Marrow Journal

Privacy Policy

Effective Date: April 27, 2026 · Last Updated: April 27, 2026

Our core commitment: Your journal entries are stored exclusively on your device, encrypted with a key held only in your device's Secure Enclave. We cannot read them. We do not sell your personal information. We do not use your journal content for advertising.

1. Introduction

Marrow Journal is a private journaling application developed and operated by family.one ("we," "us," or "our"). We built Marrow Journal on a single principle: your most private thoughts belong to you, and only you. This Privacy Policy explains what personal information we handle, why we handle it, how it is protected, and what rights you have over it.

This Policy applies to:

  • The Marrow Journal iOS application (and future Android application);
  • Any optional cloud services you choose to enable within Marrow Journal; and
  • Our website and any related online services operated by family.one.

By using Marrow Journal you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Policy, please do not use Marrow Journal.

2. Who We Are / How to Contact Us

The data controller responsible for personal information processed in connection with Marrow Journal is:

Company: family.one

Privacy inquiries: please use the contact form on this website (choose the topic that best matches your request). We do not publish a direct email address.

For users in the European Economic Area ("EEA") or United Kingdom ("UK"), family.one acts as the data controller within the meaning of the General Data Protection Regulation ("GDPR") and UK GDPR. If you are in the EEA or UK and believe we have not adequately addressed your privacy concern, you have the right to lodge a complaint with your local supervisory authority.

For users in Canada, family.one is the organization accountable for personal information under the Personal Information Protection and Electronic Documents Act ("PIPEDA") and applicable provincial privacy legislation.

3. Information We Collect

3.1 Information Stored Only on Your Device

The following information is created by you, processed locally, and stored only on your device. It never leaves your device unless you explicitly enable an optional cloud feature:

  • Journal entries: The full text of everything you write or speak into Marrow Journal. Voice input is transcribed on-device and the audio discarded; only the text transcript is retained.
  • Entry metadata: The date and time of each entry, word count, input method (typed or voice), and any optional labels or tags you add.
  • Emotional reflections: Your responses to follow-up questions generated by the app.
  • Derived insights: Patterns, themes, entity associations (people, places, topics you mention), emotional arcs, and connected moments generated by the on-device AI model from your entry history.
  • User preferences: Your chosen interaction mode (text or voice), notification time, question count preference, and cloud sync settings.

3.2 Information We Receive on Our Servers

Despite Marrow Journal's local-first design, a limited set of information reaches our servers:

(a) Anonymised Telemetry

We collect a small, strictly controlled set of anonymised usage events to understand how the app is used and improve it. Our telemetry schema is enforced by technical controls that prohibit string fields and block any free-text data. The only events we collect are:

  • Whether you opened the journal composer (and whether from onboarding);
  • Your entry length — as a size bucket only (0–50, 51–200, 201–500, or 500+ words), never the actual word count;
  • Whether you answered a follow-up question, and which round (1st, 2nd, or 3rd); and
  • Whether a follow-up question was generated on-device or via cloud-assisted processing.

Telemetry events contain only numeric and boolean values. No journal text, transcripts, emotion descriptions, entry content, or other free-text data is ever included.

(b) Device Integrity Attestation (App Attest)

When you use certain optional cloud features, your device generates an attestation assertion using Apple's App Attest framework. This assertion verifies that the request originates from a genuine, unmodified version of Marrow Journal running on a real Apple device. We use this assertion only to issue a short-lived access token; we do not retain personal information derived from App Attest assertions.

(c) Push Notification Token

If you enable daily reminders, your device's Apple Push Notification Service ("APNs") token is stored on our servers. This token is used solely to send your scheduled reminders. Disabling notifications removes your token from our servers.

(d) Subscription and Billing Information

When you purchase a subscription, payment is processed by Apple through the App Store. We receive an encrypted receipt or entitlement record confirming your subscription status. We do not receive your payment card number, bank account details, or full financial information.

3.3 Optional Cloud Features (Explicit Opt-In Required)

Marrow Journal offers two optional features that involve data leaving your device. Each must be explicitly enabled by you:

iCloud Sync

If you enable iCloud Sync in Settings, your encrypted journal files are copied to your personal iCloud Drive storage. Important:

  • Files are encrypted on your device before upload. The encryption key is held only in your device's Secure Enclave and never transmitted to Apple or to us.
  • Neither Apple nor family.one can decrypt or read your synced files.
  • Apple's iCloud Privacy Policy governs Apple's handling of iCloud Drive storage.
  • You can disable iCloud Sync at any time in Settings.

