Privacy Policy

Our Privacy Commitment

At Whimsical Whim, privacy is not a feature - it is our foundation. We believe your reflections, thoughts, and personal moments belong to you and only you. This privacy policy explains how we protect your data and what minimal information we do collect.

The most important thing to know: Your reflection content is encrypted on your device before it ever touches our servers. We cannot read your reflections, even if compelled to do so.

Information We Collect

Account Information

When you create an account, we collect your email address and an encrypted password hash. We use this solely for authentication purposes.

Encrypted Reflection Data

Your reflections are encrypted on your device using industry-standard encryption (XChaCha20-Poly1305). We store the encrypted data on our servers to enable sync across devices, but we cannot decrypt it. Only you hold the encryption key, which is derived from your password and never leaves your device.

Location Data (Optional)

If you enable location services, we use your approximate location to provide weather-aware prompts and accurate sunrise/sunset times. We do not store location history. You can disable this feature at any time in your device settings.

Usage Analytics (Anonymous)

We collect anonymous analytics to improve the app experience. This includes aggregate data like which features are most used and general app stability metrics. This data cannot be tied back to you personally.

What We Do Not Collect

• We do not read your reflections (they are encrypted)
• We do not sell or share your data with third parties
• We do not use your data for advertising
• We do not create user profiles for marketing
• We do not track your browsing activity outside our app
• We do not use your data to train AI models

How We Protect Your Data

We employ multiple layers of security to protect your information:

• End-to-end encryption: Your reflection content is encrypted on your device before transmission.
• Zero-knowledge architecture: Our servers never have access to your encryption keys or unencrypted content.
• TLS encryption: All data in transit is protected with TLS 1.3.
• Encrypted storage: Data at rest is stored in encrypted databases.
• Regular security audits: We conduct regular security reviews and penetration testing.

Data Retention

We retain your encrypted data for as long as you maintain an account. If you delete your account, we permanently delete all associated data within 30 days. There is no way to recover this data once deleted.

Free accounts with no activity for 12 months may be deleted after email notification. Premium subscribers retain their data indefinitely while subscribed.

Your Rights

You have the right to:

• Access your data: Export your reflections at any time from the app settings.
• Delete your data: Delete your account and all associated data permanently.
• Modify your data: Edit or delete individual reflections at any time.
• Data portability: Export your data in standard formats (JSON, PDF).
• Opt out of analytics: Disable anonymous analytics in app settings.

Third-Party Services

We use the following third-party services:

• Cloud hosting: We use secure cloud infrastructure to store encrypted data.
• Weather data: We query weather APIs using approximate location (not your exact coordinates).
• Payment processing: For premium subscriptions, we use Stripe. We do not store your payment card details.
• Push notifications: We use Apple Push Notification Service and Firebase Cloud Messaging for notifications.

These services receive only the minimum data necessary to function. None of them have access to your reflection content.

Children's Privacy

Whimsical Whim is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.

Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any material changes via email and/or a prominent notice in the app. We encourage you to review this policy periodically.

Contact Us

If you have questions about this privacy policy or our data practices, please contact us:

• Email: privacy@whimsicalwhim.app
• Data Protection Officer: dpo@whimsicalwhim.app

Regional Privacy Rights

For European Users (GDPR)

Under GDPR, you have additional rights including the right to lodge a complaint with your local supervisory authority. Our legal basis for processing is consent (for account creation) and legitimate interest (for security and service improvement).

For California Users (CCPA)

California residents have the right to know what personal information we collect and to request deletion. We do not sell personal information. To exercise these rights, contact us at the email above.