Privacy Policy
Effective: May 9, 2026
This Privacy Policy explains how Restorae ("Restorae," "we," "us") collects, uses, stores, and shares information when you use the Restorae mobile application or visit restorae.app (together, the "Service"). Restorae is a lifestyle app for emotional self-awareness — it is not a medical, mental-health, or clinical service. This policy is written to satisfy the App Store Privacy Nutrition Label, the Google Play Data Safety declaration, the EU General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and applicable Canadian, UK, and Australian privacy laws. If anything here is unclear, email privacy@restorae.app.
Who is the data controller
Restorae is the data controller for personal information processed in connection with the Service. For GDPR purposes, data-subject requests can be sent to privacy@restorae.app. We do not have an EU or UK representative; our processing is consumer-direct and we do not operate local establishments.
What we collect and why
Account information
When you create an account we collect an email address and, optionally, a display name and profile photo. If you sign in with Apple or Google, we receive the identifier and email those providers release. We do not receive your provider password. Your email address is stored encrypted at rest; the lookup key we use to log you in is an HMAC of the lower-cased address, keyed with a secret held in our server-side key management rather than in the database. A breach of the database alone therefore exposes neither your address nor an offline brute-force path to it (a plain, unkeyed hash of the address would allow the latter). Legal basis: performance of the contract you enter when you create an account (GDPR Art. 6(1)(b)).
Emotional check-ins, journal entries, and reflections
The core of Restorae is your daily emotional check-ins: the quadrant you select, an optional short note, and the time and timezone you recorded the check-in. Journal entries, journal prompts, program-day written reflections, and direct messages between you and a companion are stored alongside check-ins. This is the most sensitive category of data we hold. Every one of those fields is encrypted at rest with AES-256-GCM, with a per-row initialization vector that is never reused, an authentication tag that lets us detect any tampering with the stored ciphertext, and a key identifier that lets us re-encrypt rows under a new key on the server side, so rotating the encryption key never requires re-uploading anything. Decryption happens on our servers at the moment you request your data; the plaintext is returned only over your authenticated session, and any production-side access to keys or data is recorded in the audit log described under Data security. Journal entries you flag as biometric-locked are additionally gated by a device-local biometric check before they decrypt on screen. Legal basis: performance of the contract.
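Added illustration (example code written for this page, not Restorae's own implementation): the Go program below shows the pattern the two sections above describe. A keyed HMAC of the normalised email address serves as the account lookup key, each sensitive field is sealed with AES-256-GCM under a per-row nonce with the key identifier bound into the authentication tag, rotation re-seals rows server-side under a new key, and destroying a key makes every row sealed under it unreadable. The Vault and Record types, the key ids k1/k2 and the sample note are assumptions made for the illustration; the HMAC key and data keys are generated at random rather than drawn from any real key-management system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Record is one encrypted column value as described above: the id of the key that sealed it, the per-row nonce (IV) and the AES-GCM output, whose last 16 bytes are the authentication tag.
type Record struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// Vault stands in for server-side key management (an assumption for this illustration): data keys by id plus a separate key for the email lookup HMAC. Nothing in here is stored in the database that holds Records.
type Vault struct {
	dataKeys  map[string][]byte
	activeKey string
	hmacKey   []byte
	next      int
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failed entropy read is not something to recover from
	}
	return b
}

func NewVault() *Vault {
	v := &Vault{dataKeys: map[string][]byte{}, hmacKey: randomBytes(32)}
	v.newActiveKey()
	return v
}

func (v *Vault) newActiveKey() {
	v.next++
	v.activeKey = fmt.Sprintf("k%d", v.next)
	v.dataKeys[v.activeKey] = randomBytes(32) // AES-256
}

// EmailLookupKey is the blind index used to find an account: normalising case and whitespace first lets two spellings of one address match without the address ever being stored in clear.
func (v *Vault) EmailLookupKey(email string) string {
	mac := hmac.New(sha256.New, v.hmacKey)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(email))))
	return hex.EncodeToString(mac.Sum(nil))
}

func (v *Vault) gcmFor(keyID string) (cipher.AEAD, error) {
	key, ok := v.dataKeys[keyID]
	if !ok {
		return nil, errors.New("key " + keyID + " is unknown or destroyed")
	}
	block, _ := aes.NewCipher(key) // key length is fixed at 32 bytes above
	return cipher.NewGCM(block)
}

// Encrypt seals under the active key with a fresh nonce per row; the key id rides along as additional authenticated data, so a record cannot be re-labelled to decrypt under another key.
func (v *Vault) Encrypt(plaintext []byte) Record {
	gcm, _ := v.gcmFor(v.activeKey) // the active key always exists
	nonce := randomBytes(gcm.NonceSize())
	return Record{v.activeKey, nonce, gcm.Seal(nil, nonce, plaintext, []byte(v.activeKey))}
}

// Decrypt fails closed: a destroyed key, a flipped ciphertext byte or a swapped key id is an error, never garbage plaintext.
func (v *Vault) Decrypt(r Record) ([]byte, error) {
	gcm, err := v.gcmFor(r.KeyID)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(r.KeyID))
}

// Rotate mints a new active key and re-seals rows under it on the server, which is what rotating the key "without re-uploading anything" amounts to.
func (v *Vault) Rotate(rows []Record) ([]Record, error) {
	v.newActiveKey()
	out := make([]Record, 0, len(rows))
	for _, r := range rows {
		pt, err := v.Decrypt(r)
		if err != nil {
			return nil, err
		}
		out = append(out, v.Encrypt(pt))
	}
	return out, nil
}

// Destroy is the key-destruction step: every Record sealed under the key, copies in backups included, becomes unrecoverable.
func (v *Vault) Destroy(keyID string) { delete(v.dataKeys, keyID) }
```

The point of passing the key id as additional authenticated data is that the tag then covers the label as well as the ciphertext, so an attacker who can edit database rows cannot point a record at a different key and hope for a useful decryption; the only outcomes are the right plaintext or an authentication failure.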
Usage telemetry
When the app is active we may send product-interaction events (for example, check-in completed, tool session started) to our own backend so we can understand what is being used and what is not. Telemetry is gated by your consent toggle in Settings → Share anonymous usage and error telemetry. Turning it off suppresses the events at the source; we receive nothing. We do not run any third-party analytics SDK and we do not enrich telemetry with profile information. Legal basis: your consent (GDPR Art. 6(1)(a)), revocable at any time.
Crash and diagnostic data
We use Firebase Crashlytics to receive stack traces and device metadata (OS version, app version, device model, a per-installation identifier) when the app crashes. Crashlytics payloads are not linked to your user account in our systems; we use them to fix bugs. Crashlytics retains crash traces for 90 days and then expires them. Legal basis: legitimate interests in maintaining a working service (GDPR Art. 6(1)(f)).
Purchase history
Subscriptions are processed by Apple on iOS and Google on Android. We see the resulting entitlement state via RevenueCat (a subscription-management processor): which product you purchased, when it renews, and whether it is active. We do not receive your payment card or banking details; those stay with Apple, Google, or your card network. Legal basis: performance of the contract.
Device identifiers, sync secrets, and push tokens
We store a per-device identifier and — if you grant notification permission — a Firebase Cloud Messaging (FCM) push token, used to deliver scheduled reminders, account-security alerts, and (if you opt in) crisis-resource nudges from a companion. We also store a per-device sync secret which is encrypted at rest and used to verify that an offline batch of check-ins genuinely came from your device. We do not use advertising identifiers (IDFA, AAID) and we do not track you across apps or websites.
What we do not collect
- Contacts, calendar, location (GPS or coarse), microphone, camera, or photo library.
- Health data (Apple HealthKit, Google Fit) or any clinical record.
- Advertising identifiers (IDFA, AAID).
- Browsing history or analytics from other apps or websites you use.
- Anything from third-party apps installed on your device.
Third-party processors (sub-processors)
The following service providers process personal information on our behalf under written data-processing agreements. They act as "sub-processors" under GDPR and "service providers" under CCPA/CPRA; none of them sells your data, and none receives your check-ins, journal entries, or reflections. A maintained list of sub-processors with effective dates lives at restorae.app/sub-processors.
- Apple, Inc. — App Store billing, Sign in with Apple, Apple Push Notification service. Data: subscription state, Apple user identifier, push token. Region: United States.
- Google LLC (incl. Firebase) — Play Store billing, Google Sign-In, Firebase Cloud Messaging push delivery, Firebase Crashlytics for crash reporting. Data: subscription state, Google user identifier, FCM push token, crash traces, a Firebase installation identifier. Region: United States.
- RevenueCat, Inc. — subscription reconciliation across iOS and Android. Data: our user identifier, store transaction metadata. Region: United States.
- DigitalOcean, LLC — cloud hosting for the backend, the database, the object store (audio and avatar files), and a dedicated server inside our own network that runs the language model used for written reflections and personalized programs. Region: United States.
- Twilio Inc. (SendGrid) — transactional email only: account verification, password reset, account-deletion confirmation, and security alerts. We do not send marketing email. Data: email address, message body. Region: United States.
Where AI is used in Restorae
Some features (the Analyzing daily insight on Premium, personalized program generation, and the monthly/quarterly/yearly reflection narratives) call a small open-source language model. The model runs on a server that we operate inside our own infrastructure on DigitalOcean, behind authentication and a strict network firewall. Your prompts and the model's responses do not leave our infrastructure. We do not send any of your content to OpenAI, Anthropic, Google, or any other third-party AI provider. We never use your content to train any machine-learning model — ours or anyone else's. The language-model prompt for these features sees aggregated counts and your emotion-word vocabulary, but does not see raw note content or journal entries unless you explicitly opt in via Settings → Insights → Use journals in reflections.
Data security
Network traffic is encrypted in transit with TLS 1.2 or higher, and in release builds the mobile app pins the SHA-256 fingerprint of our server's leaf certificate, so a forged or mis-issued certificate is rejected even if the device's trust store has been tampered with. Sensitive fields — your email address, check-in notes, journal entries, journal prompts, program-day written reflections, companion direct messages, and per-device sync secrets — are encrypted at rest with AES-256-GCM using keys held in our server-side key management, separate from the database. Database backups inherit the same encryption. Production access is restricted to the engineering team, gated by SSH keys, and every administrative action is recorded in an append-only audit log that the application itself cannot edit.
Retention
- Active accounts: retained for the duration of your use.
- Deleted accounts: soft-deleted for 7 days so you can reverse the decision, then the encryption keys associated with your data are destroyed, which renders the remaining ciphertext unreadable wherever it still exists. Backups containing that now-unreadable data age out within 30 days.
- Crash traces: 90 days in Firebase, then expire.
- Server-side request logs: 30 days, then expire. Email addresses are redacted by a regex pre-processor before logs are stored.
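Added illustration (example code written for this page, not Restorae's log pre-processor): the Go program below shows the kind of regex redaction the last bullet describes, run over three constructed request-log lines. It also handles one case a plain pattern silently misses, an address whose "@" arrived percent-encoded in a query string, since a redactor that only looks for a literal "@" would let such an address into stored logs. The patterns, the placeholder text and the sample lines are assumptions made for the illustration.

```go
package main

import (
	"regexp"
)

// emailRe is deliberately loose (anything@anything.tld): over-redacting a log line is cheap, under-redacting is a leak.
var emailRe = regexp.MustCompile(`[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}`)

// encodedEmailRe catches the same shape when the '@' was percent-encoded as %40 in a URL or form body.
var encodedEmailRe = regexp.MustCompile(`(?i)[A-Za-z0-9._%+\-]+%40[A-Za-z0-9.\-]+\.[A-Za-z]{2,}`)

const placeholder = "[email-redacted]"

// RedactLine replaces every plain or percent-encoded email address in one log line.
// The encoded form is handled first so that the '%' characters it contains are not
// left behind as a partial, still-identifying fragment.
func RedactLine(line string) string {
	line = encodedEmailRe.ReplaceAllString(line, placeholder)
	return emailRe.ReplaceAllString(line, placeholder)
}

// RedactLines is the pre-processing step applied to a batch before it is stored.
func RedactLines(lines []string) []string {
	out := make([]string, len(lines))
	for i, l := range lines {
		out[i] = RedactLine(l)
	}
	return out
}

// SampleLines are constructed for this illustration; they are not real traffic.
var SampleLines = []string{
	"2026-05-09T10:12:03Z POST /v1/auth/login user=Alice.Smith+app@Example.com status=200",
	"2026-05-09T10:12:05Z GET /v1/account?email=bob%40example.co.uk status=404",
	"2026-05-09T10:12:07Z POST /v1/checkins device=dev_8f2a batch=12 status=201",
}
```

Redaction at the logging boundary is a backstop, not a substitute for keeping addresses out of request paths and query strings in the first place; the third sample line, which carries only a device identifier, is the shape a request log should have.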
Your rights
You have the right to:
- Access — request a copy of the data we hold. In-app: Settings → Data & Privacy → Export Data.
- Rectify — correct inaccurate data. In-app: Settings → Profile.
- Erase — delete your account and all associated data. In-app: Settings → Data & Privacy → Delete Account. You can also request deletion without signing in via restorae.app/delete-account.
- Portability — receive your data in machine-readable form (CSV).
- Object / restrict processing — disable telemetry, or write to us for other processing objections.
- Withdraw consent — in-app for telemetry; email us for anything else.
- Lodge a complaint — with your local supervisory authority (EU residents) or the Information Commissioner's Office (UK residents).
We respond to requests within 30 days. If you are an EU/UK resident and prefer to email, write to privacy@restorae.app.
California residents (CCPA/CPRA)
We do not sell or share personal information as those terms are defined by the CCPA/CPRA. California residents have the right to know what we collect, to delete, to correct, to opt out of sale or sharing (not applicable here), to limit the use of sensitive personal information (which our telemetry toggle supports), and to non-discrimination for exercising these rights. You can exercise any of them through the in-app controls above or by emailing privacy@restorae.app. An authorized agent can act on your behalf with signed written authorization.
Children
Restorae is not directed at children under 13 in the United States or under 16 in the European Union, and we do not knowingly collect personal information from them. If you are a parent or guardian and believe your child has used the Service without your consent, email us and we will delete the account.
International transfers
Restorae is operated from the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. Where required, we rely on the European Commission's Standard Contractual Clauses with our sub-processors for transfers out of the EU/UK.
Lifestyle disclaimer (not medical or therapeutic)
Restorae is a lifestyle app for self-reflection and emotional vocabulary. It is not a medical device, a mental-health service, or a substitute for professional care, and it does not diagnose, treat, prevent, or manage any condition. If you are in crisis, contact 988 (United States and Canada Suicide & Crisis Lifeline), 111 option 2 (United Kingdom), 13 11 14 (Australia Lifeline), 000 (Australia emergencies), or your local hotline at findahelpline.com.
Changes to this policy
We may update this Privacy Policy. Material changes will be notified in-app at least 14 days before they take effect; the effective date at the top of this page always reflects the current version. Past versions are available on request.
Contact
Privacy questions, data-subject requests, regulator correspondence: privacy@restorae.app. Sub-processor list and effective dates: restorae.app/sub-processors. Tracking practices: restorae.app/cookies.