Privacy Policy
This policy explains what NewsDiary collects, why, who processes it on our behalf, how long we keep it, and what rights you have. It applies to the iOS app, the Chrome extension, and the backend API operating at *.newsdiary.app.
If you read only one paragraph: we keep what you save in NewsDiary (articles you ingest, annotations you write, audio you record, diary entries). We do not train models on it, we do not sell it, and we delete it on request. The full list and our processors are below.
1. Data we collect
From you, directly
- Account identity — email address; password hash (Argon2id, never the password itself); for Sign in with Apple, the stable Apple subject identifier (`sub`) returned by Apple.
- Article content — text, HTML, and PDF documents you choose to ingest via the extension, the share extension, or by pasting into the app.
- Annotations — highlights, written notes, voice recordings, and their automated transcripts.
- Diary entries — text and (when added) audio you write in your personal journal.
- Profile — handle, display name, bio (only if you set them and only if you choose to make a profile public; default is private).
- Locale preference — `fr` or `en`, derived from your device or set explicitly.
Generated by our systems
- LLM usage metadata — model name, tool name (summary, bias, fact-check, context, glossary), input/output/cached token counts, cost estimate, timestamp. We do not log prompt or response text.
- Engagement metadata — last engagement timestamp per article; count of articles and annotations per month; full-text search index of your own content (Postgres `tsvector` columns).
- Diagnostic events — error reports captured by Sentry (stack trace, route, HTTP method, anonymous user id). PII scrubbing is enabled on the SDK.
We do not collect
- Browsing history outside articles you explicitly capture.
- Location data.
- Advertising identifiers, IDFA, IDFV.
- Tracking cookies. The marketing site uses a single first-party session cookie to remember whether you dismissed the banner; no third-party cookies are set.
2. Why we process your data (lawful basis under GDPR Art. 6)
| Purpose | Basis |
|---|---|
| Create and maintain your account | Contract (Art. 6(1)(b)) |
| Store and sync your articles + annotations | Contract |
| Run the LLM tools you trigger | Contract |
| Send transactional email (verify, magic) | Contract |
| Send marketing email | Consent, opt-in only (Art. 6(1)(a)) |
| Diagnostics and error monitoring | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal requests | Legal obligation (Art. 6(1)(c)) |
3. Sub-processors
We use a small number of vendors. None receive more than the data strictly needed for their function.
| Processor | Purpose | Location | Notes |
|---|---|---|---|
| Anthropic, PBC | LLM inference (Claude API) | US | No-training agreement; prompt caching enabled. |
| Brave Software | Web search grounding | US | Default since Tavily was acquired by Nebius (2026). |
| Resend, Inc. | Transactional + marketing email | US | Verify, magic link, weekly digest if opted in. |
| Functional Software (Sentry) | Error monitoring | DE/US | PII scrubbing on. |
| Fly.io | Application hosting | EU (cdg) | Single-replica backend, Postgres database. |
| Cloudflare R2 (planned) | Object storage for audio/PDFs | EU | When migrated from inline Postgres storage. |
| Whisper (self-hosted) | Audio transcription | EU (cdg) | Runs on our own Fly.io app, not a third party. |
We do not transfer data outside processors listed here. Apple Foundation Models, when used, run on-device and no data leaves your phone.
4. Retention
- Active account: indefinitely, until you delete the account.
- Pending deletion: 30 days from the moment you trigger deletion. During that window you can log in to cancel; mutations are blocked but reads and exports remain available so you can recover data. After 30 days the account row is hard-deleted and cascades through every owned table.
- LLM usage metadata: retained for billing reconciliation, 24 months.
- Sentry error reports: 90 days.
- Server logs: 14 days.
5. Your rights
Under GDPR you may:
- Access — request a copy of your data. Use `GET /export?format=json` in-app or email us.
- Rectify — edit your profile, annotations, diary entries, and consents directly in-app.
- Erase — `POST /me/delete` in-app, or email us.
- Portability — the JSON export at `GET /export?format=json` is a complete, machine-readable snapshot.
- Object — `POST /me/consents` toggles marketing consent off immediately. Revoking the privacy consent triggers account deletion (it is the lawful basis for processing).
- Lodge a complaint with your data protection authority. In France: CNIL, www.cnil.fr.
Requests sent to services@capewesley.com are answered within 30 days.
6. Security
- Passwords are hashed with Argon2id and never stored in plaintext.
- All API traffic is over HTTPS with a wildcard certificate.
- Audio blobs and PDFs are stored encrypted at rest by the hosting provider's disk encryption.
- BYO LLM keys (when enabled) are encrypted at rest using AES-GCM with a per-installation key (separate ticket; flag-gated until Sprint 4-bis lands).
7. Children
NewsDiary is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has signed up, write to services@capewesley.com and we will delete the account.
8. Changes
We may update this policy. The current `policy_version` is shown above and recorded with every consent you give. If we bump the version, you will see a re-consent screen on your next session.
9. Contact
Cape Wesley — services@capewesley.com