Privacy Policy
Last updated: March 9, 2026
At CIWI ("we," "our," or "us"), operated by The Folclore Company, we are deeply committed to protecting the privacy and security of our users ("you" or "your"). This Privacy Policy explains in detail how we collect, use, disclose, retain, and safeguard your information when you use the CIWI mobile application and associated services (collectively, the "Service").
By accessing or using the Service, you agree to the collection and use of information as described in this Privacy Policy. If you do not agree, please do not use the Service.
Table of Contents
- 1. Information We Collect
- 2. How We Use Your Information
- 3. Legal Bases for Processing
- 4. Data Security
- 5. Data Sharing & Third Parties
- 6. Data Retention
- 7. International Data Transfers
- 8. Your Rights
- 9. Children's Privacy
- 10. Cookies & Tracking Technologies
- 11. AI & Machine Learning
- 12. Changes to This Policy
- 13. Contact Us
1. Information We Collect
We collect information to provide, maintain, and improve the Service. The types of information we collect depend on how you interact with CIWI.
1.1 Information You Provide Directly
- Account Information: When you create an account, we collect your name, email address, and authentication credentials. If you sign up via a third-party service (e.g., Apple Sign-In, Google), we receive your name and email from that provider.
- Profile Information: Any optional profile details you choose to provide, such as a profile photo or display name.
- User Content: Journal entries, contact records, notes, tags, relationship details, and any other content you create within the Service. This is your most sensitive data, and we treat it with the highest level of protection.
- Communications: If you contact our support team, we collect the content of your messages and any attachments you send.
- Payment Information: If you purchase a subscription, payment is processed by Apple (via In-App Purchase) or Stripe. We do not directly collect or store your full credit card number or payment credentials.
1.2 Information Collected Automatically
- Device Information: Device model, operating system and version, unique device identifiers, and mobile network information.
- Usage Data: How you interact with the Service, including feature usage patterns, session duration, and general navigation behavior. This data is collected in aggregate and anonymized form.
- Log Data: IP address, browser type (for web access), access times, pages viewed, and crash/error reports.
- Analytics: We use privacy-respecting analytics tools to understand usage trends. We do not use analytics to identify individual users or track personal behavior.
1.3 Information We Do NOT Collect
- We do not access your device contacts, camera, microphone, or location without explicit permission and a clearly stated purpose.
- We do not read, scan, or analyze your journal entries, contact notes, or any user content for advertising, marketing, or profiling purposes.
- We do not create behavioral profiles or sell data to data brokers.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Provide the Service: To operate, maintain, and deliver the features of the CIWI app, including storing your journal entries, contacts, and relationship data.
- Account Management: To authenticate your identity, manage your subscription, and enable you to access your data across devices.
- Service Improvement: To understand aggregate usage patterns and improve the app experience. This is done with anonymized and aggregated data only.
- Security & Fraud Prevention: To detect, investigate, and prevent unauthorized access, abuse, or any activity that threatens the security of the Service.
- Communications: To send essential transactional messages (e.g., password resets, billing confirmations), security alerts, and — only with your consent — occasional product updates.
- Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
What we never do: We never use your personal content (journal entries, notes, contacts) to target advertising, train AI models, build marketing profiles, or for any purpose other than providing the Service directly to you.
3. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:
- Contract Performance: Processing necessary to provide the Service as outlined in our Terms of Service (e.g., storing your data, authenticating your account).
- Legitimate Interests: Processing necessary for our legitimate interests, such as improving the Service, ensuring security, and preventing fraud — provided these interests are not overridden by your rights.
- Consent: Where we rely on your consent (e.g., optional marketing emails), you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal Obligation: Processing required to comply with a legal obligation to which we are subject.
4. Data Security
We take the security of your data extremely seriously. CIWI employs multiple layers of protection:
4.1 Encryption
- In Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3 (Transport Layer Security), the most current and secure protocol available.
- At Rest: All data stored on our servers is encrypted using AES-256 (Advanced Encryption Standard with 256-bit keys), which is the same encryption standard used by governments and military organizations worldwide.
4.2 Access Controls
- Row-Level Security (RLS): Our database architecture enforces strict row-level security policies. Each user's data is completely isolated — no other user can access your records, even in the event of a software bug.
- Employee Access: CIWI employees do not have access to your personal content (journal entries, notes, contacts). Access to infrastructure is limited to a minimal number of authorized personnel, using multi-factor authentication and audit logging.
- Infrastructure: We use enterprise-grade cloud infrastructure providers that maintain SOC 2 Type II, ISO 27001, and other relevant certifications.
4.3 Incident Response
In the unlikely event of a data breach, we will:
- Notify affected users within 72 hours as required by applicable law (including GDPR).
- Provide clear information about what data was affected and what steps we are taking.
- Report the breach to the relevant supervisory authorities as required.
5. Data Sharing & Third Parties
We do not sell, rent, trade, or monetize your personal information. We may share limited information only in the following circumstances:
5.1 Service Providers (Sub-Processors)
We use a limited number of trusted third-party services to operate the Service. These providers are contractually obligated to protect your data and may only process it on our behalf:
- Supabase: Database hosting, authentication, and file storage (data encrypted at rest and in transit).
