Last Updated: February 11, 2026
Welcome to Remembrance ("we," "us," "our," "Service," or "Platform"). We are committed to protecting your privacy and ensuring you have a positive experience on our platform. This Privacy Policy explains how we collect, use, disclose, and otherwise process information in connection with our voice journaling web application.
This Privacy Policy applies to all users of Remembrance, including those in the European Union, California, and worldwide. We comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
Our Privacy Principles:
- We collect only the data necessary to provide our service
- We never sell or share your journal content with advertisers
- You maintain full control over your data
- We use industry-standard security measures
- We are transparent about our data practices
Data Controller/Service Operator:
Remembrance Journal
Email: hello@remembrancejournal.com
Response Time: We respond to data requests and inquiries within 48 hours
For data protection inquiries, GDPR requests, or privacy concerns, please contact us at the email address above.
What we collect:
- Username (alphanumeric, 3-50 characters)
- Email address (optional, for account recovery)
- Password (securely hashed, never stored in plain text)
- Account creation date and last login timestamp
How we use it: To authenticate your account, manage your access, and provide customer support
Legal basis: Contractual necessity (required to provide the service)
Storage: MongoDB database with AES-256 encryption at rest
Retention: Until you delete your account
What we collect:
- Voice recordings (audio files in MP3, WAV, M4A, WebM, or MP4 format; maximum 25MB per file, 15-minute maximum duration)
- Transcribed text converted from your voice recordings
- Manually typed journal entries
- Entry timestamps and dates
- Edit history of your entries
How we use it: To provide core journaling functionality, enable transcription, power semantic search, and generate summaries
Legal basis: Contractual necessity and your explicit consent
Storage:
- Audio files are temporarily stored only during transcription processing and permanently deleted immediately after
- Text entries and edit history are encrypted at rest in MongoDB using AES-256
- Transcriptions remain your property and are never used for training purposes
Retention: Until you delete individual entries or your entire account
Important Note: Your journal entries may contain sensitive personal information. We treat all journal content with the highest level of confidentiality.
What we generate:
- Text embeddings (mathematical vectors used to enable semantic search)
- Weekly, monthly, and yearly AI-powered summaries of your journal entries
- Semantic search results and contextual answers to your queries
How we use it: To enable intelligent search, organize your thoughts, and provide automated insights
Legal basis: Contractual necessity (part of our service features)
Storage: Encrypted at rest in MongoDB
Retention: Until you delete the associated journal entries or your account
AI Processing Transparency: All AI processing is performed using OpenAI's APIs (see Section 6 for details). These summaries and search results are generated based on your entries but are never used to train AI models.
What we collect:
- API usage metrics (transcription duration, number of embeddings generated, summary generation frequency)
- Transaction IDs for cost tracking
- Operation timestamps
- Feature usage patterns (which features you use and how often)
How we use it: To improve our service, optimize performance, manage costs, prevent abuse, and provide better user experience
Legal basis: Legitimate business interest
Storage: MongoDB database
Retention: Raw usage data retained for 12 months; after that, it is aggregated and anonymized
Your Control: You can request that your usage data not be used for analytics by contacting us at hello@remembrancejournal.com
What we collect:
- Internet Protocol (IP) addresses (for security and rate limiting)
- Browser type and version (from HTTP headers)
- Session cookies (for authentication)
- Error logs and diagnostic data (for debugging and system maintenance)
- Device information (limited, only browser-level data)
How we use it: To maintain security, prevent fraud and abuse, diagnose technical issues, and ensure service stability
Legal basis: Legitimate business interest and contractual necessity
Storage: Application logs (rotated every 10MB, maximum 10 backups retained)
Retention: 30 days for security logs and session data; session cookies expire automatically after 24 hours of inactivity
Under GDPR, we rely on the following legal bases for processing your personal data:
| Data Type | Legal Basis | Reason |
|---|---|---|
| Account Information | Contractual Necessity | Required to provide the service |
| Journal Content | Contractual Necessity & Consent | Core service functionality |
| AI-Generated Content | Contractual Necessity | Service features you use |
| Usage Analytics | Legitimate Interest | Service improvement and optimization |
| Technical Data | Contractual Necessity & Legitimate Interest | Security and service stability |
We use your data to:
We also use your data to:
We explicitly do not:
