Privacy Policy
Effective Date: June 12, 2026
This Privacy Policy explains how Yannick Remke Web Projects, Brüggemannhof 8, 30167 Hannover ("we", "us", "our") collects, uses, stores, and protects your personal data when you use the Journal Jar mobile application ("App") or visit our website at momentsapp.org ("Website"). Together, the App and the Website are referred to as the "Service". We are committed to protecting your privacy and handling your data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Data Controller
The data controller responsible for processing your personal data is:
Yannick Remke Web Projects, Brüggemannhof 8, 30167 Hannover, Germany. Email: yannick@momentsapp.org
2. Data We Collect
2.1 Account Data
When you register for an account, we collect:
- Email address
- Password (stored in hashed form only)
2.2 User-Generated Content
When you use the App, you may provide:
- Text entries (journal entries, moment descriptions)
- Photos attached to entries (Premium feature)
- Mood ratings and significance ratings
- Collection names and descriptions
2.3 Technical and Usage Data
We automatically collect certain data when you use the App:
- Device type and operating system version
- App version
- Crash reports and error logs
- Usage data (such as app events, screens viewed, features used, and session duration)
- Push notification tokens (if you enable notifications)
2.4 Subscription Data
If you subscribe to Journal Jar Premium, payment processing is handled entirely by Apple through the App Store. We do not collect or store your payment information (such as credit card numbers). We receive from our payment provider only:
- Subscription status (active, expired, cancelled)
- Subscription plan type
- Purchase and expiration dates
3. How We Use Your Data
We process your personal data for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing and operating the App | Performance of contract (Art. 6(1)(b)) |
| User authentication and account management | Performance of contract (Art. 6(1)(b)) |
| Storing and synchronizing your entries and photos | Performance of contract (Art. 6(1)(b)) |
| Managing your Premium subscription | Performance of contract (Art. 6(1)(b)) |
| Sending push notifications (e.g., moment reminders) | Consent (Art. 6(1)(a)) |
| Diagnosing technical issues and improving the App | Legitimate interest (Art. 6(1)(f)) |
| Analyzing aggregate app usage to improve the App | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
4. Third-Party Services
We use the following third-party services to operate the App. Each provider processes data on our behalf and is contractually obligated to handle your data in accordance with applicable data protection laws.
4.1 Supabase Inc.
- Sub-processor: Supabase Inc., a third-party service provider for backend infrastructure, database hosting, and authentication
- Purpose: Supabase is used to securely store user data, manage login credentials (authentication), and host media files (such as photos attached to entries) necessary for the App to function
- Categories of data processed: Email addresses, hashed passwords, IP addresses (for security logging), login timestamps, user-generated content (text entries, mood and significance ratings, collection metadata), and uploaded photos
- Identity management: We use Supabase Auth to manage user identities. This involves storing email addresses, IP addresses for security logging, and login timestamps.
- Security measures: User passwords are cryptographically hashed using bcrypt before storage. Neither we nor Supabase have access to your actual password at any time.
- Session tracking: The App uses JSON Web Tokens (JWTs) issued by Supabase Auth to maintain secure login sessions. These tokens are stored locally on your device and are used to authenticate requests to our servers.
- Server location: European Union (Germany)
- International transfer safeguards: Supabase Inc. is a US-based company. Data is hosted on servers in Germany, but international data transfers to Supabase Inc. are protected by EU Standard Contractual Clauses (SCCs) in accordance with GDPR requirements
- More information: https://supabase.com/privacy
4.2 PowerSync (JourneyApps)
- Processor: PowerSync, a product of JourneyApps, is a third-party service provider used to facilitate real-time data synchronization and offline app capabilities
- Purpose and legal basis: PowerSync enables the App's core offline-first and cross-device synchronization features, ensuring your data is available even without an internet connection and stays consistent across sessions. The legal basis for this processing is the performance of a contract (Art. 6(1)(b) GDPR) — delivering the expected functionality of the App to you
- Categories of data processed: Account identifiers, user-generated content (text entries, mood and significance ratings, collection metadata and membership), and associated timestamps
- Sub-processors and hosting: Synced data is processed and stored on cloud infrastructure utilized by PowerSync, specifically Amazon Web Services (AWS) and MongoDB
- More information: https://www.powersync.com/privacy-policy
4.3 RevenueCat
- Third-party processor: RevenueCat Inc. is a third-party service provider used to manage and validate in-app purchases and subscriptions
- Data shared: The following data is transmitted to RevenueCat: anonymous user identifiers, purchase history, subscription status, and subscription plan type. We do not send additional personally identifiable information (such as email addresses) to RevenueCat
- Purpose of processing: This data is used strictly to unlock Premium content, verify active subscriptions, and synchronize purchase status across devices
- User rights: You may request the deletion or export of your data held by RevenueCat by contacting us at yannick@momentsapp.org. We will execute such requests using RevenueCat's developer tools on your behalf
- More information: https://www.revenuecat.com/privacy
4.4 Google Firebase Cloud Messaging
- Service provider: Google Firebase Cloud Messaging (FCM), a third-party service provided by Google LLC, is used to manage and send push notifications to your device
