We want to be explicit about what Vapor does not collect, because the absence of data collection is central to how the app works.

Vapor does not collect, store, process, or transmit:

• Your name, email address, phone number, mailing address, or date of birth
• Your journal entries, notes, letters, or any content you write in the app
• Your location, IP address, or device identifiers for advertising
• Analytics events, behavioural data, session recordings, or usage telemetry
• Contact lists, calendar entries, photos, or any other data from other apps on your device
• Payment information (payments are processed entirely by Apple or Google)

We do not use advertising identifiers (IDFA on iOS, GAID on Android) and we do not display the App Tracking Transparency prompt on iOS because we do not track users across other apps or websites.

The app stores the following information exclusively on your device, using SQLite and platform-provided secure storage (Keychain on iOS, Keystore/EncryptedSharedPreferences on Android):

• Your journal entries (the single word you write each day, any optional note, and the date)
• Letters you have written to your future self, including the text and scheduled reveal date
• Your streak history and milestone progress
• Optional profile fields you enter in Settings (name, nickname, email, age, pronouns), used only to personalise your experience within the app and never transmitted anywhere
• Appearance preferences (dark or light mode) and reminder preferences
• Whether biometric lock is enabled (biometric data is managed entirely by your operating system)

You control this data completely. You can view, edit, export, or delete any of it from within the app. Uninstalling the app removes all of it.

Premium includes an encrypted backup that you export to your own storage, such as the Files app. The backup is encrypted, it stays under your control, and it is never sent to us. We cannot read it, and we never receive a copy.

When you tap a saved word to view its definition, the app sends an anonymous HTTPS GET request to the public dictionary API at https://api.dictionaryapi.dev. This is one of two kinds of network request the app can make. The other relates to Premium subscriptions and is described in Section 05.

The request contains only the word you tapped and standard HTTPS headers including your IP address. It does not contain any identifier for you, your device, or your installation of the app.

The response is cached in memory for the duration of your current session and discarded when the app is closed. It is not stored on disk. You can avoid this request entirely by not tapping saved words.

Separate from the app itself, you may choose to give us your email address through our website (vaporjournal.app), a newsletter signup form, a waitlist, a product update list, or by emailing us directly.

When you provide your email address this way:

• We store it in a third-party email service provider (currently Buttondown) for the sole purpose of sending you the communications you signed up for
• We do not share or sell your email address to any third party
• We do not use your email address to identify you within the app. The app does not know whether you are also on our email list
• You can unsubscribe from any email we send you using the unsubscribe link in every message, or by emailing [email protected]
• The legal basis for sending you these emails is your consent. You can withdraw it at any time by unsubscribing

If you are in the EU, EEA, or UK: your email data is processed by our email service provider, which may store or process data in the United States or other jurisdictions. Appropriate safeguards (such as Standard Contractual Clauses) are in place with our provider.

Vapor Premium is an optional paid subscription, available on iPhone and Android. The free app does not require it. When you buy or restore Premium, the app store you bought from (Apple on iPhone, Google on Android) and RevenueCat are involved.

Apple, on iPhone, or Google, on Android, processes the payment. We never see or store your payment details. The app store handles billing, renewals, and refunds, and holds your subscription record under its own terms and privacy policy.

RevenueCat helps us confirm and restore your subscription. It is the only subscription infrastructure provider we use. To validate your subscription, RevenueCat receives:

• A randomly generated app user ID that is not linked to your name or email
• Purchase and receipt data from Apple or Google
• Your device model
• Your country
• Your IP address

RevenueCat uses this solely to validate and restore your subscription. We do not use it to build a profile of you, run analytics, track you across other apps or websites, or collect an advertising identifier. The app contains no advertising identifier.

Other than Apple and RevenueCat for subscriptions, and the dictionary service described in Section 03, the app does not communicate with any third party. It contains no analytics SDKs, no crash reporting SDKs, no advertising SDKs, no social login providers, and no customer support tools.

You can manage or cancel your subscription at any time in your App Store account settings on iPhone, or your Google Play account settings on Android. To restore a previous purchase, open Settings inside the app and tap Restore Purchases.

Because we do not store your data on any server, the security of your journal depends primarily on the security of your device. We strongly encourage you to use a device passcode and to enable Vapor's optional biometric lock in Settings.

The network requests the app makes, the dictionary lookup and any subscription validation, are made over HTTPS. We do not retain logs of these requests.

Your data is retained on your device for as long as you keep the app installed, unless you delete it sooner. You may delete your data at any time:

• Individual entries: tap the entry in Calendar view and edit or clear it
• All data: open Settings, then Delete All Data
• Uninstall the app: all app data is removed

We do not retain a copy of your data after deletion or uninstall. We cannot recover deleted data because we do not have it.

Vapor is rated 4+ on the App Store and suitable for all ages. Because the app does not collect personal information from any user, including children, it is compliant with COPPA, the GDPR provisions regarding children, and Australia's Privacy Act 1988.

If you are a parent or guardian with concerns about your child's use of the app, please contact us at [email protected].

Vapor is available globally, and your journal entries never leave your device. The app sends data off your device in only two situations: the dictionary lookup (Section 03), and, if you subscribe to Premium, the subscription validation handled by Apple or Google and RevenueCat (Section 05). The servers involved, including RevenueCat's, may be located outside your country of residence, such as in the United States. Appropriate safeguards are in place with RevenueCat for any such transfer.

Because Vapor does not collect or store your journal content on any server, most privacy rights are satisfied by the app's design. You already have complete access, correction, deletion, and portability of your data through the app itself. The limited subscription data described in Section 05 is held by Apple or Google and RevenueCat as our processors, and you can reach us using the contact details below to exercise your rights over it.

Australian Privacy Principles

You have rights to access and correct personal information we hold about you. Because we do not hold your personal information on any server, these rights are satisfied through the app's built-in functions. If you believe we have mishandled your personal information, you may contact us or lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au.

European Union and United Kingdom (GDPR)

You have rights to access, rectify, erase, restrict processing of, and receive a portable copy of your personal data. For your journal content, these rights are satisfied by the app's built-in functions, because that content stays on your device. The legal bases for the limited processing we do perform are your consent for the anonymous dictionary request, provided when you tap a word, and the performance of your subscription contract for Premium subscription validation.

California (CCPA / CPRA)

We do not collect, sell, or share your personal information, so there is nothing to opt out of. The rights to know and to delete are satisfied trivially.

Other jurisdictions

If you are in a jurisdiction with similar privacy rights (including Virginia, Colorado, Connecticut, Utah, Canada under PIPEDA, Brazil under LGPD, and others), those rights are similarly satisfied by the app's design and your direct control over your data on your device.

Because we do not track you, we honour Do Not Track signals by design.

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for material changes, notify you within the app on next launch. The current version is always available at vaporjournal.app/privacy.

If you continue to use the app after a material change takes effect, you are accepting the updated policy.

In the unlikely event that Vapor is acquired by or merged with another company, or in the event of a sale of assets, we will ensure that this Privacy Policy continues to apply to your information, or we will provide you with notice and the opportunity to delete your data before any change of ownership takes effect. Because we do not hold your data on any server, a business transfer would not in itself transfer any of your personal information.