Privacy Policy — Yournal

This Privacy Policy explains how Propsy Digital Sp. z o.o. ("Propsy Digital", "we", "our") collects, uses, shares, and protects your personal data when you use the Yournal mobile application and the website propsydigital.com (together, the "Service").

This Policy should be read together with our Terms of Service. Capitalised terms used but not defined here have the meaning given in the Terms.

1. Who Is the Data Controller

The controller of your personal data is:

Propsy Digital Sp. z o.o.
ul. Marsz. Józefa Piłsudskiego 74/320
50-020 Wrocław, Poland
KRS: 0001158753, NIP: 8971950004, REGON: 541052080

For all privacy-related matters, including exercising your rights described in Section 9, contact us at: privacy@propsydigital.com

We have not appointed a Data Protection Officer, as we are not legally required to do so. Our privacy contact above will respond to all data protection enquiries.

2. Summary — At a Glance

For a quick overview, here is what you should know:

• You can use Yournal without an account. In that case, your written journal entries stay on your device.
• Mood, emotion, and activity tags that you record are sent to our backend even without an account, so we can provide the service and enforce free-tier limits.
• AI features send your content to our AI providers (Anthropic and OpenAI) only when you actively use them.
• We do not sell your data. We do not use your journal entries to train AI models.
• We do not show you advertising based on the content of your journal.
• You have rights under GDPR (and, where applicable, CCPA): access, rectification, erasure, portability, objection. See Section 9.
• Some data is processed in the United States (Firebase, AI providers). We rely on Standard Contractual Clauses and equivalent safeguards. See Section 6.

3. What Data We Collect and Why

We collect only the data we need to operate the Service. The sections below describe this in detail.

3.1 Data You Provide When Using the App

Important distinction:

• Without an account, journal entries are stored only on your device. They are never transmitted to our servers. However, mood, emotion, and activity tags and AI inputs are transmitted.
• With an account, if you enable cloud sync, your journal entries are also transmitted to our servers so you can access them across devices.

3.2 Data Collected Automatically

Analytics data is collected in a form that does not directly identify you. We use it to understand aggregate patterns of use, not to profile you individually.

3.3 Data When You Purchase Premium or AI Top-Ups

When you make a purchase through Google Play or the Apple App Store:

• We do not receive your payment card details, bank details, or full billing address. These are handled directly by Google or Apple as the merchant of record.
• We receive a purchase token and transaction identifier from Google or Apple, which we use to verify your purchase and activate your subscription or top-up.
• If you contact us about a purchase, we may also see information you choose to share with us (e.g. order ID, email used at purchase).

If we launch our own subscription platform in the future (as described in our Terms), we will update this Policy to describe the additional payment-related data we will process at that time.

3.4 Data When You Use Our Website (propsydigital.com)

When you visit propsydigital.com, we collect:

• Standard server log data (IP address, browser type, pages visited, referrer, timestamp) — for security and basic operation.
• Google Analytics data (subject to your cookie choice) — for understanding visitor patterns.

See Section 8 for details on cookies and how to manage them.

3.5 Data When You Contact Us

When you email us or otherwise contact us, we process the email address you write from, the contents of your message, and any other information you choose to share. We use this solely to respond to your enquiry. Legal basis: legitimate interest (responding to your contact) or, where relevant, performance of contract.

4. How We Use Your Data — Purposes Summary

We use the data described in Section 3 for the following purposes:

1. To provide the Service — storing your content, syncing it across devices if you have an account, generating AI outputs you request.
2. To operate accounts and authentication — verifying logins via Google Sign-In or Apple Sign-In, managing your subscription status.
3. To enforce usage limits — counting AI requests so we know when free-tier or Premium limits are reached.
4. To improve the Service — understanding which features are used, running A/B tests, fixing bugs and crashes.
5. To communicate with you — responding to support enquiries, sending push notifications you have opted into, sending service-related emails (e.g. account deletion confirmation), notifying you about changes to our Terms or this Policy.
6. To comply with legal obligations — responding to lawful requests from authorities, retaining records required by tax or accounting law.
7. To protect our rights and the security of the Service — detecting fraud, abuse, and unauthorised access.

