Last Updated: February 2026
Contact: alignappeu@gmail.com
1. Who We Are
This Privacy Policy applies to the Align mobile application ("App," "Services"), operated by Align App ("Align," "we," "us"). Align is a personal development app that helps users build self-awareness, set goals, journal, and grow through AI-powered tools.
By using Align, you agree to this Privacy Policy. If you do not agree, please do not use the App.
2. What Data We Collect
2.1 Account Data (from Sign-In Providers)
We offer sign-in exclusively through Google and Apple. When you sign in, we receive:
- Your email address
- Your display name (if provided by the sign-in provider)
- A unique user identifier from the sign-in provider
We do not collect passwords. Authentication is handled entirely by Google or Apple.
2.2 Data You Enter in the App
Align collects the personal content you voluntarily create within the App, including:
- Core Identity Quiz responses — answers about your values, identity, life purpose, goals, and lifestyle vision
- Daily journal entries — free-form text entries you write each day
- Morning pages — free-form morning writing entries
- Morning & evening ritual responses — reflection and alignment check-in data
- Weekly recalibration responses — weekly self-assessment answers
- Vision board images — photos you upload to visualize your goals
- AI chat conversations — messages you send to the AI assistant ("Frequencies" chat)
- Personal context notes — optional context you provide to personalize AI responses
- Affirmations — AI-generated and user-saved affirmations
- Vault tool history — results from personal development exercises (Seven Layers, Alchemist Forge, Goal Action Plan, Flow Command)
- Observer reports — AI-generated periodic insight reports based on your journal and activity data
This data is highly personal and is treated as sensitive information.
2.3 Device & Technical Data
We collect limited technical data for anti-abuse protection and app functionality:
- Device fingerprint — a locally generated identifier combining your device platform, a hardware-derived hash, and an installation ID. This is used solely to detect re-installation abuse of free trial periods. It is not used for advertising or cross-app tracking.
- IP address — used for rate limiting AI requests to prevent abuse. Not stored persistently.
- App version and platform (iOS or Android)
2.4 Subscription & Payment Data
Subscription billing is handled entirely by RevenueCat, which integrates with the Apple App Store and Google Play. We receive from RevenueCat:
- Subscription status (active, expired, trial, etc.)
- Plan type and pricing tier
- Trial eligibility
- Renewal status
We do not receive or store your credit card number, billing address, or other payment instrument details. Those are handled exclusively by Apple or Google.
2.5 Analytics Data
We use PostHog for anonymous product analytics to understand how features are used and to improve the App. PostHog may collect:
- Screen views and feature usage events
- App performance metrics
- Crash and error reports
Analytics data is aggregated and does not include your journal content, quiz responses, or other personal entries.
3. How We Use Your Data
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Provide the App and its features | All user-generated content (journals, quizzes, vision boards, etc.) | Performance of contract |
| Generate AI-powered insights, affirmations, and chat responses | Your journal entries, Core Identity data, personal context, chat messages | Legitimate interest / Consent |
| Prevent abuse of free trials | Device fingerprint | Legitimate interest |
| Rate-limit AI usage | User ID, IP address | Legitimate interest |
| Process subscriptions | Subscription events from RevenueCat | Performance of contract |
| Improve the App | Anonymous analytics via PostHog | Legitimate interest |
| Respond to support requests | Email address | Legitimate interest |
4. AI Data Processing — Google Gemini
Align uses Google's Gemini 2.5 Flash AI model to power several features, including chat ("Frequencies"), affirmation generation, Observer reports, journal alchemy, and the Day Architect.
What is sent to Gemini:
When you use an AI-powered feature, the following data may be included in the request to generate a personalized response:
- Your current message or prompt
- Your Core Identity quiz responses (identity, purpose, goals)
- Your recent journal entries (up to the last 14 entries, limited excerpts)
- Your personal context notes (if you have provided any)
- Your recent chat history within the current session (up to 15 prior messages)
- Your morning/evening ritual responses (for relevant features)
How Gemini processes this data:
- Requests are sent server-side from our secure Edge Functions — the API key is never exposed to the client.
