Onwards Upwards

Privacy Policy

Last updated: May 23, 2026

Important: Onwards Upwards is a self-reflection journaling tool. It is not a medical device, not a healthcare service, and not a substitute for therapy. We are not a HIPAA Covered Entity or Business Associate.

1. Who we are (Data Controller)

Onwards Upwards ("we", "us"). For privacy questions and to exercise your rights, contact privacy@onwardsupwards.app.

Data Protection Officer (DPO): our DPO oversees compliance with GDPR, UK GDPR and equivalent regimes and is your single point of contact for data-protection matters. Reach the DPO at dpo@onwardsupwards.app. For security vulnerabilities, see /.well-known/security.txt.

EU representative (GDPR Art. 27): Onwards Upwards EU Representative, c/o Instant EU GDPR Representative Ltd, Office 2, 12A Lower Main Street, Lucan Co. Dublin, K78 X5P8, Ireland — eu-rep@onwardsupwards.app.

UK representative (UK GDPR Art. 27): Onwards Upwards UK Representative, c/o GDPR Local Ltd, 1st Floor Front Suite, 1 Quayside, Newcastle upon Tyne, NE1 3DA, United Kingdom — uk-rep@onwardsupwards.app.

While we finalise Art. 27 representative engagement, the addresses above are the intended c/o service providers. If you are an EU/UK data subject and need to escalate, email privacy@onwardsupwards.app and we will route to the representative or directly to the DPO within 5 business days.

2. Information we collect

  • Account data: email, display name, password hash, timezone, birth year (if provided), consents.
  • Journal content: trigger text, context, emotions, intensity ratings, traits, beliefs, integration actions, insight notes.
  • Technical data: IP address, device/browser, request logs (for security and abuse prevention).
  • Cookies & storage: see our Cookie Policy.

3. Special-category (sensitive) data

Journaling about emotions, triggers, and beliefs may reveal information about your mental health, which is a "special category" of personal data under GDPR Art. 9. We process it solely on the basis of your explicit consent (GDPR Art. 9(2)(a)), captured at signup. You can withdraw consent at any time by deleting your account, which permanently erases this data.

4. Lawful bases (GDPR Art. 6)

  • Contract (Art. 6(1)(b)): creating and operating your account.
  • Legitimate interests (Art. 6(1)(f)): security, fraud prevention, service improvement.
  • Consent (Art. 6(1)(a)): sensitive journaling content, marketing emails, non-essential cookies.
  • Legal obligation (Art. 6(1)(c)): responding to lawful requests.

5. How we use your data

To provide the journaling service, generate your personal insights, secure the platform, communicate about your account, and — only with your opt-in — send occasional product updates. We do not sell your data and we do not use journal content to train AI models for other users.

6. Sub-processors and international transfers

We rely on a small set of vetted sub-processors (hosting, email delivery, analytics). See the full list at /legal/subprocessors and our Record of Processing Activities at /legal/ropa. Our breach-response process is published at /legal/breach-response. Some providers are located outside the EU/UK. Transfers rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK IDTA, with supplementary measures where required.

7. Retention

  • Account & journal data: kept while your account is active.
  • After account deletion: erased within 30 days from production systems and within 90 days from encrypted backups.
  • Security & abuse logs: up to 12 months.
  • Audit trail (consent receipts, sign-in / MFA events, export and deletion requests, processing-pause toggles): retained for up to 24 months under our legitimate interest (GDPR Art. 6(1)(f) and UK GDPR equivalent) in detecting fraud, meeting accountability obligations (GDPR Art. 5(2)), and demonstrating compliance to supervisory authorities. These records survive account deletion because they document that the deletion itself took place; they reference your user ID only and contain no journal content. You can view your own audit trail at Settings → Security activity.
  • Suppressed-email and unsubscribe records: kept as required to honour your opt-out.

8. Your rights

Depending on your jurisdiction — including the EU GDPR, UK GDPR / DPA 2018, California CCPA/CPRA, Brazil LGPD, Canada PIPEDA, Australia Privacy Act 1988 (APPs), and South Africa POPIA — you have the right to access, rectify, erase, port, restrict, and object to processing of your personal data, to withdraw consent, and (in California) to opt out of sale/sharing and limit use of sensitive personal information. You can:

  • Export your data from Settings → Export your data.
  • Delete your account from Settings → Delete account.
  • Email privacy@onwardsupwards.app for anything else.

You can also lodge a complaint with your local supervisory authority (e.g. ICO in the UK, your national DPA in the EU, or the CNIL in France).

Right to object to automated profiling (GDPR Art. 21)

Our Insights feature is profiling within the meaning of GDPR Art. 4(4). You may object at any time and disable Insights from Settings → Insights; we will stop generating Insights from your data immediately on objection, with no impact on the rest of the service.

Global Privacy Control (GPC)

We honour the Global Privacy Control signal sent by your browser as a valid opt-out of "sale" and "sharing" under the CCPA/CPRA and as an objection to non-essential processing in other regions. When GPC is detected we automatically downgrade non-essential cookies to off and suppress marketing communications without requiring any further action from you.

Regional addenda

  • California (CCPA/CPRA). "Do Not Sell or Share" and "Limit the Use of My Sensitive Personal Information" at /legal/privacy-choices. Authorised-agent submissions accepted with verifiable written permission. We do not knowingly sell or share personal information of consumers under 16. Complaints: California Privacy Protection Agency, cppa.ca.gov.
  • Brazil (LGPD). Lawful basis is your explicit consent (Art. 7 IX / Art. 11 I) for sensitive data. Data subjects may exercise the rights in LGPD Art. 18 by emailing privacy@onwardsupwards.app. Complaints: Autoridade Nacional de Proteção de Dados (ANPD), gov.br/anpd.
  • Canada (PIPEDA). We process personal information with your knowledge and consent and limit collection to what is necessary for the purposes identified above. You may request access, correction, or withdraw consent at any time. Complaints: Office of the Privacy Commissioner of Canada, priv.gc.ca.
  • Australia (Privacy Act 1988 / APPs). We comply with the Australian Privacy Principles. To make an access/correction request or complaint to us, email privacy@onwardsupwards.app. Complaints can also be made to the Office of the Australian Information Commissioner, oaic.gov.au.
  • South Africa (POPIA). Onwards Upwards is the Responsible Party. Sensitive (special personal information) processing relies on your explicit consent (POPIA s. 27). Information Officer contactable via privacy@onwardsupwards.app. Complaints: Information Regulator (South Africa), inforegulator.org.za.

9. Security

Data is encrypted in transit (TLS) and at rest. Access is gated by per-user row-level security policies. We follow OWASP ASVS guidance, run security scans on every change, and maintain an incident-response process with a 72-hour breach-notification commitment (GDPR Art. 33).

10. Children

Onwards Upwards is intended for users aged 16 and over. We do not knowingly collect personal information from children under 16 (or under 13 in the United States, per COPPA).

11. Automated insights

We generate descriptive insights from your own journal entries (e.g. top triggers, recurring beliefs). These insights are not automated decisions with legal or similarly significant effects (GDPR Art. 22). You can disable insights by deleting your account, or turn them off at any time from Settings → Insights without losing your entries. See the full Insights methodology for inputs, formulas, limits, and the human-review path.

12. Changes

We will notify you of material changes by email or in-app notice at least 14 days before they take effect.