Last updated: March 29, 2026 | Version 2.0 — GMX Quantum LLC
GMX Quantum LLC ("we," "our," or "us") operates the diAry mobile application (the "App" or "Service"). We are committed to protecting your privacy and handling your personal information with transparency and care.
This Privacy Policy explains what information we collect and why, how we use, store, and protect your information, your rights regarding your personal data, and how to exercise those rights.
By using diAry, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree, you must immediately cease using the Service and delete the App from your device.
We process your personal data under the following legal bases:
CCPA Business Purpose (California Users): We collect and process personal information for providing and maintaining the Service, processing transactions and managing subscriptions, detecting and preventing security incidents and fraud, debugging and repairing errors, improving and developing the Service, and complying with legal obligations.
Information You Provide Directly:
Information Collected Automatically:
Information We Do NOT Collect:
We explicitly DO NOT collect: Social Security Numbers or government identification numbers, financial account numbers (bank accounts, credit cards), biometric data (fingerprints, facial recognition data), precise geolocation (GPS coordinates), health information (HIPAA-protected health data), sexual orientation or gender identity, race, ethnicity, or religious beliefs, political opinions or affiliations, or information about children under 18 years of age.
Core Service Provision: We use your information to create and maintain your Account, store and synchronize your journal entries (Elite subscribers only), process voice transcription requests through OpenAI Whisper API, generate AI Companion responses through Anthropic Claude API, enable Burn Mode and automatic entry deletion, export journal entries to PDF format (Elite subscribers only), manage your diAry Elite subscription, process payments through RevenueCat, send subscription renewal reminders, handle refund requests, authenticate your login, send account verification emails, and process password reset requests.
Service Improvement and Development: We use anonymized, aggregated data to analyze usage patterns and identify popular features, identify and fix bugs and technical issues, develop new features and improve existing ones, optimize app performance and user experience, and conduct A/B testing of new features. We do NOT use your individual journal content for these purposes.
Communication: We may send you transactional emails (account verification and password reset emails, subscription renewal and payment confirmations, critical security alerts, important updates to Terms of Service or Privacy Policy, customer support responses) which you cannot opt out of, as they are necessary to provide the Service. We may also send marketing emails (product updates and new feature announcements, tips for using diAry effectively, special offers or promotions) which you can opt out of at any time by clicking "Unsubscribe" in any marketing email, adjusting email preferences in your Account settings, or contacting [email protected].
Voice Transcription (OpenAI Whisper API): When you record a voice journal entry, the audio file is sent to OpenAI's Whisper API for transcription. OpenAI processes the audio and returns a text transcription. OpenAI does NOT store or use your audio data to train AI models (per OpenAI's API data usage policy as of March 2026). Audio data is transmitted over encrypted connections (HTTPS/TLS).
AI Companion Responses (Anthropic Claude API): When you request an AI response, your journal entry text is sent to Anthropic's Claude API. Anthropic processes the text and generates a response. Anthropic does NOT use your journal content to train AI models (per Anthropic's data processing practices as of March 2026). Journal content is transmitted over encrypted connections (HTTPS/TLS).
Third-Party Service Providers: We use Anthropic (AI response generation), OpenAI (voice transcription), Amazon Web Services/AWS (cloud hosting and database), RevenueCat (subscription management), Apple App Store (payment processing for iOS), and Google Play Store (payment processing for Android).
Your Control Over AI Processing: You can control AI processing by not using voice transcription features (type journal entries manually), not requesting AI Companion responses (journal without AI assistance), and using the free tier (diAry) instead of Elite, which stores data locally only. If you do NOT use AI features, your journal content is NEVER transmitted to third-party AI services.
We Do NOT Sell Your Personal Information: GMX Quantum LLC does NOT sell, rent, or trade your personal information to third parties for monetary or other valuable consideration. This prohibition applies to all users, including California residents under CCPA.
When We Share Your Information: We share your personal information only in limited circumstances: with your consent, with service providers (AWS, Anthropic, OpenAI, RevenueCat - these providers are contractually obligated to use your data only to provide services to us, maintain appropriate security measures, comply with applicable data protection laws, and delete or return data upon termination of services), for legal obligations (in response to valid subpoenas, court orders, or search warrants, lawful requests from law enforcement or government agencies, legal processes requiring disclosure), to protect rights (to investigate, prevent, or take action regarding illegal activity, enforce our Terms of Service, protect the rights, property, or safety of GMX Quantum LLC, our users, or the public, defend against legal claims or lawsuits), and in business transfers (if GMX Quantum LLC is involved in a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity).
