
Privacy Policy

Last updated: June 20, 2026 · Applies to the Jorai iOS app and jorai.app

The short version: your journal lives on your iPhone, not on our servers. If you turn on cloud sync, a copy is kept in your own iCloud (still never ours), and your voice recordings sync end-to-end encrypted. When you use cloud-powered analysis, your text is processed transiently by an AI provider acting for us and isn't stored. On our side we keep only a minimal account record — your Apple sign-in identifier, subscription status and usage counters. No ads, no trackers, no selling of data — ever. You can delete your account and everything tied to it in one tap inside the app.
Contents
  1. Who we are
  2. What stays on your device
  3. What we store on our servers
  4. What is processed transiently
  5. AI processing
  6. Sensitive (health-related) data & your consent
  7. Cloud sync (Apple iCloud)
  8. Apple services
  9. Push notifications
  10. Crisis detection
  11. Operational logs, website & error reports
  12. Why we process data, and our legal basis
  13. Sub-processors
  14. International data transfers
  15. Retention & deletion
  16. Security
  17. Your rights
  18. Your US privacy rights
  19. Children
  20. Changes to this policy
  21. Contact

1. Who we are

Jorai ("Jorai", "we", "us") is a voice-first journaling app for iPhone. The data controller responsible for your personal data is an independent developer based in Ukraine, operating as Jorai. For anything related to your privacy — including any of the rights in section 17 — write to [email protected]; a human reads it.

This policy explains, in plain English, what data the app handles, where it lives, and what choices you have. It is intentionally specific: where we say something is not stored, that is how the system is built, not just a promise.

2. What stays on your device

Jorai is built "on-device first". The following is created and kept on your iPhone and is never stored on our servers:

  • Your journal entries — text and voice recordings.
  • Audio — recordings are kept and processed locally. Transcription uses Apple's on-device speech recognition; your voice is not uploaded to us. Unless you turn on audio cloud sync (section 7), recordings never leave your iPhone at all; either way, they are never uploaded to our servers.
  • Voice analysis — vocal signals (such as tension and liveliness) are computed on your device.
  • Apple Health data — if you grant access, sleep, heart-rate and activity data are read by the app locally. We never store your Health records on our servers, and we never use Health data for advertising or share it with third parties.
  • App lock — Face ID / biometric protection happens entirely on the device, via Apple's frameworks. We never see your biometric data.

Because entries live on your device, deleting the app deletes local data with it (unless you've turned on cloud sync — see section 7). We recommend normal iPhone backups, or cloud sync, if you want to keep your journal safe.

3. What we store on our servers

To run accounts, subscriptions and fair-use limits, our server keeps a minimal record per user:

  • Apple sign-in identifier — the pseudonymous ID Apple issues when you use Sign in with Apple. We never see your password.
  • Email address — only if you chose to share it during Sign in with Apple (Apple's "Hide My Email" relay works fine with Jorai).
  • Subscription status — whether your account has an active Pro subscription.
  • Usage events — which API feature was called and when (an endpoint name and a timestamp). Used for rate limiting and abuse prevention. These events do not contain your journal content.
  • Device push token, platform and language — only if you enable notifications (see section 9).
  • Session & refresh tokens — short-lived records that keep you signed in and let us revoke access when you sign out or delete your account.
  • Security timestamps — account creation, last activity, and sign-out/revocation markers.

That is the complete list. We do not maintain any store of journal entries, transcripts or audio — there is no such database table.

4. What is processed transiently

Some features use cloud-powered AI. When you use them, your device sends a request that is processed in memory to generate a response, and is not written to our database:

  • Entry text — the words you wrote or spoke (as on-device transcribed text), when you ask for cloud analysis, reflections or chat follow-ups.
  • Derived signals — emotion scores and summary voice metrics computed on your device.
  • Optional context you've allowed — for example summary health statistics (such as hours slept or average heart-rate variability — never raw Apple Health records), an approximate place label, your schedule density (such as a meeting count), or short snippets of related past entries sent from your device to make reflections more relevant.

The server is stateless by design: each request carries what's needed, gets processed, and the content is discarded. Your device remains the only home of your journal.

5. AI processing

Cloud-powered analysis is performed by large-language-model providers acting as our processors. When you use a cloud feature, the content described in section 4 is sent to the provider's API for processing and the result is returned to your device. Depending on the feature and our current configuration, that provider is one of:

  • OpenAI (GPT models) — our current default for entry analysis, reflections, voice analysis and Pro insights.
  • Anthropic (Claude models) — used for guided chat follow-ups and as a fallback.
  • Google (Gemini models) — available as an alternative provider we may route to.

  • Under each provider's commercial API terms, your inputs and outputs are not used to train their models.
  • A provider may retain API data briefly for trust-and-safety purposes under its own policy, after which it is deleted.
  • We send the provider only what is needed for the feature — never your name, email or Apple identifier alongside your entry text.

