Legal · Draft
Privacy Policy
Last updated: 2026-07-10 · Pending legal review.
This page is maintained by writema to answer common privacy questions about writema. It describes current practices and is not independent legal verification.
Data controller
writema is operated from the Czech Republic under the writema.com domain. For GDPR purposes, we are the data controller for your account information.
What we collect
Account data: your email address, an encryption verifier derived from your password (never the password itself), and an encrypted copy of your master key.
Content: your drafts, journal entries, mood, and weather notes are stored as encrypted ciphertext. We cannot read them.
Operational logs: minimal request logs for security and reliability, retained for up to 30 days.
What we don't collect
We don't use third-party analytics, advertising trackers, session recorders, or fingerprinting. We don't sell or share your data with any third party for commercial purposes.
Cookies
We use strictly necessary cookies for authentication and session management. These are required for the service to function and cannot be disabled. We do not use tracking, advertising, or analytics cookies.
Legal basis (GDPR Art. 6)
Contract performance (Art. 6(1)(b)) for delivering the service you requested. Legitimate interest (Art. 6(1)(f)) for security logging necessary to protect the service and its users.
Where data is stored
Encrypted content and account records are stored in the European Union via Lovable Cloud (Supabase, EU region). Data does not leave the EU.
Children
writema is not intended for users under 16 years of age. We do not knowingly collect data from anyone under 16. If you believe a minor has registered, contact us and we will delete the account.
Your rights
Under GDPR, you have the right to access, rectify, erase, restrict processing, and port your personal data. You can also object to processing or lodge a complaint with the Czech Data Protection Authority (Úřad pro ochranu osobních údajů).
Because we use zero-knowledge encryption, we can access and delete your account metadata and encrypted ciphertext. We cannot fulfil requests for the plaintext of your writing, as we do not possess the key to decrypt it. If you wish to read your own content, simply sign in — your decryption key lives in your browser.
To exercise any right, contact privacy@writema.com.
Data retention
Your account and encrypted content remain stored as long as your account is active. When you delete your account, all associated data — including encrypted content — is permanently deleted within 30 days. Operational logs are retained for up to 30 days regardless.
Changes to this policy
We may update this policy as the service evolves. Material changes will be communicated via email to your registered address at least 14 days before taking effect.
Contact
Data-protection questions: privacy@writema.com
General inquiries: hello@writema.com
See How Encryption Works for technical details.