My Evening

Privacy Policy

Last updated: July 9, 2026

Our Commitment to Your Privacy

My Evening is built on a simple principle: your personal reflections belong to you alone. We designed the App to be on-device first — your journal content is created and stored on your iPhone, not in our cloud. A small number of features (signing in, voice transcription, and the AI that helps you recognize the people you mention) require limited off-device processing, and we describe each of those flows plainly below.

This Privacy Policy explains how My Evening ("we", "us", "our") handles information when you use our iOS application ("the App") and our website at myevening.app ("the Website"). By using the App or Website, you agree to the practices described in this policy. We do not use advertising or cross-app tracking; the only analytics we use is anonymous and aggregate — an anonymous first-run (onboarding) funnel and anonymous, counts-only ritual usage summaries, both sent to our own servers — described in the Analytics section below.

Data Controller

My Evening is operated by Ivan Sokalskyi, prowadzący jednoosobową działalność gospodarczą pod firmą "My Evening" (sole proprietorship registered in Poland), NIP 8982299245, REGON 526716694, EU VAT ID PL8982299245, wpisany do CEIDG. Registered office: ul. Edwarda Abramowskiego 45, 51-663 Wrocław, Poland.

For questions about data handling, contact us at privacy_myevening@rongan.me or by post at the address above. Full operator details are also published on our Legal Notice page.

Information We Do Not Collect

We want to be clear about what we do not collect:

  • We do not store the body of your journal content on our servers. Your gratitude entries, tomorrow plans, session history, and the profiles of people you thank are stored on your device. (Limited exceptions when you use specific features: your spoken audio is transmitted for transcription, and — when you save a gratitude entry — your gratitude-entry text plus the names of people you mention are sent to an AI provider so we can suggest who you thanked. Both flows are described in detail below.)
  • We do not keep recordings of your voice. Audio is streamed in real time for transcription and is not written to disk on our side. (How the transcription provider handles audio on its side is described in the Voice section below.)
  • Your phone number, postal address, contacts, photos, location, or other device data
  • Your HealthKit data (read/written on-device only, never transmitted off your device)
  • Your browsing history, cookies, advertising identifiers, or cross-app tracking signals
  • Your payment information (handled entirely by Apple)

We do receive your Apple identity through Sign in with Apple, and we operate a backend that stores account, subscription, and operational data — see the On-Device Data Storage and Backend Account Data sections below for exactly what is stored, where, and for how long.

On-Device & iCloud Data Storage

The journal content you create in My Evening — gratitude entries, tomorrow plans, session and breathing history, the profiles of people you thank (display names, preferred names, aliases including relational/kinship terms, how often you thank them, and any avatar photos you add), and your app settings — is stored on your device using Apple's SwiftData framework and, when iCloud is available, syncs through Apple's CloudKit to your own iCloud private database so it follows you to your other devices. That synced copy lives in your personal iCloud account under your Apple ID. Journal content is never stored on our servers, and we cannot read it — it exists only on your device and in your own iCloud. Your HealthKit bedtime is held on-device only.

Your Sign in with Apple token is held in the iOS Keychain on your device (no email or name — any cached email from an older version is deleted automatically).

What leaves your device. On-device storage is the default, but three specific flows transmit data off your device. We summarize them here and explain each in its own section below:

  • Voice transcription (when you choose to speak). Microphone audio streams to our backend, which forwards it to ElevenLabs in the United States for real-time transcription. See the Voice section.
  • AI person detection (when you save a gratitude entry). Your gratitude-entry text and the names of people you mention are sent to OpenAI in the United States to help recognize people across nights. This is a core part of the feature. See the Person Detection section.
  • Account, subscription & operational data. A limited set of account and service-operation records are stored on our backend in Microsoft Azure (North Europe — Ireland). See the Backend Account Data section.

On-device data retention: data stored on your device remains as long as the App is installed. If you delete the App, iOS removes the locally stored data; we cannot recover on-device data because it was never on our servers. Backend retention is described in the Backend Account Data and Account Deletion sections below.

Data backup: Your on-device data may be included in your iCloud or local device backups as managed by Apple and your device settings. We do not control or access these backups.

Voice Data and Transcription

When you choose to speak instead of type, microphone audio streams from your iPhone over an authenticated WebSocket connection to our backend in Microsoft Azure (North Europe — Ireland), which proxies the audio to ElevenLabs, Inc. (Scribe v2 model) for real-time transcription. The transcript is returned to your device and saved locally.

Where the audio goes. ElevenLabs is currently reached at its global endpoint in the United States. We (the App and our backend) do not write your audio to disk. How ElevenLabs handles the audio on its side — including any logging or retention — is governed by our agreement with ElevenLabs and its standard terms / Data Processing Addendum.

Improvements in progress. Our code supports a zero-retention mode (which instructs ElevenLabs not to log requests) and EU data residency. These are not yet active: they depend on an ElevenLabs Enterprise plan and operator configuration, which we are in the process of putting in place. Until then, please assume voice audio is transmitted to ElevenLabs in the United States under its standard (default-logging) terms.

Names as recognition hints. To improve transcription accuracy, the display names and non-relational aliases of people in your person list may be sent to ElevenLabs as recognition keyterms. These are names of third parties — see "People You Mention" below.

What is stored on our side: only the resulting transcript, which lives on your device.

