Privacy Policy

Last updated: February 6, 2026

1. Who We Are

Dear Self ("we", "us", "our") is an AI-powered personal journal service operated from the European Union. We act as the Data Controller for personal data processed through our service.

You can reach us at any time by writing to yordan@dearself.ai.

2. What Data We Collect

We collect and process the following categories of data:

Category | Data | Storage
Identity | Email address (as provided by your email client) | Plain text (for routing)
Journal content | Email subject, body text, and any attachments you send | AES-256 encrypted at application level
Semantic embeddings | Vector representations of your entries (used for search and context retrieval) | Stored in pgvector
User profile | Preferences, timezone, and AI-derived facts about you (e.g. "prefers morning check-ins") | Encrypted
Payment data | Processed entirely by Stripe. We store only your Stripe Customer ID and subscription status. | Plain text (non-sensitive identifiers)
Metadata | Timestamps, email message IDs (for threading) | Plain text
Website Analytics | Anonymized link clicks, page views, and conversion events (opt-in only) | Google Analytics

We do not use tracking cookies or analytics for the journaling service itself. On our marketing website, we use minimal tracking only if you provide explicit consent via our cookie banner.

3. Cookies and Tracking

We use a small number of cookies and local storage items to operate this website:

  • dearself_consent (LocalStorage): Stores your privacy preference (accepted/declined) so we don't ask you every time you visit.
  • Google Analytics: If you opt in, Google Analytics sets cookies to help us understand how visitors interact with the site. This data is anonymized and cannot be used to identify you personally.

4. Legal Basis for Processing (GDPR Art. 6)

  • Performance of a contract (Art. 6(1)(b)): Processing your journal entries, storing them, generating reflections, and responding to queries is necessary to deliver the service you signed up for.
  • Legitimate interest (Art. 6(1)(f)): We process minimal metadata (timestamps, message IDs) to maintain email threading and ensure service reliability.
  • Consent (Art. 6(1)(a)): Where we send you periodic reflections or check-in prompts, you can opt out at any time by emailing us.

5. How We Use Your Data

Your data is used exclusively to:

  1. Receive, parse, and store your journal entries (encrypted).
  2. Generate AI-powered replies, reflections, and search results based on your entries.
  3. Build your personal profile to improve response relevance over time.
  4. Send you periodic summaries, prompts, and annual reports (if enabled).
  5. Process payments through Stripe.

We do not use your data to train AI models, serve advertising, build aggregate profiles, or share information with third parties for their own purposes.

6. AI Processing

Dear Self uses Google Gemini for natural language understanding and response generation. When you send a journal entry:

  1. Your entry is decrypted in-memory on our server for processing.
  2. The text is sent to the Gemini API to generate a response. This transmission uses TLS encryption.
  3. Google's API processes the text and returns a response. Per Google's API terms, data sent via the API is not used to train their models.
  4. The response is delivered to you by email. Your original text is re-encrypted at rest.

At no point is your data persisted on Google's infrastructure beyond the duration of the API request.

7. Encryption and Security

We follow a Trust No One (TNO) architecture:

  • Application-level AES-256 encryption: Your journal content is encrypted before it reaches the database. A full database dump would reveal nothing readable.
  • Private network: The database and cache run inside a private VPC with no public internet access.
  • TLS everywhere: All connections between services, and all external API calls, are encrypted in transit.
  • No passwords to leak: Authentication is based on email address ownership. There is no password, no login form, and no credential database.

8. Sub-processors

We use the following third-party services to operate Dear Self. Each is bound by a Data Processing Agreement (DPA):

Provider | Purpose | Location
DigitalOcean | Application hosting, managed PostgreSQL, Redis, object storage | EU (Frankfurt)
Resend | Email sending and inbound webhook routing | US
Google (Gemini API) | AI inference (text generation and embeddings) | US / Global
Google (Analytics) | Anonymized website usage tracking (opt-in only) | US / Global
Stripe | Payment processing | US / EU
Cloudflare | DNS and TLS termination | Global (edge)

For sub-processors located outside the EU (Resend, Google, Stripe), data transfers are covered by Standard Contractual Clauses (SCCs) and, where applicable, the EU-U.S. Data Privacy Framework.

9. Data Retention

  • Active accounts: Your journal entries are retained for as long as your account is active. You can request deletion at any time.
  • Account deletion: Upon request, all your data (entries, embeddings, profile, and generated reports) will be permanently erased within 30 days.
  • Payment records: Stripe transaction data is retained per Stripe's own policies and applicable tax/accounting law (typically 7 years for invoices).
  • Backups: Encrypted database backups may retain deleted data for up to 7 days before automatic rotation.

10. Your Rights Under GDPR

As an EU resident, you have the following rights regarding your personal data. To exercise any of them, email yordan@dearself.ai:

  • Right of access (Art. 15): Request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): Ask us to correct inaccurate data.
  • Right to erasure (Art. 17): Request permanent deletion of all your data.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to restrict processing (Art. 18): Ask us to stop processing your data while a complaint is resolved.
  • Right to object (Art. 21): Object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)): Withdraw consent for optional processing (e.g. periodic reflections) at any time without affecting prior processing.

We will respond to all requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority (DPA).

11. International Data Transfers

Your journal content is hosted on DigitalOcean infrastructure in the EU (Frankfurt region). However, during AI processing your decrypted text is temporarily transmitted to Google's Gemini API and email content passes through Resend's infrastructure, both of which may be located outside the EU.

These transfers are safeguarded by Standard Contractual Clauses (SCCs), the EU-U.S. Data Privacy Framework where applicable, and the sub-processors' own GDPR compliance commitments.

12. Children

Dear Self is not directed at individuals under 16 years of age. We do not knowingly collect data from minors. If we learn that we have collected data from a child under 16, we will delete it promptly.

13. Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify you by email (the same channel you use the service through). Continued use of the service after notification constitutes acceptance of the updated policy.

14. Contact

For any privacy-related questions, concerns, or to exercise your rights:

Dear Self — Data Protection

Email: yordan@dearself.ai

We aim to respond to all data protection inquiries within 30 calendar days.