SEEN:app Privacy Policy

Version: 4.0

Effective Date: June 30, 2026

Last Updated: June 30, 2026

Our Commitment to Your Privacy

At SEEN:app, your reflections are sacred. This policy explains, in plain language, what stays on your device, what leaves it and why, who processes it, and the control you have over all of it. We have tried to be honest rather than flattering, because a privacy policy that overpromises is worse than one that tells the truth.

Quick Summary

  • 🔒 Your on-device journal is encrypted. Entries on your phone use AES-256 with a key held on your device. Cloud backup and web journaling work differently, and are described below.
  • ✍️ Reflecting sends your words out to be understood. When you tap Reflect, your entry and recent session context are sent securely to our server and our AI provider to generate Fathom's response.
  • ☁️ Backups are optional and premium. You can back up to our cloud Vault or to your own iCloud. Vault offers a zero-knowledge Privacy Mode where even we cannot read your entries.
  • 🛟 Safety is always on. Crisis detection runs anonymously and surfaces resources to you. Analyzed text is not retained.
  • 📊 We do not mine or sell your writing. No content profiling, no ads, no selling your data.
  • 👤 Your account holds a small set of profile data so your setup follows you across devices.

How Your Journaling Data Flows

  1. You write an entry. It is saved on your device, encrypted with AES-256.
  2. When you tap Reflect, your entry and recent session context are sent over an encrypted connection to our proxy server, which forwards a sanitized version to our AI provider to generate Fathom's response.
  3. Optionally, if you turn on a premium backup, your entries can also be stored in our cloud Vault or your private iCloud.

The rest of this policy details each step.

On Your Device

  • Journal entries: stored in the app's secure container, encrypted with AES-256-GCM. The encryption key is generated on your device and stored in the iOS Keychain. Entries cannot be read without that device-specific key.
  • What is not encrypted on device: your profile and preferences (name, pronouns, birthday, avatar, engagement style, subscription tier) are stored in the app's shared settings in readable form, not encrypted at rest. This is profile data, never your journal content.
  • Unlocking: opening the app requires Face ID, Touch ID, or your device PIN every time, so your journal stays protected even if your phone is already unlocked.

When You Reflect (What Goes to Our Server and AI)

When you tap Reflect, the following is sent over HTTPS to our proxy server at api.seen.place, which forwards it to our AI provider:

  • your current entry text and the recent session context needed for a coherent response.

Our proxy sanitizes content before it reaches any AI provider. Our AI providers do not retain or train on your content under their API terms.

We do not retain your journal or reflection text on our servers. A review of our proxy server code confirmed that reflection text and voice transcription are never written to our database. They are processed to generate Fathom's response, and then gone.

We also store, on our server, a small amount of non-content data tied to your use: completion analytics (session type, the step you finished on, and duration).

Your Account

When you create an account, we store this in our secure cloud database so your setup follows you across devices and survives a reinstall:

  • Email address (your sign-in identity)
  • Device ID
  • Name, pronouns, and birthday (month and day only, never the year), if you provide them
  • Fathom avatar, engagement style, and voice preferences
  • Subscription tier

Sign-in is by a one-time code sent to your email. There is no password.

Optional Cloud Backup: The Vault (Premium)

If you enable Vault backup, your journal entries are backed up to our servers as encrypted blobs. There are two modes:

  • Standard mode: your entries are encrypted with AES-256, and we hold the key. This means your backup is encrypted in transit and at rest, but our systems are technically capable of decrypting it. Access is restricted and controlled.
  • Privacy Mode (zero-knowledge): the encryption key is derived from your own secret using PBKDF2 and never reaches our servers. In this mode, we cannot read your backed-up entries. Only you can.

If reading your own backup matters to you and you do not want us to be able to access it, use Privacy Mode.

Optional iCloud Backup (Premium)

If you enable iCloud backup, your full journal entries, chat history, Echoes reports, profile, and settings are synced through Apple CloudKit to your own private iCloud database. This data lives in your iCloud account, governed by Apple's privacy terms, not on our servers. Data prepared for iCloud backup is currently protected with a legacy encryption method that we are upgrading to AES-256. For the strongest protection in the meantime, use the on-device store or Vault Privacy Mode.

Web Journaling (Optional)

You can journal from a computer at web.seenjournal.app. You sign in by scanning a QR code in the app, secured by your one-time email code. Web journaling uses the same account and the same Vault described above, through our proxy server. The same protections and modes apply.

AI and Third-Party Services

All AI requests go through our proxy, which sanitizes content first. We use:

  • Anthropic (Claude): generates Fathom's reflections, Echoes pattern reports (analysis across a time span you choose), and runs crisis detection. Not retained or trained on per Anthropic's API terms.
  • OpenAI: backup model for Fathom reflections, plus voice text-to-speech, voice transcription, and the real-time audio stream for voice chat. It also reads the emotional tone of Fathom's own reply (not your message) and of avatar images, using GPT-4 and GPT-4o Vision, so Fathom's avatar can match the moment with a fitting expression and pose. This is cosmetic, is separate from crisis detection, and does not involve sending your own writing to OpenAI. Not retained or trained on per OpenAI's API terms.
  • xAI (Grok): generates custom Fathom avatars from the description you provide.
  • Apple (CloudKit): powers optional iCloud backup to your private iCloud.
  • Firebase (Google): anonymous analytics and crash reporting. No journal content.
  • RevenueCat: manages subscriptions and reconciles your access tier. Receives purchase transactions and your email.
  • Notification service: stores your device token and reminder schedule to deliver notifications.
  • Hosting provider: SOC 2-compliant infrastructure.