Voice transcription requires an authenticated session and a network connection. If neither is available, you can switch to text input. There is no on-device speech-recognition fallback at this time, and the Apple Speech framework is not used.

AI Person Detection

My Evening uses an AI model to recognize the people you mention across nights, so the same person is linked consistently in your private person list. This is a core part of how the App works — seeing who keeps showing up in your gratitudes is one of the things My Evening is for. It runs automatically for everyone, every time you save a gratitude entry; there is no separate toggle to turn it on or off.

What is sent. After a gratitude entry is saved we send to OpenAI (gpt-5-nano via the Responses API, in the United States): the gratitude-entry text (up to the first 1,000 characters) plus structured information about people in your list — their display names, preferred names, all aliases (including relational/kinship terms), and how often you have thanked them. The model returns suggestions about which person each entry mentions.

Provider handling. We send these requests with store=false, which instructs OpenAI not to persist the request or response for retrieval or standard retention, and OpenAI does not train on data submitted through its API by default. One caveat we want to be honest about: OpenAI applies standard, transient abuse-monitoring logging (up to roughly 30 days) at the account/contract level, which is not something we can disable in code. The OpenAI EEA contracting party is OpenAI Ireland Ltd.; inference runs at OpenAI L.L.C. in the United States.

Suggestions, not decisions. The model output is a suggestion you can accept, reject, edit, or ignore. It produces no legal or similarly significant effect, so we do not treat it as automated decision-making under GDPR Art. 22 (see the AI Features section below).

People You Mention (Third-Party Data)

Your person list contains information about other people — their names, the names you call them (including relational or kinship terms), and how often you thank them. This is personal data about third parties, processed so the App can help you reflect on and recognize the people in your life.

Where these names can travel. Names may be sent to ElevenLabs as transcription recognition hints (whenever you use voice), and names and aliases are sent to OpenAI as part of AI person detection (whenever you save a gratitude entry), as described above.

Legal basis. For users in the EEA/UK, we process the information you record about the people you thank to deliver a feature that is central to the App — performance of our contract with you (GDPR Art. 6(1)(b)). To the extent this involves personal data about those third parties themselves, we additionally rely on our legitimate interest (GDPR Art. 6(1)(f)) in providing a personal-reflection feature, balanced against the limited, non-public nature of the data.

If you are someone a user mentions. Because this data lives in an individual user's private journal on their device (and is transmitted only transiently for the features above), we usually have no way to identify you or link you to a request. If you believe a My Evening user holds information about you and you wish to object, or to ask about access or deletion (GDPR Art. 14, 15, 17, 21), contact us at privacy_myevening@rongan.me. The most direct remedy is for the user to edit or delete that person from their list, and we will help facilitate this where we reasonably can.

AI Features and Person Detection

My Evening uses two AI systems. Under the EU AI Act (Regulation (EU) 2024/1689), our assessment — recorded internally and available to supervisory authorities on request — is that both are minimal-risk: neither is a prohibited practice, neither is a high-risk system, and neither is the kind of conversational or content-generating system covered by the Act's Article 50 transparency obligations (applicable from 2 August 2026). Speech-to-text faithfully renders your own words into your own private journal, and person detection produces only suggestions that you confirm. We nevertheless disclose both here — and mark AI-generated suggestions in the app — so you always know when AI is involved in producing what you see:

  • Voice transcription (ElevenLabs Scribe v2, United States). Converts audio you speak into the corresponding transcript. Used for transcription only; not used to identify you as a speaker.
  • Person detection (OpenAI gpt-5-nano via the Responses API, United States) — a core feature that runs whenever you save a gratitude entry. The entry's text and your existing person list are sent to the model, which returns suggestions about which person each entry mentions. You remain in control of the result: the model output is a suggestion — not a decision — that you can accept, reject, edit, or ignore. See the AI Person Detection section above for what is sent and how it is handled.

No automated decision-making with legal or significant effects. The AI features do not produce legal effects (e.g., approval / denial decisions, eligibility scoring, contractual changes). They are user-interface aids. We therefore do not consider them to fall within GDPR Art. 22 ("decisions based solely on automated processing").

We do not use AI to generate text for you, to impersonate a real person, to produce deepfakes or synthetic media, or for emotion recognition or biometric categorization.

The operator maintains an internal Data Protection Impact Assessment covering these AI features and the off-device transfers they involve. The DPIA is held internally and provided to supervisory authorities on request.

Backend Account Data

To sign you in, verify your subscription, and run the service safely, we operate a backend in Microsoft Azure (North Europe — Ireland) that stores a limited set of records. None of this includes the body of your journal entries.

