Privacy Policy

Last updated: April 9, 2026 | Version 1.0

Journex ("the App", "we", "us", or "our") is committed to protecting your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy explains how we collect, use, disclose, and protect your information.

By creating an account, you confirm that you have read and agree to this Privacy Policy. You must be 16 years of age or older to use Journex.

1. Information We Collect

Information you provide

Category	Data types	Sensitivity
Account	Name, email address, profile photo	Personal
Journal entries	Gratitude text, mood, photos, date	Personal
Reflections	What went well, what didn't, improvements	Personal
Habits & Goals	Habit names, completions, goal progress	Personal
Nutrition	Food names, calories, macros, water intake	Health
Sport & Fitness	Session type, duration, energy, fatigue, notes	Health
Injury tracking	Injury name, body part, severity, pain levels, rehab progress	Health
Period tracking	Cycle dates, flow, symptoms, notes	Sensitive health
Daily recovery	Sleep, soreness, hydration, body weight	Health
Weight tracking	Body weight, goal weight	Health
Social data	Friend connections, shared entries, messages	Personal

Sensitive information: Under the Privacy Act, health information (including period tracking, injury data, body weight, and nutrition data) is classified as "sensitive information" and receives a higher standard of protection. We only collect this data with your explicit consent and for the sole purpose of providing the App's tracking features.

Information collected automatically

Device tokens: Firebase Cloud Messaging tokens for push notifications (if you enable reminders)
Timezone: Detected from your device for reminder scheduling

Information we do NOT collect

We do not use analytics or tracking SDKs (no Google Analytics, no Crashlytics)
We do not collect location data
We do not record audio (the app does not use your microphone)
We do not access your contacts, calendar, or other apps

2. How We Use Your Information

Purpose	Data used	Legal basis (APP)
Core app features (journaling, tracking, analytics)	All data you enter	Primary purpose of collection (APP 6.1)
AI-powered weekly insights (opt-in only)	Journal entries, reflections, habits, sport sessions, food names, sleep/hydration/soreness (see Section 4 for exclusions)	Explicit consent (APP 6.1, APP 3.3)
Social features (sharing entries with friends)	Entries you choose to share, display name, profile photo	Consent via explicit sharing action (APP 6.1)
Push notifications	FCM device tokens	Consent via enabling reminders (APP 6.1)
Subscription management	Anonymous user ID (no health data)	Contractual necessity (APP 6.1)

We do not use your data for advertising, profiling, or any purpose other than those listed above.

3. Data Storage & Security

We implement the following security measures to protect your information:

Encryption in transit: All data transmitted between the app and our servers uses HTTPS/TLS encryption.
Encryption at rest: Data stored in Firebase is encrypted at rest using Google's default encryption. Sensitive health data cached on your device is encrypted using a key stored in your device's secure enclave (iOS Keychain / Android Keystore).
Access isolation: Firestore security rules ensure each user can only read and write their own data. All sharing and social features are validated server-side.
Server-side validation: All sensitive operations (sharing entries, claiming invites, creating challenges, deleting accounts) are enforced through server-side Cloud Functions with input validation and rate limiting.
Audit logging: Sensitive account actions (account deletion, entry sharing, invite claims) are logged server-side for breach assessment purposes.
Minimal permissions: The app only requests camera permission (for food barcode scanning and journal photos). No microphone, location, contacts, or other permissions are requested.

4. Third-Party Services & Cross-Border Disclosure

We do not sell, rent, or share your personal data with advertisers or marketing companies.

Your information is shared only with the following parties:

Third party	Location	Purpose	Data shared
Google Firebase (Firestore, Storage, Auth, Cloud Functions)	United States	Data storage, authentication, server-side processing	All account and app data
Anthropic (Claude AI)	United States	AI weekly insights generation (opt-in only)	Journal text, reflections, habits, sport sessions, food names, sleep/hydration/soreness. Excludes: period data, body weight, alcohol intake, photos, macros
RevenueCat	United States	Subscription and purchase management	Anonymous user ID, purchase receipts. No health data.
Open Food Facts API	France (non-profit)	Nutritional info via barcode scanning	Barcode number only. No personal data.
Friends	N/A	Social sharing (your choice)	Only entries you explicitly share

Cross-border disclosure (APP 8): Your data is stored and processed on servers in the United States by Google, and optionally processed by Anthropic (US). We take reasonable steps to ensure these recipients handle your data in compliance with the Australian Privacy Principles, including through their published data processing terms and contractual commitments.