Features marked as on-device (such as transcription and voice-signal analysis) involve no AI provider at all. See our sub-processors list for the current set of providers and where they process data.

6. Sensitive (health-related) data & your consent

Some of what you write — reflections on your mood, stress, sleep or wellbeing — and the optional summary signals you may choose to share (such as hours slept or heart-rate variability) are treated under data-protection law as special-category "health" data. The law requires your explicit consent before such data is processed in the cloud.

When you choose to use a cloud-powered feature, you give your explicit consent for the related content of that request to be processed transiently by us and our AI sub-processors solely to generate your result. The content is processed in memory and is not stored on our servers (section 4).

You can withdraw this consent at any time by not using cloud features — on-device journaling, transcription and voice-signal analysis keep working without any cloud processing. Withdrawing consent does not affect processing that already took place.

7. Cloud sync (Apple iCloud)

Jorai offers optional cloud sync so your journal survives a lost or replaced iPhone and can appear on your other Apple devices. It is free, you turn it on yourself in Settings, and it is built entirely on Apple iCloud, so it does not change our no-journal-on-our-servers promise.

  • It is your own iCloud, not ours. Synced data is stored in your private iCloud database, inside your personal Apple account, using Apple CloudKit. The developer has no access to it and cannot read your entries.
  • It never passes through our servers. Sync happens directly between your device and Apple iCloud. Your entries, transcripts and audio do not travel through, and are not stored by, the Jorai backend at any point.
  • What syncs. If you enable Sync data, your entries and their derived content (text, transcripts, summaries, emotion and topic labels, voice metrics and insights) sync. A separate Sync audio switch controls whether your voice recordings sync too; you can keep text in sync while leaving audio off.
  • Encryption. Text and metadata sync into your private iCloud database, which Apple encrypts and scopes to your account. Your audio recordings are end-to-end encrypted by Jorai with a key only your own devices hold (shared between your devices through iCloud Keychain), so iCloud only ever stores encrypted audio that no one — including Apple and us — can play without your key.
  • Conflicts. If you edit on two devices before they sync, the most recent change wins.
  • Turning it off / deleting. Switching a sync toggle off stops new changes from syncing but never deletes anything already on your device. Deleting an entry on a synced device removes it from iCloud and your other devices. Deleting your Jorai account (section 15) erases the minimal record on our servers; it cannot reach into your private iCloud, which you clear by deleting it on-device or in your iCloud settings.

Apple iCloud and CloudKit are governed by Apple's own privacy policy and terms.

8. Apple services

  • Sign in with Apple — authentication is handled by Apple; we receive a pseudonymous identifier and, if you allow it, an email address.
  • Speech recognition — transcription uses Apple's on-device frameworks.
  • HealthKit — read only with your permission, processed locally, never stored by us, never used for advertising.
  • iCloud / CloudKit — only if you enable cloud sync (section 7); your journal lives in your own private iCloud database, not ours.
  • App Store purchases — payments are processed entirely by Apple. We never see your payment details; we receive a signed receipt that proves your subscription is active.

Apple's own privacy policy governs these services on their side.

9. Push notifications

If you enable reminders, we store your device's push token (a random identifier issued by Apple), platform and preferred language so we can deliver notifications via Apple's push service. Notification content is generic by design (gentle reminders) — it never includes your journal content. You can turn notifications off anytime in iOS Settings; tokens of inactive devices are removed.

10. Crisis detection

Jorai includes an automated safety feature: if an entry appears to express thoughts of self-harm, the app shows supportive resources (such as crisis hotlines for your region). This detection is automated, exists only to show you resources, and:

  • is never reviewed by humans,
  • is never reported to authorities, employers, family members or anyone else,
  • does not create any record on our servers about you.

This safety feature and our AI reflections do not make any decision that produces legal or similarly significant effects about you, and they build no profile of you.

11. Operational logs, website & error reports

  • Access logs — like virtually every web service, our server keeps short-lived technical logs (timestamp, endpoint, response status, account identifier, request duration and originating IP address) to detect abuse and debug outages. They rotate automatically within days and never contain journal content.
  • Error monitoring — if the server hits an error, a technical report (stack trace, endpoint, account identifier) may be sent to Sentry, our error-monitoring provider, so we can fix it. These reports are scrubbed of personal content and do not include your journal text.
  • Our website — jorai.app uses no cookies, no third-party analytics and no advertising trackers. It stores only a single local preference in your browser for your light/dark theme choice.

The app itself contains no third-party analytics or advertising SDKs. We don't track how you use the app, build behavioral profiles, or share data with data brokers.