  • Account profile. A SHA-256 hash of the Apple sub claim that identifies your account, and account timestamps (created, last login). We do not collect your email or name. The App does not ask Apple for them at sign-in and does not send them to us; if an older version ever transmitted them, our server discards them and stores neither. We no longer store the raw Apple identifier — it is used transiently only to compute the hash.
  • Subscription & transaction data. Your entitlement and the signed transaction details Apple sends us (product, transaction identifiers, expiry, renewal/grace status, environment, trial end, refund/revocation markers, verification timestamps), linked to your account, including a small record of your one-time introductory-offer (free-trial) redemption if you used it. This replaces any earlier statement that we receive only "anonymous transaction confirmations" — we do store subscription/transaction data tied to your user.
  • Usage counters. Per-user daily tallies (counts only — never journal content) of AI-detection calls, AI token usage and micro-cost, transcription audio bytes and session counts, and first/last activity. Retained for roughly 180 days.
  • Rate-limit & abuse counters. Per-user hourly request counters and pre-authentication per-IP-hash counters, used to prevent abuse. Retained for roughly 7 days.
  • Live connection slots. Per-user counters of active transcription WebSocket connections (transient).
  • Operational telemetry. Application Insights / Log Analytics events keyed to your hashed account identifier (for example: a person-detection request, a transcription session, a verified subscription, an account deletion, a sign-in), plus error reports and Azure's default request telemetry (which may include a masked client IP). Because these are keyed to your hashed identifier, they are pseudonymous personal data, not anonymous. Retained for the Azure default window (typically about 30–90 days).

Operator access. The operator can view per-user account, subscription/transaction, usage, and recent telemetry records through an internal admin portal protected by Microsoft Entra ID (Azure AD) sign-in. Entra ID is the operator's own identity provider for that portal; no end-user journal content flows to it.

For the full sub-processor list with locations, transfer mechanisms, and DPA references, see our Sub-processors page.

Analytics

All analytics in the App are anonymous and aggregate. There are two surfaces, both first-party and both going only to our own servers: an anonymous first-run (onboarding) funnel, and anonymous ritual usage summaries. We use no third-party analytics SDK at all — no Google Analytics, no Firebase, no Facebook SDK, no Adjust, no AppsFlyer, and no advertising identifiers.

Onboarding funnel (first-party, anonymous). When you first set up the App, it sends onboarding progress events to our own backend (Microsoft Azure, EU/Ireland): which setup step was reached, how long each step took, whether you went back or skipped, whether a failure occurred (for example, the subscription screen failing to load), your setup choices (such as the selected plan or reminder preference), and coarse context — the iOS major version, the device family (e.g. "iPhone"), the country and language set in your device settings (a setting, not your location), and a rough time-of-day bucket. These events are keyed only to random identifiers generated on your device (one per install, one per setup attempt) — never to your Apple account, email, name, device identifier, or IP address — and we never link them to your account after you sign in. Because most of onboarding happens before sign-in, this data is anonymous by construction: we can see that someone stopped at a given step, but not who. It contains no journal content, is used only in aggregate to find and fix losing steps in the first-run experience, and is deleted after 400 days. Since it cannot be tied back to you, it is not affected by (and cannot be located for) account deletion — it simply ages out.

Ritual usage summaries (first-party, anonymous). After you complete an evening ritual, the App sends one anonymous summary to our own backend (Microsoft Azure, EU/Ireland) containing only counts: which ritual steps ran and whether each was completed or skipped, how long they took, and how many items were recorded (for example, "3 gratitude entries") — never the text of your entries, never names, never any journal content. Like the onboarding funnel, these events are keyed only to the random install identifier generated on your device, never to your Apple account, email, name, or device identifier. Our server folds each summary into per-day totals and keeps only those aggregate counters — no per-device or per-person rows — so this data cannot be tied back to you and simply describes how the App's rituals are used overall. In our App Store privacy label and privacy manifest, both analytics surfaces are declared as Product Interaction and Other Diagnostic Data: "Not Linked to You" and not used for tracking.

Backend telemetry (not anonymous). Our backend does emit operational telemetry to Microsoft Application Insights, and those events are keyed to your hashed Apple identifier. Because they can be tied back to your account via that identifier, we describe them honestly as pseudonymous personal data, not anonymous analytics. They contain no journal content. See the Backend Account Data section above for what is recorded and how long it is kept.

Debug builds of the App also write diagnostic events to Apple's os.log system for engineering purposes. These logs stay on your device and contain no entry content, person names, or identifiers.

We comply with Apple's App Tracking Transparency (ATT) framework. No component of the App tracks you across other companies' apps or websites, and we do not request ATT permission because we do not engage in tracking.

HealthKit Integration

If you grant permission, My Evening uses Apple HealthKit during onboarding to help you set your bedtime. We comply fully with Apple's HealthKit guidelines:

  • Read: we read your most recent sleep sample so we can pre-fill your bedtime in the time picker.
  • Write (opt-in only): if you choose, we write a single inBed sleep sample to HealthKit so your bedtime appears in the Health app. This stays on your iPhone and is never sent to our servers.
  • HealthKit data is only used within the App to personalize your experience
  • HealthKit data is never transmitted off your device
  • HealthKit data is never shared with third parties
  • HealthKit data is never used for advertising or marketing

You can revoke HealthKit access at any time through your iPhone's Settings > Privacy & Security > Health > My Evening.

Subscriptions and Payments

Subscription purchases are processed and managed by Apple through the App Store using StoreKit 2. Apple is the merchant of record and an independent controller for your Apple ID and billing; it collects and remits any applicable consumer tax. We do not process payments, store credit card numbers, or have access to your payment-card information. Your purchase history with Apple is governed by Apple's Privacy Policy.

To verify and manage your subscription, our backend receives signed StoreKit 2 transactions and App Store Server Notifications from Apple (including renewals, refunds, and revocations) and stores the resulting entitlement and transaction details linked to your account (see the Backend Account Data section). This replaces any earlier statement that we receive only "anonymous transaction confirmations" or store nothing — we do store subscription data tied to your user. We do not receive your payment-card details.

