Privacy Policy

Effective: February 24, 2026

Mindful Momentum ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your information when you use our mindfulness journaling platform ("the Service").

1. Information We Collect

Account Information

When you create an account, we collect:

  • Your name and email address
  • Password (stored in hashed form; we cannot read your password)
  • Timezone preference

Journal & Reflection Data

As you use the Service, we collect and store:

  • Journal entries and daily reflections
  • Weekly reflection responses and summaries
  • Custom ritual prompts you create
  • Carry-forward reflections and follow-up notes

This may include highly personal or sensitive information. We treat all journal content with the highest level of care and security.

Usage Data

We collect information about how you interact with the Service, including:

  • Prompt engagement (e.g., which prompts you respond to, thumbs up/down feedback)
  • Feature usage patterns (e.g., which modes you use, frequency of journaling)
  • Settings and preference choices

Payment Information

If you subscribe to a paid plan, payment processing is handled entirely by Stripe. We do not store your credit card number, CVV, or full payment details on our servers. We receive only a transaction reference, subscription status, and billing period information from Stripe.

2. How We Use Your Information

We use your information for the following purposes:

  • Providing the Service: Storing and displaying your journal entries, generating prompts, managing your account
  • Product Improvement: Analyzing anonymized and aggregated usage patterns to improve prompts, features, and the overall experience
  • Communications: Sending daily/evening reminder emails (which you can disable or unsubscribe from at any time), service announcements, and important account notifications
  • Security: Detecting and preventing fraud, abuse, or unauthorized access

We do not transmit your journal entries to third parties for advertising, marketing, or any purpose beyond the infrastructure services necessary to operate the Service (see Section 3). Your reflections are never used for advertising purposes.

No AI or automated content analysis. We do not use artificial intelligence, machine learning, or automated content analysis systems to analyze, interpret, summarize, score, or generate insights from your private journal entries or reflections.

No behavioral profiling. We do not build user profiles based on your journal content, emotional themes, or reflection patterns.

Staff access limitations. Our team does not access or read your private journal entries except where strictly required for technical troubleshooting with your explicit consent, or where required by law, including valid legal process such as subpoenas or court orders.

3. Third-Party Services

We share limited data with the following categories of third-party services:

Payment Processing

Stripe processes all payments. Your payment data is subject to Stripe's Privacy Policy.

Email Services

We use Mailgun to deliver reminder notifications and account communications. Mailgun receives your email address and the content of the messages we send you. Reminder emails contain only generic motivational text — we do not include journal entries, reflections, or personal content in any emails. Mailgun's privacy practices are described in Mailgun's Privacy Policy.

Contextual Advertising

The free tier of the Service displays contextual advertisements. Our advertising partner receives only:

  • The URL or content category of the page being viewed (e.g., "mindfulness" or "journaling")
  • Coarse geographic information (city-level or broader)

Our advertising partner does not receive:

  • Your journal entries, reflections, or any personal content
  • Your name, email address, or account information
  • Your browsing history on other websites
  • Your device fingerprint or unique identifiers for the purpose of building an advertising profile

Contextual ads are selected based on the general topic of the page, not your personal data or behavior. Our advertising partner may use limited cookies for ad frequency capping and aggregated reporting — see our Cookie Policy for details. Pro subscribers receive an ad-free experience with no advertising cookies.

Infrastructure & Error Monitoring

The Service is hosted on cloud infrastructure provided by Amazon Web Services (AWS). Your data is stored on AWS servers in the United States, encrypted at rest and in transit. We use Laravel Nightwatch for application error monitoring, which may capture technical request metadata such as URLs, error stack traces, and exception context. While we take steps to minimize the capture of personal data in error reports, error monitoring tools may incidentally process limited personal information as part of diagnostic data. This data is used solely for identifying and resolving technical issues and is subject to the same security controls as all other personal data.

Subprocessor List

The following third-party services process data on our behalf:

  • Stripe — Payment processing
  • Mailgun — Email delivery
  • Amazon Web Services — Cloud hosting and data storage
  • Laravel Nightwatch — Application error monitoring
  • Contextual advertising partner — Ad delivery on the free tier (see above)

We will update this list if our subprocessors change and notify affected users where required by applicable law.

We do not sell, share, or license your personal data to third parties. We do not share your identifiable journal entries with advertisers, marketing companies, or any external service.

Business transitions. In the event of a merger, acquisition, or sale of assets, your data will remain subject to the commitments made in this Privacy Policy. We will notify you before your data is transferred to a new entity or becomes subject to a different privacy policy.

