We do not see what you write in your diary. Ever. The diary is end-to-end encrypted on your device, and your encryption key never leaves it.
The only data we collect is what you explicitly send us — your email when you reserve a license, your payment information when you check out (handled by Stripe, not stored by us), and the bare minimum needed to deliver the software and provide support.
We don't sell your data. We don't advertise. We don't analyze your writing. If we had to read your diary to make money, we would have built a different product.
This policy describes how Sagentica ("we," "us," "our"), the maker of Encrypted Diary, collects and handles information about people who visit encrypteddiary.com, reserve a license, or use the Encrypted Diary application.
The headline, before the details: we never possess your passphrase, your keys, or your readable entries. Not at purchase, not at backup, not ever. We have signed a formal declaration to that effect — read The Key Custody Declaration. Everything below concerns the ordinary business data around the diary; the diary itself is beyond our reach by design.
| Data | Why | How long |
|---|---|---|
| Email address (reservation, purchase, support) | To notify you when the diary ships, deliver your license, and respond to support requests. | Until you ask us to delete it, or 24 months after your last interaction — whichever comes first. |
| Name (if you provide one) | To address you politely in email; for receipts. | Same as email. |
| Payment information (card details, billing address) | To process your purchase. This is handled entirely by Stripe. We never see or store your full card number. | We store only a Stripe customer ID and the last four digits of your card, for your account view and refund processing. |
| Support messages (emails to us) | To answer your questions and improve the product. | 3 years, then deleted. |
When you visit our website, our network provider (Cloudflare) and our origin host (OVH) automatically record standard web logs: IP address, browser type, pages visited, referring site. This is used for security (detecting abuse), basic traffic counts, and required network operation. We do not use Google Analytics, Facebook Pixel, or any cross-site tracking tools.
We may use a privacy-respecting analytics tool (e.g., Plausible or Cloudflare Web Analytics) to count visitors and see which pages people read. These tools do not use cookies and do not identify individual visitors.
Fonts are self-hosted. The typefaces on this site (Cormorant Garamond and JetBrains Mono, both open-source) are served from our own infrastructure. We do not load fonts from Google Fonts or any third-party font service, so your IP address and browser are never shared with a font provider when a page loads.
The application does not phone home. It does not send your entries, your prayers, your photos, or any analytics about how you use it to any server. The on-device Companion runs locally; nothing it sees ever leaves your computer.
The only exceptions:
We do not use your information for advertising. We do not sell, rent, or share it with marketing partners.
If you are in the EU or UK, we rely on the following lawful bases under Article 6 of the GDPR:
| What we process | Lawful basis |
|---|---|
| Your email when you reserve a license, and the single launch email we send you | Consent — which you may withdraw at any time by asking us to delete your reservation. |
| Email, name, and license delivery when you purchase | Performance of a contract — we cannot deliver the product you bought without it. |
| Payment and transaction records | Performance of a contract and legal obligation (tax and accounting law). |
| Support messages | Legitimate interest in answering you and improving the product. |
| Security logs, fraud prevention, basic cookieless traffic counts | Legitimate interest in keeping the service secure and operational. |
| Records we must keep by law | Legal obligation. |
Encrypted Diary is operated from outside the EU, and some of our service providers are based outside the European Economic Area. Where your personal data is transferred internationally, we rely on legally recognized safeguards:
You may request details of the specific safeguards that apply to any transfer by contacting us at the address below.
We use the following service providers, each with their own privacy practices:
| Provider | What they see |
|---|---|
| Stripe (payment processing) | Card details, billing address, transaction history. Stripe privacy policy. |
| Cloudflare (CDN, DNS, security) | Standard web logs (IP, user agent). Cloudflare privacy policy. |
| OVH (origin web hosting) | Standard web logs (IP, user agent) reaching the origin server. OVH privacy policy. |
| Email provider (transactional email) | Email addresses we send messages to and the contents of those messages. |
We do not use your data for any other purpose, and we do not share it with anyone else — except where legally required (e.g., subpoena), in which case we will notify you unless prohibited.
Our website uses minimal cookies, only when strictly necessary (e.g., to remember you are signed into your account, once we offer accounts). We do not use advertising or tracking cookies. We do not use third-party analytics that set cookies.
You have the right to:
To exercise any of these rights, email us at the address below. We respond within 30 days, usually much sooner.
If you are in the EU, UK, or California, you have additional rights under GDPR/UK GDPR/CCPA — you may also lodge a complaint with your local data protection authority. We honor all such requests regardless of where you live.
Encrypted Diary is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal information, please contact us and we will delete it.
The Encrypted Diary application uses end-to-end encryption (XChaCha20-Poly1305) with keys derived from your password using Argon2id. We use HTTPS everywhere. Our infrastructure uses industry-standard security practices. Payment data is handled exclusively by Stripe, which is PCI-DSS Level 1 certified.
That said: no system is perfectly secure. If a breach ever occurs, we will notify affected users within 72 hours of discovery, as required by law and as we would expect ourselves.
If we materially change this policy, we will email everyone we have an email address for at least 30 days before the change takes effect. The current version is always available at this URL, with the version number and effective date at the top.
Encrypted Diary is designed to let you designate entries to be released after your death, to specific people, on a schedule. This legacy-release service is rolling out after launch; the description below explains how it will handle your data once available, so you can understand it before you rely on it. It is one of the most sensitive things software can do. Some things to understand:
If you wish to know exactly what we hold about your legacy plan, request a copy at any time.
For privacy questions, requests, or to exercise any right above: