Privacy Policy

Last updated: March 2026

1. Who We Are

ListeningDiary ("we", "us", "our") operates the website at listeningdiary.com and the associated mobile application. We are the data controller for personal information collected through the platform. For any privacy-related questions or requests, contact us at: privacy@listeningdiary.com

2. What Data We Collect

We collect the following categories of personal data:

Account data
• Email address and username, collected when you register
• Password (stored as a secure hash — we never see your plaintext password)
• Role (Member or Listener) and any profile information you choose to provide

Usage data
• Pages visited, features used, and session duration — collected to improve the platform
• Device type, browser, and approximate location (country/region) via anonymised analytics

Support session data
• One-to-one chat messages are transmitted through an encrypted channel and are not stored on our servers after a session ends

Community room data
• Messages you post in community rooms are stored to enable the chat experience and for moderation purposes

Journal data
• Journal entries (title, content, mood rating) you create — stored securely and accessible only to you

Progress data
• Your growth path progress — stored against your account to personalise your experience

Cookies & similar technologies
• See Section 7 for full details

3. How We Use Your Data

We use your personal data to:
• Create and manage your account
• Provide the listening session matching service
• Operate community rooms and enforce community standards
• Store your journal entries and growth progress
• Send you transactional emails (e.g. session notifications, password reset)
• Detect and prevent abuse, fraud, or safety risks
• Improve the platform through aggregated, anonymised analytics
• Comply with legal obligations

We do not sell your personal data. We do not use your data for advertising or share it with advertising networks.

4. Legal Basis for Processing

We process your personal data on the following legal bases:

UK & EEA users (UK GDPR / EU GDPR)
• Contract: to perform the service you signed up for
• Legitimate interests: to keep the platform secure and prevent abuse
• Consent: for optional cookies and analytics (you can withdraw at any time)
• Legal obligation: where required by applicable law

Users in other regions
While UK GDPR / EU GDPR applies to our processing as a UK-based controller, we apply equivalent privacy standards to all users regardless of location. Where local laws (such as CCPA in California, PIPEDA in Canada, PDPA in parts of Asia, or LGPD in Brazil) grant additional rights, we will honour those rights on request. Contact us at privacy@listeningdiary.com for any region-specific request.

5. How We Share Your Data

We share data only with:

Supabase (database & authentication)
Our primary data store and authentication provider. Data is stored in the EU. Supabase is GDPR-compliant.

Stream (real-time chat)
Powers our live chat features. Messages are transmitted through Stream's infrastructure. Stream processes data in accordance with its privacy policy.

Resend (transactional email)
Used to send account and notification emails. Only your email address is shared for this purpose.

Vercel (hosting)
Our website is hosted on Vercel's infrastructure. Vercel may process request logs.

We require all third-party processors to maintain appropriate data protection standards. We do not share your data with any other third parties except where required by law or to protect the safety of users.

6. Data Retention

• Account data: retained for as long as your account is active, then deleted within 30 days of account deletion.
• Journal entries: deleted immediately when you delete them, or within 30 days of account deletion.
• One-to-one chat messages: not stored after session ends.
• Community room messages: retained for up to 12 months for moderation purposes, then deleted.
• Anonymised analytics data: may be retained indefinitely as it cannot be linked back to you.

7. Cookies

We use the following types of cookies:

Strictly necessary cookies
These are required for the platform to function. They include authentication session cookies set by Supabase. You cannot opt out of these without logging out.

Analytics cookies
We use privacy-friendly, anonymised analytics to understand how people use the platform (e.g. which pages are popular, what devices are used). No personally identifying information is collected. You can decline these via our cookie banner.

We do not use advertising cookies or track you across other websites. You can manage your cookie preferences at any time using the cookie settings link in the footer, or by clearing cookies in your browser settings.

8. Your Rights

Depending on where you are located, you have some or all of the following rights:
• Access: request a copy of the personal data we hold about you
• Rectification: ask us to correct inaccurate or incomplete data
• Erasure: ask us to delete your data ("right to be forgotten")
• Restriction: ask us to limit how we process your data
• Portability: receive your data in a structured, machine-readable format
• Objection: object to processing based on legitimate interests
• Withdraw consent: for any processing based on your consent (e.g. analytics cookies)

UK users
These rights are provided under the UK GDPR. You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

EEA users
These rights are provided under the EU GDPR. You may lodge a complaint with your local data protection authority (DPA).

Users in other regions
We apply equivalent rights to all users where technically and legally feasible. Californian residents may additionally exercise rights under the CCPA (including the right to know and the right to opt out of sale — we do not sell your data). Contact us for any region-specific request.

To exercise any of these rights, email privacy@listeningdiary.com. We will respond within 30 days.

9. Children's Privacy

ListeningDiary is not directed at children under 13. We do not knowingly collect personal data from anyone under 13. If you believe a child under 13 has registered, please contact us immediately at privacy@listeningdiary.com and we will delete the account. Users aged 13–17 may use the platform with parental consent. We encourage parents to discuss online safety with their children.

10. Security

We take data security seriously. Measures include:
• Passwords stored as salted hashes (never in plaintext)
• All data in transit encrypted via TLS
• Row-level security on our database so users can only access their own data
• One-to-one chat messages not persisted after sessions end
• Regular security reviews of our infrastructure

No system is 100% secure. If you discover a security vulnerability, please report it responsibly to security@listeningdiary.com.

11. International Transfers

We are based in the UK. Your data may be processed by our third-party providers in the EU or US. Where data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place (e.g. Standard Contractual Clauses or adequacy decisions).

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a notice on the platform. The "Last updated" date at the top of this page reflects the most recent version.

13. Contact Us

For any privacy questions, requests, or complaints:
Email: privacy@listeningdiary.com

For general support: support@listeningdiary.com