Privacy Notice

Who we are

The data controller is Jørnal, sole proprietor, operating Jørnal from Norway. Contact: hi@jornal.ink.

What we collect

We try to collect as little as the Service can run on. The categories:

• From your SSO provider (Google or GitHub): your name, email address, profile image URL, and a stable provider id. This is what your provider tells us when you sign in. We don’t receive a password.
• From you, while you write: the text of your journal entries, the names and colors of any custom books you create, your preferences (locale, date/time format, font), and optional PINs on private books. Entry contents are lightly obfuscated at rest as defense-in-depth—not encryption, not a confidentiality boundary, just a friction layer.
• Automatically: a per-tab device id (a UUID stored in sessionStorage) we use to scope drafts to the tab that wrote them, plus the words of any draft you’re typing (kept in localStorage keyed by that tab id) so your writing survives a tab crash or offline interlude; the timezone your browser reports, so dates render in your clock; the IP address of your request at sensitive moments (sign-in, checkout webhook delivery) for fraud detection and country-based currency selection.
• From Lemon Squeezy when you subscribe: subscription id, customer id, current period end, and cancellation status. We don’t see or store your card details—Lemon Squeezy handles all of that as the Merchant of Record.

We keep aggregate numbers on supporter-page visits and plan clicks. To stop refreshes from inflating the count, each event records once per user—only ever summed into totals, never read individually.

We do not use cookies for tracking or analytics. The only cookie we set is the authentication session cookie.

Why we use it

Each piece of data exists for a specific operational reason:

• Identity (name/email/provider id) — to recognize you across sessions and devices.
• Entries, books, preferences — to provide the Service itself.
• Device id — to scope drafts so two devices writing the same day produce two separate entries instead of overwriting each other.
• IP at sign-in/checkout — fraud detection and pricing in the right currency.
• Subscription data — to know whether you have access to paid features.
• Supporter-page event markers — to see, in aggregate, how many people reach the supporter page and which plans they click.

Legal basis (GDPR Art. 6)

Performance of contract for everything required to actually run the Service for you (storing your entries, providing access, processing your subscription). Legitimate interest for fraud prevention, operational logging, and protecting the Service from abuse. Consent only where the law specifically requires it (e.g. enabling optional email-backup digests).

Who we share with

A short list, all bound by data-processing agreements:

• Railway (infrastructure host, Netherlands / EEA) — runs the application and the database that stores your account and entries.
• Lemon Squeezy (Merchant of Record) — processes subscriptions, taxes, and refunds. Receives your email and billing details only when you subscribe.
• Resend (transactional email, US) — delivers email backups and support correspondence. Receives your email and the email contents.
• Google / GitHub — the SSO provider you chose, for sign-in. They see what they always see: that you signed in to an app that uses their OAuth.

We do not share data with advertisers, analytics providers, AI training datasets, or third-party AI inference providers. “Recall” (semantic search) runs entirely on our own servers; your entries never leave them for AI processing.

International transfers

Your entries and account data are stored on Railway in the Netherlands and stay inside the EEA. Resend, our transactional email provider, is based in the United States; that transfer is covered by Standard Contractual Clauses adopted by the European Commission and Resend’s supplementary safeguards. Lemon Squeezy’s jurisdiction for billing data is governed by their own privacy terms, which apply when you subscribe.

Retention

We keep your account data for as long as you have an account. When you ask us to delete the account, we delete your entries, tags, preferences, embeddings, and authentication records. Some limited records may be retained longer if a law requires it (e.g. tax records of subscription payments, kept by Lemon Squeezy for their statutory period).

Locked entries are immutable but not undeletable—you can ask for account-wide deletion any time.

Your rights

Under the GDPR you have the right to:

• Access the personal data we hold about you.
• Rectify data that’s inaccurate.
• Erase your data (the “right to be forgotten”).
• Receive your data in a portable format.
• Restrict or object to certain processing.
• Withdraw any consent you’ve given (e.g. turn off email backups).
• Lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) or the supervisory authority where you live.

To exercise any of these, email hi@jornal.ink. We’ll respond within 30 days.

Security

HTTPS everywhere. Entry contents are additionally obfuscated as defense-in-depth. Authentication sessions are signed and short- lived. Access to the production database is limited to the operator. No system is perfectly secure; if we discover a breach affecting your data we’ll notify you and the relevant authority within 72 hours where the law requires it.

Children

Jørnal is not directed at children under 16. If you believe a child has signed up, email us and we’ll close the account.

Updates

We’ll update this notice when our processors change, when the law changes, or when we add features that collect new categories of data. The “Last updated” date at the top reflects the most recent change. Material changes are emailed to all account holders before taking effect.