We share your data with the following service providers. These companies process data on our behalf and are contractually obligated to protect your information:
Services Provided:
- Whisper-1 API for voice-to-text transcription
- Text-Embedding-3-Small API for semantic search embeddings
- GPT-4o Mini API for summary generation and semantic query responses
Data Shared:
- Audio files (during transcription only, immediately deleted after processing)
- Journal entry text (for embeddings and summaries)
OpenAI's Data Practices:
- OpenAI retains API data for 30 days only (as of their current policy)
- Your data is NOT used to train OpenAI's models (API users benefit from this policy)
- Data transmitted via encrypted HTTPS connection
- OpenAI is located in the United States
Safeguards:
- We only send data necessary for specific tasks
- OpenAI has robust security and privacy practices
- Standard Contractual Clauses in place for EU data transfers
OpenAI Privacy Policy: https://openai.com/policies/privacy-policy
Service Provided: Cloud database hosting and management
Data Stored:
- Your account information
- All journal entries and transcriptions
- AI embeddings and summaries
- Usage tracking data
Safeguards:
- AES-256 encryption at rest
- TLS 1.2+ encryption in transit
- Regular automated backups
- Access controls and authentication
- Compliance with SOC 2 Type II standards
Location: Multi-region deployment (you can specify region)
Service Provided: Secure payment processing for subscriptions
Data Shared:
- Email address
- Billing address
- Payment information (handled by Stripe, we never see full card details)
- Subscription tier and status
Safeguards:
- PCI-DSS Level 1 compliance
- We do NOT store credit card numbers or CVV codes
- Stripe handles all sensitive payment data
- Encrypted payment transmission
Stripe Privacy Policy: https://stripe.com/privacy
Important: We never have direct access to your payment credentials.
Service Provided: Application hosting and deployment
Data Shared:
- Technical logs (IP addresses, error logs)
- Session data
- Non-sensitive operational metrics
Safeguards:
- Infrastructure-level encryption
- DDoS protection and security monitoring
- Regular security audits
- Compliance certifications
Since our service is cloud-hosted and we use international service providers, your data may be transferred to and processed in countries outside your country of residence, including the United States.
For users in the European Union and European Economic Area (EEA):
We ensure that data transferred internationally receives the same level of protection as required in the EU through contractual safeguards.
While your account is active:
- Journal entries, transcriptions, and embeddings are retained indefinitely
- Account information retained until you delete your account
- Usage data retained for 12 months, then aggregated/anonymized
When you delete your account:
1. All journal entries are immediately deleted from active systems
2. All account information is immediately deleted
3. All usage analytics associated with your account are anonymized
4. Database backups are purged within 30 days
5. OpenAI's retained data is deleted per their policy (maximum 30 days)
Deletion Process:
- Go to Account Settings → Privacy & Security → Delete Account
- Confirm deletion (this action is irreversible)
- All data permanently deleted within 30 days
We maintain automated backups for disaster recovery purposes:
- Backups are retained for up to 30 days
- Backups are encrypted with the same safeguards as active data
- When you delete your account, backups are purged within 30 days
If you are located in the EU or EEA, you have the following rights under GDPR:
Right of Access:
- You can request a copy of all personal data we hold about you
- Response provided within 30 days in a portable format
- Request email: hello@remembrancejournal.com
Right of Rectification:
- You can correct inaccurate personal data
- Use Account Settings to update your information directly
- Contact us to correct data you cannot update yourself
Right of Erasure (Right to be Forgotten):
- You can request deletion of your data
- We will delete within 30 days unless legal obligations require retention
- Some data may need to be retained for legal compliance
Right of Data Portability:
- You can request your data in a machine-readable format (JSON export)
- Available in Account Settings → Data Export
- Provides portability to move to another service
Right to Restrict Processing:
- You can ask us to limit processing of your data
- Useful if you dispute accuracy or object to processing
- We will maintain data but not actively use it
Right to Object:
- You can object to processing based on legitimate interest
- You can opt out of analytics and aggregated data collection
- Request via Account Settings or email
Right Not to be Subject to Automated Decision-Making:
- We do not use automated decision-making on your journal content
- We do not perform profiling for purposes beyond stated features
Right to Withdraw Consent:
- You can withdraw consent for processing at any time
- Withdrawal does not affect processing before you withdrew
- Contact us or use Account Settings to withdraw
To Exercise Rights: Contact hello@remembrancejournal.com with "GDPR Request" in the subject line. We will verify your identity and respond within 30 days.
