Privacy Policy
Effective date: May 27, 2026 · Last updated: May 27, 2026
This Privacy Policy describes how Gratitude Galaxy (“Gratitude Galaxy,” “we,” “us,” or “our”) collects, uses, discloses, and protects information about you when you download, install, access, or use the Gratitude Galaxy mobile application (the “App”) and our website at gratitudegalaxy.space (collectively, the “Service”).
We have designed the Service to be private by default. Your journal entries are stored locally on your device. We do not sell your personal information. We do not use third-party advertising or behavioral tracking. This policy explains these practices in detail and your rights under applicable privacy laws including the European General Data Protection Regulation (“GDPR”), the UK Data Protection Act 2018, the California Consumer Privacy Act as amended by the CPRA (“CCPA/CPRA”), and other U.S. state privacy laws.
1. Summary at a glance
- Your journal content (gratitude entries, magic moments, feelings, galaxy names, intentions) never leaves your iPhone. It is stored only in your device’s secure local storage and your standard iCloud Backup if you have one enabled.
- We do not store, sync, or transmit journal entries to our servers. The only server-side data is the account identifier Apple shares when you Sign in with Apple — used solely to recognize you on return visits.
- We never sell, rent, or trade your personal information.
- We do not use cross-site tracking, advertising identifiers, the iOS IDFA, or behavioral profiling.
- You can export or delete all your data at any time from the Profile screen, or by emailing privacy@gratitudegalaxy.space.
- If you sign in with Apple, we receive only the identifiers Apple chooses to share (which may be a private relay email).
2. Who we are (Data Controller)
The data controller responsible for your personal data is the operator of Gratitude Galaxy. For questions, requests, or complaints, contact:
- Email: privacy@gratitudegalaxy.space
- Website: gratitudegalaxy.space
3. Information we collect
We collect only the information we need to operate the Service. Categories:
3.1 Information you provide directly
- Account identifiers (only if you sign in): your Apple user identifier and the email address Apple chooses to share with us (which may be an Apple private relay address), or — if you choose email sign-up — the email address you provide and a securely hashed password.
- Journal content: gratitude entries, magic moments, daily feelings, galaxy names, intentions, custom reminders, and any other text you enter into the App.
- Support correspondence: messages and attachments you send to our support email.
3.2 Information collected automatically
- Device and diagnostic information (limited): operating system version, device model, App version, locale, time zone, and anonymized crash and performance logs. This is used solely to maintain service quality.
- Usage events (only if you opt in to analytics in Settings): aggregated, non-identifying counts such as “entry created” or “screen viewed.” We never collect the content of entries in analytics.
3.3 Information we do not collect
- We do not access your contacts, photo library, microphone, camera, calendar, health data, or location, unless you affirmatively grant a specific permission for an in-App feature that requires it (currently: none).
- We do not use the iOS Advertising Identifier (IDFA), the Apple App Tracking Transparency tracking identifier, or any cross-site tracking pixels.
4. How we use information
We use personal data for the following purposes:
| Purpose | Categories used | Legal basis (GDPR) |
|---|---|---|
| Provide and operate the App (store entries, render your galaxy, sync between devices) | Account identifiers, journal content | Performance of a contract (Art. 6(1)(b)) |
| Authenticate you and prevent unauthorized access | Account identifiers, device info | Performance of a contract; legitimate interests (Art. 6(1)(b), (f)) |
| Diagnose crashes and improve reliability | Device and diagnostic info | Legitimate interests (Art. 6(1)(f)) |
| Send service-related notices (security alerts, policy updates) | Account identifiers | Legitimate interests; legal obligation (Art. 6(1)(f), (c)) |
| Respond to your support requests | Account identifiers, support content | Legitimate interests; consent |
| Optional analytics | Aggregated usage events | Consent (Art. 6(1)(a)) |
| Comply with law and protect rights | Any category as required | Legal obligation; legitimate interests |
5. How information is stored
5.1 On your device
Journal entries are saved in your device’s secure local storage (iOS sandbox). They are included in your iCloud or local iPhone backup if you have those enabled, in accordance with Apple’s standard backup encryption.
