Privacy Policy
Last updated: March 11, 2026
The short version: We collect only what's needed to run the journal. Your entries are shared only with your matched partner. We never sell your data. You can download or delete everything at any time.
1. What We Collect
When you register, we collect:
- Name — displayed only to your partner if both choose to reveal on Day 21
- Email address — used for login and password reset only
- College name & year — used for matching (you're paired with someone from a different college)
- Gender & matching preferences — used to filter partner matches
- Password — stored as a bcrypt hash (we never see your plaintext password)
During your 21-day journey, we collect:
- Journal entries — your daily text responses to prompts
- Mood selections — the moon-phase emoji you choose each day
- Scan results — your archetype and emotional scores from the 11-question assessment
- Reveal choice — whether you choose "yes" or "no" to reveal your identity on Day 21
2. How Your Data Is Used
- Matching: Your archetype, college, gender, and year preferences are used to pair you with a complementary partner from a different college.
- Journal sharing: Your entries are shown to your matched partner (and theirs to you) after midnight each night. Previous-day entries only — never same-day.
- Safety monitoring: Entries are scanned for crisis keywords (e.g., self-harm language) to surface helpline information. No human reads your entries.
- PII detection: We flag entries containing social media handles or phone numbers to remind you that sharing is anonymous.
3. What We Never Do
- Sell or share your data with third parties
- Use your data for advertising or marketing
- Track you across other websites
- Use analytics or tracking pixels
- Share your identity with your partner without mutual consent
4. Data Storage & Security
- Data is stored on our server in a secure SQLite database
- Passwords are hashed using bcrypt with a cost factor of 12
- Sessions use HTTP-only cookies with SameSite protection
- All API endpoints are rate-limited to prevent abuse
- Security headers are set via Helmet.js (HSTS, X-Frame-Options, etc.)
5. Your Rights
Right to Access
You can download all data we hold about you at any time from Settings → Download my data. This exports a JSON file containing your profile, journal entries, and reveal choices.
Right to Deletion
You can permanently delete your account and all associated data from Settings → Delete my account. This removes your user record, all journal entries, all reveal choices, and your match record. This action is irreversible.
Right to Withdraw Consent
You gave consent when you registered. You can withdraw it at any time by deleting your account.
6. Day 21 Identity Reveal
On Day 21, both you and your partner are asked: "Would you like to know who has been writing to you?"
- If both say yes — names, colleges, and emails are shared mutually
- If either says no — both identities remain permanently anonymous
- There is no pressure, no notification of who said what — just a quiet choice
7. Safety & Crisis Support
If our system detects crisis language in a journal entry, we surface Indian mental health helplines:
- iCall: 9152987821
- Vandrevala Foundation: 1860-2662-345
- NIMHANS: 080-46110007
We do not store or report flagged entries to any authority. The helplines are shown only to the writer.
8. Cookies
We use a single session cookie for authentication. It is:
- HTTP-only (not accessible via JavaScript)
- SameSite: Strict (prevents cross-site request forgery, or CSRF, attacks)
- Expires after 30 days of inactivity
We do not use any third-party cookies, analytics cookies, or tracking cookies.
9. Changes to This Policy
If we make significant changes, we'll update the "Last updated" date at the top. Continued use of the app after changes constitutes acceptance.
10. Contact
Questions about your privacy? Reach out:
Email: privacy@mentallyprepare.in