Privacy Policy

Introduction

At Mood Swings & Meows, your privacy is our top priority. This Privacy Policy explains how we collect, use, store, and protect your personal information. We are committed to transparency and giving you control over your data.

By using our service, you agree to the terms outlined in this policy. If you have questions or concerns, please contact us.

What Data We Collect

We believe in minimal data collection. We only collect what's necessary to provide our service:

• Account Information: Username, email address, and optional profile photo
• Location (Optional): General location to personalize content (not precise GPS data)
• Cycle Data: Menstrual cycle dates, phases, and preferences (stored privately, not shared)
• Mood & Quick Logs: Daily mood, energy, and productivity entries (private to your account)
• Diary Entries: Your private journal entries (encrypted client-side; see Encryption section)
• Planner Data: Scheduled meals, workouts, and rituals (private to your account)
• Usage Data: Anonymized analytics to improve our service (via PostHog)

We do NOT: Sell your data, share your diary entries, or use your personal information for advertising.

Encryption & Security

Your diary is encrypted on your device before it reaches our servers. We use AES-GCM encryption with a Data Encryption Key (DEK) generated on your device.

Two Encryption Modes

All data is transmitted over HTTPS (TLS encryption). Our database (Postgres via Neon) uses encryption at rest.

Third-Party Services

We use trusted third-party services to provide our features. Each has their own privacy policies:

• WorkOS: Authentication and user management (passwordless login, OAuth)
• Stripe: Billing and subscription management (PCI-compliant)
• Resend: Email notifications (contact form confirmations, account notifications)
• Vercel: Hosting and content delivery (serverless infrastructure)
• PostHog: Anonymized product analytics (no personally identifiable information)
• AWS KMS: Key management for diary encryption (default mode only)

These services process data only as necessary to provide their function. We have Data Processing Agreements (DPAs) with vendors handling sensitive data.

Cookies & Local Storage

We use cookies and local storage to provide our service:

• Session Cookies: Keep you logged in (required for authentication)
• Preference Cookies: Remember your settings (timezone, theme, cat personality)
• Analytics Cookies: Help us understand usage patterns (anonymized via PostHog)
• Local Storage: Offline diary edits, planner data, and sync queue

You can disable cookies in your browser settings, but this may affect functionality.

Data Retention

We retain your data as follows:

• Account Data: Retained while your account is active
• Diary Entries: Retained indefinitely unless you delete them or your account
• Archived Versions: Conflict/archived diary versions retained for 30 days by default
• Audit Logs: Security and admin actions logged for 1 year (7 years for compliance archives)
• Analytics: Anonymized usage data retained for 90 days (aggregated longer)

When you delete your account, we perform a soft delete and schedule final purge per our retention policy. Some data may be retained for legal or audit purposes.

Your Rights & Controls

You have full control over your data:

• Access: View all your data via Settings → Export Data
• Export: Download your diary, mood logs, and planner data (PDF/CSV)
• Delete: Delete individual entries or your entire account (Settings → Account)
• Correct: Edit your profile, preferences, and diary entries anytime
• Portability: Export your data in machine-readable formats
• Withdraw Consent: Change encryption mode, disable features, or revoke permissions

GDPR & CCPA Compliance

We comply with the General Data Protection Regulation (GDPR) for EU users and the California Consumer Privacy Act (CCPA) for California residents.

Your Rights Under GDPR/CCPA

• Right to know what data we collect and why
• Right to access your data
• Right to correct inaccurate data
• Right to delete your data (with exceptions for legal obligations)
• Right to data portability
• Right to opt-out of data sales (we don't sell data)
• Right to non-discrimination for exercising your rights

Data Subject Access Requests (DSAR): To exercise your rights, contact us at our contact page. We will respond within 30 days (GDPR) or 45 days (CCPA) as required by law.

Regional Data Residency

Your data is stored in the region assigned during signup (based on IP, locale, and billing country). We currently support:

• US (Primary): us-east-1 (Virginia) and us-west-2 (Oregon)
• EU/UK: eu-west-1 (Ireland) and eu-west-2 (London) — provisioned and tested

Your created_region is displayed in Settings. Region migration is only available via explicit user-initiated request with re-authentication and consent.

Children's Privacy

Our service is not intended for children under 13. We do not knowingly collect data from children. If we discover we have collected data from a child under 13, we will delete it promptly. Parents or guardians who believe we have inadvertently collected data from a child should contact us immediately.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we'll notify you via email or in-app notification. The "Last updated" date at the top indicates the most recent revision.

Continued use of our service after changes means you accept the updated policy.

Contact Us

If you have questions, concerns, or requests about this Privacy Policy or how we handle your data, please reach out: