Privacy Policy
Last updated: May 2026 (P-17 GDPR Art. 8 age floor disclosure) | Version: 3.9
1. Information We Collect
Information You Provide
- Account Information: Email address, username, password (encrypted)
- Profile Information: Name, profile picture (optional)
- Journal Entries: Text content, mood data, timestamps. Each individual entry body is capped at 20,000 characters as a data-minimisation measure (GDPR Art. 5(1)(c)); the first time you visit the journal page we show a one-time inline awareness banner reminding you that entry text is processed by our AI provider chain — see section 2a below (P-24).
- Payment Information: Processed securely through Paddle.com (we don't store card details)
- Support Communications: Messages sent to our support team
Information We Collect Automatically
- Usage Data: Features used, frequency of use, interaction patterns
- Device Information: Browser type, operating system, IP address
- Log Data: Access times, pages viewed, app crashes
- Cookies: See our Cookie Policy
2. How We Use Your Information
We use your information to:
- Provide and maintain our journaling service
- Process AI-powered insights and memory extraction
- Send service-related communications (account updates, security alerts)
- Process payments and prevent fraud
- Improve our services based on usage patterns
- Comply with legal obligations
- With your consent, send marketing communications
2a. How AI Processes Your Journal Text
Talking Paper's AI features — memory extraction, personality-trait scoring, mood scoring, AI reply, and paragraph reflection — are produced by sending the relevant portion of your journal text to a third-party large-language-model (LLM) API. Your text is transmitted over TLS to our LLM gateway, OpenRouter (operated by OpenRouter, Inc., United States). OpenRouter then dispatches each request to one of several underlying model providers depending on its routing policy. The underlying providers your text may reach include OpenAI, Anthropic, Mistral, DeepSeek, and others that OpenRouter supports. The current authoritative list of every recipient of journal text is published on our Subprocessors page (rows for OpenRouter and “Per-model providers fronted by OpenRouter”).
Retention. Prompts and completions sent to OpenRouter (and onward to the underlying model provider) may be retained by those providers per the contractual terms each provider publishes. We have not negotiated a zero-data-retention (ZDR) agreement with OpenRouter or with the underlying providers at this time, and our application code does not transmit a per-request ZDR signal. Earlier versions of this policy claimed that AI processing left no copy of your journal text with the model provider — that claim was inaccurate and has been retracted in this version (see the version stamp at the top of this page). When ZDR is in place, this paragraph and the corresponding rows on the Subprocessors page will be updated and the policy version will be bumped so that consents captured under the new posture are distinguishable from prior consents. For the full vendor disclosures including retention windows and transfer safeguards, see our Subprocessor list and our Data Processing Agreement at /legal/dpa/.
AI-subprocessor erasure on account deletion. Every OpenRouter request carries a per-user identifier (the OpenAI-compatible user field in the request body) so that prompts already shipped to the AI provider chain can be associated with your account when you request erasure under GDPR Art. 17. When your account is anonymised by our daily retention cron (enforce_data_retention), the cron then issues a best-effort selective deletion of your Langfuse traces using that identifier. Because OpenRouter does not currently expose a per-user delete API, prompts and completions previously routed through OpenRouter remain subject to that vendor's contractual retention as published in the Subprocessor list and our Data Processing Agreement — we will issue an upstream per-user deletion to OpenRouter once that capability becomes available. The Langfuse selective delete runs on a best-effort basis within the next daily cron pass; transient provider outages are retried on subsequent passes and do not block the local-DB erasure.
Observability (Langfuse). When the operator enables observability (controlled by the LANGFUSE_ENABLED setting, which defaults to off), redacted traces of prompts and completions may additionally be sent to Langfuse Cloud (operated by Langfuse GmbH). Before transmission, email addresses and phone numbers are masked and the content is truncated to 4,000 characters. The Subprocessor list documents Langfuse's data categories, region, and transfer mechanism whenever it is enabled.
Observability is currently ENABLED in this deployment. The Langfuse paragraph above describes what data flows to Langfuse Cloud.
For the lawful basis, risk classification, and impact-assessment artefacts that govern this AI processing under the EU AI Act and GDPR Art. 35, see section 8b. To exercise your right of access (GDPR Art. 15) over what was sent to the AI provider chain, contact support@talkingpaper.app or our Data Protection Officer at dpo@talkingpaper.app.