5.2 In the cloud
We do not store journal content in the cloud. Our authentication provider (Supabase Inc., United States) holds only the account identifier returned by Apple when you Sign in with Apple — used solely to recognize you on future launches. Authentication tokens travel over TLS 1.2+ and are protected at rest with industry-standard encryption.
6. Sharing and disclosure
We do not sell or rent personal data. We share information only as described below:
- Sub-processors: we use a small number of vendors that process data on our behalf strictly to operate the Service:
- Apple Inc. — App distribution, Sign in with Apple, push notifications, App Store payments.
- Supabase Inc. — authentication only (Apple Sign-In). No journal content is sent to Supabase.
- Vercel Inc. — hosting of this marketing website (US).
- Legal compliance: we may disclose information if required by valid legal process, court order, or to protect the rights, property, or safety of users or the public.
- Business transfers: if Gratitude Galaxy is involved in a merger, acquisition, or sale of assets, your data may be transferred. We will notify you and post a notice on this Service before your data becomes subject to a different privacy policy.
- With your direction: if you choose to export and share your data (for example, via the in-App PDF export), the data goes only where you send it.
7. International data transfers
We are based in the United States. If you access the Service from outside the U.S., you understand that your data may be processed in the U.S. and other countries. Where required by law, we rely on the European Commission’s Standard Contractual Clauses or other approved transfer mechanisms to safeguard cross-border transfers.
8. Retention
- Journal content is retained until you delete it from the App, delete your account, or revoke sync.
- Account identifiers are retained for the lifetime of your account, plus up to 30 days after deletion for backup and fraud-prevention purposes, after which they are permanently erased.
- Crash logs and diagnostics are retained for up to 90 days.
- Support correspondence is retained for up to 24 months.
9. Your rights
Depending on where you live, you have some or all of the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete personal data.
- Erasure — delete your personal data (“right to be forgotten”).
- Restriction — limit how we use your data.
- Portability — receive your data in a machine-readable format (we provide JSON export in-App).
- Objection — object to processing based on legitimate interests.
- Withdraw consent — withdraw a previously granted consent at any time.
- Lodge a complaint — file a complaint with your local supervisory authority (EU/UK) or attorney general (US).
To exercise any right, use the in-App controls (Profile → Export / Delete Account) or email privacy@gratitudegalaxy.space. We will respond within 30 days. We may require you to verify your identity to protect your data.
9.1 Additional rights for California residents (CCPA/CPRA)
California residents have the right to know which categories of personal information we have collected, sold (we do not sell), or shared for cross-context behavioral advertising (we do not share), as well as the right to delete and the right to non-discrimination for exercising those rights. To submit a verifiable consumer request, email privacy@gratitudegalaxy.space. You may also designate an authorized agent to act on your behalf.
10. Security
We use industry-standard administrative, technical, and physical safeguards to protect your data, including TLS 1.2+ for data in transit, AES-256 encryption at rest, row-level access policies, hashed and salted passwords (bcrypt), least-privilege access controls, and routine security review. No method of transmission or storage is 100% secure. We encourage you to use a strong unique password, enable device-level passcode/biometrics, and keep your operating system up to date.
11. Children’s privacy
Gratitude Galaxy is rated 4+ but is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.
12. Cookies and similar technologies
Our marketing website uses only strictly-necessary functional storage. We do not set third-party advertising cookies. The App does not use web cookies; it uses encrypted device storage to remember your session and preferences.
13. Do Not Track
We honor Global Privacy Control (GPC) signals where required by law. Because we do not engage in cross-site tracking or sale of personal information, our practices do not change based on a DNT or GPC signal.
14. Third-party links
The App or website may contain links to third-party sites (e.g., the App Store). Their privacy practices are governed by their own policies. We are not responsible for the content or practices of those services.
15. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the App or by email at least 14 days before they take effect. The “Last updated” date at the top reflects the current version. Continued use of the Service after changes constitutes acceptance of the revised policy.
16. Contact
Questions, requests, or complaints regarding this policy or our data practices? Email privacy@gratitudegalaxy.space. We respond to all good-faith inquiries within 30 days.
This policy is provided in English. If a translation is offered for convenience and there is a conflict, the English version controls.