Privacy Policy
Last updated: 2026-04-22
This policy describes how Cabrillo Club LLC ("we," "us") collects, uses, and protects your information when you use Self Forge, including the iOS app and this website (together, the "Service").
1. Our privacy stance
Self Forge is a local-first app. The substantive content you create — journal entries, assessment answers, goals, vision drafts, partner/therapist sharing settings — is stored on your device in an encrypted database (SQLCipher, AES-256) unlocked only by your biometrics or passcode. We cannot read it and neither can anyone else.
[Confirm before launch: no server-side copy of user journal/assessment data exists for v1.0. If any server-side sync is enabled, update this section.]
2. What we collect
Account data
- Email address (used to sign in and communicate with you).
- Password (stored as a hash; we never see the plaintext).
- First and last name (optional profile fields).
- Date of birth (used to verify 18+ for dating features).
- Subscription tier and billing status (if you purchase a subscription).
Device data
- iOS version, device model, app version — for diagnostics only.
- Crash reports (via Sentry) — attached to an anonymous device ID, not your account.
Content you choose to share
If you link a therapist or partner and grant them access to specific data types, those types are transmitted to their device over an authenticated, TLS-encrypted channel. You choose what's shared, per data type, and you can revoke access at any time.
Dating module (optional)
If you opt into dating features (disabled by default), additional data is processed:
- Profile photos you upload are stored in our object storage and automatically moderated (Amazon Rekognition) before anyone else can see them. Photos you delete are removed from storage within 7 days.
- Match preferences and assessment summaries (not the raw answers) are used to generate compatibility matches.
- Messages you send to matched users are stored on our servers to deliver them and to investigate abuse reports. Messages are TLS-encrypted in transit and encrypted at rest.
- Reports and blocks you submit are retained as long as the reported account exists, plus 90 days, for safety enforcement.
[Verify 7-day deletion window for photos matches the actual backend retention config before launch.]
AI provider
Self Forge uses third-party AI providers (OpenAI, Anthropic, or a self-hosted endpoint you choose) to generate chapter content, microquests, and goal suggestions. When you use AI features, the specific prompts (which may include recent journal or assessment text you've authored) are transmitted to the provider to produce a response. Providers have their own privacy terms. Self Forge does not send your entire journal, assessment history, or account data to AI providers — only the content needed for the specific request.
If you bring your own AI provider key, responses go directly between your device and the provider under your account. If you use the managed option, we route requests on your behalf but do not retain prompts or responses after delivery.
3. What we do NOT collect
- No advertising identifiers. No ad networks.
- No third-party analytics SDKs that transmit user journal / assessment content.
- No location tracking.
- No device microphone / camera access except when you explicitly upload a profile photo (dating module, opt-in).
4. How we use your data
- To operate your account (sign-in, subscription, notifications).
- To provide the features you've enabled (AI generation, matching, messaging, sharing).
- To investigate abuse reports and enforce safety policies.
- To diagnose crashes and bugs (anonymized telemetry only).
- To comply with legal obligations.
We do not sell your data. We do not use your content to train AI models.
5. Clinical data (HIPAA-aligned)
Self Forge is not a covered entity under HIPAA. However, when you link a therapist, we apply HIPAA-aligned practices to data shared with that therapist: authenticated channels, per-data-type consent, and a complete access audit log (§164.312(b)) that you control and can export.
[Lawyer review: precise HIPAA language vs. "HIPAA-aligned" marketing claim. Confirm whether any aspect of the therapist-sharing flow qualifies us as a Business Associate under §160.103.]
6. Your rights
Regardless of where you live, you can:
- Access — request a copy of your account data.
- Correct — update or correct inaccurate data in-app or by emailing support.
- Delete — erase your account and all associated data via Settings → Account → Delete Account, or by emailing support.
- Port — request an export of your account data in a machine-readable format.
- Withdraw consent — revoke sharing with any therapist or partner at any time.
California residents have specific rights under the CCPA / CPRA, including the right to know, delete, correct, and limit the use of sensitive personal information. EU / UK residents have rights under GDPR. To exercise any of these rights, email [email protected].
7. Children
Self Forge is not directed to children under 13. Dating features require users to be 18 or older, verified by date of birth. We do not knowingly collect data from anyone under 13. If you believe a minor has created an account, email [email protected] and we'll remove it.
8. Security
- On-device database encrypted with SQLCipher (AES-256).
- Encryption key held in iOS Keychain, unlocked by Face ID / Touch ID / passcode.
- TLS for all network traffic.
- Clinical and journal content is never written to disk unencrypted.
No system is perfectly secure. We disclose material security incidents affecting your account within 72 hours of discovery.
9. Data retention
- Account data: retained while your account is active.
- After you delete your account: purged within 30 days (backups cleared within 90 days).
- Profile photos: removed from storage within 7 days after you delete them.
- Messages: retained as long as both participants' accounts exist; deleted within 30 days of either account being deleted.
- Abuse reports: retained for the reported account's lifetime plus 90 days.
10. Third parties
We share limited data with service providers only as necessary to run the Service:
- OpenAI, Anthropic (optional AI providers) — see section 2.
- Amazon Web Services (GovCloud) — hosting, object storage, photo moderation.
- Sentry — anonymized crash reporting.
- Apple, Google — subscription billing and app distribution.
These providers process data on our behalf under data processing agreements. We do not sell data to any third party.
[Lawyer review: list must match actual sub-processors before launch. Add / remove services as appropriate.]
11. International transfers
Self Forge is hosted on AWS GovCloud (US). If you use the Service from outside the United States, your data is transferred to and processed in the US. Where required, we rely on appropriate safeguards such as the EU Standard Contractual Clauses.
12. Changes to this policy
We update this policy when we add features or change practices. Substantive changes are communicated via an in-app notification and an email to the address on your account. Continued use after a change constitutes acceptance; you can always delete your account if you disagree.
13. Contact
Questions, requests, or complaints: [email protected].
Cabrillo Club LLC
[Registered address placeholder — add before launch.]
© 2026 Cabrillo Club LLC. All rights reserved.