2b. How AI processes your data — models, training posture, and opt-out
Section 2a above describes the route your journal text takes through our AI provider chain. This section goes deeper on the specific models in use, our training-data posture, and how to opt out of LLM-based features entirely.
Models currently in use
The models below are reached through OpenRouter (we never call a model provider directly). We may add or replace models with notice via a version bump on this Privacy Policy and a corresponding row update on the Subprocessor list.
- Reply / reflection: openai/gpt-4o-mini (default; cost-optimised for short conversational generations).
- Memory and trait extraction: openai/gpt-4o-mini (same default; structured-output prompts).
- Embeddings (semantic retrieval over your past entries): openai/text-embedding-3-large (configurable via EMBEDDING_MODEL_NAME; vector representations only, not raw text).
- Available via OpenRouter routing on request: Anthropic Claude family (anthropic/claude-3-haiku, -sonnet, -opus), OpenAI GPT-4o family, Mistral and DeepSeek models, and others OpenRouter supports. The authoritative current list is the price table at talking_paper/observability/costs.py (comment marker F-15: keep in sync with config/settings/base.py:EMBEDDING_MODEL_NAME and free_spirit/intelligence.py:reply_model).
Training opt-out posture
We do not opt in to model training on your data. OpenRouter does not, by default, share customer prompts or completions with the underlying model providers for training. Per-provider data-use links:
- OpenRouter privacy policy
- OpenAI enterprise privacy (when routed)
- Anthropic privacy policy (when routed)
Vendor-written confirmation of each provider's no-training stance is kept in our internal evidence vault at business-docs/legal/processors/ (per-vendor folder; not publicly readable). If you are a B2B customer and need a copy as part of due diligence, request via dpo@talkingpaper.app.
Opting out of AI features
To opt out of LLM-based processing entirely, email our Data Protection Officer at dpo@talkingpaper.app from the address attached to your account. Opting out:
- Stops memory extraction, AI reply, paragraph reflection, mood scoring, and personality-trait inference for your entries going forward.
- Does not retroactively delete memories, traits, or embeddings already inferred (those are subject to the deletion path described in section 5).
- Removes a core part of the service — consider the deletion path under section 5a if your goal is to leave Talking Paper entirely rather than to keep journaling without AI features.
For the lawful basis under GDPR Art. 6 / Art. 9 governing this AI processing, the EU AI Act risk classification, and our evaluation-suite artefacts, see the internal AI Governance memo (link sent on Art. 15 access request) and the Data Processing Agreement.
3. Data Sharing and Disclosure
We do not sell your personal data. We share information only in these circumstances:
Service Providers (Subprocessors)
We engage third-party processors to operate the service. Examples include Render (hosting), OpenRouter and the underlying model providers it routes to (AI processing of journal text), Paddle (payments / merchant of record), and Zoho Mail (transactional email).
The complete, current list — including each vendor's purpose, data categories processed, region, transfer mechanism (Standard Contractual Clauses or other Art. 46 GDPR safeguard), and Data Processing Addendum status — is published and maintained at our Subprocessors page. That page is the authoritative recipients list for the purposes of GDPR Art. 13(1)(e). We commit to a 30-day notice before adding or materially changing a subprocessor — see section 8a below.
Live chat support (Crisp). Our in-app live-chat widget is provided by Crisp IM SAS (EU, crisp.chat) for the purpose of routing and answering support conversations. When the widget loads, the following data may be shared with Crisp: your email address, display name, and account identifier (to route the conversation back to your account), together with the content of any chat message you send. The widget is only loaded after you have granted preferences cookies through the cookie banner — until then, no Crisp script is loaded and no identifying attributes are transmitted. See the Subprocessors page for Crisp's region, transfer mechanism, and Data Processing Addendum status.
Other Circumstances
- Legal Requirements: When required by law, subpoena, or court order
- Business Transfers: In case of merger, acquisition, or sale of assets
- Your Consent: With your explicit permission
- Aggregated Data: Non-identifiable statistics for analytics
4. Data Security
We implement industry-standard security measures:
- Encryption in transit (HTTPS/TLS) and at rest
- Regular security audits and vulnerability testing
- Access controls and authentication
- Daily Render-managed Postgres backups, encrypted at rest by the underlying cloud infrastructure (see Subprocessors)
- Employee training on data protection
- Incident response procedures
While we strive to protect your data, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.
