Privacy Policy

1. Introduction

Welcome to Stoxia, a minimalist Stoic journaling app designed with privacy at its core. This Privacy Policy explains what data we collect, how we use it, how we protect it, and your rights regarding your personal information.

Stoxia is a personal project developed and operated by Naim Dridi Podadera as an individual developer. This is not a commercial entity or registered company.

By using Stoxia, you agree to this Privacy Policy. If you do not agree, please do not use the app.

2. What Data We Collect

2.1 Local Data (Stored on Your Device)

• Journal Entries: All your journal text, reflections, and notes are stored locally on your device in an encrypted SQLite database using SQLCipher encryption. This data never leaves your device unless you explicitly enable backup or export features.
• App Settings: Your preferences (notification times, theme settings, etc.) are stored locally in secure storage.
• Encryption Keys: If you enable encrypted exports or backups, encryption keys are stored in secure device storage (iOS Keychain / Android Keychain) and never transmitted to our servers.

2.2 Data We Collect on Our Servers

• Anonymous User ID (UID): We use Firebase Anonymous Authentication to generate a persistent anonymous identifier for your device. This UID does not contain any personal information and is used solely to enable optional features like anonymous feedback submission and subscription management.
• Subscription Data (RevenueCat): We use RevenueCat to manage premium subscriptions. RevenueCat collects your anonymous user ID, purchase receipts from Apple/Google, subscription status, and device information (platform, OS version, app version) to verify entitlements and sync subscriptions across devices. RevenueCat does not have access to your payment information (credit card, billing address), which is processed exclusively by Apple App Store or Google Play Store. Learn more: RevenueCat Privacy Policy.
• Remote Configuration Data: We use Firebase Remote Config to deliver feature flags and settings. This service logs minimal anonymous usage data (device type, app version) to determine which configuration to serve.
• Anonymous Feedback: If you choose to submit feedback or feature suggestions through the app, your message is stored in Cloud Firestore with your anonymous UID. No journal content or personally identifiable information is collected unless you explicitly include it in your feedback message.
• Anonymous Diagnostic Data: We use Firebase Crashlytics to collect anonymous crash reports and diagnostic data to improve app stability. This includes crash logs, device information (model, OS version), and app state at the time of crashes. No personal data, journal content, or user-generated text is included in these reports. You can disable crash reporting in the app's Settings at any time.

2.3 Data We Do NOT Collect

• We do not collect your name, email address, or phone number for core app functionality (except if you voluntarily provide it in feedback messages or support requests).
• We do not use analytics SDKs or tracking pixels.
• We do not collect behavioral data, location data, contacts, photos (except when you explicitly choose to attach an image to a journal entry, which is stored locally and encrypted).
• We do not use third-party advertising networks or sell your data to anyone.
• We do not include personal data, journal entries, or user-generated content in crash reports.

3. How We Use Your Data

We use the data we collect for the following purposes:

• Core Functionality: To provide journaling features, store your entries securely, and enable AI-generated Stoic insights.
• Product Improvement: Anonymous feedback (when you choose to submit it) helps us understand user needs and improve features.
• Feature Flags: Remote Config allows us to test new features and roll them out gradually without requiring app updates.
• App Stability: Anonymous crash reports help us identify and fix bugs to improve app reliability and performance.

We do not use your data for advertising, profiling, behavioral tracking, or any purpose other than those listed above.

4. Data Sharing & Third Parties

4.1 Third-Party Services

Stoxia uses the following third-party services to operate:

• Firebase (Google): For authentication (anonymous UID), remote configuration (Remote Config), anonymous feedback storage (Cloud Firestore), and crash reporting (Crashlytics). Firebase processes data according to Google's privacy policies. Learn more: Firebase Privacy.
• RevenueCat: For subscription management and entitlement verification. RevenueCat receives your anonymous user ID, purchase receipts (from Apple/Google), subscription status, and basic device information to manage premium access. RevenueCat does not receive payment details (credit card information, billing address), which remain with Apple/Google. See RevenueCat's privacy policy: RevenueCat Privacy.
• Apple App Store / Google Play Store: For processing subscription payments. All payment information (credit card, billing address) is handled exclusively by Apple or Google. We never have access to your payment details. Apple and Google share only purchase receipts with us (via RevenueCat) to verify subscription status.
• OpenAI / AI API Provider: When you use the AI insight feature, your journal reflection text is sent to OpenAI's API over an encrypted connection (TLS). We recommend avoiding personally identifiable information in your reflections. OpenAI's API terms state that data is not used to train their models and is retained for a maximum of 30 days for abuse monitoring. See Section 5 for details.

