Privacy Policy
Last updated: 2026-05-31
Applicable service: BubbleClear (iOS / Android app, website)
Operator: Nao Tokuta
Table of Contents
- Introduction
- Information We Collect
- How We Use Information
- Data Retention & Deletion
- Data Sent to AI (LLM)
- AI Model Improvement Participation (Opt-In)
- Third-Party Disclosure
- Third-Party Services We Use
- Cookies and Similar Technologies
- Your Rights
- Minors
- Changes to This Policy
- Contact
1. Introduction
BubbleClear (the “Service”) is a self-reflection tool that supports brain-dumping — getting everything out of your head. Providing an environment where you can safely write your thoughts is our highest priority.
This policy explains what information the Service collects, and how it is used, stored, and deleted. Your raw dump text is not stored on our servers. It is stored only on your device (encrypted with AES-256). If you opt in to AI model improvement, a separate encrypted copy is stored on our servers for up to 90 days. (See §4 and §6 for details.)
2. Information We Collect
2-1. Information You Provide
| Data | Content | Storage |
|---|---|---|
| Raw dump text | Thoughts and concerns entered as free text | Device-local only (SQLCipher / AES-256 encryption). Not stored on server. |
| Training data (opt-in only) | If you enable “AI Model Improvement,” a separate AES-256-GCM encrypted copy is stored for training purposes | Server (encrypted, up to 90 days. See §6) |
| LLM analysis results | Keywords, categories, mood scores, domain weights extracted from your text (raw text not included) | Device-local + server (persistent ※1) |
| Mood rating | Pre/post-session mood score (0–10) | Device-local + server (persistent ※1) |
| Email address | Used for account registration and Magic Link authentication | Server (persistent) |
※1 Retained long-term for trend graphs and repeated-theme detection. Deleted upon account cancellation.
2-2. Automatically Collected Information
| Data | Content | Purpose |
|---|---|---|
| Usage statistics | Session frequency, feature usage rates (anonymized) | Service improvement |
| Error logs | Crash information (Sentry) | Bug fixes |
| Device information | OS and app version (device name and UDID are not collected) | Support |
2-3. Information We Do Not Collect
- Location data
- Contacts, calendar, or photos (separate consent will be obtained if required for future features)
- Facial or biometric authentication data
- Third-party social media profiles or post content
3. How We Use Information
Collected information is used solely for the following purposes:
- Service delivery: LLM analysis, bubble map generation, past session display
- Service improvement: Usage statistics analysis, UI/UX improvements
- AI model improvement (opt-in — only for those who choose to participate): Improving the accuracy of the on-device AI model (the local analysis model running on your device). Only when you have explicitly consented. See §6.
- Security and fraud prevention: Unauthorized access detection
- Billing and payment processing: Subscription management (Stripe / RevenueCat)
- Customer support: Responding to inquiries
- Legal compliance: Responding to laws and regulations
We do not use your data for advertising or sell it to third parties.
4. Data Retention & Deletion
The core privacy design of the Service is not retaining raw text on our servers.
Automatic Deletion Schedule
| Data Type | Retention Period | Deletion Method | Reason |
|---|---|---|---|
| Raw dump text (server) | Not retained (for non-participants) / up to 90 days (opt-in participants, see §6) | pg_cron physical deletion | — |
| LLM call logs | Not retained (zero retention) | — | — |
| LLM analysis results (keywords, categories, mood scores, etc.) | Until account deletion | Manual account deletion trigger | Used for trend graphs and repeated-theme detection |
| Mood scores | Until account deletion | Manual account deletion trigger | Used for trend graphs |
| Theme hashes | Until account deletion | Manual account deletion trigger | Used for repeated-theme detection (non-reversible) |
About Theme Hashes
To detect “the same theme has appeared 3 weeks in a row,” only the SHA-256 hash (a one-way, non-reversible value) of the theme is stored. The raw text itself is not stored.
Device-Local Data
- Data on your device is stored using SQLCipher (AES-256) encryption.
- Device-local data cannot be deleted by the Service (it is deleted by uninstalling the app or clearing data).
- Raw dump text is retained on your device as a fault-tolerance measure (allowing retry if a network or API error occurs during analysis).
Account Deletion and Full Data Removal
When you close your account, all server-side data (raw text, aggregated values, and account information) is deleted within 72 hours.
5. Data Sent to AI (LLM)
The Service sends the text you enter to a large language model (LLM) to analyze your brain dump.
Recipient and Retention Policy
| Item | Details |
|---|---|
| Recipient | Anthropic API (Claude Haiku) |
| What is sent | Raw dump text (no account identifiers) |
| Anthropic retention period | Promptly deleted, except for temporary retention for abuse monitoring ※1 |
| Used for training | No ※1 |
※1 Per Anthropic’s policy, data sent to the API is never used to train models. Except for temporary retention for abuse-prevention purposes, data is promptly deleted from Anthropic’s servers. See Anthropic’s Privacy Policy for details.