Cloud-Assisted Question Generation

On devices that cannot comfortably run the full on-device AI model, you may optionally enable cloud-assisted processing. If enabled:

  • Your journal entry is converted into a semantic embedding (a numerical vector representation) on your device. The raw text of your entry is not transmitted.
  • Only the embedding, not the entry text, is sent to our servers.
  • Processing occurs within a Trusted Execution Environment ("TEE") — a hardware-isolated secure enclave that prevents even our infrastructure operators from accessing the data while it is being processed.
  • No raw journal text is transmitted in plaintext at any point.
  • Processed data is not retained after your follow-up question is returned.

4. How We Use Your Information

Information and purpose(s):

  • Journal entries (on-device): Core journaling experience; on-device AI question generation; identifying connected moments; emotional arc tracking. Not transmitted to us.
  • Derived insights (on-device): Surfacing patterns, themes, and connected moments within the app. Not transmitted to us.
  • Anonymised telemetry: Understanding aggregate feature usage; improving Marrow Journal's design and performance.
  • App Attest assertion: Verifying device and app integrity for optional cloud requests; issuing short-lived access tokens.
  • APNs token: Delivering your scheduled daily reminder notification.
  • Subscription record: Verifying your entitlement to premium features.
  • iCloud sync (opt-in): Backing up and synchronising your encrypted journal files across your Apple devices.
  • Semantic embeddings (opt-in): Generating follow-up questions on our servers for the current entry only. Not retained.

We do not use your information for:

  • Advertising, ad targeting, or building advertising profiles;
  • Selling personal information to third parties;
  • Training AI models on your journal content;
  • Sharing with data brokers or marketing platforms;
  • Making automated decisions about you with legal or significant effects; or
  • Any purpose incompatible with those described in this Policy.

5. Your Privacy Rights

5.1 Rights Available to All Users

Regardless of your location, you have the following controls:

  • Delete your journal data: Delete individual entries or all your data directly within Marrow Journal.
  • Export your data: Your journal files are standard Markdown (.md) text files stored in iCloud Drive or Google Drive. You can export or share them at any time.
  • Opt out of telemetry: Disable anonymous usage analytics in Settings → Privacy.
  • Disable push notifications: Turn off reminders in Marrow Journal's Settings or in iOS Settings → Notifications → Marrow Journal.
  • Disable optional cloud features: Disable iCloud Sync or cloud-assisted processing at any time in Settings.

5.2 European Economic Area and United Kingdom Rights (GDPR / UK GDPR)

If you are located in the EEA or UK, you have the following rights regarding personal data we process on our servers:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate personal data.
  • Right to erasure: Request deletion of your personal data.
  • Right to restriction: Request that we limit how we process your data.
  • Right to data portability: Receive the personal data you have provided to us in a structured, machine-readable format.
  • Right to object: Object to processing based on our legitimate interests.
  • Right to withdraw consent: Where processing is based on your consent, withdraw at any time.

To exercise any of the above rights, submit a request through our contact form and we will respond within 30 days.

5.3 California Rights (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

  • Right to Know: Know what categories of personal information we collect, the purposes for collection, and whether it is disclosed to third parties.
  • Right to Delete: Request deletion of personal information we have collected about you.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.

We do not sell personal information or share it for cross-context behavioural advertising.

5.4 Canadian Rights (PIPEDA)

If you are a Canadian resident, you have the following rights under PIPEDA:

  • Access: Request access to personal information we hold about you.
  • Correction: Request correction of personal information that is inaccurate or incomplete.
  • Withdrawal of consent: Withdraw consent to the collection, use, or disclosure of your personal information.

6. Children's Privacy

Marrow Journal is intended for users age 13 and older (or 16 in the EEA/UK where required). We do not knowingly collect personal information from children below the applicable minimum age. If you believe a child has provided personal information to us, please reach us through the contact form.

7. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the features of Marrow Journal. For material changes, we will notify you via an in-app notice before the change takes effect. Continued use of Marrow Journal after the updated Policy is posted constitutes your acceptance of the changes.

8. Contact Us

Please use the contact form on this website for any privacy-related inquiry. We aim to respond within 30 days. We do not publish a direct email address.

© 2026 family.one · Marrow Journal