Pre-launch draft. Final version published before paid subscriptions launch.

Legal

Privacy Policy

Last updated: 2026-04-26

1. What we collect

  • Account data: email address, hashed password (handled by Supabase Auth), and your chosen pen name.
  • Optional profile data: display name, bio, avatar. Legal name (used only for payouts when creator subscriptions launch) is encrypted at rest with AES-256.
  • Journal entries: every entry you write, plus its privacy level, mood, tags, and word count.
  • IP addresses: stored for security and abuse detection. Retained for 30 days, then aggregated.
  • Analytics events: pseudonymous usage data via PostHog (page views, feature usage). No advertising trackers.

2. How we use it

To run the service: serving your entries, gating anonymous publishing on the Anonymity Score, preventing abuse, and improving the product. We do not sell your data. We do not use your entries to train external AI models. We do not show advertising.

3. Where it's stored

Diarly runs on Vercel and Supabase (Postgres). Entries are protected by row-level security so only you — and the moderation team for flagged content — can read your private writing. Backups are encrypted and retained for 30 days.

4. What's never shared

Your private entries. Your legal name (when collected for payouts). Your raw IP address. We disclose data only when legally compelled (subpoena, court order) and we will notify you unless prohibited by law.

Public and Anonymous Public entries are visible to other users by your choice — that is the share mechanism, not data sharing.

5. Your rights (GDPR, CCPA)

You can export every entry as JSON at any time, and delete your account permanently from Settings → Data. Deletion removes your entries, profile, and analytics within 30 days. EU and California residents have the additional right to request a copy, correction, or restriction of processing — email privacy@diarly.draftlabs.com.

6. Cookies

Two kinds: essential cookies for sign-in and session, and analytics cookies for product improvement (PostHog). We do not use advertising cookies or third-party trackers today. If we ever do, it will be opt-in and announced in advance.

7. Data retention

Active accounts: indefinite, until you delete. Deleted accounts: removed within 30 days. Backups: 30 days. Server access logs: 30 days. Analytics events: aggregated and de-identified after 12 months.

8. Children

Diarly is not for users under 16. We do not knowingly collect data from children under 16. If you believe a child has signed up, email privacy@diarly.draftlabs.com and we will remove the account.

9. Changes

We'll update this page when policy changes. Material changes are emailed to you 14 days before they take effect. The “Last updated” date at the top reflects the most recent edit.

10. Contact

Privacy questions: privacy@diarly.draftlabs.com. General contact: /contact.