Privacy

How OWLY handles your data.

Last updated: 25 April 2026 · Effective immediately

Plain English summary — we collect what we need to make OWLY work. We never sell your data. We never use your journal entries to train third-party AI models. You can export or delete everything any time.

1. Who we are

OWLY is operated by CRUD.IT Solutions Inc., registered in the Philippines. The data controller for the purposes of GDPR / UK GDPR / PH DPA / KR PIPA is the same entity. You can reach us at privacy@owlyco.app.

2. What data we collect

Category | Examples | Purpose | Legal basis
Account | Email, display name, hashed password, date of birth (optional) | Create + secure your account | Contract
Preferences | Country, language, tone, purpose tags | Personalise content + surface local crisis lines | Contract + legitimate interest
Mood + journal | Emoji, score, notes, journal text, voice transcripts | Core app functionality; you write it, we store it | Contract
Screening | PHQ-9, GAD-7 answers + scores | Give you progress feedback | Contract + explicit consent
Peer + group messages | Free-text you send to AI or real peers | Deliver the chat feature | Contract
Payments | Apple / Google subscription identifiers + status | Operate Premium | Contract
Device | Push notification token, OS, app version | Send reminders + diagnose crashes | Legitimate interest
Usage | Page views, feature taps (aggregate) | Product analytics | Legitimate interest

We do not collect: precise location, contacts, calendar, photos, biometric data, or advertising identifiers. We do not sell data. We do not run ad networks.

3. Third parties with access

  • MongoDB Atlas — data hosting; region: Singapore (ap-southeast-1). Encryption at rest.
  • Amazon Web Services — application hosting (ECS Fargate, ALB, CloudFront, S3 in ap-southeast-1). TLS in transit, AES-256 at rest.
  • OpenAI — journal text is sent to analyse sentiment + generate uplift. OpenAI retains content for 30 days then deletes per their Enterprise API policy. You may opt out in Profile → Privacy → "Disable AI analysis".
  • SendGrid (Twilio) — transactional email delivery (verification + password reset).
  • Apple App Store + Google Play — payment processing for subscriptions. We never see your card number.
  • Apple Push Notification Service + Firebase Cloud Messaging — push delivery.

We have signed Data Processing Agreements with each. If you require the current sub-processor list, email privacy@owlyco.app.

4. How long we keep data

Data | Retention
Account + preferences | Until you delete your account
Mood + journal + voice entries | Until you delete your account (or purge individual entries)
Voice recording audio blobs | 90 days, then auto-deleted from S3 (lifecycle policy)
Peer / group messages | 90 days after you leave the match / group, then anonymised
Crisis-flagged messages | 1 year, for safety audit
Payment records | 7 years (tax law)
Push tokens | Until you log out or uninstall
Email verification + password reset tokens | 24 hours / 30 minutes respectively, then auto-deleted

5. Your rights

You can at any time:

  • Access — Profile → Export Report (JSON + PDF).
  • Correct — Profile → Edit Profile.
  • Delete — Profile → Danger Zone → Delete Account, or via this web form. This wipes every personal collection (mood, journal, habits, goals, sleep, screening, voice, wearable, onboarding, push tokens, family shares, challenge enrolments, buddies, therapist bookings, peer matches, safety plans, CBT entries, gratitude, verification tokens) and anonymises your messages to others. Some records (payment history) are retained for tax compliance.
  • Portability — Export Report is machine-readable JSON.
  • Restrict / object — email privacy@owlyco.app; we respond within 30 days.
  • Withdraw consent for AI sentiment analysis via Profile → Privacy. Screening (PHQ-9, GAD-7) requires explicit consent on first use.

EEA / UK residents can lodge complaints with their national Data Protection Authority. Philippines residents: National Privacy Commission. South Korea: Personal Information Protection Commission. Singapore: PDPC. Taiwan: MOJ Personal Data Protection.

6. Security

  • TLS 1.2+ for every request.
  • Passwords hashed with bcrypt (cost 12+).
  • JWT access tokens expire in 60 minutes; refresh tokens in 7 days.
  • Email verification required before posting to peers / groups.
  • MongoDB encryption at rest (Atlas default).
  • S3 encryption at rest (AES-256), private buckets, IAM-only access.
  • AWS WAF on the public load balancer (CommonRules + KnownBadInputs + SQLi + IP rate-limit).
  • Access logs retained 30 days in CloudWatch.

7. Children

OWLY is for users 13 and older. We verify date of birth at registration. Under-13 accounts are blocked. Users aged 13–17 see a parental-consent reminder in-app.

8. International transfers

Your data is stored in the region closest to your registered country. Transfers outside that region are covered by Standard Contractual Clauses.

Mental-health disclaimer — OWLY is a wellness tool, not a medical device. It does not diagnose, treat, or prescribe. If you are in crisis, tap the SOS button in the app for local helplines, or contact emergency services (112 / 911 / 119 / 988).

9. Changes

We will notify registered users by email and in-app banner at least 30 days before any material change to this policy.

10. Contact

privacy@owlyco.app · CRUD.IT Solutions Inc., the Philippines