Legal

Privacy Policy

Last updated 2026-05-11

DRAFT — pending legal review

A best-effort draft meant to shorten attorney review, not replace it. It has been advanced to cover the common cases, but GDPR, CCPA/CPRA, and other privacy regimes have specific required disclosures that should be confirmed by counsel before you rely on this policy as final.

1. Who we are

This Privacy Policy describes how the operator of the InnerSojourn application (the “Operator,” “we,” or “us”) collects, uses, and shares information when you use our software application and website (the “Service”). The Operator is the data controller for the information described here. By using the Service, you agree to this Policy and to our Terms of Service.

The Service may be offered under more than one brand. Where you access it under a partner or organization brand (the name shown above), the Operator remains the data controller; that partner is a provider you signed up through, not a separate controller of the information held in the Service.

2. Information we collect

The Service collects three categories of information:

  • Account information — your email address (for authentication) and a password if you set one. Authentication also uses one-time magic links sent to your email.
  • Encrypted user content — the records you create in the Service (contacts, sessions, intentions, reflections, audio transcripts, notes, etc.). These are encrypted in your browser before being transmitted; we store only the ciphertext and the wrapping envelopes. We cannot decrypt this content without your passphrase.
  • Operational metadata — timestamps of record uploads, your subscription state, your published public key (used when sharing records with another account), basic request logs (IP address, user agent, page paths), and consent acceptance records (which version of the Terms you accepted, when, and with which user agent / IP).

3. End-to-end encryption

The Service uses per-record AES-GCM-256 encryption with X25519 key wrapping for cross-account sharing. Each record is encrypted with a fresh data encryption key (DEK) that is itself wrapped under (a) a key derived from your passphrase and (b) a recovery key. When you share a record with another account, the DEK is re-wrapped under that account’s published public key.

The practical consequence: neither we, our database providers, nor any other third party with access to our servers can read your encrypted records. We can read only the limited cleartext metadata listed in Section 2 above.

4. How we use information

We use information to:

  • operate, maintain, and improve the Service;
  • authenticate you and protect against fraud and abuse;
  • process subscription payments;
  • route AI requests to providers when you trigger AI features;
  • respond to support requests;
  • comply with legal obligations and enforce our Terms of Service.

We do not sell your personal information. We do not use your content to train AI models, run third-party advertising, or build profiles for marketing.

5. Third-party processors

The Service relies on the following third parties to operate. Each has its own privacy policy, which we recommend reviewing if you have specific concerns about their data handling:

  • Supabase (database, authentication, file storage) — stores ciphertext records, authentication tokens, and operational metadata.
  • Vercel (hosting + serverless functions) — serves the application and processes incoming requests. Receives request metadata such as IP and user agent.
  • Stripe (payments) — processes subscription payments. We do not store credit card numbers; Stripe handles all card data on its own infrastructure.
  • OpenAI (AI features) — invoked only when you explicitly trigger transcription, summarization, or similar features. Receives the audio or text you submit. See OpenAI’s privacy and data-retention terms for details on what they do with submitted content.
  • Spotify (music integration) — invoked only after you explicitly connect Spotify via OAuth. We store only the OAuth tokens needed to make API calls on your behalf.
  • Calendly (calendar integration) — invoked only after you explicitly connect Calendly. We store only the personal access token needed to fetch your scheduled events.

6. AI features

Some features (audio transcription, session summary, arc analysis) involve transmitting content to OpenAI for processing. These features are invoked only when you explicitly trigger them. Do not submit content through AI features that you would not want a third-party API processor to receive.

We do not configure these features to permit OpenAI to use your content to train its models, but we cannot guarantee OpenAI’s practices on your behalf. Refer to OpenAI’s policies for current details.

7. Sharing with practitioners

When a practitioner issues you an invitation and you claim it, the practitioner’s client encrypts a defined set of records (the session, the contact entry, the intention, the debrief, and similar) for your account. Decryption happens locally in your browser; we do not see the cleartext.

Either party can revoke the share from the relevant session page. Revocation removes the practitioner’s ongoing access to new updates; content the practitioner has already decrypted locally remains in their local storage until they clear it themselves.

8. Data retention and deletion

We retain account information for as long as your account is active. You may delete your account at any time from Settings; deletion cascades to your profile, your encrypted records, your envelopes, and your subscription record. Authentication logs held by Supabase for sign-in security may retain your email address for their standard retention period.

Backups may retain your data for up to ninety (90) days after deletion as part of normal disaster-recovery practice. After that period, backups roll off and your data is removed.

9. Your rights

Depending on your jurisdiction, you may have rights to:

  • access the personal information we hold about you;
  • request correction of inaccurate information;
  • request deletion of your information;
  • request a portable export of your information in a machine-readable format;
  • object to or restrict certain processing;
  • opt out of any “sale” or “sharing” of personal information for cross-context behavioral advertising (we do not engage in either);
  • withdraw consent to processing where consent is the legal basis.

To exercise any of these rights, contact hello@innersojourn.com. We will respond within the timeframes required by applicable law and will not discriminate against you for exercising them.

California residents (CCPA/CPRA). We do not sell your personal information or “share” it for cross-context behavioral advertising, and we do not use sensitive personal information beyond the purposes permitted by law. You may exercise the access, deletion, correction, and opt-out rights above free of charge.

EEA / UK residents (GDPR / UK GDPR). Our legal bases for processing are performance of our contract with you (operating the Service), your consent (for optional features such as AI processing), and our legitimate interests (security and abuse prevention). You also have the right to lodge a complaint with your local data protection authority.

10. HIPAA

InnerSojourn is not a HIPAA-covered entity. We do not provide healthcare, bill insurance, or enter Business Associate Agreements. The Service holds health-adjacent information when users choose to record it, but it should not be treated as a HIPAA-covered medical record system. Licensed practitioners using the Service to track participants should consult their own compliance counsel about how the data stored here fits into their professional record-keeping obligations.

11. Children

The Service is not directed to children. You must be at least 18 years old to create an account. We do not knowingly collect information from anyone under 18. If you believe we have collected information from a minor, contact hello@innersojourn.com and we will delete it.

12. International data transfers

The Service is operated from and hosted on infrastructure located in the United States. By using the Service, you acknowledge that your information may be transferred to and processed in the United States, which may have data protection laws different from those in your jurisdiction.

Where we transfer personal information of EEA or UK residents to the United States, we rely on appropriate safeguards recognized under applicable law — such as the European Commission’s Standard Contractual Clauses — where those mechanisms are required.

13. Security

We use industry-standard security practices, including TLS in transit, end-to-end encryption for user content, hashed passwords (when used), and access controls on our infrastructure. No security measure is perfect; you are responsible for safeguarding your passphrase and recovery key, without which encrypted content cannot be recovered.

14. Cookies and similar technologies

The Service uses essential cookies and similar local storage (including IndexedDB) to authenticate your session, remember preferences, and store your encrypted records on-device. We use privacy-preserving, cookieless analytics to count aggregate page views; we do not use advertising cookies or cross-site tracking. Disabling essential cookies will prevent the Service from working.

15. Changes to this Policy

We may update this Privacy Policy from time to time. When changes are material, we will revise the “Last updated” date above and prompt you to acknowledge them where appropriate. Continued use of the Service after an update constitutes acceptance.

16. Contact

Privacy questions and rights requests can be sent to hello@innersojourn.com. A postal address for privacy notices is available on request.

See also: Terms of Service.