Privacy Policy

Last updated: 3 April 2026 · Effective date: 3 April 2026

1. Who We Are

Memoria Voice Diary (“App”, “Service”) is operated by:

Mike Keller (Data Controller)
Ginsterweg 13
71229 Leonberg, Germany
Email: info@my-diary.app
Telefon: +49 177 8364712
USt-IdNr.: DE362000323

This Privacy Policy explains what personal data we collect, why we collect it, who receives it, how long we keep it, and what rights you have. It applies to all users of the Memoria mobile app on iOS and Android.

2. What Data We Collect

2.1 Account Data

When you create an account, we collect:

• Email address — from your Google account or entered during registration
• Display name — from your Google account or entered by you
• User ID — a unique identifier generated by our authentication system

2.2 Diary Content

• Diary entry text — the transcribed text of your voice entries and AI-generated diary entries
• Conversation history — your back-and-forth exchanges with the AI companion during entry creation
• Chat messages — messages exchanged with the “Chat with your past” feature

2.3 Mood & Analytics Data

• Mood data — emotional valence, energy levels, and mood themes derived by AI from your diary entries
• Usage statistics — monthly entry count and token usage (for subscription limit tracking only)

2.4 Technical Data

• Device language and locale — to serve the App in your preferred language
• App version

2.5 What We Do NOT Collect

• Voice audio — your voice recordings are transcribed entirely on-device using your phone’s built-in speech recognition. Audio never leaves your device and is never stored.
• Location data
• Contact lists, photos, or browsing history
• Advertising identifiers or tracking data
• Payment card information — all payments are handled by Apple or Google

3. Why We Collect Your Data (Legal Basis)

Data	Purpose	Legal Basis (GDPR)
Email, name, user ID	Account creation & authentication	Art. 6(1)(b) — Contract performance
Diary text, conversations	Providing the diary and AI features	Art. 6(1)(a) — Explicit consent; Art. 9(2)(a) for special category data
Mood data	Mood tracking and analytics features	Art. 6(1)(a) — Explicit consent; Art. 9(2)(a) for special category data
Usage statistics	Enforcing subscription limits	Art. 6(1)(b) — Contract performance
Device language	Localization	Art. 6(1)(f) — Legitimate interest

Special Category Data (GDPR Article 9)

Diary entries may reveal information about your mental health and emotional state. This is classified as special category data under GDPR Article 9. We process this data solely to provide the App’s features to you, on the basis of your explicit consent, which you provide during the onboarding process. You may withdraw this consent at any time by deleting your account.

4. Who Receives Your Data

We share your data only with the following third-party service providers (“sub-processors”), each under a Data Processing Agreement (DPA):

Service Provider	Data Shared	Purpose	Location
Google Gemini AI	Diary text, conversation history	AI diary writing, mood analysis, reflection questions	USA (covered by DPA with SCCs)
Supabase	All account and diary data	Cloud database, authentication, vector search	EU (Frankfurt) or USA (covered by DPA with SCCs)
Google Sign-In	Authentication tokens	Account sign-in	USA (covered by Google DPA)
Apple / Google	Purchase receipts	Subscription payment processing	USA (their own privacy policies apply)

We do not sell, rent, or share your data with advertisers or data brokers. We do not use any third-party analytics or tracking SDKs.

5. International Data Transfers

Some of our sub-processors are located in the United States. For these transfers, we rely on:

• Standard Contractual Clauses (SCCs) as approved by the European Commission, included in each provider’s DPA
• EU-US Data Privacy Framework certification where applicable

All data is encrypted in transit (TLS 1.2+) and at rest.

6. How Long We Keep Your Data

Data	Retention Period
Account data	Until you delete your account
Diary entries & conversations	Until you delete the entry or your account
Mood data	Until you delete the associated entry or your account
Usage statistics	Reset monthly; deleted with account

When you delete your account, all personal data is permanently erased from our systems within 30 days, except where retention is required by law (e.g., billing records for tax purposes may be retained for up to 10 years as required by German tax law).

7. Your Rights Under GDPR

As a user in the EU/EEA, you have the following rights regarding your personal data:

• Right of access (Art. 15) — Request a copy of all personal data we hold about you
• Right to rectification (Art. 16) — Correct inaccurate personal data
• Right to erasure (Art. 17) — Request deletion of your personal data (“right to be forgotten”)
• Right to data portability (Art. 20) — Receive your data in a machine-readable format
• Right to restrict processing (Art. 18) — Request that we limit how we use your data
• Right to object (Art. 21) — Object to processing based on legitimate interests
• Right to withdraw consent (Art. 7(3)) — Withdraw your consent at any time without affecting the lawfulness of processing before withdrawal

How to Exercise Your Rights

You can exercise your rights in the following ways:

• In the App: Settings → Privacy & Security → Export My Data / Delete Account
• By email: info@my-diary.app

We will respond to your request within 30 days. If we need more time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period.

8. Data Security

We implement the following technical and organisational measures to protect your data:

• All data is encrypted in transit using TLS 1.2 or higher
• Data at rest is encrypted in our cloud database (Supabase)
• Voice transcription is performed entirely on-device — audio is never transmitted
• Authentication is handled through secure OAuth 2.0 flows (Google Sign-In) and Supabase Auth
• Access to production systems is restricted and requires multi-factor authentication
• We do not store payment card information

9. Children’s Privacy

The App is intended for users aged 16 and over. We do not knowingly collect personal data from children under 16. If you are under 16, you must not use the App without verifiable parental or guardian consent. If we become aware that we have collected data from a child under 16 without appropriate consent, we will delete that data promptly.

10. Cookies and Tracking

The Memoria mobile app does not use cookies, web beacons, or any tracking technologies. We do not use any third-party analytics SDKs (no Google Analytics, no Firebase Analytics, no Sentry, no crash reporting tools). This website uses no cookies or tracking.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days in advance via:

• Email to the address associated with your account
• In-app notification

The “Last updated” date at the top of this page will always reflect the most recent revision.

12. Complaints

If you believe that we have not handled your personal data correctly, you have the right to lodge a complaint with a data protection supervisory authority. For Germany:

Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart, Germany
Website: www.baden-wuerttemberg.datenschutz.de

13. Contact

For any questions about this Privacy Policy or to exercise your data protection rights:

Mike Keller
Ginsterweg 13
71229 Leonberg, Germany
Email: info@my-diary.app
Telefon: +49 177 8364712

This Privacy Policy was last reviewed on 3 April 2026.