Last Updated: March 28, 2026
Contact: alignappeu@gmail.com
1. Scope
This Privacy Policy applies to the Align mobile application, related web experiences, and connected services we operate (collectively, the "Services"). Align is a personal development product designed to help users build self-awareness, define identity, journal, complete rituals, track behavioral change, and use AI-assisted tools.
By using Align, you agree to this Privacy Policy. If you do not agree, please do not use the Services.
2. How Accounts Work
Align supports more than one account state:
- Anonymous / guest sessions - the app may create an anonymous account automatically so you can begin using the product before linking a login provider.
- Linked accounts - depending on platform and availability, you may later link or sign in with Google or Apple.
If you link a provider account after starting anonymously, your existing data may remain attached to the same underlying account so your journals, setup answers, and progress carry forward.
When you link Google or Apple, we may receive:
- Your email address
- Your display name or name components, if provided by the provider
- A stable provider user identifier
- In Apple's case, a private relay email if you choose to hide your real email address
We do not collect or store your Google or Apple password.
3. Data We Collect
3.1 Account and Identifier Data
- Your Supabase authentication user ID
- Anonymous account/session status
- Linked provider identifiers from Google or Apple
- Email address and display name when you link an account
- Support contact details if you email us
3.2 Profile, Onboarding, and Planning Data
- Core Identity responses
- AI Baseline Setup / filling quiz answers, such as dream life, goals, defining traits, weekly targets, and initial daily actions
- Personal context or profile notes used to personalize AI outputs
- Self-ratings, calibration inputs, and other setup values used for AI assessments
3.3 Journaling and Reflection Data
- Daily journal entries
- Morning pages
- Morning ritual responses and daily action plans
- Evening ritual reflections and action completion data
- Weekly recalibration answers
- Proofs, progress markers, and other behavior-tracking inputs you choose to save
3.4 Vision and Media Data
- Vision board text and captions
- Uploaded images used in your vision board or related gallery experiences
3.5 AI Inputs, Outputs, and Derived Insights
When you use AI features, we may process and store:
- Frequencies chat messages and responses
- Awareness Report outputs from onboarding
- AI Baseline Setup drafts and generated identity copy
- Alchemist outputs based on your journal text
- Observer reports
- Identity Score calculations and score history
- Chronicle entries
- Daily Signal outputs
- Day Architect outputs
- Tier Review and similar structured AI-generated assessments
- Saved affirmations, summaries, or other AI-assisted text shown in the app
3.6 Subscription and Purchase Data
Subscription and purchase handling is provided through RevenueCat, the Apple App Store, and Google Play. We may receive:
- Subscription status
- Plan type, including monthly, annual, or lifetime access where offered
- Renewal status and expiration date for recurring subscriptions
- Store product identifiers and package identifiers
- Purchase and restore events
We do not receive or store your full payment card number or full billing instrument details.
3.7 Device, Security, and Technical Data
- A device fingerprint composed of your platform, a hardware-derived hash, and an install identifier
- IP address and request metadata used for anti-abuse controls, replay protection, and rate limiting
- App version, operating system, and platform
- Error, crash, and diagnostic information
We do not use the device fingerprint for advertising or cross-app tracking.
3.8 Analytics Data
We use PostHog for product analytics and diagnostics. This may include:
- Screen views
- App lifecycle events
- Feature usage events
- Performance metrics and crash diagnostics
We do not intentionally send your private journal text, chat content, or full quiz answers to PostHog as product analytics events.
4. How We Use Your Data
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Create and maintain your account | Account identifiers, linked-provider data, profile data | Performance of contract |
| Sync your journals, rituals, plans, and saved content | User-generated content, profile and setup data | Performance of contract |
| Generate AI-assisted outputs and insights | Relevant prompts, journaling data, setup data, action history, saved context, previous reports | Performance of contract / Legitimate interest |
| Determine feature availability, cooldowns, and paid access | Subscription status, linked account status, usage records, device/security metadata | Performance of contract / Legitimate interest |
| Prevent abuse, fraud, and automated misuse | Device fingerprint, IP address, request metadata, security logs | Legitimate interest |
| Process purchases, renewals, restores, and lifetime access | Subscription and purchase events from RevenueCat and stores | Performance of contract |
| Diagnose bugs and respond to support requests | Email address, diagnostics, limited account records relevant to the issue | Legitimate interest |
| Understand product usage and improve the app | PostHog analytics and diagnostics | Legitimate interest |
5. AI Data Processing
Align currently uses Google's Gemini 2.5 Flash through secure server-side infrastructure to power AI-assisted features.
5.1 AI Features Covered by This Policy
- Onboarding Awareness Report
- AI Baseline Setup / Core Identity drafting
- Frequencies chat
- Alchemist journal transformation
- Observer weekly analysis
- Identity Score generation
- Chronicle entries
- Daily Signal generation
- Day Architect outputs
- Tier Review and other structured AI assessments shown in the product
5.2 Data That May Be Sent to the AI Provider
Depending on the feature you use, a request may include some or all of the following:
- Your current prompt, message, or form answers
- Core Identity answers and AI Baseline Setup responses
- Recent journal entries, morning pages, or ritual answers
- Daily actions, action completion data, proofs, and behavior history
- Personal context notes and saved goals
- Vision board text or related goal descriptions
- Recent chat history
- Prior AI outputs that are relevant to the next feature, such as a previous Observer report or Identity Score
- Basic profile context such as your first name
Not every feature uses every category of data.
