Privacy Policy
Last updated: March 2026
Summary: Your privacy is fundamental to Cirflect. Your diary entries are yours. We collect only what's needed to run the platform, store your data in the EU, process AI locally on our server (no third-party AI services), and never sell or share your personal data with anyone.
1. Who We Are
Cirflect is a personal journaling/diary and community support platform operated from Sweden. This privacy policy explains how we collect, use, and protect your personal data in accordance with the EU General Data Protection Regulation (GDPR).
Contact: privacy@cirflect.com
2. What Data We Collect
We collect the following personal data when you use Cirflect:
- Account information: Email address, username, and display name (provided during registration)
- Profile data: Profile picture (if you choose to upload one)
- Journal content: Titles, text entries, mood selections, tags, and privacy settings you choose for your posts
- Circle activity: Which circles you join, support messages you send or receive
- AI conversations: Messages you send to the AI journal assistant (processed locally, not stored permanently)
- Technical data: Login timestamps, last active time, IP addresses (used for rate limiting and security), session cookies required for the platform to function
We do not collect: browsing history, location data, device fingerprints, or any data from third-party trackers or analytics services.
3. How We Use Your Data
We use your personal data only for the following purposes:
- Providing and maintaining the Cirflect platform (account management, journaling, circles)
- Processing your journal entries according to the privacy level you select (private, circle, or public)
- Generating AI companion responses locally on our server
- Detecting crisis keywords to display emergency support resources
- Sending essential communications about your account (password resets, security notices)
We never use your data for advertising, profiling, automated decision-making, or any purpose beyond operating the platform.
4. AI Processing and Privacy
Cirflect uses a locally hosted AI model (Ollama with Mistral) running on our own server. Your conversations with the AI assistant are never sent to any third-party AI service such as OpenAI, Google, or others. All AI processing happens on infrastructure we control within the EU.
5. Legal Basis for Processing
We process your data based on the following legal grounds under GDPR:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Cirflect service you signed up for
- Legitimate interest (Art. 6(1)(f)): Security measures, crisis keyword detection for user safety
- Consent (Art. 6(1)(a)): For any optional features we may introduce in the future
6. Where Your Data Is Stored
All data is stored within the European Union:
- Database: Neon.tech PostgreSQL hosted in Frankfurt, Germany
- Application server: Hosted in the EU (Germany/Finland)
Your data never leaves the EU. We do not transfer data to any third country or international organization.
7. Data Sharing
We do not sell, rent, trade, or share your personal data with any third parties. The only exceptions are:
- Content you choose to share publicly or within circles (as per your privacy selection)
- If required by Swedish or EU law enforcement with valid legal authority
8. Data Retention
We retain your data for as long as your account is active. If you delete your account, we will delete all your personal data within 30 days, except where retention is required by law. Inactive accounts may be flagged for cleanup after an extended period of inactivity.
9. Your Rights Under GDPR
As an EU resident, you have the following rights regarding your personal data:
- Right of access: Request a copy of all personal data we hold about you
- Right to rectification: Correct any inaccurate personal data
- Right to erasure: Request deletion of your account and all associated data
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to restrict processing: Limit how we use your data
- Right to object: Object to processing based on legitimate interest
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at privacy@cirflect.com. We will respond within 30 days as required by GDPR.
10. Data Security
We protect your data with the following measures:
- Password hashing using bcrypt (your password is never stored in plain text)
- HTTPS encryption for all data in transit
- Input sanitization and XSS/CSRF protection
- Rate limiting to prevent abuse
- Security headers on all responses
11. Children's Privacy
Cirflect is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this privacy policy from time to time. Significant changes will be communicated through the platform. The "last updated" date at the top of this page will always reflect the most recent revision.
13. Contact and Complaints
For any privacy-related questions or to exercise your rights:
Email: privacy@cirflect.com
If you are not satisfied with our response, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at www.imy.se.