Aggregated and Anonymized Data: We may share aggregated, anonymized data that cannot identify you individually, such as overall app usage statistics, anonymized feature adoption rates, and aggregated mood tracking trends. This data does not constitute "personal information" under GDPR or CCPA.
We retain your personal information for the following periods: Account Information (until you delete your Account + 30 days), Journal Entries - Local Storage (stored on your device until you delete them), Journal Entries - Cloud Sync/Elite (until you delete them or delete your Account + 30 days), Burn Mode Entries (automatically deleted after the time period you specify), Subscription Data (7 years - required for tax/accounting compliance), Payment Transaction Records (7 years - required for tax/accounting compliance), Customer Support Emails (3 years), Security Logs (90 days), and Anonymized Usage Analytics (indefinitely - cannot be linked to you).
Account Deletion: You may delete your Account via the App (Settings → Account → Delete Account, confirm deletion by entering your password - your Account and cloud-stored data will be deleted within 48 hours) or via email (send a request to [email protected] with subject "DELETE MY ACCOUNT" - we will process your request within 30 days).
What Happens When You Delete Your Account: Immediately deleted (within 48 hours): your email, name, and Account credentials, all cloud-synchronized journal entries (Elite users), all mood tracking data stored on our servers, your subscription status (subscription will be canceled). Deleted within 30 days: backup copies stored for disaster recovery, cached data in content delivery networks. NOT deleted (legal/regulatory requirements): transaction records (subscription payments) - retained for 7 years for tax compliance, anonymized usage analytics (cannot be linked to you), communications with customer support (retained for 3 years). Cannot be deleted: data you stored locally on your device - you must manually delete the app and clear app data.
Burn Mode – Automatic Deletion: When you enable Burn Mode for journal entries, entries are permanently and irreversibly deleted after the specified time period, deleted entries are removed from both local storage and cloud storage (if applicable), and we cannot and will not recover Burn Mode entries under any circumstances.
We implement industry-standard security measures to protect your information:
Encryption: In Transit (all data transmitted between your device and our servers is encrypted using HTTPS/TLS 1.3), At Rest (journal entries stored on AWS are encrypted using AES-256 encryption), Passwords (stored using bcrypt hashing with salt - never stored in plain text).
Access Controls: Role-based access control (RBAC) for internal systems, multi-factor authentication (MFA) required for administrative access, principle of least privilege (employees access only data necessary for their role).
Network Security: Firewalls and intrusion detection systems, DDoS protection via AWS infrastructure, regular security audits and penetration testing.
Application Security: JWT (JSON Web Token) authentication with expiration, rate limiting to prevent brute force attacks, input validation and sanitization to prevent injection attacks, secure coding practices and regular code reviews.
Device-Level Security (Your Responsibility): Ghost Mode (prevents screenshots and screen recordings within the app), Biometric Authentication (support for Face ID, Touch ID, fingerprint if you enable it), Local Encryption (journal entries stored locally on your device use device-level encryption).
Limitations of Security – Important Disclaimer: No security system is impenetrable. We cannot guarantee absolute security. Despite our security measures, unauthorized access, hacking, data breaches, or security incidents may occur. You are responsible for choosing a strong, unique password, securing your device with a passcode/biometric lock, not sharing your account credentials, installing security updates for your device OS, using antivirus/anti-malware software, and being vigilant against phishing attacks.
Regardless of your location, you have the following rights: Right to Access (request a copy of all personal information we hold about you), Right to Correction (correct inaccurate or outdated personal information - update directly in Settings → Profile), Right to Deletion (request deletion of your personal information via [email protected] or delete Account via app), Right to Object (object to processing of your personal information for direct marketing - opt out by clicking "Unsubscribe" in marketing emails), and Right to Data Portability (request a machine-readable copy of your journal entries - Elite users can export to PDF directly in-app).