No advertising or social-media integrations.

Voice Features

When you use voice playback, voice transcription, or voice chat, the necessary text or audio is processed by OpenAI to generate or interpret speech. This audio is processed to provide the feature and is not stored by us.

Custom Avatar Generation

When you generate a custom Fathom avatar, the description you write is sent to xAI (Grok) to create an image in SEEN:app's style. The resulting avatar and your description are saved with your account so it can appear across your devices.

Crisis Detection and Safety

  • Crisis detection runs automatically on reflections. There is no user toggle.
  • Your reflection text is analyzed in real time by Anthropic (Claude) for signs of distress. This analyzed text is not retained.
  • If distress is detected, support resources (988 Suicide and Crisis Lifeline, Crisis Text Line, 911) are shown to you in the app. Our team receives only an anonymous flag, never your content.

Anonymous Metrics

  • A random analytics identifier (not linked to your content) for usage counts.
  • Basic event and feature-usage counts, and a coarse journal-count bucket.
  • Anonymous crash reports and performance data.
  • Retention: crash logs expire after 90 days; analytics data expires after 14 months.

Notifications

If you enable reminders, our notification service stores your device token, reminder time and rhythm, and timezone in order to deliver notifications. Device tokens are held with an expiration.

Focus Group Participants

If you join a Focus Group study through a class code, additional, consented data practices apply: we collect your email, session counts, mission completion, word counts, and survey responses for research. We never collect your journal content. Participation requires explicit consent, you can withdraw at any time, and research data is retained per the study terms unless you request earlier deletion at privacy@seen.place.

What We Never Do

  • We do not analyze, profile, or monetize what you write.
  • We do not sell your data or share it with advertisers.
  • We do not track you across the web or sell your email.

Data Security

  • On-device journal: AES-256-GCM, with the key held in your device's Keychain.
  • In transit: all communication uses HTTPS, with signed, authenticated requests.
  • Account data: encrypted in transit and at rest, with restricted, logged administrative access.
  • Vault Privacy Mode: zero-knowledge, so even we cannot read those backups.
  • Authentication: one-time email codes, with Face ID, Touch ID, or PIN required every time you open the app.
  • Hosting: SOC 2-compliant infrastructure.

Your Rights and Control

  • Access: request a copy of the account data we hold about you.
  • Correction: update your profile and preferences any time in the app.
  • Export: export your data, including a migration code and PDF reports.
  • Deletion: delete your account and associated data (see below).
  • Withdraw consent: turn off optional product emails, or Focus Group participation, at any time.
  • No selling: we do not sell your personal information. California residents: we do not "sell" or "share" personal information as defined under the CCPA.

Deleting Your Data

  • On-device entries: uninstalling removes entries on your device. You can also delete entries or all local data in the app at Back Page, then Data Management.
  • Account and Vault data: because these live in the cloud, uninstalling does not delete them. Use the in-app delete option or email privacy@seen.place to request deletion of your account and associated server data.
  • iCloud backup: managed in your Apple account; you can remove it through iCloud settings.

Data Retention

We keep your account and any Vault backup for as long as your account is active. When you request deletion, we will remove your account and associated data within 30 days, retaining only limited records where required for legal, security, or billing obligations.

International Users

Your account data and any cloud backup are stored on servers that may be located outside your country, and AI processing may transmit sanitized content to providers whose servers may be outside your country. By using SEEN:app, you understand your data may be processed in other jurisdictions with appropriate safeguards.

Children's Privacy

SEEN:app is not designed for children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided information to us, please contact us and we will delete it.

Changes to This Policy

We will notify users of material changes through app updates and, where appropriate, by email. Continued use after changes take effect constitutes acceptance of the updated policy.

Contact Us

Transparency Commitment

We would rather tell you the honest shape of your data than a comforting story. Your journal is encrypted on your device. Reflecting sends your words out to be understood, and we have told you to whom. Backups are optional, and Privacy Mode keeps even us out. That is the whole of it.

Summary: Your journal entries on your phone are encrypted with a key held on your device. Your cloud backups and web journaling use server-managed keys, except Vault Privacy Mode, which only you can unlock. When you reflect, your words are sent securely to our server and our AI providers (Anthropic, with OpenAI as backup and for voice) to generate Fathom's response; AI providers do not retain or train on your content. Optional premium backups let you store entries in our Vault (with a zero-knowledge Privacy Mode where even we cannot read them) or your own iCloud. We use a small set of account and analytics data, never sell your information, and run anonymous crisis detection that does not retain content. Avatars are generated by xAI. You can export or delete your data at any time.