12. Why we process data, and our legal basis

  • Running your account & subscription (Apple sign-in identifier, email if shared, subscription status, session/security records) — to provide the Service you asked for. Legal basis: performance of a contract (Art. 6(1)(b)).
  • Rate-limiting, abuse prevention, access logs and error monitoring (usage events, short-lived technical logs, Sentry reports) — to keep the Service secure, available and affordable. Legal basis: our legitimate interests (Art. 6(1)(f)).
  • Push reminders (device token, platform, language) — only if you turn them on. Legal basis: your consent (Art. 6(1)(a)), withdrawable in iOS Settings.
  • Cloud-powered AI analysis of health-related entry content — only when you use a cloud feature. Legal basis: your explicit consent (Art. 6(1)(a) and Art. 9(2)(a)); see section 6.

13. Sub-processors

We use a small number of trusted service providers ("sub-processors") to run the Service. We keep this list current; the date below reflects the latest review.

| Provider | Purpose | Region |
|---|---|---|
| Apple | Sign in with Apple, push notifications, App Store billing, and (if you enable it) iCloud/CloudKit cloud sync | EU / US |
| OpenAI | AI processing of cloud-feature requests (default) | US |
| Anthropic | AI processing (conversational follow-ups / fallback) | US |
| Google | AI processing (alternate) | US |
| Sentry | Error monitoring (technical reports, no journal content) | US |

Transfers to US providers are protected as described under International data transfers. Last reviewed: June 20, 2026.

14. International data transfers

Our servers are located in the United Kingdom. If you are in the EU/EEA, transfers from the EEA to the UK are covered by the European Commission's adequacy decision for the UK.

Some of our processors are based in the United States — specifically our AI providers (OpenAI, Anthropic, Google) and our error-monitoring provider (Sentry). Where personal data is transferred to them, the transfer is protected by an appropriate safeguard under Chapter V of the GDPR / UK GDPR — typically the EU-US / UK Data Privacy Framework where the provider is certified, and Standard Contractual Clauses (plus the UK International Data Transfer Addendum) in their data-processing agreements. You can request a copy of the relevant safeguard for any sub-processor by emailing [email protected].

15. Retention & deletion

  • Your device data — under your control; delete entries or the app whenever you like.
  • Account data — kept while your account exists.
  • Deleting your account — in the app: Settings → Account → Delete Account. This promptly and permanently erases your account record and everything attached to it (usage events, push tokens, session records) from our database. You can also email [email protected] and we'll do it for you. (Deleting your Jorai account does not erase copies you keep in your own iCloud — see section 7.)
  • Logs — operational access logs rotate automatically within days.
  • Error reports — retained by Sentry for a limited period (around 90 days) and then deleted.
  • AI provider data — any short-term trust-and-safety retention by an AI provider follows that provider's policy (typically up to ~30 days), after which it is deleted.

16. Security

  • All traffic uses TLS encryption; the app additionally pins our server's certificate, so it will refuse connections it cannot verify.
  • Authentication uses short-lived signed tokens stored in the iPhone's Keychain; tokens can be revoked server-side on sign-out or deletion.
  • Servers are hosted in the United Kingdom (London) with a hardened configuration: administrative access is possible only over a private encrypted network, never from the public internet.
  • Rate limiting and abuse protection are enforced on every endpoint.

No system is perfectly secure, but our architecture keeps the most sensitive thing — your journal — off our servers entirely, which is the strongest protection we can offer.

17. Your rights

Depending on where you live (including under GDPR and UK GDPR), you have the right to access, correct, export (data portability, Art. 20) or erase your personal data, and to object to or restrict its processing. With Jorai this is mostly self-service:

  • Access / export — your journal is already in your hands, on your device; account data we hold is described in section 3 and we'll provide a copy on request.
  • Erasure — one tap in the app (section 15).
  • Anything else — email [email protected]. If you believe we've handled your data improperly, you also have the right to complain to your local data-protection authority — in the UK the Information Commissioner's Office (ico.org.uk), or in the EU/EEA your national authority (find yours via edpb.europa.eu).

18. Your US privacy rights (California and other states)

We do not sell your personal information, and we do not share it for cross-context behavioral advertising — and we have not done so in the preceding 12 months. We don't use third-party advertising or analytics SDKs at all.

The categories of personal information we collect are listed in section 3; we collect them to operate accounts, subscriptions and fair-use limits, and for security — not for advertising. If you are a California resident (or live in a state with similar laws), you may have the right to know, delete and correct the personal information we hold, and not to be discriminated against for exercising those rights. Because we do not sell or share, there is no opt-out to exercise. Email [email protected]; we may verify your identity via your Apple Sign in.

19. Children

Jorai is not directed at children under 16, and we do not knowingly collect personal data from them. Age is self-attested; we do not otherwise verify it. If you believe a child under 16 is using Jorai with an account, contact us and we will delete it.

20. Changes to this policy

If we change this policy in a meaningful way, we'll update the date at the top and, for significant changes, let you know in the app before they take effect. We will never quietly weaken the core promises: no journal storage on our servers, no ads, no selling of data.

21. Contact

Questions, concerns, requests: [email protected]


© 2026 Jorai.