OWLY — Privacy Policy
_Last updated: 2026-04-19_
This is a plain-language summary of how OWLY handles your data. It is required reading before you submit this app to the Apple App Store or Google Play. A lawyer should sign off on a final version in the jurisdictions you ship to.
1. Who we are
OWLY is operated by [Company Name, registered address, registration number]. The data controller for the purposes of GDPR / UK GDPR / PH DPA / KR PIPA is [Company Name]. You can reach us at privacy@owly.app.
2. What data we collect
| Category | Examples | Purpose | Legal basis |
|---|---|---|---|
| Account | Email, display name, hashed password, date of birth (optional) | Create + secure your account | Contract |
| Preferences | Country, language, tone, purpose tags | Personalise content + surface local crisis lines | Contract + legitimate interest |
| Mood + journal | Emoji, score, notes, journal text, voice transcripts | Core app functionality; you write it, we store it | Contract |
| Screening | PHQ-9, GAD-7 answers + scores | Give you progress feedback | Contract + explicit consent |
| Peer + group messages | Free-text you send to AI or real peers | Deliver the chat feature | Contract |
| Payments | Stripe customer ID, subscription status | Operate premium | Contract |
| Device | Push notification token, OS, app version | Send reminders + diagnose crashes | Legitimate interest |
| Usage | Page views, feature taps (aggregate) | Product analytics | Legitimate interest |
We do not collect: precise location, contacts, calendar, photos, biometric data, advertising identifiers. We do not sell data. We do not run ad networks.
3. Third parties with access
- MongoDB Atlas (data hosting; region: Singapore / Frankfurt depending on your country) — encryption at rest.
- OpenAI — journal text is sent to analyse sentiment + generate uplift. OpenAI retains content for 30 days, then deletes it per their Enterprise API policy. You may opt out in Profile → Privacy → "Disable AI analysis".
- SendGrid (Twilio) — transactional email delivery (verification + password reset).
- Stripe — payment processing. We never see your card number.
- Apple Push Notification Service + Firebase Cloud Messaging — push delivery.
We have signed Data Processing Agreements with each. Full list + current sub-processors: https://owly.app/sub-processors.
4. How long we keep data
| Data | Retention |
|---|---|
| Account + preferences | Until you delete your account |
| Mood + journal + voice entries | Until you delete your account (or purge individual entries) |
| Peer / group messages | 90 days after you leave the match / group, then anonymised |
| Crisis-flagged messages | 1 year, for safety audit |
| Payment records | 7 years (tax law) |
| Push tokens | Until you log out or uninstall |
| Email verification + password reset tokens | 24 hours / 30 minutes respectively, then auto-deleted |
5. Your rights
You can at any time:
- Access — Profile → Export Report (JSON + PDF).
- Correct — Profile → Edit Profile.
- Delete — Profile → Danger Zone → Delete Account. This wipes every personal collection (mood, journal, habits, goals, sleep, screening, voice, wearable, onboarding, push tokens, family shares, challenge enrolments, buddies, therapist bookings, peer matches, safety plans, CBT entries, gratitude, verification tokens) and anonymises your messages to others. Some records (payment history) are retained for tax compliance.
- Portability — Export Report is machine-readable JSON.
- Restrict / object — email privacy@owly.app; we respond within 30 days.
- Withdraw consent for AI sentiment analysis via Profile → Privacy. Screening (PHQ-9, GAD-7) requires explicit consent on first use.
EEA / UK residents can lodge complaints with their national Data Protection Authority. Philippines residents: National Privacy Commission. South Korea: Personal Information Protection Commission. Singapore: PDPC. Taiwan: MOJ Personal Data Protection.
6. Security
- TLS 1.2+ for every request.
- Passwords hashed with bcrypt (cost 12+).
- JWT access tokens expire in 60 minutes; refresh tokens in 7 days.
- Email verification required before posting to peers / groups.
- MongoDB encryption at rest (Atlas default).
- Access logs retained 30 days in CloudWatch.
- Annual third-party penetration test (once revenue exceeds threshold).
7. Children
OWLY is for users 13 and older. We verify date of birth at registration. Under-13 accounts are blocked. Users aged 13–17 see a parental-consent reminder in-app.
8. International transfers
Your data is stored in the region closest to your registered country. Transfers outside that region are covered by Standard Contractual Clauses.
9. Mental-health disclaimer
OWLY is a wellness tool, not a medical device. It does not diagnose, treat, or prescribe. If you are in crisis, tap SOS for local helplines or contact emergency services (112 / 911 / 119 / 988).
10. Changes
We will notify registered users by email and in-app banner at least 30 days before any material change to this policy.
11. Contact
privacy@owly.app · [Company Name, Postal Address]