Privacy Policy

Last updated: March 1, 2026

1. Introduction

awfx.ai ("we," "us," "our") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our journaling and wellness platform. By using awfx.ai, you consent to the practices described in this policy.

2. Information We Collect

Information You Provide

  • Account data: Email address, display name, profile information
  • Journal content: Journal entries, mood logs, reflections, and personal notes
  • AI interactions: Prompts and conversations with the AI Companion
  • Community content: Posts and interactions in Community
  • Payment information: Processed by Stripe; we do not store card numbers
  • Support requests: Emails and communications with our team

Information Collected Automatically

  • Usage data: Feature usage, session duration, interaction patterns
  • Device data: Browser type, operating system, screen size
  • Log data: IP address, access times, error logs
  • Cookies: Essential (authentication, security) and optional (analytics)

3. How We Use Your Information

  • Deliver journaling, Companion, mood tracking, and wellness features
  • Process your journal entries through AI to generate insights and reflections
  • Process billing and manage your subscription
  • Provide customer support
  • Improve the Service using anonymized, aggregated data
  • Ensure platform safety, prevent abuse, and enforce our Terms
  • Send transactional emails (account, billing, security)
  • Send marketing emails (only with your explicit opt-in consent)

๐Ÿ”’ Your data is never sold. It is only shared with trusted service providers needed to operate awfx.ai, including AI providers when you choose to use AI features. Your data is not used to train public AI models.

4. AI Data Processing

When you use awfx.ai AI features, relevant app data โ€” which may include journal text, mood and wellness data, task/context data, and AI conversation content โ€” may be sent to third-party AI providers (xAI and OpenAI) to generate responses, insights, summaries, recommendations, and safety checks. By using AI features, you explicitly consent to this processing.

  • What is processed: Journal text, mood and wellness data, task/context data, AI conversation content, and community image URLs when image moderation is used
  • Who processes it: xAI (Grok) as the primary AI provider, with OpenAI as backup
  • Purpose: Generating responses, reflections, insights, summaries, recommendations, and safety checks
  • Not used for training: Your data is not used to train public AI models
  • Retention by AI providers: Subject to their data processing terms; we contractually limit retention
  • Opt-out: You may choose not to use AI features

5. Third-Party Service Providers

We share data with trusted service providers who help us operate the platform:

ProviderPurposeData Shared
SupabaseDatabase & authenticationAccount data, journal entries, app data
xAI / OpenAIAI feature processingJournal text, mood/wellness data, task/context data, AI conversation content when AI features are used
StripePayment processingBilling info, email, subscription status
VercelHosting & CDNRequest logs, IP addresses

6. Data Security

  • Encryption in transit: All data transmitted via TLS 1.2+
  • Encryption at rest: Database encrypted at rest (Supabase managed)
  • Access control: Role-based access; minimal data access principles
  • Authentication: Secure authentication via Supabase Auth
  • No card storage: Payment card data handled entirely by Stripe (PCI-DSS compliant)

We treat wellness and inferred health-related data as sensitive and continuously review evolving privacy requirements (including state consumer-health privacy laws and proposed federal reforms) to improve consent flows, user controls, and protective safeguards.

7. Data Retention

  • Active accounts: Data retained while your account is active
  • Deleted entries: Removed from production within 24 hours; from backups within 30 days
  • Deleted accounts: All personal data purged within 30 days
  • Anonymized data: May be retained indefinitely for aggregate analytics
  • Legal obligations: We may retain data longer if required by law

8. Your Rights

We aim to provide rights and controls consistent with modern consumer privacy expectations for wellness data, including access, correction, deletion, and export.

All Users

  • Access: View and download your data at any time
  • Correction: Update inaccurate profile information
  • Deletion: Delete your account and all associated data
  • Export: Download all your data in a standard format
  • Opt-out: Unsubscribe from marketing emails at any time

California Residents (CCPA)

  • Right to know what personal information we collect and how it's used
  • Right to delete your personal information
  • Right to opt-out of the sale of personal information (we do not sell your data)
  • Right to non-discrimination for exercising your privacy rights

EU/EEA Residents (GDPR)

  • Right of access, rectification, erasure, and data portability
  • Right to restrict or object to processing
  • Right to withdraw consent at any time
  • Right to lodge a complaint with your supervisory authority
  • Legal basis: Consent (explicit for journal/AI processing), contract (service delivery), legitimate interest (security, fraud prevention)

9. Cookies

  • Essential cookies: Required for authentication, security, and basic functionality (no consent needed)
  • Analytics cookies: Help us understand usage patterns (consent required for EU users)
  • Marketing cookies: Not currently used; if added, will require explicit consent

You can manage cookie preferences in your browser settings or through our cookie consent banner (shown to EU users).

10. Therapist Data Sharing

If you choose to share journal entries with a therapist:

  • Sharing is entirely your choice (opt-in per therapist)
  • Shared data is transmitted and stored using our standard security controls
  • You can revoke access at any time
  • The therapist's use of your data is governed by their own privacy practices

11. Children's Privacy

awfx.ai is not directed at children under 13. We do not knowingly collect personal information from children under 13. If we learn we have collected data from a child under 13, we will delete it promptly. If you believe a child under 13 has provided us with personal information, contact us at support@awfx.ai.

12. Data Breach Notification

In the event of a data breach affecting your personal information, we will:

  • Notify affected users via email without undue delay
  • Notify relevant supervisory authorities within 72 hours (GDPR requirement)
  • Provide details on the nature of the breach, data affected, and steps we're taking
  • Offer guidance on protective measures you can take

13. International Data Transfers

Your data may be transferred to and processed in countries outside your own (primarily the United States). We ensure adequate safeguards through standard contractual clauses and data processing agreements with our providers.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email and/or in-app notification at least 30 days before taking effect. The "Last updated" date will be revised accordingly.

15. Contact Us

Privacy questions or data requests: support@awfx.ai

General support: support@awfx.ai