4. Data Storage & Security

We are committed to storing your data safely and securely:

  • We maintain security practices aligned with industry best practices, including access controls, encryption, monitoring, and incident response procedures
  • All data is encrypted in transit (TLS/HTTPS) and at rest
  • Passwords are hashed using industry-standard algorithms and cannot be read or recovered by our team
  • Access to production data is restricted and audited
  • Two-factor authentication is available for your account

5. Data Breach Notification

In the event of a data breach that compromises your personal information, we will:

  • Notify affected users via email without undue delay, as required by applicable law
  • Provide details about the nature of the breach and the categories of data affected
  • Describe the measures taken and proposed to address the breach
  • Report the breach to relevant supervisory authorities as required by GDPR (Article 33), applicable state laws, and other regulations

In the event of a breach affecting a third-party service provider that processes your data on our behalf (see Subprocessor List in Section 3), we will notify you as soon as reasonably practicable after being informed by the provider.

6. Data Retention, Deletion & Portability

Retention Periods

We retain different categories of data for different periods:

  • Journal entries and reflections: Retained for the lifetime of your account
  • Account information: Retained for the lifetime of your account
  • Usage data and analytics: Retained in identifiable form for up to 12 months, then anonymized and aggregated
  • Payment records: Transaction references, subscription status, and billing metadata (as described in Section 1) retained as required by applicable tax and financial regulations (up to 7 years)
  • Application logs: Retained for up to 90 days for security and debugging purposes

Account Deletion

You can delete your account through your account settings at any time. Upon requesting deletion, your account is deactivated immediately. All personal data — including journal entries, reflections, and custom prompts — is permanently deleted within 30 days of your request. Data may persist in encrypted, access-restricted backup systems for up to an additional 60 days, after which it is permanently purged from all systems. We recommend exporting your data before requesting deletion, as it cannot be recovered after the purge.

Data Deletion Request

You can contact us at privacy@mindfulmomentum.com to request deletion of specific data or your entire account. We will process requests within 30 days.

Data Portability & Export

You have the right to receive a copy of your personal data in a structured, commonly used, machine-readable format. To request an export of your journal entries, reflections, and account data, contact us at privacy@mindfulmomentum.com. We will fulfill export requests within 30 days.

Some anonymized, aggregated data may be retained for analytics purposes after account deletion. This data cannot be re-identified or linked back to your account.

7. Your Rights Under GDPR (EEA & UK Users)

If you are located in the European Economic Area (EEA) or United Kingdom, the General Data Protection Regulation (GDPR) provides you with specific rights regarding your personal data.

Lawful Basis for Processing

  • Contract Performance: Processing necessary to provide the Service you signed up for (storing entries, generating prompts, managing your account)
  • Legitimate Interest: Anonymized usage analytics to improve the Service and security monitoring, where our interests do not override your rights
  • Consent: Sending optional marketing communications (you may withdraw consent at any time); non-essential advertising cookies (frequency capping) on the free tier, managed through our cookie consent mechanism

Your Rights

Under GDPR, you have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Correct inaccurate personal data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Data Portability: Receive your data in a structured, machine-readable format
  • Restriction: Request that we limit processing of your data
  • Object: Object to processing based on legitimate interest
  • Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior processing

To exercise any of these rights, contact us at privacy@mindfulmomentum.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

International Data Transfers

Your data is processed in the United States. For transfers from the EEA/UK to the US, where applicable, we rely on recognized transfer mechanisms such as the EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs).

8. Your Rights Under CCPA/CPRA (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights:

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you
  • Right to Delete: You may request deletion of your personal information
  • Right to Correct: You may request correction of inaccurate personal information
  • Right to Portability: You may request your personal information in a portable format
  • Right to Opt Out of Sale: We do not sell your personal information. We do not share personal information for cross-context behavioral advertising. Our contextual advertising model does not constitute a "sale" or "sharing" of personal information under the CCPA/CPRA, as ads are selected based on page content — not your personal data. If regulatory guidance from the California Privacy Protection Agency changes this determination, we will update this policy and provide appropriate opt-out mechanisms.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights

To exercise your California privacy rights, contact us at privacy@mindfulmomentum.com. We will verify your identity before processing your request and respond within 45 days.

9. Children's Privacy

The Service is intended for users aged 18 and older. We do not knowingly collect personal information from anyone under 18. If we become aware that a user is under 18, we will promptly terminate their account and delete all associated data. If you believe someone under 18 is using the Service, please contact us at privacy@mindfulmomentum.com.

10. Cookies & Tracking

We use essential cookies necessary for the Service to function (session management, security tokens, authentication). Our contextual advertising partner may set limited cookies for ad frequency capping and aggregated reporting on the free tier. These cookies do not track your behavior across other websites and do not access your personal content. We do not use behavioral tracking pixels or cross-site tracking technologies. For full details, see our Cookie Policy.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or a prominent notice within the Service at least 30 days before the changes take effect. The "Effective" date at the top of this page indicates when the policy was last updated.

12. Contact Us

For privacy-related questions or to exercise your data rights, contact us at:

privacy@mindfulmomentum.com

Mindful Momentum
State of Michigan, United States