Current pricing: Monthly $2.99 USD/month; Annual $24.99 USD/year, after a 7-day free trial. After the trial, you have read-only access to your history; active ritual features require a subscription. Subscriptions auto-renew through Apple unless cancelled; manage or cancel anytime in your Apple ID settings.

Third-Party Services

My Evening minimizes third-party dependencies. We share personal data only with the following categories of recipients — our platform, authentication and billing provider (Apple), AI processing providers (currently ElevenLabs and OpenAI), and cloud infrastructure and hosting providers (currently Microsoft) — each under contract and always itemized on our Sub-processors page. The services currently involved are:

  • Apple Sign In — Authentication. Apple returns an identity token; we hash the sub claim with SHA-256 to form your account ID. We do not receive or store email or full name: the App requests no name or email at sign-in, and if an older App version ever transmitted them our server discards them and stores neither.
  • Apple StoreKit 2 — Subscription management on Apple's servers.
  • Apple HealthKit — Bedtime read and optional inBed write, on-device only, if you grant permission.
  • ElevenLabs, Inc. (Scribe v2, United States) — Voice transcription. Audio is streamed transiently; we do not retain it on our side. Provider-side handling is governed by our agreement with ElevenLabs (see the Voice section).
  • OpenAI (Responses API, gpt-5-nano, United States) — AI person detection on saved gratitude entries (a core feature that runs for every user). Requests are sent with store=false; OpenAI does not train on API data by default (see the AI Person Detection section). OpenAI Ireland Ltd. is the EEA contracting party.
  • Microsoft Azure (North Europe — Ireland) — Hosting for the myevening.app backend (authentication, transcription proxy, subscription verification) and storage of the account/subscription/operational data described above. This website's static hosting is in Azure West Europe and holds no personal data.
  • Microsoft Entra ID (Azure AD) — Sign-in for the operator's internal admin portal only. No end-user journal content flows to Entra ID.

We do not use advertising networks, social media SDKs, crash reporting services that transmit personal data, data brokers, or any other third-party services that collect user information.

For a complete dated list of sub-processors with locations, transfer mechanisms, and DPA references, see our dedicated Sub-processors page. We give at least 30 days' notice on that page before adding a new sub-processor that processes personal data.

Last sub-processor change: 2026-06-14.

Notifications

My Evening sends local notifications as bedtime reminders if you enable them. These notifications are scheduled and delivered entirely on your device by iOS. They are never processed by our servers. You control notification permissions through your iPhone's Settings.

Children's Privacy

My Evening is not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13. The App requires Sign in with Apple and is intended for adults observing an evening ritual. If you believe a child under 13 has provided us personal information, please contact us at privacy_myevening@rongan.me and we will delete the associated account data.

For users in the European Economic Area, GDPR Article 8 requires parental consent for children under 16 (or the age set by the relevant EU member state, which may be as low as 13). If you are under 16 and located in the EEA, you must have your parent or legal guardian's consent before using the App. We do not perform age verification; we rely on parents and guardians to supervise use of the App and on Apple's account-level age settings.

Your Rights Under GDPR (European and UK Users)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have certain rights under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the equivalent UK GDPR + Data Protection Act 2018:

  • Right to access (Art. 15) — Your journal content is on your device and fully accessible to you within the App at all times. For backend-stored data (hashed Apple identifier, subscription/transaction records, usage counters, telemetry — we hold no email or name), email privacy_myevening@rongan.me and we will respond within 30 days.
  • Right to rectification (Art. 16) — Edit your entries directly in the App. We hold no email or name to correct — our backend records are limited to your hashed identifier and service data; for anything else, contact us via the email above.
  • Right to erasure (Art. 17) — Delete individual entries in the App, or delete your account via Settings → Delete Account. This removes your account and all per-user backend records. As permitted by Art. 17(3), a minimal fraud-prevention marker is retained if your account was banned, and pseudonymous operational logs persist for a limited period — see the Account Deletion & Retention section below. Uninstalling removes on-device data.
  • Right to portability (Art. 20) — Your journal content is stored on your device (and, when iCloud sync is enabled, in your personal iCloud account) — it is already in your possession, and we hold no copy to port. For the backend data we do hold (hashed Apple identifier, subscription/transaction records, usage counters), email privacy_myevening@rongan.me and we will provide a machine-readable JSON copy.
  • Right to restrict processing (Art. 18) — Most processing happens on your device, where you control it. You can choose to type instead of speak (which avoids the voice flow). AI person detection is part of the core service; to restrict backend-side processing, contact us — we may suspend your account.
  • Right to object (Art. 21) — You may object to processing based on legitimate interest (e.g. security logs, third-party names). You can stop using the App at any time; after account deletion only the limited records noted below remain.
  • Right to withdraw consent (Art. 7(3)) — Where we rely on consent (your use of voice, granted through the microphone permission), you can withdraw it by switching to text, without affecting prior processing. AI person detection is provided on the basis of our contract with you, not consent (see the legal bases below).
  • Right not to be subject to automated decision-making (Art. 22) — Not applicable: our AI features produce suggestions, not decisions with legal or significant effects.

