Privacy Policy
We've written this policy in plain English. We are a small UK-based studio and we take your privacy seriously. The short version: we collect the minimum data needed to run the app, we never sell your data, no human ever reads your journal, and when AI features process your entries they are never retained or used for training. You have full rights under UK GDPR to access, correct, or delete what we hold.
Contents
1. Who we are 2. What data we collect 3. How we use your data 4. Data storage and security 5. Who we share data with 6. How long we keep your data 7. Your rights under UK GDPR 8. Cookies 9. Third-party links and services 10. Children 11. Changes to this policy 12. Contact us1. Who we are
Blackbox Journal is developed and operated by Okunola Digital Studios Ltd, a company registered in England and Wales. For the purposes of UK data protection law, Okunola Digital Studios Ltd is the data controller.
We are registered with the Information Commissioner's Office (ICO) as required by the Data Protection (Charges and Information) Regulations 2018. Our ICO registration number is ZA[XXXXXXX].
Our contact details are:
- Email: privacy@okunolastudio.com
- Website: okunolastudio.com
- Jurisdiction: England and Wales
2. What data we collect
We collect the minimum data necessary to provide the service. Here's a full breakdown:
Data you provide directly
| Type | Examples | Purpose |
|---|---|---|
| Account information | Email address, name | To create and manage your account |
| Journal entries | Morning/evening check-ins, free writing, gratitude entries | Core app functionality. Encrypted on our servers — we cannot read them. When AI features are enabled, your app sends entries to Google Gemini to generate insights. Google does not retain them or use them for training. |
| Mood ratings | Mood score (Great/Good/Okay/Low/Struggling) | Mood tracking and trend analysis. This data may be health-related under UK GDPR and is processed only with your explicit consent. |
| Wheel of Life ratings | Scores for Career, Health, Finances, Family, etc. | Life balance tracking. Processed with your explicit consent. |
| Waitlist signups | Name and email | To notify you when the app launches |
Data collected automatically
| Type | Purpose |
|---|---|
| Device type and OS version | Technical support and compatibility |
| App usage data (e.g. which screens you visit, feature usage frequency) | To improve the app |
| Crash reports | Bug fixes and stability |
| IP address (at account creation) | Fraud prevention and security |
Your journal entries are private. Entries are encrypted on our servers — we cannot read them. When you enable AI features, your app sends your entries securely to Google Gemini to generate personalised insights. Google processes them for that purpose only, does not retain them after the response is returned, and does not use them to train its AI models. No human at Google or at Okunola Digital Studios reads your journal entries. You can disable AI features at any time in App Settings, after which your entries never leave our servers.
Future health and fitness data
Blackbox Journal does not currently integrate with Apple HealthKit, Apple Health, or Google Health Connect. If we introduce health or fitness data integration in a future version of the App, we will update this policy, give you prominent advance notice, and obtain separate explicit consent before accessing any health or fitness data. We will never use health or fitness data for advertising or profiling purposes.
3. How we use your data
We use your data only for the following purposes, with the legal basis for each:
| Purpose | Legal basis |
|---|---|
| Providing the app and its features | Contract performance (fulfilling our service to you) |
| Account management and authentication | Contract performance |
| Processing mood ratings and wellbeing scores | Explicit consent under Article 9(2)(a) UK GDPR. This data may be health-related. You provide consent when you enable mood tracking. You can withdraw consent and disable mood tracking at any time in App Settings. |
| AI pattern detection and insights (via Google Gemini API) | Explicit consent. You opt in at account setup and can opt out at any time in App Settings. |
| Sending product updates and launch notifications | Consent (you can unsubscribe at any time) |
| Improving the app and fixing bugs | Legitimate interests (making a better product for our users) |
| Fraud prevention and security | Legitimate interests and legal compliance |
| Complying with legal obligations | Legal obligation |
How AI insights work: When you enable AI features, your journal entries are sent securely to Google Gemini to generate personalised reflections and insights. Google processes your entries for this purpose only — it does not retain them after returning a response, does not use them to train its AI models (per Google's Gemini API terms), and no human at Google reads them. We do not use your entries for advertising or share them with anyone else. You can disable AI features at any time in App Settings, at which point no entries are sent to Gemini.
We will never use your data for advertising, profiling for third parties, or any purpose not listed above.
4. Data storage and security
Your data is stored using Supabase, a secure backend platform with data centres in the EU (Frankfurt, Germany). All data is stored within the European Economic Area (EEA) unless explicitly noted in section 5.
Security measures
- Journal entries are encrypted at rest on our servers
- When AI features are enabled, entries are transmitted to Google Gemini over TLS 1.2+ encrypted connections. Google does not retain them after processing.
- All other connections use TLS 1.2+ encryption in transit
- Passwords are hashed using bcrypt. We never store plaintext passwords
- Access to production data is restricted to essential personnel only
- We perform regular security reviews of our codebase and infrastructure
In the event of a data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected users without undue delay, as required by UK GDPR Article 34.
5. Who we share your data with
We do not sell your data. We do not share it with advertisers. We share data only with the following service providers, who are contractually bound to process it only as we instruct:
| Provider | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Supabase Inc. | Database and authentication | EU (Frankfurt, Germany) | Within EEA — no international transfer |
| Apple Inc. | App Store distribution and push notifications | USA | Standard Contractual Clauses (SCCs) |
| Google LLC (Gemini API) | AI insight generation. When AI features are enabled, journal entries are sent to Gemini for processing. Google does not retain entries after generating the response, does not use them to train its models, and no human at Google reads them. | EU-region servers where available; otherwise USA | Standard Contractual Clauses (SCCs) |
| RevenueCat Inc. | Subscription management and in-app purchase processing | USA | Standard Contractual Clauses (SCCs) |
We may also disclose data where required by law, court order, or regulatory authority.