5. Your Rights
Under GDPR and CCPA, you have the right to:
- Access: Request a copy of your data
- Rectification: Correct inaccurate data
- Erasure: Request closure of your account and removal of your data, subject to the limits described in section 5a below
- Portability: Export your data in a portable format
- Object: Opt-out of certain processing
- Restrict: Limit how we use your data
- Withdraw Consent: For consent-based processing
- Non-discrimination: Exercise rights without penalty
5a. What Account Closure Actually Removes
GDPR Article 17 gives you the right to request erasure. We honour that right within the limits the Regulation itself recognises (Article 17(3)) and we want to be transparent about what is removed and what is retained, in what form, and why.
When you request account deletion, the following happens:
- 30-day grace period. Your account is scheduled for closure but remains usable. You can cancel the request at any time during this window.
- Account anonymisation (irreversible after the grace period). Your email address, display name, and password are replaced with a non-identifying tombstone value. You will no longer be able to sign in. Active sessions on every device are revoked.
- Journal entries and AI-derived data are removed from active service. Journal entries, AI memories, character model, and mood history are flagged as deleted and stop being shown, used, or processed. Backend copies are scheduled for hard deletion by a separate retention job.
- Hard deletion of derived data is partial today. A scheduled cron purges journal entries you have individually soft-deleted, after 90 days. Backend copies tied to account deletion (and AI-derived data — memories, character model, mood history) are not yet on a deterministic purge timeline. We are rolling out a single retention job that will cover both paths; until then you can request an accelerated manual review at any time by contacting support@talkingpaper.app.
- Records we retain in anonymised form, with their lawful basis:
- Billing and tax records (payments, invoices, refunds, processor webhook history): retained for up to 7 years to comply with EU and Polish accounting and tax law (Art. 6(1)(c) GDPR — legal obligation).
- Security and abuse-prevention records (login attempts, rate-limit violations, abuse decisions): retained for up to 12 months to defend the service and other users (Art. 6(1)(f) GDPR — legitimate interest).
- Consent records (when you accepted which version of which policy): retained for the limitation period of any associated claim, as evidence of lawful processing under Art. 7(1) GDPR.
- Backups may transiently retain account data for the duration of the backup retention window and are overwritten in normal rotation.
If you believe any retained record should not be kept, or you want a status update on the residual hard-deletion job for your account, contact support@talkingpaper.app. You can also lodge a complaint with your supervisory authority (in Poland, the President of the UODO).
5b. Data Retention Summary
The table below summarises how long each category of data is kept while your account is active, what happens to it after you request account deletion, and the GDPR Art. 6(1) lawful basis that justifies the processing. These retention windows reflect the current implementation of our retention cron (enforce_data_retention) and the source-of-truth operator runbook at runbooks/data_retention.md. Where deletion is logical (account flagged inactive, content stops being shown or processed) rather than physical (data removed from disk), the table says anonymised or soft-deleted, not deleted. We will tighten this language as the cascade hard-delete pipeline closes the remaining residual-purge gaps; the policy version stamp at the top of this page will be bumped at that time.
