1. Information We Collect
Account Information
When you create an account, we collect your email address, display name, and authentication credentials (hashed). We may collect your billing information (handled by Stripe — we never store raw card numbers).
Usage Data
We automatically collect information about how you use the Service: page views, feature interactions, session duration, and error logs. This data is used to improve the Service and is stored in aggregated, anonymized form where possible.
User Content
We store the domain models, journeys, nodes, and other content you create through the Service ("User Content"). This data is stored on our servers and is subject to our security practices described below.
AI Interaction Data
When you use AI features, prompts and AI responses may be logged temporarily to improve response quality and detect abuse. We do not use your domain-specific content to train base AI models without explicit consent.
2. How We Use Your Information
We use the information we collect to: (a) provide, operate, and maintain the Service; (b) process transactions and send related information, including purchase confirmations and invoices; (c) send administrative communications, such as security alerts and support responses; (d) respond to your comments, questions, and customer support requests; (e) monitor and analyze trends, usage, and activities in connection with the Service; (f) detect, investigate, and prevent fraudulent transactions and other illegal activities.
3. Data Storage & Security
Your data is stored in encrypted databases (AES-256 at rest, TLS 1.3 in transit) hosted on infrastructure in the United States. We implement industry-standard security measures, including regular security audits, access controls based on the principle of least privilege, automated vulnerability scanning, and incident response procedures. No method of transmission over the internet or method of electronic storage is 100% secure — we cannot guarantee absolute security, but we work diligently to protect your data.
4. Data Sharing & Third Parties
We do NOT sell your data
Full stop. Your personal information and User Content are never sold to third parties for advertising or any other commercial purpose.
Service Providers
We share data with trusted service providers who assist in operating our Service: Stripe (payments), a cloud hosting provider (infrastructure), an email delivery provider (transactional emails), and an error monitoring provider. All service providers are bound by data processing agreements.
Legal Requirements
We may disclose your information if required by law, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights or the safety of others.
5. Your Rights (GDPR)
If you are in the European Economic Area (EEA), you have certain data protection rights. You have the right to: (a) access — request a copy of your personal data; (b) rectification — request correction of inaccurate personal data; (c) erasure — request deletion of your personal data ("right to be forgotten"); (d) restriction — request we restrict processing of your data; (e) portability — receive your data in a structured, machine-readable format; (f) objection — object to our processing of your personal data; (g) withdraw consent at any time where we rely on consent as the legal basis for processing.
6. Your Rights (CCPA)
If you are a California resident, you have the right to: (a) know what personal information we collect about you; (b) know whether your personal information is sold or disclosed and to whom; (c) opt out of the sale of your personal information (we don't sell it, but this right exists); (d) access your personal information; (e) request deletion of your personal information; (f) non-discrimination for exercising your CCPA rights. To exercise these rights, contact us at the email below.
7. Cookies & Tracking
We use strictly necessary cookies to maintain your session and authentication state. We do not use advertising cookies or cross-site tracking cookies. We may use a minimal analytics solution to understand aggregate feature usage — this is configured to respect Do Not Track (DNT) headers and does not create user profiles for advertising purposes.
8. Data Retention
We retain your User Content and account information for as long as your account is active, or as needed to provide the Service. If you delete your account, we will delete your personal data within 30 days, except where we are required by law to retain it longer. Aggregated, anonymized analytics data may be retained indefinitely.
9. Children's Privacy
The Service is not directed to children under 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If we discover we have collected personal information from a child without parental consent, we will delete that information immediately.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by updating the "Last updated" date and, where appropriate, by email notification. We encourage you to review this Policy periodically.
11. Contact & Data Requests
For privacy-related requests, questions, or to exercise your rights, contact our privacy team at privacy@journeystorm.dev. We respond to all verified requests within 30 days (or 72 hours for security incidents). If you are an EU resident, you also have the right to lodge a complaint with your local supervisory authority.