- Cloudflare: Content delivery, DDoS protection, and DNS services.
- Apple / Stripe: Payment processing for subscriptions (we do not store payment credentials).
- Google Analytics: Anonymized, aggregated website analytics only — no personal data is shared.
5.2 Legal Requirements
We may disclose your information if required to do so by law, or if we believe in good faith that such action is necessary to:
- Comply with a legal obligation, regulatory requirement, or valid legal process.
- Protect and defend the rights, property, or safety of CIWI, our users, or the public.
- Detect, prevent, or address fraud, security, or technical issues.
Where legally permitted, we will notify you before disclosing your information in response to legal process.
5.3 Business Transfers
If CIWI is involved in a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Service before your information is transferred and becomes subject to a different privacy policy.
6. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy:
- Active Accounts: Your data is retained for as long as your account is active and you continue to use the Service.
- Account Deletion: When you delete your account, we will delete or anonymize all of your personal data within 30 days. Some data may be retained in encrypted backups for up to 90 days, after which it is permanently deleted.
- Legal Requirements: We may retain certain information for longer periods if required by law (e.g., financial transaction records for tax purposes).
- Anonymized Data: Aggregated, anonymized usage statistics that cannot identify individual users may be retained indefinitely to improve the Service.
7. International Data Transfers
CIWI is operated by The Folclore Company. Your data may be processed in countries other than your country of residence. When we transfer data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): For transfers from the EEA/UK, we rely on European Commission-approved Standard Contractual Clauses.
- Adequacy Decisions: Where applicable, we transfer data to countries recognized by the European Commission as providing adequate protection.
- Infrastructure: Our primary infrastructure providers maintain data centers in multiple regions, and we configure our services to minimize unnecessary cross-border data transfers.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
8.1 Rights Under GDPR (EEA, UK, Switzerland)
- Right of Access: Request a copy of your personal data.
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data.
- Right to Restrict Processing: Request that we limit how we process your data.
- Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format.
- Right to Object: Object to processing based on legitimate interests.
- Right to Withdraw Consent: Withdraw consent at any time where we rely on consent for processing.
- Right to Lodge a Complaint: File a complaint with your local data protection authority.
8.2 Rights Under CCPA / CPRA (California, USA)
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected.
- Right to Delete: Request deletion of your personal information.
- Right to Opt-Out: Opt out of the sale or sharing of personal information. Note: CIWI does not sell your personal information.
- Right to Non-Discrimination: You will not be discriminated against for exercising your CCPA rights.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Limit Use of Sensitive Information: Direct us to limit the use of sensitive personal information to specific purposes.
8.3 Rights Under LGPD (Brazil)
- Confirmation and Access: Confirm whether we process your data and request access to it.
- Correction: Request correction of incomplete, inaccurate, or outdated data.
- Anonymization, Blocking, or Deletion: Request these actions for unnecessary or excessive data.
- Data Portability: Request transfer of your data to another service provider.
- Deletion: Request deletion of data processed with your consent.
- Information on Sharing: Request information about third parties with whom we share your data.
- Revocation of Consent: Revoke consent at any time.
To exercise any of these rights, please contact us at privacy@ciwi.app. We will respond within 30 days (or the applicable statutory period).
9. Children's Privacy
CIWI is not intended for use by children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children under this age.
If we become aware that we have collected personal information from a child under the applicable age without verified parental consent, we will take immediate steps to delete that information. If you believe we may have collected information from a child, please contact us at privacy@ciwi.app.
10. Cookies & Tracking Technologies
The CIWI mobile application does not use cookies. Our marketing website (ciwi.app) uses the following:
- Essential Cookies: Required for basic website functionality (e.g., session management).
- Analytics Cookies: Google Analytics cookies to understand aggregate website traffic. These are configured to anonymize IP addresses and do not track individual users across sites.
You can control cookies through your browser settings. Disabling cookies will not affect your ability to use the CIWI mobile application.
We do not use tracking pixels, fingerprinting, or any other surveillance-style tracking technologies.
11. AI & Machine Learning
CIWI may introduce AI-assisted features in the future (e.g., smart suggestions, relationship insights). Our commitments regarding AI are as follows:
- No Training on Your Data: We will never use your personal data (journal entries, contacts, notes) to train, fine-tune, or improve general-purpose AI or machine learning models.
- On-Device Processing: Where feasible, AI features will process data locally on your device to minimize data transmission.
- Transparency: If we introduce AI features, we will clearly disclose what data they use, how they process it, and provide you with controls to enable or disable them.
- No Automated Decision-Making: We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes:
- We will update the "Last updated" date at the top of this page.
- For material changes, we will provide notice through the app, via email, or through a prominent notice on our website.
- We will not reduce your rights under this Privacy Policy without your explicit consent.
We encourage you to review this Privacy Policy periodically.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: privacy@ciwi.app
- General Support: help@ciwi.app
- Company: The Folclore Company
For data protection inquiries within the EU, you may also contact your local Data Protection Authority.
Questions About Privacy?
Our dedicated privacy team is available to help with any data access requests, concerns, or technical questions you may have about your information security.
Expect a response within 24-48 business hours.