Privacy
Your words are yours.
A plain-language privacy notice. If anything here is unclear, write to [email protected] and we’ll fix the wording.
At a glance
We collect what we need to run a journaling app, nothing else. We never use your entries to train AI — ours, our providers’, or anyone else’s. We don’t sell data. You can export or delete everything any time, and we’ll honor every data right EU/UK law gives you.
The rest of this page is the detail.
Who we are
Yewmark is operated by an individual based in the US Midwest (the “data controller” under UK and EU GDPR for users in those jurisdictions). Service infrastructure runs on a single-tenant VPS in the Netherlands — chosen so stored data sits under EU data-protection law. Contact: [email protected].
We’re a small operation and don’t have a Data Protection Officer — not required at our scale. The same email handles all data-protection requests; no special form needed.
What we collect, and why
Your account. Email, chosen name, and a bcrypt-hashed password. We never see the plaintext password. Legal basis: contract performance.
Your entries and digests. The journal entries you write (title, content, mood/energy tags, kind), plus AI-generated summary/insight/next-step when you ask for them. Legal basis: contract performance.
Chat conversations. Chat threads live only in your browser tab. Nothing about a thread is stored server-side. Each message is sent to the chosen AI provider for inference; the reply comes back and is shown to you. We log the number of tokens consumed (for usage accounting) but not the content of the chat. Legal basis: contract performance.
Voice recordings. When you use voice journaling, the audio is uploaded and transcribed; the audio itself is not stored. Only the transcript text reaches the database as your entry content. Legal basis: contract performance.
Payment data. If you upgrade to a paid plan, Stripe (our payment processor) handles billing. Stripe receives your card details directly from your browser; we receive only a customer ID and subscription status. We never see or store your card. Legal basis: contract performance.
Operational logs. Request method, status code, path, timestamp, and IP address. Used for debugging, abuse mitigation, and capacity planning. Retained for 30 days, then rotated out. Legal basis: legitimate interests (operating a secure service).
AI call records. Per-call metadata only — user ID, kind of call, model, provider, token count, timestamp. Never the content. Used for daily quota and abuse rate-limiting. Retained 90 days. Legal basis: legitimate interests.
Error reports. When something crashes, a stack trace and request metadata go to our error-tracking provider. It is configured to never receive entry content, message bodies, or any personally identifying detail beyond the user id of the affected session. Legal basis: legitimate interests.
How AI processing works
When you ask the AI to digest an entry, write a daily/weekly summary, or chat with you, your text is sent over TLS to a third-party model provider for inference. The reply is returned and (for entry digests) stored alongside the entry.
We route through a chain of providers with automatic failover. We deliberately don’t list specific vendor names here — the chain shifts as providers go down, change terms, or get replaced. What does not shift is the contractual posture we hold every provider to before any of your data reaches them:
- No training on traffic. Every provider in our chain is on a business-API tier whose terms of service explicitly forbid training on inputs. We don’t use consumer-product tiers (where training opt-outs are optional or off-by-default).
- No retention beyond the call. Providers don’t store your text past the inference call. Retention longer than ~30 days for the audit log is contractually disallowed.
- Geographic disclosure. Our primary text-generation provider is hosted in mainland China; our failover providers are US-based. The embedding provider (used for finding related earlier pages) is US-based. Voice transcription failover sits at edge locations worldwide. These transfers happen under standard contractual clauses (SCCs). If you have a specific compliance requirement (US-only, EU-only) and you’re on a paid plan, write to us and we’ll route you to a chain that matches.
- Listed by role, not name. If you want to know which company sat at a position in our chain on a given day, email [email protected] and we’ll tell you. We just don’t advertise it, because the answer changes.
People extraction. The digest also identifies the names of people you’ve mentioned in your entry so we can build the People view (so you can manage “Gramma” and “Grandma” as the same person, etc.). Those names go to the model provider in the same call as the entry text and aren’t stored anywhere else — they live in your account, scoped to your user id. You can rename, merge, or delete any person from /journal/people at any time, and your full export (Settings → Export everything) includes them.
You can turn AI features off entirely in Settings, in which case no entry text leaves our servers. (Voice transcription inherently requires a transcription provider; without AI you can still write by typing.)
Per-entry “keep AI off this” toggle. For entries you don’t want any AI features touching at all, mark the entry private from the Saved view (the chip row below the digest) or from any expanded entry on the Timeline. A private entry is never sent to a model provider for the digest, never included in the daily/weekly AI summaries, never used by the Reflect insights or patterns passes, and never contributes to the People view. Toggling private on a previously-digested entry also purges the digest output we’d already stored and the entry-person links the AI had extracted. This is not end-to-end encryption — the entry text itself stays server-readable so you can read it back from any device — but it is an enforceable “no AI features on this specific entry, ever” commitment.
Crisis-content safeguards. Yewmark applies a simple keyword check to AI inputs and outputs so we can append a pointer to professional crisis resources (988, findahelpline.com, samaritans.org) when appropriate. This runs in-process on our server before/after the AI call. It is a safety feature, not a moderation system — nothing is reported to anyone, no list of “flagged users” exists, and no result is stored.
Sub-processors (by category)
A sub-processor is a third party that may handle your personal data on our behalf so we can deliver Yewmark. We list them by category rather than by company name — the specific vendor at each position can change, but the role, data shared, and jurisdiction don’t. If you need the current vendor at any of these positions for compliance reasons, email [email protected] and we’ll send you the list.
- Server hosting (Netherlands) — all stored data (entries, account, logs, backups) sits on a single-tenant VPS under EU data-protection law.
- Edge / CDN (global) — DNS, TLS termination, edge proxy, admin Zero Trust gating, voice-transcription failover. Sees traffic in transit; sees voice audio only when this provider handles a transcription call.
- Payments (Stripe, US/EU) — email, card details (received directly from your browser), subscription status. We never see your card. Stripe is named here because you see it on checkout.
- Transactional email delivery (EU) — your email address and the contents of emails we send you (welcome, verification, password reset, opt-in summaries).
- LLM inference (primary, China) — entry content or chat message text at the moment of an AI call. Business-API tier; contractually no retention beyond the call; no training on API inputs. Private entries never reach this step. We chose this provider because the model demonstrably produces warmer, more literary journaling output than alternatives; we’re honest about the jurisdiction so you can make an informed choice. If you prefer your data not leave the US/EU and you’re on a paid plan, write to us and we’ll route you to the failover chain instead.
- LLM inference (failover, US) — same as primary, only when the primary is unavailable or exhausted. Same contractual terms.
- Embedding (similarity + retrieval, US) — when an entry is saved its text is turned into a numeric fingerprint so we can find related earlier pages of yours (used for both continuation suggestions and the “Mirror” take in the digest picker). Same business-tier terms as our other AI providers: contractually no training, no retention beyond the call. Private entries never reach this step.
- Voice transcription (failover, US/EU) — voice audio when both primary and edge transcription are unavailable. Same contractual terms.
- Error tracking (US/EU) — stack traces and request metadata when something crashes. Configured to never receive entry content or message bodies.
We’ll update this list as positions change. If we add a new category of sub-processor (e.g. add a kind of third-party service we don’t use today), or change a category’s data terms in a way that materially affects you, we’ll email registered users before the change takes effect.
Where your data lives
Your account, entries, and digests are stored in a Postgres database on a single-tenant VPS in the Netherlands — under EU data-protection law.
AI inference happens at each provider’s data center. Our primary text-generation provider is hosted in mainland China; the failover chain and the embedding provider are US-based. Voice transcription failover sits at edge locations worldwide. These transfers happen under standard contractual clauses (SCCs). If you have a specific compliance requirement (US-only, EU-only) and you’re on a paid plan, write to us and we’ll route you to a chain that matches.
Storage and security
In transit: all traffic to and from yewmark.com uses TLS 1.3, terminated at our CDN edge and re-encrypted to origin.
At rest: the database disk is encrypted at the block level. Passwords are bcrypt-hashed. Password-reset tokens are stored as SHA-256 of the raw token — the raw token only ever appears in the email.
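As an added illustration (not Yewmark’s own code) of the reset-token handling described above: the raw token goes only into the e-mail, the server keeps just its SHA-256 digest with an expiry, and redeeming a token hashes the presented value, looks up the digest, and consumes it on first use. The in-memory table, the 15-minute lifetime and the function names are assumptions.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed stand-in for the database column that holds reset tokens.
# Maps sha256(raw_token) -> (user_id, expiry as unix time). Never holds the raw token.
RESET_TOKENS: Dict[str, Tuple[int, float]] = {}

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the notice does not state one


def hash_token(raw_token: str) -> str:
    """SHA-256 hex digest of the raw token; this is all the database ever sees."""
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()


def issue_reset_token(user_id: int, now: Optional[float] = None) -> str:
    """Create a single-use token and return only the raw value (for the e-mail)."""
    now = time.time() if now is None else now
    raw_token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; unguessable
    RESET_TOKENS[hash_token(raw_token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return raw_token


def redeem_reset_token(raw_token: str, now: Optional[float] = None) -> Optional[int]:
    """Return the user_id if the token is valid and unexpired, else None.

    The stored value is a digest, so a keyed lookup is safe: a database read that
    leaks which digest matched does not reveal a token the attacker does not hold.
    The row is removed on first presentation, so a token cannot be replayed.
    """
    now = time.time() if now is None else now
    record = RESET_TOKENS.pop(hash_token(raw_token), None)
    if record is None:
        return None  # unknown or already used
    user_id, expires_at = record
    if now > expires_at:
        return None  # expired; the row is gone either way
    return user_id
```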
Backups: the database is backed up daily to an encrypted off-server destination. Retention: 30 daily snapshots, 12 weekly, 6 monthly. Deleted accounts are removed from the primary database immediately on hard-delete; backups holding the row are aged out within at most six months as the older snapshots retire.
Access: the operator can technically reach the database for support and administration. We log when we do; we don’t read entries casually.
Browser storage and cookies
Yewmark doesn’t use third-party tracking cookies. The only things we keep in your browser are:
- yewmark.token (localStorage) — your session JWT. Used to authenticate API requests. Cleared when you sign out.
- yewmark.theme (localStorage) — your day/night theme preference. Functional only.
- yewmark.restored (sessionStorage) — a one-shot flag used to show a banner after you sign back into a soft-deleted account. Cleared on dismiss or browser close.
- Draft autosave (localStorage) — any unsaved text on the write page is kept locally so a refresh doesn’t lose a paragraph. Cleared once the entry is saved.
Our CDN may set a small number of operational cookies for bot mitigation. These are functional, not tracking — they don’t personally identify you.
Children
Yewmark is not directed at children. You must be at least 16 years old to create an account. If we learn we have collected data from someone under 16, we’ll delete it.
Inactive accounts
We don’t auto-purge active accounts just because they’ve been quiet — your journal is still there, waiting. If an account is completely dormant for 24 months (no sign-in and no entries), we’ll email you to ask whether you still want it. If you don’t reply within 60 days, the account is hard-deleted and the data is purged.
Your rights
Under UK and EU GDPR (and equivalent laws elsewhere) you have the following rights over the personal data we hold about you. We honor all of them; most are exercisable directly from Settings — no request form needed.
- Access — see what we hold. Use Export everything (JSON) in Settings.
- Portability — receive your data in a machine-readable format. JSON or Markdown export, in Settings.
- Rectification — correct anything inaccurate. Entries are editable from the timeline; account details from Settings.
- Erasure — delete your data. Delete an entry from the timeline; delete your whole account from Settings. Hard-delete happens after a 7-day grace window (signing back in cancels it).
- Restriction / Objection — limit how we process your data, or object to processing based on legitimate interests. Email us; most users won’t need this.
- Automated decisions — AI features are advisory only. No automated decision with legal or similarly significant effect is made about you on this platform.
- Withdraw consent — where we rely on consent (rare for Yewmark), you can withdraw it any time.
- Complain — if you think we’ve mishandled your data, you can complain to your local supervisory authority. In the EU, find yours at edpb.europa.eu. In the UK, the ICO at ico.org.uk. We’d rather you wrote to us first.
We aim to respond to any data-rights request within 30 days, extendable by a further 60 days for complex requests (we’ll tell you if that applies). No fee for reasonable requests.
Security incidents
If we suffer a personal-data breach that’s likely to result in a risk to your rights or freedoms, we’ll notify affected users without undue delay, and report to the relevant supervisory authority within 72 hours of becoming aware, per GDPR Article 33.
Changes to this notice
If we materially change how we handle your data, we’ll email registered users before the change takes effect and surface the change in-app. Non-material changes (typo fixes, clearer wording) we just publish.
This notice was last updated May 16, 2026.
Contact
One address handles everything privacy-related: [email protected]. A real person reads it. We aim to reply within five working days.