We do not:

• Sell your personal data to anyone, for any purpose.
• Share your journal content with advertisers or data brokers.
• Use your journal content to train AI models, whether our own or those of our AI providers.
• Build advertising or marketing profiles based on the content of your journal.

5. Who We Share Your Data With

We share your data only with the categories of recipients listed below, and only to the extent necessary for the purposes described.

5.1 Service Providers (Processors)

The following providers process data on our behalf, under written data processing agreements that bind them to confidentiality and to processing data only on our instructions:

We will keep this list current. Where we onboard a new sub-processor that processes personal data in a materially different way, we will update this Policy.

5.2 Payment Platforms

Purchases of Premium subscriptions and AI top-ups are processed by:

• Google LLC / Google Ireland Limited (Google Play billing) — currently
• Apple Inc. (App Store In-App Purchase) — future

These platforms are independent controllers of payment data. Their handling of your payment information is governed by their respective privacy policies, not ours.

5.3 Legal Disclosures

We may disclose your data to public authorities or other third parties where we are required to do so by law (e.g. court order, tax investigation), or where disclosure is necessary to protect our rights, your safety, or the safety of others. Where legally permitted, we will inform you of such requests.

5.4 Business Transfers

If we are involved in a merger, acquisition, restructuring, or sale of assets, your data may be transferred to the new entity. We will notify you in advance via the in-app notice and/or email, and the new entity will be bound by this Policy or by terms at least as protective.

5.5 We Do Not Sell Your Data

We do not sell your personal data, and we do not "share" it for cross-context behavioural advertising (as those terms are defined under California law). See also Section 11 below.

6. International Data Transfers

Several of our service providers (Section 5.1) are based in the United States. This means that your data — including mood/emotion/activity tags, AI inputs, and, if you have cloud sync enabled, your journal entries — is transferred outside the European Economic Area.

For these transfers we rely on the following safeguards, as required by Chapter V of the GDPR:

• EU-US Data Privacy Framework (DPF) — where the recipient is certified under the DPF (currently including Google LLC and Apple Inc. for the relevant data flows).
• Standard Contractual Clauses (SCCs) approved by the European Commission — where the DPF does not apply, including for transfers to Anthropic and OpenAI.
• Additional supplementary measures where appropriate, including encryption in transit and at rest.

You may request a copy of the safeguards in place for any specific transfer by contacting privacy@propsydigital.com.

7. How Long We Keep Your Data — Retention

We keep your data only for as long as necessary for the purposes for which it was collected. Specifically:

If we are required by law (e.g. court order, tax audit) to retain data longer, we will do so until that requirement ends.

8. Cookies and Similar Technologies

8.1 In the App

The Yournal mobile app itself does not use cookies. However, the SDKs we use (Firebase, future PostHog) may rely on locally stored identifiers on your device to function. These identifiers are necessary to operate features such as authentication and analytics.

8.2 On Our Website

The website propsydigital.com uses cookies, including:

• Strictly necessary cookies — required for the site to function. No consent required.
• Analytics cookies (Google Analytics) — used to understand visitor patterns. Set only with your consent.

When you first visit the site, you will see a cookie banner allowing you to accept or reject non-essential cookies. You can change your choice at any time through the Cookie settings link in the website footer.

You can also manage cookies through your browser settings (typically: Settings → Privacy → Cookies). Note that blocking strictly necessary cookies may prevent the site from working correctly.

9. Your Rights Under GDPR

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR) — to obtain confirmation of whether we process your data and, if so, a copy of it.
• Right of rectification (Art. 16) — to have inaccurate or incomplete data corrected.
• Right to erasure / "right to be forgotten" (Art. 17) — to have your data deleted, subject to certain exceptions (e.g. data we must keep by law).
• Right to restriction of processing (Art. 18) — to limit how we process your data in certain circumstances.
• Right to data portability (Art. 20) — to receive your data in a structured, commonly used, machine-readable format, and to transmit it to another controller. You can exercise this right at any time via the in-app export function (see Terms § 6.4).
• Right to object (Art. 21) — in particular, to object to processing based on legitimate interests.
• Right to withdraw consent (Art. 7(3)) — where processing is based on consent (e.g. push notifications, analytics cookies on the website), you can withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.
• Right to lodge a complaint with a supervisory authority — in Poland, this is the Urząd Ochrony Danych Osobowych (UODO), https://uodo.gov.pl. You may also lodge a complaint with the authority in your country of residence.

