Genetic information
- Children's data — Me Journal is intended for adults; if you're under 18 please don't sign up. We delete accounts where we discover the user is under 18.
4. How we use your data — purposes
Beyond the table above, the high-level purposes are:
- Provide and maintain the service — run the app, save your data, sync across devices, deliver subscription content
- Authenticate you — keep your account secure
- Bill you (paid users) — process subscription payments via Stripe; issue receipts; deal with refunds
- Send transactional messages — receipts, password resets, subscription renewals, security alerts
- Send reminders — only when you've enabled them; you control these in settings
- Improve the product — understand which features get used, fix bugs, plan roadmap (we use aggregated and pseudonymised data for this where possible)
- Comply with law — respond to lawful requests, keep records we're legally required to keep (e.g. tax records for paid subscriptions)
- Resist unlawful or overbroad requests — in jurisdictions where journaling data could become evidence in adverse proceedings (e.g. reproductive-health-related subpoenas in some US states), we will challenge requests we believe are unlawful or overbroad and notify affected users where legally permitted
We do not use your data for:
- Behavioural advertising (we don't run ads)
- Selling to data brokers (we never sell personal data — see § 9)
- Training third-party AI models without your explicit consent (see § 5)
5. AI features and your data
When AI features are enabled (some are off by default), we send selected content to an AI provider to generate the requested output (e.g. a reflection prompt, a monthly synthesis).
What we send:
- The minimum content needed to generate the response (e.g. recent journal excerpts, mood patterns)
- Your tier / feature context (so we use the right model)
What we don't send:
- Your email address or other directly identifying information beyond a pseudonymous user ID
- Content from features you haven't enabled
Our AI providers (currently Anthropic; OpenAI when activated):
- Are configured for zero retention / no training on customer data at the API level — we do not allow them to train models on your content
- Are bound by Data Processing Addenda compliant with GDPR Article 28
- Process data in the United States (see § 8 on transfers)
You can disable LLM-powered features for your account at any time in Settings → Account → AI Features.
6. Who we share your data with — our sub-processors
We share personal data only with the following processors, each bound by a Data Processing Agreement compliant with GDPR Article 28:
| Sub-processor | Data shared | Purpose | Location |
|---|---|---|---|
| Convex (Convex, Inc., USA) | All app data — journal entries, mood logs, gratitude, programme entries, preferences | Database hosting, application backend | United States (with EU-region option per Convex SLA) |
| Clerk (Clerk, Inc., USA) | Email, name, password hash | Authentication | United States |
| Stripe (Stripe Payments Europe, Ltd, Ireland for EU users; Stripe, Inc., USA for US users) | Email, payment method, billing address | Payment processing | Ireland (EU users) / United States (US users) |
| Cloudflare R2 (Cloudflare, Inc., USA) | Founder video files (when applicable); meditation audio (when applicable) | Object storage and content delivery | Cloudflare global network |
| Anthropic (Anthropic, PBC, USA) | Selected content for AI features (when enabled by user) | LLM inference | United States |
| Vercel (Vercel, Inc., USA) | Logs, analytics events (no personal data beyond pseudonymous user ID) | Hosting and analytics | United States |
| Resend / equivalent (TBD — to be added when activated) | Email address, message content | Transactional and (opt-in) marketing email | to be confirmed |
A current sub-processor list is maintained at https://me-journal.com/legal/sub-processors (linked from this policy) — that page contains each sub-processor's DPA URL, certification status, location, exact data categories shared, and the international data transfer mechanism in use. We notify users via email at least 30 days before adding a new sub-processor that handles personal data.
For Article 30 GDPR Records of Processing Activities (RoPA): an internal record matching the public sub-processor list is maintained and available to the supervisory authority on request.
7. Your rights
7.1 Rights under UK GDPR + EU GDPR
You have the right to:
- Access the personal data we hold about you (Article 15) — we provide a complete export from Settings → Account → Export my data
- Rectify inaccurate data (Article 16) — most fields you can edit directly in the app; for anything else, email privacy@me-journal.com
- Erase ("right to be forgotten") (Article 17) — two paths:
  - In-app deletion (immediate): Settings → Account → Delete account. A typed confirmation triggers immediate erasure of all personal data in our systems (atomic Convex wipe, Stripe subscription cancelled, Clerk auth account deleted). Audit-log rows are retained in pseudonymised form for ISO 27001 + GDPR Art. 17(3) defence-of-claims purposes, with no link back to you.