- Data collected: Firebase Instance IDs (push tokens), device metadata (operating system, device model, brand), IP addresses, and app interaction data (such as whether a notification was received or opened)
- Purpose of processing: This data is used to route notifications to the correct device, manage subscriptions to specific notification topics (such as moment reminders and anniversaries), and analyze how users interact with notifications to ensure reliable delivery
- Data retention: Google retains Firebase Installation IDs until we make an API call to delete them, after which they are removed from Google's live and backup systems within 180 days. When you delete your account, we initiate deletion of your associated Firebase data
- International transfers: Data is shared with Google and may be processed outside the European Economic Area (EEA), specifically in the United States. These transfers are safeguarded by EU Standard Contractual Clauses (SCCs)
- User rights and opt-out: Push notifications are consent-based. You can withdraw your consent and opt out of push notifications at any time by changing the notification permissions in your device's operating system settings (Settings > Notifications). Once disabled, we will no longer send notifications to your device or process your push token for that purpose
- More information: https://firebase.google.com/support/privacy
4.5 Google Firebase Crashlytics
- Service provider: Google Firebase Crashlytics, provided by Google LLC, is used to detect and diagnose app crashes
- Data collected: Crashlytics collects crash reports including stack traces, the device's state at the time of the crash, operating system version, device model, app version, and an automatically generated, anonymous Crashlytics Installation UUID that rotates approximately every 90 days
- Purpose of processing: This data is used to identify crashes and stability issues and to prioritize bug fixes. The legal basis is our legitimate interest (Art. 6(1)(f) GDPR) in providing a stable App
- No access to personal content: Crashlytics does not access your journal entries, photos, account credentials, or any other personal content stored in the App
- Data retention: Crash reports are retained for up to 90 days
- International transfers: Data may be processed by Google outside the European Economic Area (EEA), specifically in the United States. These transfers are safeguarded by EU Standard Contractual Clauses (SCCs)
- More information: https://firebase.google.com/support/privacy
4.6 Google Firebase Analytics
- Service provider: Google Analytics for Firebase (Firebase Analytics), provided by Google LLC, is used to collect statistics about how the App is used
- Data collected: App events (such as screens viewed, features used, session counts, and session duration), device and OS metadata (device model, operating system version, app version), approximate location at the country/region level (derived from the IP address), and an automatically generated, anonymous app-instance identifier (Firebase Installation ID). We do not log names, email addresses, or other directly identifying information to Firebase Analytics
- Purpose of processing: This data is used to understand how the App is used in aggregate, identify which features are valuable to users, and improve the App's usability. The legal basis is our legitimate interest (Art. 6(1)(f) GDPR) in improving the App. We do not use this data for advertising or cross-app tracking
- No access to personal content: Firebase Analytics does not access your journal entries, photos, account credentials, or any other personal content stored in the App
- Data retention: User-level analytics data associated with the app-instance identifier is retained for up to 14 months; aggregated, non-identifying statistics may be retained longer. When you delete your account, we initiate deletion of your associated Firebase data
- International transfers: Data may be processed by Google outside the European Economic Area (EEA), specifically in the United States. These transfers are safeguarded by EU Standard Contractual Clauses (SCCs)
- More information: https://firebase.google.com/support/privacy
4.7 Vercel Web Analytics
- Service provider: Vercel Inc., used to collect aggregated, privacy-friendly usage statistics for our Website (not the App)
- Data collected: Anonymized page views, referrers, country (derived from IP address), browser, operating system, and device type. Vercel Analytics is cookieless and does not store any information in your browser. Visitor identifiers are generated by hashing request data (including IP address) together with a daily-rotating salt, so visitors cannot be tracked across days or across websites. IP addresses are not stored
- Purpose of processing: To understand how the Website is used in aggregate, measure the performance of content, and improve the user experience. The legal basis is our legitimate interest (Art. 6(1)(f) GDPR) in operating and improving our Website
- No personal profiles: Because no cookies or persistent identifiers are used, Vercel Analytics does not build personal profiles and cannot recognize you across sessions
- International transfers: Vercel Inc. is a US-based company. Data may be processed in the United States. Transfers are safeguarded by EU Standard Contractual Clauses (SCCs)
- More information: https://vercel.com/legal/privacy-policy and https://vercel.com/docs/analytics/privacy
4.8 Apple App Store
- Purpose: App distribution and processing of in-app purchases, including Premium subscription payments
- Payment processing: All in-app purchases are processed securely by Apple. We do not collect, store, or have access to your financial information, such as credit card numbers or billing details. We only receive subscription status information (active, expired, or cancelled) from our payment provider to manage your access to Premium features
- Subscription management: Premium subscriptions are auto-renewing. To manage or cancel your subscription, go to your device's Settings > [Your Name] > Subscriptions, or manage it through your Apple ID Account Settings. Cancellation must occur at least 24 hours before the end of the current billing period to avoid renewal
- More information: https://www.apple.com/legal/privacy
We do not sell your personal data to any third party.