| Data category | Retention while account active | Retention after account deletion | Lawful basis |
|---|---|---|---|
| Account profile (email, display name, password hash) | For the life of the account. | Anonymised at T+30 days after the deletion request: email replaced with a non-identifying tombstone, name cleared, password unusable, account flagged inactive, sessions revoked. The row is retained in anonymised form so foreign keys on retained records (billing, consent, security) remain valid. | Art. 6(1)(b) — contract |
| Journal entries (text content, paragraphs, mood tags) | For the life of the account, unless you delete individual entries (which soft-deletes them and queues them for hard deletion 90 days later). | Soft-deleted at T+30 days alongside account anonymisation; hard-deleted at T+120 days by the existing soft-delete purge cron, which cascades to source-linked AI-derived data (see below). | Art. 6(1)(b) — contract |
| Embeddings and paragraph vectors (numeric representations of journal text used for similarity search) | For the life of the parent journal entry. | Hard-deleted at T+120 days via database CASCADE when the parent journal entry is hard-deleted. | Art. 6(1)(b) — contract |
| AI memories (MemoryBlock rows extracted from journal text) | For the life of the account. | Orphan rows (no source entry on file) hard-deleted at T+30 days in the same transaction as account anonymisation; source-linked rows ride the journal-entry CASCADE and are hard-deleted at T+120 days. | Art. 6(1)(b) — contract |
| Mood inferences (MoodScore rows derived from journal text) | For the life of the account. | Orphan rows hard-deleted at T+30 days; source-linked rows hard-deleted at T+120 days via the journal-entry CASCADE. | Art. 6(1)(b) — contract |
| Character model and rolling summary (TraitSnapshot, RollingSummary) | For the life of the account. | Hard-deleted at T+30 days in the same transaction as account anonymisation — these are direct user-summary records with no retention value once the user is gone. | Art. 6(1)(b) — contract |
| Cancellation feedback (free-text reason submitted when cancelling a subscription) | 90 days, then the free-text field is scrubbed from the subscription-event row (other event metadata is kept). | As per active retention — scrubbed 90 days after the cancellation event regardless of account status. | Art. 6(1)(f) — legitimate interest (product feedback) |
| Support tickets and communications (messages sent to support, replies, attachments) | For the life of the account, plus the limitation period of any unresolved support matter. | Retained in anonymised form for the limitation period of any associated claim, then deleted. | Art. 6(1)(f) — legitimate interest (service delivery and dispute defence) |
| Billing and tax records (payments, invoices, refunds, Paddle webhook history) | For the life of the account. | Retained in anonymised form for up to 7 years to comply with EU and Polish accounting / tax law. | Art. 6(1)(c) — legal obligation |
| Security and abuse-prevention logs (login attempts, rate-limit violations, abuse decisions) | Up to 12 months on a rolling basis. | Retained in anonymised form for up to 12 months to defend the service and other users. | Art. 6(1)(f) — legitimate interest |
| Consent records (ConsentRecord — which policy version you accepted, when) | For the life of the account. | Retained for the limitation period of any associated claim, as evidence of lawful processing. | Art. 7(1) — demonstrable consent; Art. 6(1)(c) where consent is the legal-obligation evidence trail |
| Analytics and observability data (aggregate usage events, Sentry error reports, Langfuse traces where enabled) | Per processor retention (see Subprocessors page). | User identifiers are scrubbed on processor calls invoked from account anonymisation; underlying processor-managed retention windows continue to apply to anonymised records. | Art. 6(1)(f) — legitimate interest |
| Landing-page visitor sessions (VisitorSession — hashed IP and parsed user-agent bucket; browser/OS family and version, screen size, language, timezone, returning-visitor flag, hour and day of week, scroll depth, engagement time, interaction count and mouse-movement count only when analytics cookies have been accepted) | Up to 60 days. The strictly-necessary slice (hashed IP, UTM attribution, device-type bucket, referrer, country, bot signals) is recorded on every landing-page visit; the analytics-only fields above are only written when you accept analytics cookies in the cookie banner. | Hard-deleted at T+60 days from the visit date by the retention cron (enforce_data_retention) regardless of account status. | Art. 6(1)(f) — legitimate interest (security and abuse prevention, aggregate traffic measurement) for the strictly-necessary slice; Art. 6(1)(a) — consent for the analytics-only slice |
| Backups (encrypted Postgres backups managed by Render) | Per backup-rotation window (see runbooks/backups.md). | Backups may transiently retain data for the duration of the rotation window and are overwritten in normal rotation. | Art. 6(1)(f) — legitimate interest (service continuity) |
Definitions used in the table: anonymised means the row remains in the database but identifiers have been replaced with non-identifying values so the row can no longer be linked back to you; soft-deleted means the row is flagged as deleted and is no longer shown, used, or processed, but is still on disk pending the next hard-delete cycle; hard-deleted means the row has been physically removed from the database. The full operator reference, including cron schedule and source-code pointers, is at runbooks/data_retention.md.
See the Refund & Cancellation Policy export-window section and the Data Export page for the export-window mechanics after cancellation: data is retained for 30 days after cancellation, you may request an export at any time during that grace period, and each generated export is downloadable for 7 days.
7. Children's Privacy
This service is intended for users aged 16 and over. You must be 16 or older to use Talking Paper. We do not knowingly collect personal information from anyone under 16. If you are a parent or guardian and believe we have collected information from your child, please contact us immediately at support@talkingpaper.app.