Legal bases for processing. We rely on different bases for different processing:

  • Authentication & subscription — contract performance (Art. 6(1)(b)): your hashed Apple identifier and subscription/transaction data are needed to provide and maintain the App.
  • Voice transcription — consent (Art. 6(1)(a)) via the microphone permission and your choice to speak, together with contract performance for delivering the dictated text. You can use text instead at any time.
  • AI person detection — performance of our contract (Art. 6(1)(b)). Recognizing and linking the people you thank across nights is central to the service you sign up for, so we process your gratitude-entry text and your person list to provide it. We disclose this at onboarding and here, and apply store=false and data minimization (only the entry being saved is sent).
  • Security, abuse prevention & the minimal ban marker — legitimate interest (Art. 6(1)(f)) in operating and protecting the service.
  • Information about people you mention — performance of our contract (Art. 6(1)(b)) for the feature itself, and legitimate interest (Art. 6(1)(f)) as to the third parties' own data; see "People You Mention" above, including how a mentioned person can object or request access/deletion (Art. 14, 21).

Retention. Usage counters are kept for roughly 180 days; rate-limit windows for roughly 7 days; Application Insights and Azure Front Door edge logs for the Azure default window (typically about 30–90 days). Account, subscription, and profile records are kept while your account exists and are removed on deletion, subject to the limited exceptions in the Account Deletion & Retention section.

Voice audio and AI text are transmitted to the providers transiently to deliver those features and are not retained on our side. Provider-side handling is governed by our agreements with ElevenLabs and OpenAI (see the Voice and AI Person Detection sections).

UK consumers. If you are in the UK, your rights under the UK GDPR and Data Protection Act 2018 mirror those listed above. You may complain to the Information Commissioner's Office at ico.org.uk if you believe we have mishandled your personal data.

EEA consumers. You may complain to the supervisory authority in your member state, or to the Polish data-protection authority (Urząd Ochrony Danych Osobowych — UODO) at uodo.gov.pl as our lead supervisory authority.

Swiss consumers. If you are in Switzerland, the Federal Act on Data Protection (FADP) applies and your rights mirror those above; US transfers additionally rely on the Swiss addendum to the EU Standard Contractual Clauses. You may complain to the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.

International transfers. Our backend, storage, and operational logs are in Microsoft Azure North Europe (Ireland). Two transfers leave the EEA for the United States: voice audio (and name hints) to ElevenLabs whenever you speak, and gratitude text and names to OpenAI whenever you save a gratitude entry. The intended safeguards per provider are:

  • ElevenLabs (United States) — voice audio. ElevenLabs, Inc. is certified under the EU-US Data Privacy Framework (including the UK Extension), which provides the transfer basis while that certification remains active; EU Standard Contractual Clauses (Module 2: controller → processor) in the ElevenLabs Data Processing Addendum are the fallback mechanism, with the UK International Data Transfer Addendum where applicable, alongside our Transfer Impact Assessment. We are finalizing the signed DPA with ElevenLabs; until it is in place, the required processor contract (GDPR Art. 28(3)) and the SCC fallback for this flow are not yet complete, and we are also enabling zero-retention mode and EU data residency for transcription (see the Voice section).
  • OpenAI (United States) — gratitude text & names. Transfer is intended to rely on EU SCCs (and the EU-US Data Privacy Framework where applicable) in OpenAI's Data Processing Addendum; the OpenAI EEA contracting party is OpenAI Ireland Ltd. (Dublin). We are finalizing the signed DPA with OpenAI; until it is in place, the required processor contract (GDPR Art. 28(3)) and the SCC fallback for this flow are not yet complete (the EU-US Data Privacy Framework provides the transfer basis in the interim). This flow is part of the core service and occurs whenever you save a gratitude entry.
  • Microsoft Azure (North Europe — Ireland) — backend hosting. Backend resources run in the EU. Where Microsoft acts as a sub-processor outside the EEA, the Microsoft Online Services DPA includes EU SCCs and the UK IDTA.

See our Sub-processors page for the full list. Our internal Transfer Impact Assessments are available to supervisory authorities on request.

Account Deletion & Retention

You can delete your account at any time from Settings → Delete Account in the App. This removes your account and all per-user backend records — your profile row, subscription entitlement and transaction binding, usage counters, rate-limit windows, and live connection slots. Uninstalling the App removes your on-device journal data.

What we retain by design (and why). A few records are kept for limited, lawful purposes:

  • A minimal fraud-prevention marker — only if your account was banned. It contains just a "blocked" status and the reason, with all other data stripped. Because the account identifier is a stable hash that would recur if you deleted and signed in again, retaining this marker is necessary to prevent abuse (GDPR Art. 17(3), Art. 6(1)(f)).
  • Your introductory-offer record — if you redeemed the one-time 7-day free trial, we keep a small record of that redemption (its start date and a transaction reference, keyed to your hashed identifier). Because the identifier is a stable hash that would recur if you deleted and re-created the account, this record is retained so the one-per-person free trial cannot be reset by re-creating an account (GDPR Art. 17(3), Art. 6(1)(f)). It is never used to block access to anything you have paid for.
  • Pseudonymous operational logs — Application Insights events keyed to your hashed identifier cannot be deleted row-by-row; they age out under the Azure retention window (typically about 30–90 days).
  • Anonymous aggregate totals — service-wide usage totals not tied to any individual.
  • Unbound Apple notifications — App Store notification records that were never linked to any user.