  - Out-of-band deletion (30-day grace): if your authentication account is deleted at the Clerk side (Clerk Portal, Clerk admin action, account compromise) without going through the in-app flow, your data enters a 30-day soft-delete grace window. During this window you can sign in again with the same email and restore your full account using your vault password. Once the 30 days elapse, the data is permanently and irreversibly purged. After this point, the data is unrecoverable even if you sign up again with the same email — a re-signup at the same address creates a brand-new, empty account with no link to the previous one (no journal entries, no mood logs, no plan history, no vault). Even if you remember your previous vault password it cannot decrypt anything, because the encryption keys were destroyed along with the encrypted content. This matches ICO guidance on accidental-deletion safeguards and the industry-standard recovery window (Google, Apple, Microsoft, GitHub all use a similar model). See § 8.6 for the full lifecycle. Some pseudonymous billing records are retained longer where legally required (HMRC VAT — held by Stripe, our payments processor, NOT by us directly).
- Restrict processing (Article 18) — contact us at privacy@me-journal.com to request a temporary processing pause
- Data portability (Article 20) — your export from § 7.1 is structured, machine-readable JSON you can take elsewhere
- Object to processing (Article 21) — you can opt out of features driven by legitimate interests (e.g. usage analytics) in Settings → Account → Privacy
- Withdraw consent (Article 7(3)) where processing is based on consent — turn off the relevant feature
- Complain to your supervisory authority — for UK users, the Information Commissioner's Office (ICO) at https://ico.org.uk; for EU/EEA users, the supervisory authority in your own country of residence
- Rights related to automated decision-making and profiling (Article 22) — Me Journal does not currently make any decisions about you that produce legal or similarly significant effects through automated processing alone. AI features generate output you read and can ignore; they don't gate access to anything
7.2 Rights under California CCPA / CPRA (effective 1 January 2026 amendments)
If you are a California resident, you have these rights under the California Consumer Privacy Act / California Privacy Rights Act:
- Right to know — what categories of personal information we collect, the categories of sources, business purposes, and categories of third parties we share with (this policy's § 3-§ 6 cover this)
- Right to access / data portability — see § 7.1 above
- Right to delete — see § 7.1 above
- Right to correct — see § 7.1 above
- Right to limit use of sensitive personal information — your journal entries, mood data, and the Body Compass cycle tracker qualify as sensitive PI under CPRA. We use sensitive PI only to provide the journaling features you've opted into; we do not use it for inferring characteristics, advertising, or any secondary purpose
- Right to opt out of sale/sharing — we do not sell or share personal information for cross-context behavioural advertising. Our website honors Global Privacy Control (GPC) signals from your browser as a valid opt-out request, with a visible confirmation
- Right not to be discriminated against — exercising any privacy right will never result in degraded service or higher pricing
- Notice at Collection — see § 3 above; we collect at the point you use each feature
To exercise any California-specific right, email privacy@me-journal.com or use the "Privacy" section of your account settings. We respond within 45 days as required by CCPA.
7.2.5 Digital legacy / deceased-user data
You can specify in advance what should happen to your data after your death via Settings → Digital Legacy in the app. Three options:
- Delete everything — on confirmed bereavement, all your data is purged
- Transfer to a nominated legacy contact — your contact gets a 30-day read-only window with a downloadable archive of your data, then your account converts to free tier and billing stops
- Keep dormant — your account is marked as belonging to someone who has died; billing stops and the account is then wound down under our 24-month retention process (described below)
The legacy contact you nominate must verify their email before the nomination is "active". You can change or remove your preference at any time.
When someone reports your death, our process is:
- Family / executor submits at /legal/bereavement
- They email the death certificate + proof of relationship to bereavement@me-journal.com
- Within 14 days, we review the documents and decide
- If approved, a 30-day cooling-off period begins. During this period, we send the original account email reminders saying "if you're alive, click here to stop this process" — a safeguard against the rare case of fraud or wrongful death certificate
- After cooling-off, your pre-set preference is executed
- Every step is logged in our internal audit log and retained for 7 years (per UK statute of limitations) as compliance evidence
For an account that is kept after a death rather than deleted immediately, we send a small number of respectful, transactional notices to the account's own email address over the following two years. This is partly a safeguard: if a death is ever reported in error, the living account holder can see the notice and restore their account. After that retention period the account and all its data are permanently deleted.