5.3 How AI Processing Works
- AI requests are sent from our secure server-side infrastructure. The model API key is not exposed to the client app.
- Google processes the request to generate a response under its API terms.
- Under Google's Gemini API terms, API data is not used to train Google's models.
- Some AI outputs are stored in your account if the feature is designed to save them for later review, history, or personalization.
5.4 Feature Gating and Availability
Some AI features may require one or more of the following before they work:
- A linked Google or Apple account instead of an anonymous session
- Completion of Core Identity or AI Baseline Setup
- Enough app history to generate a meaningful output
- A paid plan, depending on the feature
5.5 Your Choices
- AI features are optional.
- You can stop using AI features at any time.
- You can delete your account and associated stored AI outputs from within the app.
For more information on Google's API terms, see Google's Gemini API Terms.
6. Data Storage and Security
6.1 Where Data Is Stored
- User content and account records are stored in Supabase.
- Vision board images and similar uploads are stored in Supabase Storage.
- Images are served through time-limited signed URLs where used in the app.
- Authentication/session tokens and certain local secure identifiers are stored on-device using secure OS-backed storage such as Expo SecureStore.
- Subscription information is processed through RevenueCat and the relevant app store.
- Analytics data is processed through PostHog.
6.2 How Data Is Protected
- HTTPS / encryption in transit: Data sent between the app and our services is encrypted in transit.
- Infrastructure encryption at rest: Hosting providers apply encryption at rest at the infrastructure level.
- Row Level Security (RLS): Database policies are used so users can access only their own records through the application layer.
- Server-side AI gateway: AI calls run through authenticated server-side functions instead of exposing model credentials in the app.
- Signed media access: Uploaded images are accessed through signed URLs rather than unrestricted permanent public links.
- Abuse protection: We use rate limiting, request freshness checks, replay protection, and device fingerprint controls to reduce misuse.
- Subscription integrity checks: Subscription state is validated and synchronized through our billing integrations and server-side logic.
6.3 Administrative Access and Encryption Limits
We do not review private app entries or chats as part of normal analytics or ordinary product operation.
However, Align data is not currently end-to-end encrypted (E2EE). That means authorized personnel can access stored plaintext data when reasonably necessary to operate the service.
Administrative Access: Data stored in Supabase is protected with infrastructure-level encryption in transit and at rest, but it is not end-to-end encrypted. Authorized members of our team, or processors acting on our behalf, may access stored data only when reasonably necessary for technical maintenance, diagnosing bugs, investigating abuse or security incidents, responding to support requests, or complying with legal obligations.
6.4 No Absolute Security Guarantee
No service can guarantee absolute security. We work to protect your data, but you use the Services with that understanding.
7. Data Sharing
We share personal data only with service providers and processors needed to operate Align:
| Processor / Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database, authentication, storage, server infrastructure | Account data, user content, uploads, security logs |
| Google Gemini API | AI-generated outputs | The content included in the relevant AI request |
| RevenueCat | Subscription and purchase processing | User identifier, subscription events, product/package metadata |
| Apple App Store / Google Play | Payments, renewals, refunds, store-side subscription handling | Purchase and subscription metadata handled by the store |
| PostHog | Product analytics and diagnostics | Usage events, app lifecycle events, diagnostics |
We do not:
- Sell your personal data
- Share your data with advertisers for ad targeting
- Use your private content to train our own AI models
- Publicly expose your journals, chat history, or private reflections to other users
We may also disclose data if required by law, valid legal process, or to protect the safety, security, and integrity of the Services.
8. Data Retention
- We generally retain your account data for as long as your account exists.
- If you delete your account, we delete the associated records and files through our deletion workflow.
- AI usage and security logs may be retained for limited operational periods (for example, around 90 days) where needed for abuse prevention, auditing, and troubleshooting.
- Webhook and billing processing records may also be retained for limited operational periods.
- Support communications may be retained for as long as reasonably necessary to handle the request and maintain records.
9. Your Rights and Choices
Depending on your location, you may have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your data
- Restrict or object to certain processing
- Request portability of your data
- Withdraw consent where processing depends on consent
You can contact us at alignappeu@gmail.com to exercise these rights. We will respond within the time required by applicable law.
You can also use in-app controls, where available, to edit journals, rituals, and saved content, stop using AI features, or delete your account from the Settings screen.
10. Account Deletion
You can delete your account from the Settings screen in the app. This deletion is designed to remove the authenticated user's account, associated stored data, storage files, and related records tied to that account.
This may include deletion of:
- Authentication and profile records
- Core Identity and AI Baseline Setup data
- Journals, morning pages, and ritual responses
- Vision board records and uploaded files
- Personal context notes
- AI chat history and saved AI outputs
- Observer reports, Identity Scores, Chronicles, Daily Signals, Day Architect outputs, and Tier Reviews that are stored in your account
- Subscription linkage records, usage records, and device-related anti-abuse records associated with your account
Deletion is irreversible.
11. Children's Privacy
Align is not directed to children under 13, or under 16 where a higher local minimum age applies. We do not knowingly collect personal data from children below the applicable minimum age. If you believe a child has created an account, contact us at alignappeu@gmail.com.
12. International Transfers
Your data may be processed in the European Union, the United States, or other countries where our service providers operate. Where required, we rely on appropriate safeguards for cross-border transfers.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we may notify you through the app, the website, or by other appropriate means.
14. Contact Us
If you have questions about this Privacy Policy or want to exercise your rights, contact:
Email: alignappeu@gmail.com