Privacy Policy

Last updated: 26 September 2025

1. Introduction

Elora ("the App", "we", "our", "us") is a voice-first, emotionally intelligent journaling app. We are committed to protecting your privacy and ensuring your personal data is handled responsibly.

Data Controller: Samuel McCarthy
Contact Email: samrmccarthy6@gmail.com

This Privacy Policy explains what information we collect, how we use it, and the rights you have. If you do not agree with this Policy, please do not use the App.

2. Information We Collect

We collect the following categories of information:

Voice Recordings – spoken journal entries, processed for transcription and analysis, then deleted from our servers shortly after processing.
Text Entries – typed journal entries, stored locally and synced when online.
AI Summaries & Insights – summaries, themes, and prompts generated by Anthropic's Claude and OpenAI's GPT-4.1 Mini.
Embeddings – AI vector representations of summaries stored in PostgreSQL (pgvector). Embeddings are mathematical representations and cannot be reversed to recreate the original text.
Metadata – timestamps, device type, app version, and limited technical logs for debugging.
Account Data – if you choose to sign up, we collect your email address and authentication tokens via Supabase Auth (email/password or OAuth).
App Usage Data – aggregated feature-use metrics to help improve the user experience (only if enabled; no advertising identifiers).

We do not collect precise location, contact lists, or advertising IDs. We do not show ads.

3. How We Use Your Information

We use your data only to provide and improve Elora, including:

Enabling journaling via text and voice
Providing AI-generated summaries, themes, and insights
Creating your personal graph visualization ("Soul Map")
Storing entries securely and syncing across devices
Running background analysis jobs (e.g., profile regeneration based on journaling volume)
Managing authentication and account security
Improving functionality, reliability, and fixing issues

We do not sell your data or share it for advertising.

4. Data Storage and Processing

Local (Offline-First)

Entries are first saved locally on your device using expo-sqlite, so you can journal offline.

Cloud Sync

When online, entries/summaries/embeddings sync to a PostgreSQL database hosted on Railway.

Queueing & Authentication

Redis schedules summarization and analysis jobs. Authentication managed by Supabase Auth.

5. Third-Party Services (Processors)

To deliver AI-powered journaling, we securely transmit data to trusted processors:

Anthropic (Claude)
Summarization & emotional theme extraction

OpenAI (GPT-4.1 Mini)
Prompts, contextual insights & reflection suggestions

Supabase
User authentication & session management

Railway
Managed hosting for backend database & infrastructure

When you submit a journal entry, the content (text or transcribed voice) may be transmitted securely to Anthropic and/or OpenAI solely to generate summaries, insights, or prompts. These providers may retain requests and outputs temporarily for safety/abuse monitoring and operational reliability, but do not use your data to train their models when accessed via their APIs. We do not permit any processor to use your data for advertising.

6. AI Model Training

Your entries, summaries, and embeddings are not used to train Anthropic, OpenAI, or any external AI models. Processing is limited to providing the App's features back to you.

7. Data Retention

Voice Recordings: processed for transcription and deleted from our servers shortly after processing.
Text Entries, Summaries, Embeddings: retained until you delete the content or delete your account.
Metadata & Technical Logs: retained for a limited period necessary for debugging, security, abuse prevention, and service reliability.

8. Your Rights (GDPR / CCPA / Australia Privacy Act)

Depending on your location, you may have the right to:

Access your personal data

Correct inaccurate data

Delete your data ("Right to be Forgotten")

Restrict or Object to certain processing

Data Portability – request an export in a portable format (e.g., JSON)

To exercise these rights, email samrmccarthy6@gmail.com. We will verify your identity and respond within applicable legal timeframes.

9. Delete My Account (Apple Requirement)

You can delete your account and associated data at any time:

In-App: Settings → Delete Account

Email: samrmccarthy6@gmail.com with subject "Delete My Account"

Upon deletion, your journal entries, summaries, embeddings, and personal data are permanently removed from our systems within up to 30 days (subject to limited delays from backups and processor queues). Some minimal records may be retained where legally required (e.g., fraud prevention, safety logs) and are then securely deleted.

10. International Data Transfers

Your data may be processed in or transferred to countries outside your own (including the United States and the European Union). Where required, we rely on safeguards such as Standard Contractual Clauses (SCCs) embedded in our processors' terms to ensure an adequate level of protection.

11. Security

We employ industry-standard technical and organizational measures, including TLS (HTTPS) in transit and encryption at rest where applicable (e.g., in PostgreSQL). Despite these measures, no method of transmission or storage is completely secure; you use the App at your own risk.

12. Legal Bases for Processing (GDPR)

For users in the EEA/UK, we rely on the following legal bases:

Consent – when you submit entries or enable AI features

Contract – to provide the App's core services you request

Legitimate Interests – improving reliability, security, and functionality

Legal Obligation – where we must comply with applicable laws

You may withdraw consent at any time (e.g., by disabling features or deleting content/account), but this will not affect processing already performed.

13. Children's Privacy

Elora is not intended for children under 16. We do not knowingly collect data from children. If you believe a child has provided personal data, contact us and we will delete it promptly.

14. Changes to This Privacy Policy

We may update this Policy from time to time. The "Last updated" date reflects the current version. Material changes will be communicated in-app and/or by email (if you have an account). Continued use of the App after an update constitutes acceptance of the revised Policy.

15. Contact Us

Data Controller: Samuel McCarthy
Email: samrmccarthy6@gmail.com