Privacy Policy

Last updated: 12/5/2025

The Short Version

We can't read your journal. No one can.

Your journal entries are encrypted before they're stored. We don't have admin tools to view your content. AI analysis happens within your session only. Your data belongs to you and can be exported or deleted at any time.

How Your Data is Encrypted

When you record a journal entry, here's what happens:

  1. Your audio is sent to OpenAI's Whisper API for transcription
  2. The transcript is encrypted using AES-256-GCM with your unique data key
  3. Your data key is itself encrypted (wrapped) with our master key
  4. Only the encrypted data is stored in our database
  5. Decryption only occurs server-side within your authenticated session

This means even if our database were compromised, your journal entries would remain unreadable without both the master key (stored separately) and valid authentication.

What We Store

  • Encrypted transcripts - Your journal text, encrypted
  • Audio files - Optional, can be deleted after transcription
  • Metadata - Timestamps, sentiment analysis, tags (also encrypted where possible)
  • Account info - Email address for authentication
  • Embeddings - Vector representations for semantic search (cannot be reversed to text)

Third-Party Services

OpenAI

We use OpenAI's APIs for:

  • Audio transcription (Whisper)
  • Entry analysis (sentiment, tags, mood)
  • Summary generation
  • Semantic search embeddings

Per OpenAI's API data usage policy, data sent to their API is not used to train their models and is retained for a maximum of 30 days for abuse monitoring purposes.

Supabase

We use Supabase for authentication and database hosting. All data is stored encrypted, and Supabase provides additional security through Row Level Security (RLS) policies that ensure users can only access their own data.

Vercel

Our application is hosted on Vercel. They process web requests but do not have access to your encrypted journal content.

Your Rights

  • Access - You can view all your data within the app
  • Export - Download your complete journal as Markdown/JSON at any time
  • Deletion - Delete individual entries or your entire account
  • Portability - Your exported data is in open formats you can use anywhere

What We Don't Do

  • We don't analyse your journal content for advertising
  • We don't sell your data to third parties
  • We don't have admin tools to view decrypted content
  • We don't track your behaviour within the app for marketing
  • We don't share your data with anyone except the services listed above

Contact

If you have questions about this privacy policy or how your data is handled, please contact us at privacy@tellit.app.

Return to Tellit