5. Data Storage and Security
5.1 Storage Location
Your data is stored exclusively on servers located in the European Union (Germany).
5.2 Security Measures
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS/SSL)
- Secure password hashing
- Access controls limiting data access to authorized systems
- Regular security assessments
5.3 Local Data Storage
The App stores a local copy of your data on your device using an encrypted SQLite database to enable offline access. This local data is synchronized with our servers when a connection is available.
6. Data Sharing
We do not share your personal data with third parties except:
- With the third-party service providers listed in Section 4, solely to operate the Service
- With other users through shared collections, as described in Section 6.1
- When required by law or to comply with a legal process
- To protect our rights, privacy, safety, or property
6.1 Shared Collections
You can create or join shared collections with other users. When you do so, the following data becomes visible to all members of that shared collection:
- Your display name
- Entries you create within the shared collection, including text, mood ratings, significance ratings, and any attached photos
- The dates of your entries
Only content you add to a shared collection is visible to its members. Your private collections, account details (such as your email address), and entries in other collections are never shared. You control which collections you share and can leave a shared collection at any time.
When you leave or are removed from a shared collection, other members will no longer see your future entries. Previously contributed entries may remain visible to the collection unless you delete them before leaving.
7. Data Retention
- Account data and user content: Retained for as long as your account is active.
- After account deletion: All data is irreversibly deleted within a maximum of 30 days.
- Subscription data: Retained for the duration required by applicable tax and accounting regulations.
- Technical logs: Retained for a maximum of 90 days for diagnostic purposes.
8. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights:
- Right of access (Art. 15): You may request a copy of the personal data we hold about you. You can export your data at any time within the App.
- Right to rectification (Art. 16): You may correct inaccurate personal data by editing your entries and account information within the App.
- Right to erasure (Art. 17): You may delete your account and all associated data at any time within the App.
- Right to restriction of processing (Art. 18): You may request that we restrict the processing of your data under certain circumstances.
- Right to data portability (Art. 20): You may export your data in a portable format at any time within the App, regardless of your subscription status.
- Right to object (Art. 21): You may object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent (e.g., push notifications), you may withdraw consent at any time by adjusting your device settings or contacting us.
To exercise any of these rights, you can:
- Delete your account and data: Open the App, navigate to your account settings, and select the option to delete your account. All associated data will be irreversibly deleted within a maximum of 30 days. This includes requesting deletion of your data from our third-party processors (RevenueCat, Firebase).
- Export your data: Use the data export feature within the App to download a copy of your data at any time.
- Revoke consent for push notifications: Go to your device's Settings > Notifications > Journal Jar and disable notifications.
- Contact us directly: For any other requests, including restriction of processing or objection, email us at yannick@momentsapp.org. We will respond within 30 days as required by GDPR.
9. Push Notifications
Push notifications (such as moment reminders and anniversaries) are optional. You can enable or disable them at any time through your device settings. If you disable push notifications, we will stop sending them and will no longer process your device's push notification token for that purpose.
10. Children's Privacy
The App is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us and we will delete that data promptly.
11. International Data Transfers
Your data is stored and processed within the European Union. In cases where third-party providers may process data outside the EU (e.g., Firebase Cloud Messaging, Firebase Crashlytics, and Firebase Analytics), we ensure that appropriate safeguards are in place, such as EU Standard Contractual Clauses, in accordance with GDPR requirements.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes through the App or via email. The effective date at the top of this document indicates when it was last revised. Your continued use of the App after changes constitutes your acceptance of the updated Privacy Policy.
13. Contact and Complaints
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us at:
Yannick Remke Web Projects, Brüggemannhof 8, 30167 Hannover, Germany. Email: yannick@momentsapp.org
You also have the right to lodge a complaint with a supervisory authority. The competent supervisory authority is:
Die Landesbeauftragte für den Datenschutz Niedersachsen