- Google's Gemini API processes the data to generate a response and does not use your data to train its models under the API terms of service.
- We do not store the AI-generated responses server-side beyond what is saved in your chat history or reports.
Your control:
- AI features are optional. You choose when to interact with them.
- You can delete your entire account and all associated data at any time (see Section 8).
For more information on how Google handles API data, see Google's API Terms of Service.
5. Data Storage & Security
Where your data is stored:
- All user data is stored on Supabase (hosted infrastructure). Supabase uses secure cloud servers.
- Vision board images are stored in Supabase Storage in a private bucket accessible only to the owning user via time-limited signed URLs.
- Authentication tokens are stored locally on your device using Expo SecureStore (encrypted device keychain).
How your data is protected:
- Row Level Security (RLS): Every database table enforces that users can only access their own data. This is enforced at the database level — even if the API is compromised, users cannot access other users' data.
- Private storage bucket: Vision board images require authenticated, time-limited signed URLs to access. They are not publicly viewable.
- Server-side AI processing: All AI API calls go through authenticated Edge Functions. API keys are never sent to or stored on the client device.
- Subscription protection: Subscription status fields are protected by database triggers that prevent client-side manipulation.
- Rate limiting: AI features are rate-limited per user and per IP address to prevent abuse.
- HTTPS: All data transmitted between the App and our servers is encrypted in transit.
6. Data Sharing
We share your data only with the following third-party processors, solely to provide the Services:
| Processor | Purpose | Data Shared |
|---|---|---|
| Supabase | Database hosting, authentication, file storage | All user data |
| Google (Gemini API) | AI-powered features | Content sent in AI requests (see Section 4) |
| RevenueCat | Subscription billing | User ID, subscription events |
| PostHog | Anonymous product analytics | Anonymized usage events |
| Apple / Google | Authentication sign-in | OAuth tokens (handled by provider SDKs) |
We do not:
- Sell your personal data to anyone
- Share your data with advertisers
- Use your data for ad targeting
- Share your journal entries, quiz responses, or personal content with any third party other than Google Gemini as described above
7. Your Rights
Under GDPR and similar laws, you have the right to:
- Access your personal data — contact us at alignappeu@gmail.com
- Rectify inaccurate data — you can edit your journals, quiz responses, and vision boards directly in the App
- Erase your data — you can delete your entire account from the App's Settings screen. This permanently deletes all your data from all tables, your storage files, and your authentication record. This action is irreversible.
- Restrict processing — contact us at alignappeu@gmail.com
- Data portability — contact us at alignappeu@gmail.com to request an export of your data
- Object to processing — contact us at alignappeu@gmail.com
- Withdraw consent — you may stop using AI features or delete your account at any time
We will respond to data rights requests within 30 days.
8. Account Deletion
You can permanently delete your account and all associated data at any time from the Settings screen in the App. When you delete your account, the following is immediately and permanently removed:
- Your authentication record
- Your profile
- All journal entries, morning pages, and ritual responses
- All Core Identity quiz responses and personal context
- All vision board data and uploaded images (from storage)
- All AI chat history and observer reports
- All vault tool history and affirmations
- All subscription and rate-limiting records
- All device fingerprint records
This deletion is irreversible. There is no recovery period.
9. Data Retention
- Your data is retained for as long as your account exists.
- When you delete your account, all data is deleted immediately (see Section 8).
- AI usage logs older than 90 days are automatically cleaned up.
- Webhook processing records older than 90 days are automatically cleaned up.
- We do not retain backups of deleted user data.
10. Children's Privacy
Align is not directed at children under 13 (or under 16 in the EU). We do not knowingly collect data from children. If you believe a child has created an account, please contact us at alignappeu@gmail.com and we will delete the account.
11. International Transfers
Your data may be stored and processed in the United States or the European Union, depending on Supabase's hosting region. By using the App, you consent to such transfers. We ensure appropriate safeguards are in place for any international data transfers.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the App or by email. Continued use of the App after changes constitutes your acceptance of the updated policy.
13. Contact Us
For any questions about this Privacy Policy, your data, or to exercise your rights:
Email: alignappeu@gmail.com