To exercise any of these rights, contact us at privacy@propsydigital.com. We will respond within 30 days (extendable by another 60 days for complex requests, with notice to you). There is no fee, except where requests are manifestly unfounded or excessive.

We may ask you to verify your identity before responding, to protect your data from unauthorised access.

10. Children's Privacy

Yournal is not intended for children under the age of 13. We do not knowingly collect personal data from children under 13.

If you are under 16 and located in the European Economic Area, you must have verifiable parental or guardian consent before creating an account or using features that involve transmission of data to our servers, as set out in our Terms.

If you believe that a child has provided us with personal data without appropriate consent, please contact privacy@propsydigital.com and we will take steps to delete that data.

11. Information for California Residents

If you are a resident of California, the California Consumer Privacy Act (CCPA), as amended by the CPRA, provides you with additional rights regarding your personal information. To the extent the CCPA applies to us with respect to your data, you have the following rights:

• The right to know what categories of personal information we have collected about you, the sources of that information, the purposes for which we use it, and the categories of third parties with whom we share it. The disclosures in Sections 3 to 5 provide this.
• The right to request a copy of the specific pieces of personal information we have collected about you.
• The right to request deletion of your personal information, subject to certain exceptions.
• The right to correct inaccurate personal information we maintain about you.
• The right to opt out of the "sale" or "sharing" of personal information. We do not sell your personal information and we do not share it for cross-context behavioural advertising. You therefore have no opt-out to exercise, but we honour Global Privacy Control (GPC) signals on our website.
• The right to non-discrimination — we will not deny you service, charge you a different price, or provide a different quality of service because you exercised your CCPA rights.
• The right to limit the use of sensitive personal information. To the extent we process sensitive categories (such as account credentials), we do so only as necessary to provide the Service.

To exercise any CCPA right, contact us at privacy@propsydigital.com with the subject line "California Privacy Request". We may ask you to verify your identity. You may also designate an authorised agent to make a request on your behalf, subject to verification.

12. How We Protect Your Data

We use appropriate technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction. These include:

• Encryption of data in transit (TLS) and at rest where supported by our infrastructure.
• Access controls limiting who within Propsy Digital can access systems containing personal data.
• Logging and monitoring of access to sensitive systems.
• Written data processing agreements with all sub-processors.
• Regular review of our security practices.

No system can be guaranteed to be 100% secure. If we become aware of a personal data breach affecting your data, we will notify the relevant supervisory authority and, where required, you directly, in accordance with Articles 33 and 34 of the GDPR.

13. Automated Decision-Making and Profiling

AI features in Yournal (summaries, reflections, mood insights, pattern reports) involve automated processing of your content to generate output. This is not automated decision-making in the legal sense of Art. 22 GDPR: the output is informational, has no legal or similarly significant effect on you, and is presented for your personal reflection only.

We do not use your data for automated decisions that produce legal or similarly significant effects on you.

14. Changes to This Policy

We may update this Policy from time to time. When we make material changes:

• If you have a registered account, we will notify you by email to your registered address at least 14 days before the changes take effect.
• If you use Yournal without an account, we will display a notice in the app the next time you open it.

Each version of the Policy is identified by the "Last updated" date at the top. Earlier versions are available on request.

Non-material changes (e.g. clarifications, corrections of typos, adding a sub-processor whose role is consistent with this Policy) may be made without notice, but will always be reflected in an updated "Last updated" date.

15. Contact

For any privacy-related question, request, or complaint:

Propsy Digital Sp. z o.o.
ul. Marsz. Józefa Piłsudskiego 74/320
50-020 Wrocław, Poland

Email: privacy@propsydigital.com

You can also reach the supervisory authority:

Prezes Urzędu Ochrony Danych Osobowych
ul. Stawki 2, 00-193 Warszawa, Poland
https://uodo.gov.pl