Important Notes
- Data is transmitted over a TLS 1.2+ encrypted connection.
- Account identifiers (email addresses, etc.) are stripped before transmission.
- For users who do not opt in to AI model improvement, raw dump text is never stored on our servers — it is processed transiently and immediately discarded after the LLM call completes.
- If the AI provider changes in the future, this policy will be updated and you will be notified in advance.
6. AI Model Improvement Participation (Opt-In)
The Service provides an on-device AI model (a local analysis model running on your device). To improve the accuracy of this model, only if you explicitly consent, we may store a copy of your raw dump text for a limited period.
6-1. Consent
- Consent is obtained via explicit opt-in (default: OFF — active only if you turn it on yourself).
- Consent can be withdrawn at any time from the Settings screen. Relevant data will be physically deleted within 24 hours of withdrawal.
- Your consent status does not affect the quality of the Service you receive.
6-2. Storage Method and Duration
| Item | Details |
|---|---|
| Encryption | AES-256-GCM (application-layer encryption, Envelope Encryption) |
| Key management | Stored in Supabase Vault. Decrypted in memory only during training batch execution |
| Retention period | Up to 90 days (no extension) |
| Deletion method | Physical deletion via pg_cron (logical deletion is not used) |
| After training | Raw text used for training is physically deleted within 24 hours of use; only labels (numeric scores) are retained |
6-3. Restricted Use
Opt-in dump text is used solely for the following purposes:
- Fine-tuning the on-device AI model (analysis model)
- Benchmarking for model accuracy evaluation
We do not use it for advertising, third-party sales, or disclosure to other users. Training is performed using appropriately anonymized data.
6-4. Transparency
The in-app “Your Data” screen lets you view at any time:
- Number of items currently stored
- “Delete all data now” button (triggers physical deletion)
- “Stop contributing to model improvement” button
For technical details, see docs/plans/privacy_model_strategy.md.
7. Third-Party Disclosure
We do not share your personal information with third parties except in the following cases:
- With your consent
- When disclosure is required by law or court order
- Service providers necessary for delivering the Service (within the scope of §8 below)
- In the event of a business transfer (you will be notified in advance and given the right to opt out)
8. Third-Party Services We Use
| Service | Purpose | Privacy Policy |
|---|---|---|
| Supabase | Authentication and database | supabase.com/privacy |
| Anthropic API | LLM analysis (Claude Haiku) | anthropic.com/privacy |
| Stripe | Web payments | stripe.com/privacy |
| RevenueCat | IAP management | revenuecat.com/privacy |
| Firebase Cloud Messaging | Push notifications | firebase.google.com/support/privacy |
| Sentry | Error monitoring | sentry.io/privacy |
| PostHog | Usage analytics | posthog.com/privacy |
| Railway | API server hosting | railway.app/legal/privacy |
| Cloudflare Pages | LP / Waitlist hosting | cloudflare.com/privacypolicy |
| Resend | Waitlist confirmation emails | resend.com/legal/privacy-policy |
We have reviewed the publicly available privacy policies and data processing standards of each service and confirmed that appropriate protective measures are in place.
9. Cookies and Similar Technologies
Mobile App
Browser cookies are not used. Device identifiers (Supabase session tokens) are used for authentication purposes only.
Website (Landing Page)
- Essential cookies: Session management (used without consent)
- Analytics cookies (PostHog): Anonymized usage statistics. Consent is obtained on first visit.
- Advertising and tracking cookies: Not used.
10. Your Rights
Your Rights Under Privacy Law
You have the following rights:
- Right of disclosure: Disclosure of personal information we hold
- Right to correction, addition, or deletion: When content is inaccurate
- Right to stop use or erasure: When legal requirements are met
- Right to lodge a complaint: With the Personal Information Protection Commission (Japan)
How to Exercise Your Rights
Please contact us at the email address in §13 Contact. After identity verification, we will respond within 30 days in principle.
11. Minors
The Service is intended for users aged 13 and older. Users under 13 may not use the Service. If we become aware that information has been collected from a user under 13, we will promptly delete that data.
12. Changes to This Policy
For significant changes (such as new data collection or changes to how data is used), we will notify you at least 30 days in advance via in-app notification or email. Minor changes (typo corrections, contact updates, etc.) will be updated as needed with a version date update.
Continued use of the Service after changes constitutes acceptance of the revised policy.
13. Contact
For privacy inquiries or to exercise your rights, please contact us:
Email: [email protected]
Languages: Japanese and English
Response time: Within 7 business days