Legal basis: GDPR doesn't apply to deceased persons (Recital 27), but Member State variations protect specific categories — France's 2016 Digital Republic Act, Spain's LOPDGDD, Italy's extended GDPR rights, Ireland's DPA 2018, UK's DPA 2018 Schedule 19. Our process honours these by giving the user explicit control while alive + verifying authority post-death.
For US users: state laws like RUFADAA (Revised Uniform Fiduciary Access to Digital Assets Act, adopted in ~25 states) recognise a user's pre-set digital-legacy preferences as legally binding. Our process satisfies RUFADAA's "user-directed action" standard.
If your nominated legacy contact has also died: family or executor of either party can still submit a bereavement request; we manually review and follow your "if my contact is gone" preference (or, if you didn't specify, default to the deletion path).
7.3 Children's data — global
Me Journal is for adults. We do not knowingly collect personal data from anyone under 18. If we learn that we've collected data from a user under 18, we delete the account. Parents/guardians who believe their child has created an account can email privacy@me-journal.com.
We do not offer a route for under-18s to sign up with parental consent — we simply require all users to be 18 or older.
For users in the United States: we do not knowingly collect personal data from children under 13 (the US Children's Online Privacy Protection Act, COPPA). Because Me Journal is restricted to adults aged 18 and over, under-13s are excluded as a matter of course.
7.3aa Incomplete signups removed after 30 days
If you start signing up but don't finish (e.g. you close the browser during the DOB / consent / plan / vault setup screens and never come back), we keep the partial sign-up data for 30 days from your last activity, then delete it automatically. During that window we send reminder emails on days 7, 14, 21 and 28 inviting you to finish if you want to. If you return and progress any further in the flow, the clock restarts.
After day 30 of inactivity, the incomplete account is purged permanently — same wipe path as account deletion. Users with an active paid subscription, an admin-issued plan grant, or who have completed onboarding are NOT subject to this sweep (different lifecycles).
This is a GDPR Article 5(1)(e) storage-limitation safeguard — we don't sit on age data + consent attempts for users who clearly aren't proceeding.
7.3a Keeping your consent current
Your journal can include special-category health data (UK/EU GDPR Article 9), so we ask for your explicit consent before any feature processes it. We ask once, when you first set up your account — we do not put your consent on a timer or make you repeat onboarding at fixed intervals.
If we ever materially change what we do with your data — a new purpose, a new category of processing, or a new optional feature that relies on health data — we will ask you again. In practice that means we publish an updated version of this Privacy Policy and request fresh consent for the new purpose before it takes effect. Consent is tied to a specific purpose, so a genuinely new purpose needs new consent; the passage of time on its own does not.
You can withdraw your consent at any time, and it is as easy to withdraw as it was to give (Article 7(3)). You don't have to wait to be asked. You can turn off any optional feature (for example AI insights, or Body Compass) in Settings, and you can export everything (Article 20) or permanently delete everything (Article 17) from Settings → Account whenever you like. Withdrawing consent stops the relevant processing from that point forward; it does not affect processing we lawfully carried out before you withdrew.
Finally, your journal content is end-to-end encrypted — it is encrypted on your device with a key only you hold, and the Me Journal team cannot read it. Your consent governs which features are allowed to run on your device using your own data; it is not permission for us to read that data, because we can't.
7.4 Account deletion — two paths + 30-day soft-delete grace
Path 1 — In-app deletion (immediate). Settings → Account → Delete account. After a typed confirmation, your account is irreversibly erased: all Convex content (journal entries, mood logs, gratitude entries, programme progress, preferences, vault key material) is wiped in an atomic transaction; your Stripe subscription (if any) is cancelled immediately; your Clerk authentication account is deleted. Audit-log rows are retained in pseudonymised form (no link back to you) for ISO 27001 audit-integrity and GDPR Article 17(3)(e) defence-of-legal-claims purposes.
