Privacy Policy
Your privacy matters. This policy explains what we collect when you use Grimoire, why we collect it, and how we protect it.
Last updated: May 2026
Note on Current Scope
Some features described in this policy (subscription billing, waitlist emails, and affiliate referrals) apply to product capabilities that are planned but not active in version 1.0. Until those features ship, the corresponding data is not collected. We will note in the in-app changelog when each becomes active.
Who We Are
Grimoire is a mobile app (Android and iOS) and web service for solitary witches: a digital grimoire, practice journal, and esoteric toolkit. It is operated by a UK-based sole trader. Our website is getgrimoire.app. You can contact us at grimoireapp@protonmail.com. For data protection matters, please use the subject line “Privacy: [your query]”.
What Personal Data We Collect
Account and profile data. When you create an account we collect your chosen craft name, email address (used for authentication), and any optional profile details you add, such as a bio, path, or deity associations.
Journal and practice data. Entries you create in the app (grimoire entries, spell logs, ritual records, shadow work, mood and sleep tracking, habit tracking, intentions, and any image or audio attachments) are stored on our servers. See “Who We Share Data With” below for details of our hosting provider.
Natal chart data. If you use the Astrology Tower, you may provide a birth date, time, and location to generate a natal chart. This is stored against your account.
Deity and being records. Entries in your Deity Journal (deity names, symbols, notes, and encounter logs) are stored on our servers linked to your account.
Notification preferences. If you enable push notifications, we store your preferences and the device push token issued by your operating system, solely to deliver reminders you have requested. You can withdraw consent at any time in Settings.
Device permissions. We only request a device permission when you actively use a feature that requires it:
- Camera: to photograph items for grimoire attachments or your profile picture.
- Photo / media library: to attach existing images or audio to entries.
- Microphone: to record audio notes for attachment to entries.
- Notifications: to deliver practice reminders you have configured.
We do not access these capabilities in the background or share their output beyond what is described in this policy.
Authentication data. Sign-in is handled by Supabase Auth. We store the credentials needed to verify your identity (email plus hashed password, or OAuth provider tokens if you use social sign-in). We never see your raw password.
Subscription data. Subscription payments are processed entirely by Google Play (Android) and the Apple App Store (iOS). We do not collect, see, or store your payment card details. When you subscribe, Google or Apple notify us that your account has an active subscription. We store only the subscription status and its expiry date against your account in order to unlock premium features.
Waitlist email address. If you join the waitlist on this website, we collect your email address to notify you of launch. That is all we collect at sign-up.
Analytics data. This website uses Vercel Analytics, which collects anonymised, aggregate data including page views, referrer, and country-level location. No cookies are set. No personal identifiers are stored.
Email correspondence. If you contact us by email, we collect the information you include in that message in order to respond to you.
Why We Collect It and Our Lawful Basis
Account and practice data. We store your account, journal, and practice data to provide the service you signed up for, so that your grimoire persists across devices. Our lawful basis is contract.
Subscription data. We process the subscription status and expiry date passed to us by Google Play or the Apple App Store in order to unlock premium features for paying users. Our lawful basis is contract.
Notifications. We send push notifications only with your explicit permission. Our lawful basis is consent. You can withdraw at any time in Settings.
Waitlist email. We use your email to notify you when the app launches. Our lawful basis is consent; you opted in by submitting the waitlist form.
Analytics. Anonymised analytics help us understand how visitors use the site and improve it. Our lawful basis is legitimate interests. Because Vercel Analytics is cookieless and collects no personal data, this processing has minimal privacy impact.
Email correspondence. We process email in order to respond to your enquiry. Our lawful basis is legitimate interests.
Who We Share Data With
We do not sell your data. We do not share it with advertisers. We share it only with the following sub-processors, where necessary to operate the service:
Supabase. All app data (your account, journal entries, natal chart, deity records, notification preferences, and uploaded files) is stored in Supabase, our database, file storage, and authentication provider. Supabase runs on AWS (EU region) and is GDPR-compliant. Their privacy policy is at supabase.com/privacy.
Resend. We use Resend to send transactional emails, including the waitlist launch notification. Your email address is stored in Resend's system solely for this purpose. Their privacy policy is at resend.com/privacy.
Authentication emails (signup confirmation, password reset) are delivered via Resend (Resend, Inc.). Resend processes only the recipient email address and the contents of these transactional messages for the brief moment of delivery. We do not share journal content, profile data, or other personal information with Resend.
Vercel. This website and our admin panel are hosted on Vercel, which also provides anonymised analytics. Vercel is GDPR-compliant. Their privacy policy is at vercel.com/legal/privacy-policy.
Affiliate partners. The in-app shop contains affiliate links to Amazon (via the Amazon Associates programme), Etsy (via the Etsy affiliate programme), and other partner platforms. When you tap an affiliate link you leave Grimoire and enter the partner's environment, at which point their privacy policy applies, including any tracking cookies they set to attribute the referral. Grimoire receives only anonymised commission reports from these partners; we never see your personal purchase data. Affiliate links are clearly identified within the app.
Where data is transferred outside the UK (for example to Resend servers in the USA), those transfers are covered by Standard Contractual Clauses or the UK International Data Transfer Agreement.
How Long We Keep Your Data
Account and practice data. We keep your data for as long as your account is active. When you delete your account (via Settings → Account → Delete Account in the app, or by submitting a request at getgrimoire.app/delete-account if you can no longer sign in), all your personal data is permanently removed within 30 days. Backup copies are purged on their normal rotation, typically within 90 days.
Waitlist email addresses. Retained until the launch notification has been sent, then deleted within 30 days. If you ask to be removed before then, we will do so promptly.
Email correspondence. Retained for up to 12 months from the last exchange, unless there is reason to keep it longer (such as an ongoing dispute).
Analytics data. Anonymised and aggregated. No personal data is retained.
Your Rights Under UK GDPR
You have the right to:
- Access the personal data we hold about you
- Correct inaccurate data (most profile data you can update yourself in-app)
- Ask us to delete your data; the quickest route is to delete your account in-app
- Receive your data in a portable, machine-readable format
- Restrict or object to processing in certain circumstances
- Withdraw consent at any time, where consent is the lawful basis, without affecting prior processing
- Lodge a complaint with the ICO if you believe we have mishandled your data
To exercise any of these rights, email grimoireapp@protonmail.com. We will respond within one month. The Information Commissioner's Office (ICO) is the UK supervisory authority for data protection. You can find out more at ico.org.uk.
For more information about your data protection rights, visit the Information Commissioner's Office.
Security
All data in transit is encrypted via TLS. Data at rest is encrypted by Supabase. We enforce Row Level Security on all database tables so users can only access their own data. Authentication tokens are stored securely on device using the platform's secure storage. Despite these measures, no system is completely secure; please use a strong password and keep your device safe.
Cookies
This website does not use tracking or advertising cookies. Vercel Analytics operates without cookies and does not collect personally identifiable information. No cookie consent banner is required. If this changes, this policy will be updated and a cookie notice will be added to the site.
Data Complaints
If you have a complaint about how we have handled your personal data, please email grimoireapp@protonmail.com with the subject line “Data Protection Complaint”. We will acknowledge within 5 working days and aim to resolve within 30 days. If you are not satisfied, you have the right to escalate to the ICO at ico.org.uk/make-a-complaint.
Children
Grimoire is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with their data, please contact us and we will delete it promptly.
Changes to This Policy
We may update this policy from time to time. Material changes will be notified via an in-app notice or email. The date at the top of this page shows when it was last updated.
Contact
Questions about this policy or your data? Email us at grimoireapp@protonmail.com.