Privacy Policy
Last updated: May 10, 2026
Creator Companion is a private daily journal. We try to write this policy the way we'd want one written for us — short, plain, and honest about what we do and don't do with your data.
What we collect
- Account info: first name, last name, email address, password (hashed via BCrypt — we never see it), and the time zone you set so streaks match your local day.
- Your entries: the journal text, photos, tags, moods, and to-do items you create.
- Subscription data: when you subscribe, Stripe processes payment. We store the Stripe customer/subscription IDs, never your card number.
- Operational logs: request IPs, timestamps, and audit events (sign-ins, password resets) — for security and abuse detection.
- Push subscriptions: if you enable notifications, the browser-issued push endpoint so we can deliver reminders.
What we don't do
- We don't sell your data. Ever.
- We don't read your entries. They exist for one person — you.
- We don't show ads or run trackers. There is no advertising layer.
- We don't use your content to train models.
- We don't share your data with third parties except the service providers below.
Service providers
We use a small set of providers to run the service. Each receives only the data it needs:
- Railway — hosts the API and PostgreSQL database (US region).
- Cloudflare R2 — stores your uploaded photos.
- Vercel — serves the web app and marketing site.
- Stripe — handles all payment processing. We never see your card details.
- Resend — sends transactional emails (welcome, trial reminders, password resets).
Your rights
- Export: download all your entries any time, in JSON or plain text.
- Delete: delete your account from the account page. Your entries, photos, and Stripe subscription are removed; we purge the data from backups within 30 days.
- Access / correction: email us and we'll help you access or correct anything in your account.
Security
Traffic is encrypted in transit (HTTPS). Passwords are hashed with BCrypt — we can't read them and we can't recover them. JWT access tokens live in memory; refresh tokens live in HttpOnly Secure cookies. We rate-limit auth endpoints to slow brute-force attempts.
Cookies
We use one cookie: a single HttpOnly Secure cookie that holds your refresh token so you stay signed in across sessions. No third-party tracking cookies, no analytics cookies, no advertising cookies.
Contact
Questions? Email hello@creatorcompanionapp.com.
This is a placeholder policy intended to be honest about current practice. We'll revise as the product evolves; if you have an account, we'll email you before any material change.