Path 2 — Out-of-band deletion (30-day grace). If your authentication account is deleted at Clerk's side without going through the in-app flow — for example via the Clerk Account Portal, a Clerk admin action, or an account compromise where an attacker initiates the deletion — your Me Journal data is NOT immediately erased. Instead it enters a 30-day soft-delete grace window. During this window:
- The account is locked. You cannot sign in to use it.
- All Stripe subscriptions are flagged to cancel at the end of the current billing period (no further charges; California Auto-Renewal Law compliant).
- If you sign in again with the same email during the 30 days, you are routed to a restore screen. Entering your vault password proves ownership of the encrypted content and restores the full account.
- For accounts that never set up a vault password, recovery is offered on email-match alone with an explicit confirmation step.
After 30 days, an automated daily process irreversibly purges the account — same outcome as Path 1, just delayed.
Why this two-path model? Mental-health journaling content has high emotional sunk-cost; an accidental deletion (operator error, account compromise, automated abuse-detection false positive) without a recovery window is catastrophic. The 30-day grace matches the model used by Google, Apple, Microsoft, GitHub, Instagram, Spotify and others, and is explicitly recognised by the UK Information Commissioner's Office (ICO) as the preferred approach for online services. The grace period is well inside the GDPR Article 12(3) "without undue delay" requirement (typically read as ≤1 month).
Subscription cancellation vs data erasure — two separate clocks. Cancellation of any paid subscription takes effect immediately when you request it (a click + confirm in the billing portal, or automatically when an out-of-band deletion triggers soft-delete). No further charges from that point. Data erasure has its own timeline: the in-app "Delete account" flow erases immediately; the out-of-band soft-delete erases 30 days after the deletion event. The two clocks are deliberately separate:
- Cancellation is immediate — required by California's Automatic Renewal Law (ARL), FTC Click-to-Cancel (US), UK Consumer Contracts Regulations 2013, and EU Directive 2011/83 (as modernised by 2019/2161). The user must be able to stop further billing at the moment of request, in the same channel as sign-up.
- Data erasure is timed — the in-app path satisfies an explicit user intent and erases immediately; the out-of-band path uses a 30-day grace so an accidental, hijacked, or false-positive deletion does not destroy a user's data before they can challenge it. The 30-day window is explicitly preferred by the UK Information Commissioner's Office (ICO) as the safer approach for online services, and is well inside the GDPR Article 12(3) "without undue delay" limit (≤1 month).
So in the out-of-band deletion case: your subscription stops billing on Day 0; your data is held until Day 30 in case you need to restore it; on Day 31 the data is permanently purged. Both events are recorded in pseudonymised audit logs (ISO 27001).
8. International data transfers
Several of our sub-processors are based in the United States (see § 6). Your personal data is therefore transferred to the US.
For UK GDPR + EU GDPR transfers, we rely on:
- The EU Commission's adequacy decision for the UK (for UK ↔ EU transfers)
- Standard Contractual Clauses (SCCs) for transfers to US sub-processors
- EU–US Data Privacy Framework certification where the sub-processor is certified
- UK Addendum to the SCCs for UK-origin data
- Supplementary measures (encryption in transit and at rest; zero-retention configurations on AI providers; minimisation of data sent)
You can request a copy of the SCCs for any specific sub-processor by emailing privacy@me-journal.com.
9. We do not "sell" your personal data
We do not sell your personal data for money. We do not "share" your personal data for cross-context behavioural advertising as those terms are defined under CCPA/CPRA. We do not exchange your data with data brokers, advertising platforms, or "people finder" services.
When we use a sub-processor (see § 6), we share only the personal data necessary for them to perform the service we've contracted them for, and they are bound to use it only on our instructions.
9b. When you invite someone to share with you, or receive a sharing invite
If you use the Cycle Tracker (or any future module that supports sharing) to grant another person read-only access to part of your data, we send that person an invitation email at the address you provide.
If you are the inviter:
- You confirm to us that you have permission to provide the invitee's email address.
- We process their email solely to send the invitation, hold the pending share in our database, and notify you whether they accept or decline.
- If they decline, expire (after 14 days), or you revoke the invite, the share record is deleted within 7 days.