We apply the GDPR Article 8(1) default age of 16 to every user worldwide. This single global floor exceeds the lowest national digital-consent ages across the EU/EEA (which range from 13 in some member states to 16 in others) and removes the need for per-country branching or parental-consent flows at signup.
8. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Sending an email to registered users
- Displaying a prominent notice on our service
- Updating the "Last updated" date at the top of this policy
Continued use of our service after changes constitutes acceptance of the updated policy.
8a. Subprocessor Change Notice
Under GDPR Art. 28(2) we are required to give you a meaningful opportunity to object before a new subprocessor begins processing your personal data. We commit to publishing notice of any addition or material change to the Subprocessors list at least 30 days before the change takes effect.
To object to a planned change, email support@talkingpaper.app within the 30-day window. Where an objection cannot be reconciled, you have the right to terminate your subscription under our Terms of Service.
8b. AI Governance Documents and Data Protection Impact Assessments
The AI features in Talking Paper (memory extraction, personality-trait scoring, mood scoring, AI reply, paragraph reflection) are governed by an internal AI policy, an EU AI Act risk-classification record, and a GDPR Art. 35 data protection impact assessment (DPIA) dedicated to those AI features. In addition, an umbrella DPIA covers every other processing activity Talking Paper performs (account creation and authentication, journaling storage, payments and billing, transactional email, support, security and abuse-prevention logging, analytics and observability, and backups). Together these documents record the lawful basis for our processing, our role under the EU AI Act, the risks we have identified, and the mitigations we apply.
The canonical artefacts are maintained in our source repository at docs/governance/AI_POLICY.md, docs/governance/AI_RISK_CLASSIFICATION.md, docs/governance/AI_DPIA.md (AI-feature DPIA), and docs/governance/DPIA.md (umbrella DPIA covering all other processing). To request a copy for due diligence, regulatory, or personal-rights purposes, email support@talkingpaper.app or our Data Protection Officer at dpo@talkingpaper.app.
9. Contact Us
For privacy-related questions or to exercise your rights:
Privacy Contact Information
Email: support@talkingpaper.app
Data Protection Officer: dpo@talkingpaper.app
Address:
Talking Paper
Ahmet Cem Akgül
Zygmunta Modzelewskiego 46/50/508
02-679 Warsaw
Poland
Privacy Notice for California Residents
This section applies to California residents and supplements the rest of this Privacy Policy. It is provided under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
Categories of Personal Information We Collect
- Identifiers — name, email address, IP address, account ID.
- Commercial information — subscription tier, payment status (handled by Paddle).
- Internet / network activity — pages visited, device type, referrer.
- Sensitive personal information (CPRA §1798.121) — journal entries about mental and emotional state, which we treat as sensitive PI by default given the mental-health context.
- Inferences — character traits, mood scores, and memories extracted by AI from your journal entries.
Sale / Share Determination
We do not sell personal information for monetary consideration. We may "share" personal information for cross-context behavioral advertising as defined by CCPA where third-party analytics tags (e.g. Google Analytics, Plausible) are present and you have not opted out. You can opt out at any time via the Do Not Sell or Share My Personal Information page. We do not knowingly sell or share the personal information of minors under 16.
Retention
We retain personal information only as long as needed for the purposes described in Section 2 (How We Use Your Information). Journal content is retained until you delete it or request account deletion; account-deletion retention is described in the "Your Rights" section above and in our data-retention runbook.
Your California Rights
- Right to know what personal information we have collected, used, disclosed, and "shared."
- Right to delete personal information collected from you.
- Right to correct inaccurate personal information.
- Right to opt out of "sharing" for cross-context behavioral advertising — exercise via the Do Not Sell or Share page.
- Right to limit use of sensitive personal information (CPRA §1798.121) — exercise via the same page.
- Right to non-discrimination for exercising any of the above.
Verifiable Consumer Request
To exercise rights to know, delete, or correct, submit a Verifiable Consumer Request by emailing dpo@talkingpaper.app from the email address registered on your account, or by using the in-app data export and account-deletion controls. We will verify your identity to the standard of reasonable certainty before fulfilling the request and will respond within 45 days.
Authorized Agent
You may designate an authorized agent to make a request on your behalf by providing the agent with written, signed permission and verifying your identity directly with us.