In short: deletion removes your account and all per-user records, except a minimal fraud-prevention marker (if applicable), a record that the one-time free trial was used (if applicable), and pseudonymous operational logs that are retained for a limited period.

Your Rights Under CCPA / CPRA (California Residents)

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA") gives you the following rights with respect to your personal information ("PI").

Notice at Collection

We collect the limited categories of PI listed below at the moment you sign in or use voice/AI features. We use this PI only for the business purposes described, retain it only as long as needed for those purposes (see retention discussion above), and do not sell it or share it for cross-context behavioral advertising.

Categories of PI Collected

  • Identifiers — SHA-256 hash of your Apple sub claim (we no longer store the raw identifier). We do not store email or full name; if shared at sign-in, our server discards them.
  • Commercial information — subscription and transaction records (product, transaction identifiers, status) we store to verify and manage your subscription.
  • Audio/electronic information — voice audio, transmitted transiently to ElevenLabs (United States) for transcription; we do not retain it.
  • Internet/network activity — backend usage counters, rate-limit data, and Application Insights telemetry keyed to your hashed identifier (pseudonymous, not anonymous; retained for a limited period and surviving account deletion within the Azure log window), plus standard Azure server/edge logs (which may include a masked IP).
  • Other user-provided content — gratitude entries, tomorrow tasks, breathing-session metadata, and the people you thank. These are stored on your device. As part of AI person detection, when you save a gratitude entry its text and the names you mention are sent transiently to OpenAI with store=false and are not retained there.
  • Geolocation: none.
  • Sensitive personal information: we do not use any data to infer characteristics such as race, religion, health, or sexual orientation. We do not sell or share PI, and we do not use sensitive PI beyond providing the service you requested.

Sources

  • Directly from you (entries, voice input, app interactions).
  • From Apple via Sign in with Apple (the hashed identifier; any name/email you chose to share is discarded by our server, not stored).

Business and Commercial Purposes

  • Authenticate your account and provide the App's features (gratitude, planning, breathing, history).
  • Transcribe voice input (ElevenLabs) and detect mentioned people in gratitude entries (OpenAI).
  • Operate the service: rate limiting, fraud prevention, security monitoring, application logs.
  • Provide subscription billing via Apple StoreKit 2.

Categories of Recipients

We share PI only with service providers in the following categories, each acting as a service provider under written contract: platform, authentication and billing (currently Apple), AI processing (currently ElevenLabs and OpenAI), and cloud infrastructure and hosting (currently Microsoft Azure) — the current, complete list is maintained on our Sub-processors page, with at least 30 days' notice before any addition. We do not share PI with advertisers or data brokers. We use no third-party analytics provider; our first-party analytics (the onboarding funnel and ritual usage summaries, stored on our own Microsoft Azure backend) are anonymous and not linked to your identity (see the Analytics section), and we do not share identifiable personal information with analytics companies.

Your Rights

  • Right to know the categories and specific pieces of PI we have collected about you.
  • Right to delete the PI we hold about you (Settings → Delete Account in the App, or contact us by email/postal mail).
  • Right to correct inaccurate PI (CPRA-added right, effective Jan 2023).
  • Right to opt out of sale or sharing for cross-context behavioral advertising.
  • Right to limit the use of sensitive PI — N/A as we do not collect or use sensitive PI for inference.
  • Right to non-discrimination for exercising any of the above.

Do Not Sell or Share My Personal Information

We do not sell or share your PI as those terms are defined under the CCPA/CPRA, and we have not in the preceding 12 months. Because we do not engage in sale or sharing for cross-context behavioral advertising, no "Do Not Sell or Share" link is required (per CCPA Reg. § 7026). We honor Global Privacy Control (GPC) signals for any future change in posture. We do not knowingly collect or sell PI of consumers under 16 without affirmative opt-in.

Automatic Renewal

Subscriptions are sold and billed through Apple and renew automatically until cancelled. Consistent with California's Automatic Renewal Law and "click-to-cancel" expectations, you can cancel at any time through Apple's subscription management — in your Apple ID settings on the device — which is the same medium used to enroll. We do not separately charge or store your payment method.

Financial Incentives

We do not offer financial incentives in exchange for the collection, sale, or retention of personal information.

How to Submit a Request

Designated request methods:

Because we store no email, name, or raw Apple identifier, we cannot verify identity by email matching. Instead, we verify requests by confirming you control the account — for example, by asking you to perform a confirmable action while signed in to the App, or to provide account details only the account holder would reasonably know (such as your subscription product or approximate sign-up date). Where we cannot verify a request with reasonable certainty, we will tell you and explain why. We aim to respond within 45 days (with one 45-day extension if necessary, as permitted by the CCPA). Authorized agents may submit requests on behalf of consumers with written authorization.

