1. Who we are
Spashta is a daily mental clarity app for knowledge workers. It is developed and operated by Spashta (an individual developer), and is available on Android (and in future, iOS). The app is reachable at spashta.app.
When this policy says "Spashta", "we", "us", or "our", it refers to the Spashta developer. When it says "you" or "your", it refers to anyone who creates an account or uses the app.
For any privacy-related question or request, contact us at hello@spashta.app.
2. Important: not a medical app
3. What data we collect
We only collect what the app needs to work. We do not collect advertising identifiers, GPS location, biometric data, financial information, phone numbers, or any form of behavioural tracking for advertising purposes.
3.1 Account data
When you create an account using a username and password, we collect:
| Field | Why we collect it |
|---|---|
| Username | Identifies your account. Not an email address. |
| Password | Used to verify your identity. We never store your plaintext password. It is converted to a one-way cryptographic hash (scrypt algorithm) the moment it arrives on our server. |
| Email address | Collected at signup. Used only to send password reset codes when you request them. We do not use your email for marketing. |
| Display name | Shown in the app to personalise your experience. |
| Date of birth | Used to verify that you meet the minimum age requirement of 13. |
| Country | Collected as a text field at signup. Not used for geolocation, advertising targeting, or analytics. |
3.2 Journal entries (stored on our server)
Every check-in you complete is stored in our database, linked to your account. This is the core function of the app.
Morning entries
- Brain dump text — a free-text space to offload whatever is on your mind. This is private and is never used to generate insights shown to you.
- Priorities — up to 3 task strings you set for the day.
- Daily promise — one small commitment you make to yourself for the day.
- Promise completion — whether you marked your promise as kept.
- Completed tasks — which of your priorities you marked done.
- Gratitude note — a short note of appreciation (optional).
- Clarity, stress, and energy scores — self-reported scores on a 1–5 scale.
Midday entries
- One thing going well — a short free-text prompt.
- Tasks checked at midday — which priorities you marked done at midday.
- Priority status — whether your priorities for the day are on track or need adjusting.
Evening entries
- One good thing — a short reflection on something positive from the day.
- Completed tasks — tasks marked complete at the evening reflection.
- Promise completion — whether your daily promise was kept (yes / partly / no).
- Clarity, stress, and energy scores — self-reported 1–5 scores for the evening.
- Overall mood — a single choice: positive, neutral, or negative.
3.3 Derived insights (not separately stored)
Weekly and monthly insight summaries — such as your average scores, return rate, and commitment completion — are computed on our server when you open the Insights screen. The results are returned to your device and are not stored separately in the database. No analytics table exists.
3.4 Preferences (stored on our server)
Your preferred display theme (light, dark, or auto) is stored on our server so it persists when you reinstall the app.
3.5 Data stored only on your device (never sent to us)
- Authentication token — a session token stored in your device's local storage. Used to authenticate API requests. It is never logged on our server.
- Check-in history dots — a local record of which days you checked in, used to display your streak calendar. This stays on your device.
3.6 Notifications
Spashta schedules local reminders on your device at 07:00, 13:30, and 20:00 using the Notifee library. These notifications are triggered entirely on your device. We do not collect, store, or transmit push notification tokens (APNs or FCM). No notification content or interaction data leaves your device.
3.7 What we do not collect
4. How we use your data
We use the data we collect for the following purposes only:
- To operate the app — storing and retrieving your check-in entries so the app works as intended.
- To authenticate you — verifying your identity at login and maintaining your session.
- To compute your insights — generating your weekly and monthly summaries from your own entries.
- To send password reset codes — if you request a reset, we send a one-time code to your email address via a transactional email service. We do not email you for any other reason.
- To verify minimum age — your date of birth is checked at signup to confirm you are 13 or older.
- To save your display preference — your theme choice is stored so it persists across devices.
We do not use your data for advertising, profiling, or to train AI models. We do not sell your data to third parties. We do not share your data with third parties except as described in Section 5.
