Privacy Policy

What Kept stores

All journal entries are encrypted locally on your device using SQLCipher (AES-256) with a key stored in Android Keystore hardware. Your entries never leave your device. There is no cloud sync, no server, and no account system.

What we collect

Almost nothing. Here is the complete list:

• Crash reports — Kept uses Sentry to collect anonymous crash data. This includes stack traces, device model, and OS version. It does not include journal content, personal information, or any device identifiers that could identify you.
• Anonymous usage events — We track a small number of anonymous product events (like "user enabled biometric lock" or "user created a burner entry") to understand which features are used. These events never contain entry text, titles, word counts tied to specific entries, or any personally identifiable information.
• Purchase data — If you subscribe to Kept Premium, Google Play handles the transaction. We record only the product SKU (e.g., "yearly_subscription") to verify your premium status. We do not receive or store your payment method, transaction ID, or Google account information.

What we collect vs. what we don't

Device permissions

Biometrics — strictly to unlock your encrypted database on-device. Your fingerprint or face data is processed entirely by the Android OS and is never accessible to the app.

Notifications — solely to send local reminders before a time-bomb entry dissolves, and optional reflection notifications. None of this permission data leaves your phone.

Third-party SDKs

Kept contains exactly two third-party services:

• Sentry — crash reporting and anonymous analytics. Configured with isSendDefaultPii = false. A beforeSend filter strips any user object from events before transmission. Sentry's privacy policy →
• Google Play Billing — handles premium subscriptions. Google's infrastructure processes payments; we never see your payment details. Google's privacy policy →

Kept does not include Firebase, Google Analytics, Facebook SDK, advertising SDKs, or any analytics service that links to an advertising network.

Encryption

Kept uses zero-knowledge encryption. Your journal is encrypted with SQLCipher (AES-256-CBC) using a passphrase that is itself encrypted by a hardware-backed Android Keystore key. If biometric lock is enabled, that key additionally requires your fingerprint to decrypt.

Encrypted backups use PBKDF2-HMAC-SHA256 (210,000 iterations) to derive a key from your passphrase, then AES-256-GCM to encrypt the backup file. The passphrase is never stored — you enter it manually each time (or use biometric one-tap after initial setup).

We cannot decrypt your data. If you lose your device without a backup, your journal is gone. This is by design.

Burner Mode

Standard burner entries exist only in device memory and are never written to disk. When you close the entry, the text is destroyed. Time-bomb burner entries are saved temporarily and automatically deleted by a scheduled worker after the chosen duration (1 hour, 24 hours, or 7 days). Dissolved burner entries are not recoverable.

Data export

You can export all entries as a .zip of .txt files at any time (free feature). Premium users can also create encrypted .kept backups. Exported data stays on your device — nothing is uploaded anywhere.

Data deletion

Because Kept has no servers, no accounts, and collects no personal data, there is no personal data for us to delete on our end. You are in complete control. Delete all entries via Settings → "Delete all thoughts", or simply uninstall the app. Uninstalling permanently destroys the encryption key required to read your data.

Children's privacy

Kept is not directed at children under 13. We do not knowingly collect information from children.

Changes to this policy

If this policy changes, we will update the date at the top. Because Kept has no account system, we cannot notify you directly — check this page periodically.

Contact

Questions about this policy: hello@keptjournal.app