Other U.S. State Rights

Several U.S. states have privacy laws that grant similar rights to those listed above. Even where we do not meet a specific statutory threshold, we extend the same posture to residents of these states as a matter of policy:

  • Colorado (CPA) — access, correction, deletion, portability, opt-out of sale / targeted advertising / profiling. Effective 1 Jul 2023.
  • Connecticut (CTDPA) — access, correction, deletion, portability, opt-out of sale / targeted advertising / profiling. Effective 1 Jul 2023.
  • Utah (UCPA) — access, deletion, portability, opt-out of sale / targeted advertising. Effective 31 Dec 2023.
  • Oregon (OCPA) — access, correction, deletion, portability, opt-out, plus the right to know specific third parties to whom we have disclosed PI. Effective 1 Jul 2024.
  • Texas (TDPSA) — access, correction, deletion, portability, opt-out. Effective 1 Jul 2024. We are subject to TDPSA from day one as it has no quantitative threshold.
  • Virginia (VCDPA) — access, correction, deletion, portability, opt-out of sale / targeted advertising / profiling. Effective 1 Jan 2023.
  • Iowa (ICDPA) — access, deletion, portability, opt-out of sale / targeted advertising. Effective 1 Jan 2025.
  • Montana (MCDPA) — access, correction, deletion, portability, opt-out. Effective 1 Oct 2024.
  • Florida (FDBR) — primarily applies to controllers with $1B+ revenue; we are out of scope for the privacy provisions but extend the same rights here for transparency. Effective 1 Jul 2024.
  • Other 2025–2026 effective laws: Delaware (DPDPA, 1 Jan 2025), New Hampshire (1 Jan 2025), New Jersey (15 Jan 2025), Tennessee (1 Jul 2025), Indiana (1 Jan 2026), Kentucky (1 Jan 2026), Maryland (1 Oct 2025), Minnesota (31 Jul 2025), Rhode Island (1 Jan 2026). Rights are similar to the laws listed above; contact methods are the same.

Universal Opt-Out Mechanisms. We honor Global Privacy Control (GPC) signals universally on this website, even where state law does not strictly require it.

To exercise any of these state rights, contact us via the methods listed in the CCPA section above. We will route requests to the appropriate state's framework based on your stated residency.

Canadian Users (PIPEDA)

For Canadian residents, our processing is governed by the Personal Information Protection and Electronic Documents Act ("PIPEDA"), and we follow its 10 fair-information principles:

  1. Accountability. Ivan Sokalskyi (operator) is responsible for all personal information under our control, including information transferred to sub-processors.
  2. Identifying purposes. Purposes are stated in this Privacy Policy at or before collection.
  3. Consent. We obtain meaningful, express consent for microphone/voice and HealthKit access. AI person detection is part of the core service you sign up for — we disclose it clearly at onboarding and in this policy before any gratitude text or names are sent to the AI provider — and is provided to deliver the App's central feature rather than as an optional add-on. Implied consent is relied on only for core transactional and operational processing.
  4. Limiting collection. We collect only what is necessary for the App's features.
  5. Limiting use, disclosure, retention. Voice audio and AI text are transmitted transiently and not retained on our side. Account and operational records are kept while your account exists; on deletion we remove your per-user records, subject to a minimal fraud-prevention marker (if applicable) and pseudonymous logs retained for a limited period (see Account Deletion & Retention).
  6. Accuracy. You can edit your entries directly in the App.
  7. Safeguards. Personal information is protected by the measures described in the Data Security section of this policy: iOS device protections (encryption, Keychain, sandboxing) for on-device data, TLS for all connections, Azure Key Vault secret management, credential-based access control, and operational security logging.
  8. Openness. This Privacy Policy and our Sub-processors page are publicly available.
  9. Individual access. Email privacy_myevening@rongan.me to request access to information we hold about you.
  10. Challenging compliance. Concerns can be sent to the email above. You may also contact the Office of the Privacy Commissioner of Canada at priv.gc.ca.

Quebec Users (Law 25)

If you reside in Quebec, the Act respecting the protection of personal information in the private sector (as amended by Law 25, "Bill 64") applies in addition to PIPEDA.

  • Person in Charge of the Protection of Personal Information. The operator, Ivan Sokalskyi, acts as the Person in Charge. Contact: privacy_myevening@rongan.me.
  • Confidentiality incidents. Where required, we will notify the Commission d'accès à l'information (CAI) and affected individuals of confidentiality incidents posing serious risk of injury, in accordance with the Act.
  • Right to data portability (Art. 27). Your journal entries are stored on your device and in your personal iCloud account, not on our servers — you already hold them. For computerized personal information we do hold (account, subscription, and usage records), we will provide it in a structured, commonly used technological format on request to privacy_myevening@rongan.me.
  • Automated processing transparency (Art. 12.1). Our AI person-detection feature produces suggestions, not decisions with legal effects, and we disclose it at onboarding and in this policy before any such processing — so the required transparency precedes the processing, and each suggested link is confirmed by you.
  • Cross-border transfer assessment. Voice audio (when you speak) and gratitude text and names (when you save a gratitude entry) are sent to U.S.-based ElevenLabs and OpenAI. These transfers are subject to a privacy impact assessment (alongside the GDPR Transfer Impact Assessments above). The provider data-processing agreements that establish adequate safeguards are being finalized; until signed, we treat the transfer basis as still in progress.
  • French-language considerations. Contracts and privacy notices are currently provided in English. We can provide translations or summaries on request to legal_myevening@rongan.me; we are evaluating full French versions of our policies for Quebec users.

You may file a complaint with the CAI at cai.gouv.qc.ca.

Australia (Privacy Act 1988 / Australian Privacy Principles)

For users in Australia, we comply voluntarily and in full with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Given the reflective wellbeing nature of the journal, we do not rely on any small-business exemption.

