Privacy Policy
Last updated: April 9, 2026
Plain English: We built Open Heart around one idea: your relationship data is yours. We encrypt your entries on your device. Our server stores blobs it can't read. This policy explains exactly what we collect, what we can't see, and what you control.
1. What We Collect
Account Data
- Email address — used for authentication via Firebase Auth
- Password — hashed by Firebase; we never see your plaintext password
Profile Data (stored locally on your device)
- Name, relationship status, love language ranking, attachment style ranking
- This data lives in SQLite on your phone. It syncs to our server only as encrypted blobs.
Journal Entries (encrypted)
- Your entries are encrypted on your device using tweetnacl (NaCl) before they leave your phone
- Our server stores base64-encoded encrypted blobs
- We cannot read your entries. We don't have your encryption key.
Usage Data (opt-in)
- Anonymous crash reports via Sentry (no entry content, no PII)
- Basic usage metrics if you opt in (which features are used, not what you write)
Device Data
- Device locale (to show crisis resources in your language/region)
- OS version (for compatibility)
Payment Data
- Handled entirely by Apple App Store or Google Play Store via RevenueCat
- We never see your credit card number.
2. How We Use Your Data
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Provide the service | Account data, encrypted entries | Contract performance |
| Sync between partners | Encrypted blobs | Contract performance |
| AI conversation starters | Decrypted entries (on-device, with consent) | Explicit consent |
| Crisis resource display | Device locale | Legitimate interest (safety) |
| Crash reporting | Anonymous error data | Legitimate interest |
| Billing | Payment via App Store/Play Store | Contract performance |
We do not: sell your data, use it for advertising, train AI models on your entries, profile you for third parties, or share your data with data brokers.
3. What We Cannot See
This is the most important section.
Open Heart uses end-to-end encryption (tweetnacl/NaCl):
- Your entries are encrypted on your phone before they leave your device
- Your encryption key lives in your device's secure hardware (iOS Keychain / Android Keystore)
- Our server stores encrypted blobs — base64 strings that are meaningless without your key
- We cannot decrypt your entries. Not our engineers, not law enforcement, not anyone.
- During the reveal, your partner's phone decrypts entries locally using the shared key
If you lose your device and your 24-word recovery phrase, your encrypted entries are gone forever. That's the tradeoff for real privacy.
4. AI Features and Data Processing
When you use AI features (conversation starters, coaching, summaries):
- Entries are decrypted on your device first
- Decrypted text is sent to our AI provider (Anthropic Claude or OpenAI) via API
- This requires your explicit consent per session
- The AI provider does not store your entries after processing
You can use Open Heart without AI features. Solo journaling and the reveal work without any data leaving your device.
5. Third-Party Services
| Service | What We Share | Their Privacy Policy |
|---|---|---|
| Firebase Auth | Email, hashed password | Google Privacy |
| Firestore | Encrypted blobs only | Google Cloud Privacy |
| RevenueCat | Subscription status | RevenueCat Privacy |
| Anthropic (Claude) | Decrypted entries (opt-in) | Anthropic Privacy |
| OpenAI | Decrypted entries (opt-in) | OpenAI Privacy |
| Sentry | Anonymous crash data | Sentry Privacy |
6. Cookies and Tracking
Website: No advertising cookies. No cross-site tracking. No Facebook Pixel or Google Ads. Vercel Analytics may be used (cookieless).
Mobile app: No cookies, no tracking pixels, no third-party analytics beyond opt-in crash reporting.
7. Data Storage and Security
- Local-first: entries in SQLite on your device
- Server: Google Cloud (Firestore), SOC 2 and ISO 27001 certified
- In transit: TLS 1.3
- At rest: tweetnacl E2E encryption
- Keys: iOS Keychain / Android Keystore (hardware-backed)
- Recovery: 24-word mnemonic phrase
8. Data Retention and Deletion
- While active: account data and encrypted blobs retained
- After deletion request: 30-day grace period, then permanent deletion
- Export: JSON export available anytime from Settings
- Therapist export: shared entries only
To delete: Settings > Your Data > Delete Account.
9. Your Rights
GDPR (EEA, UK, Switzerland)
Access, rectification, erasure, portability, restriction, objection, and withdrawal of consent. Contact privacy@myopenheart.co. Response within 30 days.
CCPA (California)
Right to know, to delete, and to opt out. We do not sell or share your data.
10. International Data Transfers
Encrypted data may be processed in the US (Google Cloud). Because it's E2E encrypted, encrypted blobs are meaningless regardless of storage location. For AI processing (opt-in), Standard Contractual Clauses apply.
11. Children's Privacy
Not intended for users under 18. If we discover a minor's account, we delete it.
12. Crisis Detection Privacy
Crisis keyword detection runs entirely on your device. No crisis data is sent to servers or logged. Device locale is used only to display regional hotlines.
13. Changes to This Policy
Material changes will be notified 30 days in advance via email and/or in-app notification.
14. Contact Us
- Email: privacy@myopenheart.co
- Website: www.myopenheart.co/privacy