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):
Right to Know:
- You can request what personal information we collect
- You can request the sources of that information
- You can request how we use it
Right to Delete:
- You can request deletion of personal information we have collected
- Exceptions: Information necessary to provide services, legal compliance
- We will delete within 45 days
Right to Opt-Out:
- We do not sell your personal information, so there is nothing to opt out of
- You can limit data processing for analytics
Right to Non-Discrimination:
- We will not discriminate against you for exercising CCPA rights
- You will receive the same service and pricing
Right to Correct:
- You can request correction of inaccurate information
To Exercise Rights: Contact hello@remembrancejournal.com with "CCPA Request" in the subject line. We will respond within 45 days.
No special request needed:
- Access: You can view all your data in-app anytime
- Edit: You can edit your account information directly
- Delete: You can delete individual entries or your entire account
- Export: You can export your data in standard formats
- Opt-Out: You can disable optional features (analytics, summaries)
Essential Cookies:
- Session Authentication Cookie: Maintains your login session (expires after 24 hours of inactivity)
- Security Tokens: CSRF protection cookies (prevents cross-site request forgery)
- Preferences: Remembers your UI preferences (dark mode, language, etc.)
Purpose: These cookies are required for the service to function. Without them, you cannot use Remembrance.
Control: Essential cookies cannot be disabled as the service will not work without them.
We explicitly do not use:
In Your Browser:
- You can manage cookies in your browser settings
- Disabling essential cookies will prevent the service from working
- Instructions: [Browser-specific instructions available on most browser vendor websites]
Important: We do not track you across the web or use cookies for marketing purposes.
We implement comprehensive security measures to protect your data from unauthorized access, alteration, disclosure, or destruction.
Encryption:
- All data encrypted in transit using HTTPS with TLS 1.2 or higher
- Database encryption at rest using AES-256
- Passwords hashed with SHA-256 plus unique salt for each user
- Audio files encrypted during transmission and temporary storage
Access Control:
- All access requires authentication
- Session-based authentication with secure, HTTPOnly cookies
- Complete data isolation between users (users cannot access other users' data)
- Minimal privilege principle (only essential personnel have access)
Rate Limiting:
- 100 requests per minute for general API usage
- 10 requests per minute for transcription (to prevent abuse)
- IP-based rate limiting to detect suspicious activity
Input Validation:
- All user inputs are validated and sanitized
- Protection against SQL injection (MongoDB parameterized queries)
- Protection against Cross-Site Scripting (XSS) attacks
- CORS protection (only configured origins can access the API)
Infrastructure:
- Automated daily database backups
- 30-day backup retention for disaster recovery
- Infrastructure-level DDoS protection
- Automated security updates and patches
- Health monitoring and alerting systems
Access Policies:
- As an individual operator, I have minimal access to user data
- No routine access to journal content
- Access logged and auditable
- Secure credential management using environment variables
Incident Response:
- Security incidents logged and tracked
- Breach notification procedures in place
- User notification within 72 hours if high risk
- Regulatory notification as required
- Public transparency report maintained
No System is 100% Secure:
- While we implement industry-standard security measures, no internet transmission or electronic storage is completely secure
- You use Remembrance at your own risk
- We cannot guarantee absolute protection against all threats
Your Responsibilities:
- You are responsible for maintaining the confidentiality of your password
- Do not share your account credentials with others
- Report suspicious activity immediately to hello@remembrancejournal.com
- Use strong, unique passwords
- Keep your device secure and updated
Remembrance is not intended for:
- Children under 13 years old (United States)
- Children under 16 years old (European Union)
We do NOT:
- Knowingly collect data from children under these age thresholds
- Market to children
- Provide features designed specifically for children
If we discover that a user is below the minimum age requirement:
1. We will immediately disable the account
2. We will delete all associated data within 30 days
3. We will notify the account holder (or parent/guardian if identifiable)
Parents and Guardians: If you believe your child has created an account, please contact us immediately at hello@remembrancejournal.com with proof of age. We will take prompt action.