How to Exercise Your Rights: Contact us at [email protected] with subject line "PRIVACY REQUEST – [Your Request Type]" and include your full name, email address associated with your Account, and specific request details. Response Time: We will respond within thirty (30) days of receiving your request.
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional privacy rights including Right to Know (request disclosure of categories and specific pieces of personal information collected, request disclosure of sources, purposes, and third parties with whom we share data), Right to Delete (request deletion of personal information we have collected - subject to legal exceptions), Right to Opt-Out of Sale (We do NOT sell personal information, so no opt-out is necessary), and Right to Non-Discrimination (we will not discriminate against you for exercising your CCPA rights - we will not deny service, charge different prices, or provide different quality of service).
How to Exercise CCPA Rights: Email [email protected] with subject line "CCPA REQUEST – [Right to Know / Right to Delete]" and include your full name, email address associated with your Account, California residency confirmation, and specific request details. Response Time: We will respond within forty-five (45) days (extendable to 90 days if complex).
If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) provides you with additional privacy rights including Right of Access (Article 15), Right to Rectification (Article 16), Right to Erasure/"Right to Be Forgotten" (Article 17), Right to Restriction of Processing (Article 18), Right to Data Portability (Article 20), Right to Object (Article 21), Right to Withdraw Consent (Article 7), and Right to Lodge a Complaint (file a complaint with your local supervisory authority/Data Protection Authority).
How to Exercise GDPR Rights: Email [email protected] with subject line "GDPR REQUEST – [Specific Right]". Response Time: We will respond within one (1) month (extendable to 3 months if complex).
diAry is intended solely for users who are 18 years of age or older. We do NOT knowingly collect, solicit, or maintain personal information from individuals under 18 years of age.
COPPA Compliance (United States): We do not knowingly collect personal information from children under 13, we do not direct the Service to children under 13, and we do not knowingly allow children under 13 to create accounts.
Parental Notice: If you are a parent or legal guardian and believe your child under 18 has created an Account, immediately contact us at [email protected] with subject line "UNDERAGE ACCOUNT – DELETE IMMEDIATELY". We will delete the Account and all associated data within forty-eight (48) hours of verification.
Your personal information may be transferred to, stored, and processed in the United States (AWS servers in us-east-1 region, Virginia) and other countries where our service providers operate. For EU/EEA users, this means your data may be transferred outside the European Economic Area (EEA).
GDPR Safeguards for EU Users: We ensure adequate protection through Standard Contractual Clauses (SCCs) - we use EU-approved Standard Contractual Clauses with AWS and other service providers, Adequacy Decisions (where applicable, we rely on the European Commission's adequacy decisions), and Supplementary Measures (encryption in transit and at rest, access controls and authentication, regular security audits).
In the event of a data breach that affects your personal information, we will notify you within seventy-two (72) hours of discovering the breach (GDPR requirement) via email to your registered email address and via in-app notification, and notify authorities by reporting the breach to relevant supervisory authorities (e.g., EU DPAs, California Attorney General) as required by law.
Breach notifications will include a description of the breach (what happened, when, how), categories and approximate number of affected users, categories and approximate number of affected records, likely consequences of the breach, measures taken to address the breach, recommended actions you should take (e.g., change password, monitor accounts), and contact information for further inquiries.
We reserve the right to modify this Privacy Policy at any time. Material changes that significantly affect your rights will be communicated by updating the "Last Updated" date at the top of this Policy, sending email notification to your registered email address, displaying an in-app notification upon your next login, and providing thirty (30) days' notice before changes take effect.
Continued use of the Service after changes take effect constitutes your acceptance of the modified Privacy Policy. If you do not agree to the modified Privacy Policy, you must stop using the Service and delete your Account.
GMX Quantum LLC
Registered Address: Wilmington, Delaware, United States
Email: [email protected]
Data Protection Officer: [email protected] (Subject Line: "ATTN: DATA PROTECTION OFFICER")
For questions, concerns, or requests regarding this Privacy Policy, contact [email protected] with subject line "PRIVACY POLICY INQUIRY". Response Time: We aim to respond within forty-eight (48) business hours.
Effective Date: March 29, 2026 | Version: 2.0
By using diAry, you acknowledge that you have read, understood, and agree to this Privacy Policy.