- The invitee can see exactly which aspects of your data you granted before they accept; they can also accept and view at any later point in the 14-day window.
If you receive an invitation email from us:
- We have your email address because a Me Journal user provided it while inviting you to view part of their data. We rely on the user's warranty that they had a basis to share your address. The lawful basis for our processing of your email until you respond is our legitimate interest (Article 6(1)(f) UK/EU GDPR) in delivering the message the user asked us to send.
- The invitation is single-purpose: it lets you decide whether to accept the share. We will not send you any other email based on this invitation. We will not add you to any marketing list.
- The invitation token expires automatically after 14 days. After expiry, the invite record is deleted within 7 days.
- You can decline the invite from the invitation page; declining triggers immediate deletion of the share record. You can also ignore the invite — it will expire and be deleted automatically.
- If you sign up to accept a share, our standard account-data processing applies (see this Policy) and you can delete your account at any time via Account Settings → Delete account.
- If you want us to delete your email and the invite record immediately without responding to the invite, email support@me-journal.com and we will delete within 7 days.
What the invitee sees vs what you keep private:
The inviter chooses which specific aspects of their data the invitee can see (e.g. period days only / events only / symptoms with severity). Aspects the inviter does NOT grant remain private to them — the invitee never sees what they aren't explicitly granted, even if the inviter has logged it.
9c. Body Compass messaging — what's encrypted and what isn't
If you enable Body Compass messaging (1:1 chat between mutual sharing partners), your messages routinely discuss menstrual cycle status, fertility intent, mental state, symptoms, and (where the user has turned on the relevant tracking modes) pregnancy and postpartum topics. This is health data that qualifies as special-category data under UK GDPR / EU GDPR Article 9. We process it only with your explicit consent, recorded at the moment you accept the in-app messaging disclosure before sending your first message.
The encryption posture for messaging is different from your private Journal — please understand the difference before sending:
- Your Journal is end-to-end encrypted with a key derived from your vault password. Even Me Journal staff cannot read the plaintext — by design. If you forget your vault password, your journal is unrecoverable. That is the trade-off for true privacy.
- Body Compass messages are encrypted at rest on our servers using keys we manage (provided by our database operator, Convex). We commit, in writing here and in the in-app disclosure, not to read your messages as part of routine operations. There is no admin tool in our application that lets a staff member browse message contents; doing so would require deliberate code changes that would be visible in the audit log. But — and this is the honest part — we have the technical capability to access your message contents if compelled by a valid legal order (UK ICO subpoena, court order, etc.), and we would have to comply with such orders. Where the law permits, we will notify you.
Why messages aren't end-to-end encrypted in V1:
End-to-end encrypted messaging (the WhatsApp model) requires a key-exchange protocol that adds significant engineering complexity and real user-experience trade-offs (rich push-notification previews would become "New message from your partner" only; losing your vault password would delete every prior message; multi-device use adds friction at first set-up). We've started with server-encrypted messaging because it lets us ship the feature today and learn what you actually need. End-to-end encrypted messaging is on the roadmap for a future release.
What we do not do with your messages:
- We do not read them as part of routine operations
- We do not analyse them for marketing, advertising, or product recommendations
- We do not use them to train AI models — ours or anyone else's
- We do not share them with anyone other than the conversation participant (the partner you mutually shared with)
- We do not include message bodies in our audit logs or system logs. Only metadata (sender, recipient, length, timestamps) is logged — for abuse prevention and forensic traceability — and the sanitiser enforces this in code, not just policy
Retention:
- Messages remain available to both parties indefinitely while the account exists
- Either party can delete their own message individually (the body is wiped; a "deleted" marker remains in the conversation thread)
- Either party can delete the entire conversation bilaterally (both sides erased from our database)
- When an account is deleted, all messages involving that account are permanently removed within 30 days (see §10)
If you are not comfortable with server-encrypted-at-rest messaging for sensitive health content, use the journal instead — your private Journal remains end-to-end encrypted regardless. Body Compass messaging is opt-in; it never starts sending without your explicit consent at the messaging disclosure screen.
9d. The region waiting list
We are not yet open to sign-ups everywhere. If you reach our sign-up flow from a region we do not serve yet — for example the EU/EEA, which is switched off only until we appoint our EU representative — we offer you a waiting list instead of turning you away.