4.2 No Data Selling

We do not sell, rent, or trade your personal information to third parties for marketing or advertising purposes.

4.3 Legal Disclosures

We may disclose your data if required by law, court order, or government regulation, or to protect our legal rights, prevent fraud, or ensure the safety of users.

5. AI Usage & Data Transmission

Stoxia uses artificial intelligence to generate short Stoic insights based on your journal entries. Here's how this feature works:

• What Is Sent: When you save a journal reflection, the text of your reflection is sent to OpenAI's API to generate a brief Stoic insight. Only the reflection text is sent, not your entire journal history or other personal data.
• User Responsibility: We recommend that you avoid including personally identifiable information (names, addresses, phone numbers, email addresses, etc.) in your reflections, as this text is transmitted to OpenAI for processing.
• Encryption in Transit: All data is transmitted over TLS (HTTPS) encryption to protect it during transmission.
• API Provider Policy: OpenAI's API terms (as of October 2024) state that API data is not used to train their models and is retained for a maximum of 30 days for abuse monitoring purposes only. See OpenAI's privacy policy for details: openai.com/policies/privacy-policy
• Optional Feature: AI analysis is automatically enabled but can be disabled by not using the app or by requesting an app version without AI features. The AI feature requires an active API key to function.
• Failure Handling: If the AI service is unavailable, your reflection is still saved locally, and a fallback message is displayed instead of an AI-generated insight.

Disclaimer: AI-generated insights are for educational and reflection purposes only. They are not medical, therapeutic, or professional advice. By using this app, you acknowledge that your journal reflections may be sent to OpenAI for processing.

6. Backups, Export, and Import

6.1 Local Encrypted Backups

Stoxia allows you to create encrypted backup files (JSON format) stored on your device. These backups are encrypted using a key stored in your device's secure storage.

6.2 Optional Cloud Backup

You may optionally enable end-to-end encrypted cloud backup via iCloud (iOS) or Google Drive (Android). When enabled:

• Your encrypted database is uploaded to your personal cloud storage account (not Stoxia's servers).
• The encryption key remains on your device in secure storage and is not shared with us or the cloud provider.
• You control access to your cloud account and can delete backups at any time via iCloud/Google Drive settings.

6.3 Export & Import

You can export all your journal data as a JSON file. This file can be optionally encrypted with a password you choose. To restore data, import the JSON file back into the app. Exported files are saved to your device's local storage and can be shared via email or other methods at your discretion.

7. Data Retention & Deletion

7.1 Local Data

Your journal entries and settings are stored on your device indefinitely until you delete them. You can delete individual entries or reset the entire app (which permanently erases all local data).

7.2 Server-Side Data

• Anonymous UID: Stored indefinitely as long as you use the app. Deleted if you uninstall and do not restore from backup.
• Anonymous Feedback: Stored in Firestore indefinitely for product improvement. You can request deletion by contacting us (see Section 12).
• Crash Reports: Stored in Firebase Crashlytics indefinitely for app stability analysis. You can disable crash reporting in Settings or request deletion by contacting us.

7.3 Right to Deletion

You can request deletion of any data we hold on our servers by emailing stoxia.app@gmail.com. We will delete your anonymous UID, any associated feedback, and crash reports within 30 days.

8. Your Rights (GDPR & CCPA)

Depending on your location, you may have the following rights:

• Right to Access: Request a copy of the data we hold about you (anonymous UID, feedback submissions, crash reports).
• Right to Portability: Export your journal data as JSON at any time via the app's Export feature.
• Right to Correction: Request correction of inaccurate data (applicable mainly to feedback messages).
• Right to Deletion: Request deletion of your anonymous UID, feedback, and crash reports (see Section 7.3).
• Right to Restriction: Request that we limit processing of your data (e.g., stop using feedback you submitted).
• Right to Object: Object to processing of your data for specific purposes (e.g., AI analysis or crash reporting, which can be disabled in Settings).
• Right to Withdraw Consent: If processing is based on consent, you can withdraw it at any time (e.g., disable optional features).
• Right to Lodge a Complaint: If you believe we have mishandled your data, you can file a complaint with your local data protection authority.

To exercise any of these rights, contact us at stoxia.app@gmail.com.

9. Children's Privacy

Stoxia is intended for users aged 18 and over. We do not knowingly collect personal information from children under 18. If a parent or guardian becomes aware that their child has provided us with data without consent, please contact us immediately at stoxia.app@gmail.com and we will delete the data.

If you are under 18 and wish to use Stoxia, you must obtain parental or guardian consent before using the app.

10. Security Measures

We take the security of your data seriously and implement the following measures:

• SQLCipher Encryption: Journal entries are stored in an encrypted SQLite database on your device.
• Secure Storage: Encryption keys and sensitive settings are stored in iOS Keychain / Android Keychain.
• TLS Encryption: All data transmitted to our servers or third-party APIs is encrypted in transit using TLS 1.2+.
• No Plain-Text Logs: We do not log journal content or personal information in plain text.
• Regular Security Audits: We periodically review our code and dependencies for security vulnerabilities.

While we strive to protect your data, no method of transmission or storage is 100% secure. You are responsible for safeguarding your device (use a passcode, biometric lock, etc.).

11. Cookies & Website Tracking

This website (stoxia.web.app) is hosted on Firebase Hosting and does not use cookies for tracking or analytics. The only cookies used are essential session cookies required for hosting functionality (e.g., CDN caching). We do not use Google Analytics, advertising pixels, or other tracking technologies on this website.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your data, please contact us:

Email: stoxia.app@gmail.com
Developer: Naim Dridi Podadera
Project Type: Personal/Independent Project

We will respond to your inquiry within 30 days.

Note: As this is a personal project operated by an individual developer, there is no formal Data Protection Officer (DPO). All data protection inquiries should be directed to the email above.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or app features. When we make significant changes, we will:

• Update the "Last Updated" date at the top of this page.
• Notify you via an in-app message or email (if you have provided an email).
• Archive previous versions of the policy for your reference.

Continued use of Stoxia after changes indicates your acceptance of the updated policy.

Policy Archive: View Previous Versions (link to be added when versioning is implemented)

14. International Data Transfers

Stoxia uses Firebase services, which may store and process data in data centers located in the United States and other countries. If you are located in the European Economic Area (EEA) or other regions with data protection laws, your data may be transferred to countries with different privacy protections. Firebase complies with GDPR through Standard Contractual Clauses and other safeguards. Learn more: Firebase Privacy & Security.

15. Premium Subscriptions & Payment Processing

Stoxia offers optional premium subscriptions (Monthly, Annual, and Lifetime) managed through RevenueCat and processed by Apple App Store or Google Play Store billing systems.

15.1 What Data is Collected for Subscriptions

• Payment Information: Your credit card, billing address, and payment details are processed exclusively by Apple or Google. We never have access to your payment information.
• Purchase Receipts: Apple/Google provide purchase receipts to verify your subscription status. These receipts are shared with RevenueCat to manage entitlements.
• Anonymous User ID: Your anonymous UID (from Firebase) is linked to your subscription to sync premium status across devices.
• Subscription Status: RevenueCat tracks whether you have an active subscription, trial status, and expiration dates to grant or revoke premium features.

15.2 How Subscription Data is Used

• To verify your entitlement to premium features
• To sync your subscription status across multiple devices
• To manage free trials and auto-renewal
• To process refunds and handle subscription issues (via Apple/Google support)

15.3 RevenueCat's Role

RevenueCat acts as a subscription management platform. It does not process payments or store payment information. RevenueCat only receives anonymous identifiers and purchase receipts to verify subscription status. See RevenueCat's privacy policy: RevenueCat Privacy.

15.4 Subscription Data Retention

Subscription data (anonymous UID, purchase receipts, subscription status) is retained as long as you have an active or expired subscription. If you request deletion of your data (see Section 7.3), we will delete your anonymous UID and subscription status from our systems within 30 days. However, Apple and Google may retain payment and purchase history according to their own policies.

16. Summary of Key Points

• Your journal entries are stored locally and encrypted on your device.
• We collect minimal anonymous data (feature flags, optional feedback, crash reports, and subscription status only).
• RevenueCat manages subscriptions using your anonymous ID and purchase receipts. Payment details (credit card, billing) are handled only by Apple/Google, never by us.
• We do not track you, sell your data, or run ads or analytics.
• AI-generated insights require sending your reflection text to OpenAI. We recommend not including personal information in your reflections.
• You can export all your data at any time.
• You have full rights under GDPR/CCPA to access, delete, or correct your data.
• Contact us anytime at stoxia.app@gmail.com.