  • Open & transparent management (APP 1). This policy describes the personal information we collect (your hashed Apple identifier, subscription/transaction data, usage and operational logs — we do not store email or name), how it is held and secured (encrypted in transit; backend in Microsoft Azure North Europe; secrets in Azure Key Vault), the purposes for collection, how to seek access or correction, how to complain, and the fact that some personal information is disclosed overseas.
  • Notification at collection (APP 5). We notify you at or before collection — including that voice audio is transmitted off your device whenever you choose to speak, and that, as part of AI person detection, your gratitude text and the names you mention are sent to an overseas AI provider whenever you save a gratitude entry.
  • Use & disclosure (APP 6). We use and disclose personal information only for the purposes described here or within your reasonable expectations, or with your consent.
  • Cross-border disclosure (APP 8 and s.16C). We disclose personal information to recipients in the United States — ElevenLabs and OpenAI (AI providers), Microsoft (Azure infrastructure), and Apple (authentication and billing). The likely country of overseas recipients is the United States. We remain accountable for that information and take reasonable steps to ensure recipients handle it consistently with the APPs.
  • Security (APP 11). We protect personal information with encryption in transit, access controls, and secret management. We are candid that our backend storage is reachable over the network (access is gated by credentials rather than IP allow-listing) and that account deletion is a cascade with limited, disclosed exceptions — see the Account Deletion & Retention and Data Security sections.
  • Access & correction (APP 12 and APP 13). You may request access to, or correction of, the personal information we hold by emailing privacy_myevening@rongan.me.

Notifiable Data Breaches. If we become aware of an eligible data breach under the NDB scheme (Part IIIC of the Privacy Act) that is likely to result in serious harm, we will assess it and notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required.

2024 amendments & automated decisions. We are tracking the 2024 Privacy Act amendments, including the new statutory tort for serious invasions of privacy and emerging transparency expectations for automated decision-making. We have assessed our AI person-detection feature: its outputs are suggestions you control, not automated decisions, so it does not engage automated-decision restrictions.

Complaints. Please contact us first at privacy_myevening@rongan.me. If unresolved, you may complain to the Office of the Australian Information Commissioner at oaic.gov.au.

This Website

This website (myevening.app) is a static site hosted on Microsoft Azure Static Web Apps. The website:

  • Does not use cookies (first-party or third-party)
  • Does not collect personal data or form submissions
  • Does not use analytics or tracking scripts
  • Does not use fingerprinting or any identification technology
  • Does not store any data on your device (no localStorage, no sessionStorage)

Standard web server logs may be recorded by Azure, which may include IP addresses, browser type, and pages visited. These logs are managed by Microsoft under their privacy practices and are not accessed by us for any purpose.

For more information about how this website handles cookies and similar technologies, see our Cookie Policy.

Data Security

On your device. Your journal content is protected by iOS's built-in security — device encryption, the Secure Enclave, the Keychain (which holds your sign-in token), and app sandboxing. We recommend:

  • Keeping your iPhone software up to date
  • Using a strong device passcode or biometric authentication (Face ID / Touch ID)
  • Enabling Find My iPhone for remote data protection

On our backend. The account, subscription, and operational data we hold runs in Microsoft Azure (North Europe — Ireland). All connections — between the App and our backend, and between our backend and providers — use TLS. Secrets are kept in Azure Key Vault, which holds no end-user personal data. Access to our backend storage is controlled by credentials (access keys) rather than IP allow-listing, so we treat key management and least-privilege access as the primary control. The internal admin portal is protected by Microsoft Entra ID sign-in. We log operational events to support security and abuse prevention.

No system is perfectly secure, and we cannot guarantee absolute security. We continue to improve our posture, including enabling zero-retention transcription and EU data residency (see the Voice section).

Data Breach Notification

Most of your journal content stays on your device, which limits the personal data exposed by any breach of our backend. We nevertheless hold account, subscription, and operational data on our servers, so we maintain a breach-response process and take our notification obligations seriously:

  • If we become aware of a security incident affecting our backend, storage, logs, or any part of our infrastructure, we will investigate promptly and contain it
  • If a breach affects personal data, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33 (and the UK GDPR)
  • If a breach is likely to result in a high risk to your rights and freedoms, we will notify affected individuals without undue delay as required by GDPR Article 34
  • For Australian users, we will assess any eligible data breach under the Notifiable Data Breaches scheme and notify the OAIC and affected individuals where required; for Quebec users, we will notify the CAI of confidentiality incidents posing a serious risk of injury
  • We document security incidents and the measures taken in response

If you believe your device has been compromised and your locally stored My Evening data may be at risk, we recommend changing your device passcode and reviewing Apple's guidance on securing your iPhone.

Do Not Track and Global Privacy Control

Our website respects Do Not Track (DNT) browser signals and Global Privacy Control (GPC) preferences. Since our website does not use cookies, tracking scripts, or analytics of any kind, there is no tracking behavior to disable — your preferences are honored by default.

The My Evening iOS App does not track you across other apps or websites. We do not participate in cross-app tracking and have declared zero tracking to Apple in our App Store privacy nutrition labels.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and may provide notice within the App. We encourage you to review this page periodically.

Continued use of the App after changes are posted constitutes acceptance of the updated policy.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us using any of the channels below:

We aim to respond to all privacy inquiries within 30 days. For GDPR/UK GDPR data-subject requests we use the same email and postal channels.