Business transfers
If Okunola Digital Studios Ltd is involved in a merger, acquisition, asset sale, or other business transfer, your personal data may be transferred as part of that transaction. In such circumstances, we will ensure the receiving party is bound by the terms of this privacy policy and will notify you of any change in data controller before it takes effect. If the acquiring party intends to process your data in a manner materially different from this policy, we will provide you with notice and, where required by UK GDPR, seek your consent before any such change applies to you.
6. How long we keep your data
We retain data only for as long as necessary for the purpose for which it was collected. Specific retention periods are as follows:
| Data type | Retention period |
|---|---|
| Account information (email, name) | Duration of your account, plus 30 days after deletion to allow for reactivation requests. Permanently deleted after this period. |
| Journal entries (encrypted) | Duration of your account. Permanently deleted within 24 hours of account deletion. |
| Mood ratings and Wheel of Life scores | Duration of your account. Permanently deleted within 24 hours of account deletion. |
| AI-generated insights and pattern summaries | Duration of your account. Permanently deleted within 24 hours of account deletion. |
| App usage analytics | Rolling 12 months. Data older than 12 months is automatically deleted. |
| Crash reports | Rolling 90 days. Automatically deleted after this period. |
| IP address (collected at account creation) | 90 days from collection. Automatically deleted after this period. |
| Waitlist contact details | Until your first app login or until you unsubscribe, whichever comes first. Deleted within 30 days of either event. |
| Subscription and payment records | 7 years from the date of the transaction, as required by UK tax and financial records law. |
| Aggregated, anonymised statistics | Indefinitely. Aggregated statistics that cannot reasonably be used to identify any individual fall outside the scope of UK GDPR and may be retained without a time limit. |
7. Your rights under UK GDPR
Under UK data protection law, you have the following rights:
- Right of access: You can request a copy of the personal data we hold about you.
- Right to rectification: You can ask us to correct inaccurate or incomplete data.
- Right to erasure: You can ask us to delete your personal data ("the right to be forgotten").
- Right to restrict processing: You can ask us to limit how we use your data in certain circumstances.
- Right to data portability: You can request your data in a structured, machine-readable format.
- Right to object: You can object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent: Where we process your data on the basis of consent, including explicit consent under Article 9 for mood and wellbeing data and consent for AI features, you can withdraw that consent at any time through App Settings. Withdrawal does not affect the lawfulness of processing carried out before you withdrew consent.
- Rights related to automated decision-making: You can request human review of any automated decisions that significantly affect you.
How to exercise your rights
To exercise any of these rights, contact us at privacy@okunolastudio.com with the subject line "Data Subject Request." We will acknowledge your request within 5 business days.
To protect your data, we will ask you to verify your identity before we process any request. We will typically ask you to contact us from the email address registered to your account. We will not release or delete data until identity is confirmed.
We will respond to all requests within 30 days. In complex cases we may extend this by a further two months, in which case we will notify you within the first 30 days and explain the reason. We will not charge a fee for responding to requests unless they are manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline to act.
If you are unhappy with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling their helpline on 0303 123 1113.
8. Cookies
The Blackbox Journal mobile app does not use cookies.
Our website (okunolastudio.com) uses only the following essential cookie:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| cookie_consent | Essential | Remembers your cookie consent choice | 1 year |
We do not currently use analytics cookies, advertising cookies, or any tracking that follows you across other websites. If we introduce analytics in the future, we will use a privacy-preserving tool that does not require consent under PECR (the UK's Privacy and Electronic Communications Regulations). We will update this policy and provide you with notice before any such cookies are set.
You can manage or withdraw your cookie consent at any time using our cookie settings banner.
9. Third-party links and services
This privacy policy applies only to Blackbox Journal (the App) and our website at okunolastudio.com. It does not apply to third-party websites, applications, or services, even if you reach them through links on our website or within the App.
We have no control over the content, privacy policies, or data practices of any third-party websites or services. When you leave our website or click a link to a third-party destination, we encourage you to read that site's privacy policy before submitting any personal information. We are not responsible for any information you choose to share with third parties or for how those third parties use it.
The third-party service providers we actively work with are listed in section 5 above, with links to their privacy policies. All other third-party websites linked from our site are entirely independent of Okunola Digital Studios Ltd and we accept no responsibility for their privacy practices or data handling.
10. Children
Blackbox Journal is not intended for children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us at privacy@okunolastudio.com and we will delete it promptly.
Users between 13 and 17 should use the app with parental awareness. The app contains self-reflection prompts about mood, stress, and emotional wellbeing and is primarily designed for adults.
11. Changes to this policy
We may update this privacy policy from time to time. When we do, we will update the "Last updated" date at the top of the page. For significant changes, we will notify you by email (if you have an account) or by a notice within the app, giving you reasonable advance notice before changes take effect.
Continued use of Blackbox Journal after changes take effect constitutes acceptance of the updated policy.
12. Contact us
For any questions about this privacy policy or how we handle your data:
- Email: privacy@okunolastudio.com
- General enquiries: hello@okunolastudio.com
- Website: okunolastudio.com
- ICO (supervisory authority): ico.org.uk · 0303 123 1113
We aim to respond to all privacy-related queries within 5 business days, and we are required by law to respond to formal data subject access requests within 30 days.