Your data may also be disclosed when required by law or to comply with legal process.

5. AI-Powered Insights

Journex offers optional AI-powered weekly insights, generated by Anthropic's Claude AI. This feature is opt-in only and disabled by default.

What is sent to Anthropic

Journal entry text and mood
Reflection text (what went well, didn't go well, improvements)
Habit names and completions
Sport/climbing session details (type, duration, energy, fatigue)
Food names (without macros or serving quantities)
Sleep hours, hydration, soreness, perceived strength

What is NOT sent to Anthropic

Period tracking data (cycle dates, flow, symptoms)
Body weight
Alcohol consumption
Photos
Nutritional macros (calories, protein, carbs, fat)
Your name, email, or any account identifiers

Anthropic processes this data solely to generate your insight and does not use it for model training on paid API tiers. You can opt out at any time in Settings, which takes effect immediately — no further data will be sent to Anthropic.

6. Health & Sensitive Data

The App collects certain health-related information including period/cycle tracking, sleep data, hydration metrics, body weight, and injury records. This data is:

Classified as "sensitive information" under the Australian Privacy Act and given a higher standard of protection
Collected only with your explicit consent
Encrypted on your device using keys stored in the secure enclave (iOS Keychain / Android Keystore)
Never shared with third parties for advertising or marketing purposes
Only visible to you (and friends you explicitly share with)
Deletable at any time through your account settings

7. Your Rights

Under the Australian Privacy Act, you have the right to:

Access (APP 12): All your data is viewable within the app at any time
Correction (APP 13): You can edit journal entries (same-day), update your profile, and modify all tracking data directly in the app
Deletion: Delete individual entries at any time, or delete your entire account and all associated data via Settings > Delete Account
Opt out of AI insights: Disable AI insights at any time in Settings — this immediately stops all data processing by Anthropic
Withdraw consent: Delete your account at any time, which removes all your data

When you delete your account, we delete:

All Firestore documents (entries, reflections, habits, goals, nutrition, sport, injuries, period logs, recovery data, messages, insights, preferences)
All photos stored in Firebase Storage
All shared entries you authored
Your friend connections
Your Firebase Authentication account

8. Data Retention

Your data is retained for as long as your account is active, subject to the following automatic retention limits:

Data type	Retention period
Food log entries	2 years
Daily recovery records	2 years
Period log entries	3 years
Sport / climbing sessions	3 years
Weight log entries	3 years
Journal entries, reflections, habits, goals	Retained while account is active

Records older than the retention period are automatically deleted on a weekly basis. You can delete individual entries at any time within the app.

9. Data Breach Notification

In accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act, if we become aware of a data breach that is likely to result in serious harm to any individual, we will:

Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable
Notify affected individuals as soon as practicable
Include in the notification: a description of the breach, the type of information involved, and recommended steps for affected individuals

10. Children's Privacy

Journex is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. Users must confirm they are 16 years or older during registration. If we become aware that we have collected data from a child under 16, we will delete the account and all associated data promptly.

11. GDPR Compliance (European Users)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR), including:

The right to data portability
The right to restrict processing
The right to object to processing
The right to lodge a complaint with a supervisory authority

Our legal basis for processing your data is your consent (provided when you create an account) and the performance of the contract (providing the App's services to you).

12. CCPA Compliance (California Users)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:

The right to know what personal information is collected
The right to request deletion of personal information
The right to opt out of the sale of personal information — we do not sell your personal information
The right to non-discrimination for exercising your privacy rights

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via an in-app notice or email. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the app after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy, wish to make a complaint, or want to exercise your rights, contact us at:

Email: privacy@journex.io

If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

Website: www.oaic.gov.au
Phone: 1300 363 992