5. Third-party services
Spashta uses a small number of infrastructure services. Each one processes data only to the extent required to run the app. None of them receive your data for advertising or analytics.
| Service | Role | Data it processes |
|---|---|---|
| Supabase | Database hosting (PostgreSQL) | All account data and journal entries, stored in a managed PostgreSQL database. |
| Render | API server hosting | Hosts the Express API. All API requests pass through Render’s infrastructure in transit. |
| Resend | Transactional email | Used to deliver password reset codes to your email address. Your email address is passed to Resend only when you request a password reset. Resend does not receive your journal data. |
| Notifee | Local notifications library | Schedules reminder notifications on your device. No data is transmitted. Runs entirely on-device. |
| Cloudflare | DNS resolution | Resolves the spashta.app domain. No user data is processed. |
We do not sell your personal data to any third party under any circumstances.
6. How data is stored and protected
- Passwords are hashed using the scrypt algorithm with a unique salt before being stored. Plaintext passwords are never written to a log, database, or any other system.
- Sessions use a single Bearer token per account. Each login replaces the previous token, so only one active session exists per account at any time. Sessions expire after 30 days.
- Password reset codes are one-time codes (OTPs) that are hashed using SHA-256 before storage. They expire 15 minutes after creation and are invalidated immediately after use. After 3 failed attempts, the code is automatically invalidated.
- API communication is encrypted in transit over HTTPS.
- Journal entries are stored in a PostgreSQL database hosted by Supabase and are accessible only to authenticated requests from your own account.
- Rate limiting is applied to all authentication endpoints to reduce the risk of brute-force attacks.
No security system is perfect. We have applied reasonable technical measures appropriate to the sensitivity of the data. If you become aware of a security concern, please contact us at hello@spashta.app.
7. Data retention
Your data is retained for as long as your account exists. When your account is deleted, all data associated with it — your account record, all journal entries (morning, midday, and evening), all sessions, and all password reset tokens — is permanently deleted from our database via a cascade delete. There are no separate backups that retain your personal data after deletion.
Password reset tokens that have not been used expire automatically after 15 minutes and are cleaned up when you next request a reset.
8. Your rights
Depending on where you live, you may have rights under data protection law, including rights under the General Data Protection Regulation (GDPR) for users in the European Economic Area and UK. We describe how these are satisfied below.
Right to delete your data (right of erasure)
You can delete your account and all associated data at any time from within the app. Go to your profile and tap Delete Account. This performs an immediate and permanent cascade deletion of all your data. You do not need to contact us to exercise this right.
Right to access your data
You can view all your journal entries directly within the app. If you need a structured data export for GDPR or other purposes, please contact us at hello@spashta.app and we will fulfil the request manually. We do not currently have an automated export feature.
Right to data portability
If you request a copy of your data in a portable format, contact us at the email above. We will provide it. We do not currently have an automated export tool.
Right to correct your data
You can edit your journal entries directly in the app. If you need to correct account details that cannot be changed in the app, contact us and we will assist.
Right to object or restrict processing
If you wish to object to or restrict how we process your data, contact us. Because Spashta’s data processing is limited to operating the app for you, the most practical outcome of any such request is deletion of your account.
Basis for processing
We process your data on the basis of contract — it is necessary to process your data to provide the service you have signed up for. We do not rely on consent or legitimate interest as the basis for any ongoing processing.
9. Children’s policy
Spashta is not directed at children under the age of 13. We do not knowingly collect personal data from anyone under 13. We collect date of birth at signup to verify minimum age.
If you are a parent or guardian and believe your child under 13 has created an account, please contact us at hello@spashta.app and we will promptly delete the account and all associated data.
Users between 13 and 17 may use Spashta. The app does not contain features directed at minors and does not collect data in any way tailored to users under 18.
10. Changes to this policy
If we make material changes to this policy — meaning changes that affect what data we collect, how we use it, or with whom we share it — we will update the effective date at the top of this page.
For significant changes, we will notify users through the app (for example, a notice shown on your next login) or by email if we have your email address on file. Continuing to use Spashta after a change takes effect means you accept the updated policy.
We encourage you to review this policy periodically. Older versions can be requested by contacting us.
11. Contact
If you have any questions about this policy, want to exercise a data right, or have a concern about how your data is handled, reach us here:
Spashta
Email: hello@spashta.app
Website: spashta.app
We aim to respond to all privacy requests within 30 days. For urgent concerns or security disclosures, please mark your email subject line accordingly.