Privacy Policy
Last updated: April 6, 2026
Overview
The Flame (“we,” “our,” or “us”) is a personal growth application that helps you tend your inner life through reflection and practice. We take the privacy of your inner world seriously.
This Privacy Policy explains what data we collect, why we collect it, how we protect it, and the rights you have over it. By using The Flame, you agree to the practices described here.
Information We Collect
Account data
When you create an account we store your email address and a hashed (irreversible) copy of your password. We never store your password in readable form.
Reflection content
Journal entries, reflections, check-in notes, and synthesis writing you create in the app are stored encrypted at rest using AES-256-GCM encryption. The encryption key is never bundled with the application.
Progress data
We record which chapters you have read, which reflections you have saved, and which check-ins you have completed in order to personalise your journey.
Usage data
We do not use third-party analytics trackers. Server logs may record IP addresses and request timestamps for security purposes (rate limiting, abuse prevention). These logs are retained for no more than 30 days.
How We Use Your Data
- To provide and personalise the app experience
- To send password reset emails when requested
- To detect and prevent abuse, fraud, and security incidents
We do not sell your data. We do not use your reflection content for AI training. We do not share your personal information with advertisers.
Data Retention
Your account data and all associated content are retained for as long as your account exists. When you delete your account, all data — including reflections, progress, check-ins, and synthesis writing — is permanently and irreversibly deleted from our systems within 30 days.
Data Security
We protect your data with:
- AES-256-GCM encryption for all reflection and note content
- bcrypt password hashing (cost factor 12)
- HTTPS / TLS in transit
- Rate limiting on all authentication endpoints
- Hashed, time-limited password reset tokens
No security system is perfect. If you discover a vulnerability, please contact us at the address below.
Third-Party Services
We use the following third-party processors:
- Neon (Neon Inc.) — cloud PostgreSQL database hosting. Your data is stored on Neon's servers. Neon Privacy Policy
- Vercel Inc. — application hosting and edge delivery. Vercel Privacy Policy
- Resend — transactional email delivery (password resets only). Resend Privacy Policy
We do not share your data with any other third parties.
Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you
- Portability — export your reflections at any time via Settings → Export Journal
- Correction — update your email address or password in Settings
- Deletion — permanently delete your account and all data in Settings → Delete Account
- Restriction — contact us to restrict processing of your data
EU/EEA residents have additional rights under the General Data Protection Regulation (GDPR). California residents have rights under the California Consumer Privacy Act (CCPA). To exercise any right, contact us at the address below.
Children
The Flame is not directed to children under the age of 12 (or 16 in the EU/EEA). We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us immediately and we will delete it.
Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. Continued use of The Flame after a change constitutes acceptance of the revised policy. For material changes, we will notify you by email.
Contact
For privacy-related questions, data requests, or security disclosures, please contact us at:
info@theflame.app