In the event of a data breach, we will:
Immediate Response (Within 24 hours):
1. Investigate the breach to determine scope and impact
2. Contain the breach to prevent further unauthorized access
3. Secure affected systems
4. Begin notification process
User Notification (Within 72 hours if high risk):
1. Email notification to all affected users
2. Clear explanation of what happened
3. Information on how you can protect yourself
4. Confirmation of remediation steps
5. Contact information for questions
Regulatory Notification:
- Notify regulatory authorities as required by law (GDPR: 72 hours to supervisory authority)
- Provide transparency reports on our website
- Cooperate with investigations
Notification will include:
- What data was affected
- When the breach occurred
- What we discovered and confirmed
- Steps we have taken
- Steps you should take to protect yourself
- Our contact information
You will be notified via:
- Email to the address on file
- In-app notification
- Public announcement on our website/status page (if widespread)
If we make material changes to this Privacy Policy, we will:
When we make significant changes:
- Accept: Continue using the service (implies acceptance)
- Reject: Delete your account before changes take effect
- You cannot use the service while refusing new terms
Minor clarifications or corrections may be made without advance notice. The Last Updated date at the top of this policy indicates when changes were made.
We build privacy protection into Remembrance from the start:
- Collect only necessary data
- Minimize data retention
- Provide user controls
- Encrypt sensitive data
- Regular security audits
We are transparent about:
- What data we collect
- How we use it
- Who we share it with
- Your rights
- Our security practices
We take responsibility for:
- Complying with privacy laws
- Responding to data requests
- Investigating breaches
- Maintaining security
- Improving our practices
Since Remembrance uses artificial intelligence for transcription, embeddings, and summaries, here are important considerations:
What AI Does:
- Converts your voice to text (OpenAI Whisper)
- Creates semantic representations of your entries (embeddings)
- Generates summaries of your journal entries
- Provides semantic search results
Limitations You Should Know:
- Transcription may have errors: AI transcription is highly accurate but not perfect, especially with accents, background noise, or technical terms
- Summaries may be incomplete: AI-generated summaries may miss nuance or context
- Search may not be perfect: Semantic search understands meaning but may miss exact keyword matches
- Not professional advice: AI outputs are NOT substitutes for professional medical, legal, financial, or psychological advice
- AI outputs not guaranteed: We cannot guarantee accuracy or completeness of AI-generated content
You can:
- Disable AI features: Choose not to use transcription, embeddings, or summaries
- Manual entry only: Type entries directly without using voice
- Review before using: Always review transcriptions before saving
- Edit summaries: Summaries are suggestions; edit as needed
- Request human review: Contact us if you need human verification of AI outputs
Your Data and AI Training:
- Your journal entries are NOT used to train OpenAI models
- OpenAI API data policy excludes training by default
- We do not use your content for any AI model training
- Only you access and benefit from your data analysis
For privacy questions, data requests, or concerns:
Email: hello@remembrancejournal.com
Subject Line: "Privacy Request" or "Data Protection Inquiry"
Response Time: Within 48 hours
In Your Email, Please Include:
- Your full name
- Account email address
- Clear description of your request
- Any supporting documentation
If you are not satisfied with our response:
EU/EEA Users: You have the right to lodge a complaint with your local data protection authority (supervisory authority). Contact information available at https://edpb.ec.europa.eu/about-edpb/board/members_en
California Users: You can contact the California Attorney General at https://oag.ca.gov/
Data Protection Inquiries: hello@remembrancejournal.com
This Privacy Policy is governed by the laws of [Your Country/State], without regard to its conflict of law provisions.
