Privacy Policy

Last updated: March 11, 2026

The short version: We collect only what's needed to run the journal. Your entries are shared only with your matched partner. We never sell your data. You can download or delete everything at any time.

1. What We Collect

When you register, we collect:

Name — displayed only to your partner if both choose to reveal on Day 21
Email address — used for login and password reset only
College name & year — used for matching (you're paired with someone from a different college)
Gender & matching preferences — used to filter partner matches
Password — stored as a bcrypt hash (we never see your plaintext password)

During your 21-day journey, we collect:

Journal entries — your daily text responses to prompts
Mood selections — the moon-phase emoji you choose each day
Scan results — your archetype and emotional scores from the 11-question assessment
Reveal choice — whether you choose "yes" or "no" to reveal your identity on Day 21

2. How Your Data Is Used

Matching: Your archetype, college, gender, and year preferences are used to pair you with a complementary partner from a different college.
Journal sharing: Your entries are shown to your matched partner (and theirs to you) after midnight IST, when the next day opens. Previous-day entries only — never same-day.
Safety monitoring: Entries are scanned for crisis keywords (e.g., self-harm language) to surface helpline information.
PII detection: We flag entries containing phone numbers, email addresses, social media handles, links, addresses, hostel names, and other details that may reveal who you are.
Human review: Your entries are private by default. No human reviews journal entries unless content is reported, legally required, or flagged for serious safety risk.

3. What We Never Do

Sell or share your data with third parties
Use your data for advertising or marketing
Track you across other websites
Use analytics or tracking pixels
Share your identity with your partner without mutual consent

4. Data Storage & Security

Data is stored on our server in a secure SQLite database
Passwords are hashed using bcrypt with a cost factor of 12
Sessions use HTTP-only cookies with SameSite protection
All API endpoints are rate-limited to prevent abuse
Security headers are set via Helmet.js (HSTS, X-Frame-Options, etc.)

5. Your Rights

Right to Access

You can download all data we hold about you at any time from Settings → Download my data. This exports a JSON file containing your profile, journal entries, and reveal choices.

Right to Deletion

You can permanently delete your account and all associated data from Settings → Delete my account. This removes your user record, all journal entries, all reveal choices, and your match record. This action is irreversible.

Right to Withdraw Consent

You gave consent when you registered. You can withdraw it at any time by deleting your account.

6. Day 21 Identity Reveal

On Day 21, both you and your partner are asked: "Would you like to know who has been writing to you?"

If both choose to reveal — only the identity level each person selected is shared
Email or contact details are shared only when that person specifically chooses contact-detail reveal
If either chooses to stay anonymous — both identities remain anonymous
There is no pressure, no notification of who said what — just a quiet choice

7. Safety & Crisis Support

If our system detects crisis language in a journal entry, we surface support options. Mentally Prepare is not emergency support, therapy, counselling, or medical care.

Tele MANAS: 14416 or 1800 891 4416
iCall: 9152987821
Vandrevala Foundation: +91 9999 666 555

If you feel unsafe right now, contact local emergency services, a trusted person, or a crisis helpline immediately.

8. Cookies

We use a single session cookie for authentication. It is:

HTTP-only (not accessible via JavaScript)
SameSite: Strict (prevents CSRF cross-site attacks)
Expires after 30 days of inactivity

We do not use any third-party cookies, analytics cookies, or tracking cookies.

9. Changes to This Policy

If we make significant changes, we'll update the "Last updated" date at the top. Continued use of the app after changes constitutes acceptance.

10. Contact

Questions about your privacy? Reach out:

Email: privacy@mentallyprepare.in