Privacy Policy

Effective date: June 3, 2026

This policy applies to the Kindred web application (kindred.app) and Android app distributed on Google Play.

1. Who we are

Kindred ("we", "us", "our") is a personal journaling app that helps you privately record memories, emotions, and moments involving the people in your life. The app is operated by Shah Muhammad Jannatul Hasan. Questions may be sent to shahmdjhm@gmail.com.

2. Data we collect

We collect only what is necessary to provide the service.

CategoryExamplesPurpose
Account dataName, email address, password (hashed by Supabase Auth)Create and secure your account
Profile dataDisplay namePersonalise your experience
Journal contentEntries, people records, tags, emotional tone labels, share linksCore product functionality
Device & usage dataIP address, browser / OS type, timestamps of authentication eventsSecurity, fraud prevention, abuse detection
Crash & error dataStack traces, error messages (no entry content included)Diagnose bugs and improve reliability

We do not collect precise location, contacts, photos, microphone input, call logs, financial information, or any Android system permission beyond what the app explicitly requests. We do not use advertising SDKs or analytics platforms.

3. How we use your data

  • Provide, maintain, and improve the journal service.
  • Authenticate you and protect your account from unauthorised access.
  • Send transactional emails: email verification, password reset, critical security notices. We do not send marketing emails.
  • Resolve bugs and incidents using anonymised crash logs.
  • Comply with applicable legal obligations.

We do not sell your data. We do not use your journal content to train AI models, build advertising profiles, or share with third parties for their own purposes.

4. Legal bases for processing (GDPR)

Where the GDPR applies, we rely on the following bases:

  • Contract performance — processing needed to operate the service you signed up for (account data, journal content, transactional email).
  • Legitimate interests — security logging and crash diagnostics, balanced against your privacy interests.
  • Legal obligation — retaining records where required by law.

5. Data sharing and sub-processors

We share your data only with the vendors needed to run Kindred:

Sub-processorRoleData sharedLocation
Supabase Inc.Database, auth, storageAll user and journal dataUSA (AWS us-east-1)
Cloudflare Inc.Edge CDN, WorkersRequest metadata (IP, headers); no journal contentGlobal edge network

No other third parties receive your personal data. We do not use Google Analytics, Meta Pixel, Firebase, or any advertising network.

6. Shared links

You may generate a shareable link for a specific person's entries. Anyone with the link can view the shared content. Links can be disabled, password-protected, set to expire, and deleted at any time from Settings → Shared links. Disabling or deleting a link immediately revokes access.

7. Data retention

Your data is retained for as long as your account is active. When you delete your account (Settings → Delete all data), we remove your entries, people, tags, and share links immediately. Your Supabase Auth record is deleted within 30 days. Anonymised crash logs may be retained for up to 90 days for debugging purposes.

8. Security

All data in transit is encrypted with TLS 1.2+. Data at rest is encrypted by Supabase (AES-256). Passwords are never stored in plaintext — Supabase Auth uses bcrypt. We apply row-level security (RLS) policies so database queries are scoped to the authenticated user. Access to production infrastructure is limited to the maintainer.

9. Your rights

You have the following rights over your data:

  • Access — export all your data as JSON from Settings at any time.
  • Correction — update your name or email in Settings.
  • Deletion — delete all your data and close your account from Settings.
  • Portability — the JSON export is machine-readable and portable.
  • Objection / restriction — contact us to restrict specific processing activities.
  • Withdraw consent — where processing is consent-based, you may withdraw at any time without affecting prior lawful processing.

To exercise any right not reachable through the app, email shahmdjhm@gmail.com. We will respond within 30 days. EEA/UK users have the right to lodge a complaint with their local supervisory authority.

10. Children

Kindred is not directed at children under 13 (or under 16 where required by local law). We do not knowingly collect personal data from minors. If you believe a child has provided us data, contact us and we will delete it promptly.

11. Cookies and local storage

The web app uses a single session cookie set by Supabase Auth to keep you logged in. No third-party tracking cookies are used. The Android app stores your session token in secure device storage — no cookies, no advertising IDs, no IDFA/GAID accessed or transmitted.

12. Google Play — Data safety disclosure

The following reflects what is disclosed in the Google Play Data Safety section:

Data typeCollected?Shared?Encrypted in transit?Can be deleted?
NameYesNoYesYes — via Settings
Email addressYesNoYesYes — via Settings
User-generated content (journal entries)YesNoYesYes — via Settings
App interactions (auth events)YesNoYesAfter 90 days automatically
Crash logsYes (anonymised)NoYesAfter 90 days automatically

No data is used for advertising or shared with third parties for their own purposes. Data collection is required for core app functionality (authentication and storage).

13. International transfers

Your data is stored on Supabase infrastructure in the United States. If you are located in the EEA, UK, or elsewhere, your data is transferred to the US. We rely on Supabase's Standard Contractual Clauses (SCCs) for transfers from the EEA/UK.

14. Changes to this policy

Material changes will be communicated via email to your registered address at least 14 days before the change takes effect. The "Effective date" at the top of this page will be updated. Continued use of Kindred after the effective date constitutes acceptance of the revised policy.

15. Contact

Shah Muhammad Jannatul Hasan
Email: shahmdjhm@gmail.com