For disputes:
- Any disputes will be resolved through good faith negotiation
- If negotiation fails, disputes will be resolved through binding arbitration
- Arbitration will be conducted according to the rules of [Your Jurisdiction]
- Location: [Your City/Country]
GDPR Jurisdiction:
- For users in the EU, data protection supervisory authorities have jurisdiction
- You can lodge complaints with your local data protection authority
Personal Data: Information that identifies you or can reasonably be linked to you (name, email, IP address, etc.)
Processing: Any operation on personal data (collection, storage, use, sharing, deletion, etc.)
Data Controller: Entity that determines how and why data is processed (that's us)
Data Processor: Entity that processes data on behalf of the controller (OpenAI, MongoDB, Stripe)
Data Subject: The person whose data is being processed (you)
GDPR: General Data Protection Regulation (EU law)
CCPA: California Consumer Privacy Act (California law)
Journal Content: All entries, recordings, transcriptions, and related data you create
AI-Generated Content: Embeddings, summaries, and search results created by AI
Sensitive Data: Information about health, race, religion, political views, or other protected characteristics
Q: Do you sell my data?
A: No, absolutely not. We never sell journal entries, personal information, or any data to advertisers or third parties. Your privacy is our priority.
Q: Can I download my data?
A: Yes. We provide data export functionality in Account Settings → Data & Privacy → Export My Data. Your data is exported in JSON format.
Q: What happens if Remembrance shuts down?
A: We will provide advance notice and offer you time to download your data. We will permanently delete your data within 30 days of service closure unless you request otherwise.
Q: Can I request data deletion?
A: Yes, you can delete individual entries anytime, or delete your entire account in Account Settings. All data is deleted within 30 days.
Q: Is my data secure?
A: We use military-grade encryption (AES-256), HTTPS transmission, and secure authentication. However, no system is 100% secure. We recommend strong passwords and secure devices.
Q: Who can access my journal?
A: Only you can access your journal. We do not read, access, or share your entries. Exceptions: Legal requirements (court orders, law enforcement) with notice to you whenever possible.
Q: How do you use OpenAI?
A: We send audio and text to OpenAI's APIs for transcription, embeddings, and summaries. OpenAI does not train models on API data and retains it for only 30 days.
Q: Is this GDPR compliant?
A: Yes. We comply with GDPR Article 28 requirements, use Standard Contractual Clauses for transfers, and respect all GDPR rights. EU users have full data protection.
Q: Is this CCPA compliant?
A: Yes. California residents have all CCPA rights: right to know, delete, opt-out, correct data, and non-discrimination. We do not sell personal information.
This Privacy Policy reflects our commitment to protecting your data while providing a valuable journaling service. We understand that your journal entries may contain deeply personal information. We treat this responsibility seriously and have implemented comprehensive safeguards.
We are committed to:
- Privacy First: Minimizing data collection and maximizing protection
- Transparency: Being honest about our practices
- User Control: Giving you tools to manage your data
- Compliance: Following all applicable laws
- Continuous Improvement: Updating security and privacy practices
If you have questions about this policy or our privacy practices, please don't hesitate to contact us. We welcome your feedback.
Thank you for trusting Remembrance with your personal thoughts and memories.
Last Updated: December 11, 2025
Next Review Date: December 11, 2026
This Privacy Policy is subject to change. Users will be notified of material changes with at least 30 days' advance notice.