- What we collect: your email address, optionally a first name, and the country/region your request appears to come from, together with a record that you ticked the consent box and when.
- Why, and our lawful basis: so we can email you once Me Journal becomes available in your region. Our lawful basis is your consent (UK GDPR / EU GDPR Art. 6(1)(a)), given by the tick-box on the waiting-list form. We use this email only for that purpose — not for any other marketing.
- No sensitive data: the waiting list holds none of your health or journalling data — only the contact details above.
- Your choices: every waiting-list email includes an unsubscribe link, and you can ask us to delete you from the list at any time (hello@me-journal.com). When your region opens and you create an account — or if you ask to be removed — we delete or anonymise your waiting-list entry.
- Who it's shared with: our database host (Convex) and, when we send the invitation, our email provider (Resend). See §6 and §8.
We do not offer the waiting list, or collect any data, from regions we are prohibited from serving (for example comprehensive-sanctions countries).
10. How long we keep your data
| Category | Retention |
|---|---|
| Account data (email, name, login credentials) | While your account exists; deleted within 30 days of account deletion |
| Journal entries, mood, gratitude, programme data | While your account exists; deleted with the account |
| Inactive accounts | If an account has no activity for 24 months, the account and all data in it are permanently deleted. We email you before this happens — re-engagement reminders while the account is idle, then deletion warnings in the final months, with a final notice about a week before — and simply signing in keeps your account and resets the clock. Accounts with an active paid subscription are not subject to inactivity deletion |
| Subscription and payment records | 7 years after the last transaction (UK tax / accounting requirement) |
| Push subscription endpoints | While the subscription is active in your browser; pruned automatically when the push service reports the endpoint as gone |
| Server logs (IP, request metadata) | 90 days, then aggregated/anonymised |
| Backups | Convex maintains daily backups; deleted user data is removed from active backups within 35 days, beyond which residual data is encrypted and inaccessible |
| Account audit log (deceased-user processing trail) | 7 years from last event — kept even after the account itself is purged, as legal-compliance evidence per UK statute of limitations |
When an account is closed — whether you delete it yourself, it is closed after 24 months of inactivity, or it is wound down following a bereavement — the deletion is permanent and covers all the personal data described above, with the sole exception of the pseudonymised audit-log entries noted in the last row of the table.
11. How we keep your data secure
See our separate Security Statement for a detailed description. Headlines:
- TLS 1.2+ for all data in transit; HTTPS-only
- Encryption at rest by Convex
- Hashed passwords (never stored in plain text) via Clerk
- Authentication via Clerk with MFA option
- Strict access controls — no Me Journal staff routinely has access to user content (journal entries, mood data); access is logged
- Annual independent reviews (where applicable to our scale)
- Incident response plan with notification to affected users and the ICO within 72 hours of a confirmed personal data breach (Article 33)
12. Cookies and similar technologies
See our separate Cookie Policy.
Headlines:
- We set only the cookies strictly necessary to run the app, plus a session cookie via Clerk
- We do not set advertising or tracking cookies from third parties
- For users in the EU, we present a cookie banner on first visit asking for consent for any non-essential cookies
- For users in the UK, we follow PECR and the ICO's cookie guidance with the same default
- For users in California, we honour Global Privacy Control signals
13. Changes to this policy
We may update this policy as the law changes or as we add features. When we do:
- We update the "Last updated" date at the top
- For material changes (new categories of data collected, new sub-processors, new purposes), we email all account holders at least 14 days before the change takes effect
- For non-material changes (clarifications, formatting), we update the policy without separate notice
Old versions of this policy are archived at https://me-journal.com/legal/privacy/history.
14. Contact
- General privacy questions: privacy@me-journal.com
- Data subject access / deletion / correction requests: privacy@me-journal.com
- California consumer rights requests: privacy@me-journal.com (subject line "CCPA Request")
- Data breach notification (urgent): security@me-journal.com
- Postal: Astronero Ltd, 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom
This document is © 2026 Astronero Ltd. You may quote it as evidence of our practices when exercising your rights — please link to the canonical version at https://me-journal.com/legal/privacy.