Privacy Policy

Greyfeathers Studios ("we", "us", or "our") operates the Project Journal web application and Chrome extension (collectively, the "Service"). This Privacy Policy explains what information we collect, how we use it, and the choices you have in relation to your data.

This policy is compliant with the Information Technology Act, 2000, the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 (DPDPA) of India. By using the Service you agree to the practices described below.

1. Information We Collect

1.1 Information you provide

• Account details — email address and password when you register or accept an invitation.
• Project content — project names, descriptions, journal entry titles, text descriptions, and images you upload.
• Invitations — email addresses of collaborators you invite to projects.

1.2 Information collected automatically

• Log and usage data — IP address, browser type, pages visited, timestamps, and error logs collected by our hosting infrastructure.
• Cookies and local storage — authentication session tokens stored in cookies. We do not use advertising or third-party tracking cookies.
• Chrome extension data — the extension captures content you explicitly submit as a journal entry. It does not read browsing history or background page content.

1.3 AI-processed content

When you use AI-powered features (such as search or insights), the text content of your journal entries may be sent to a third-party AI provider (OpenAI) for processing. Images you upload may be analysed via OCR. We do not use your content to train AI models.

2. How We Use Your Information

• Provide, operate, and improve the Service.
• Authenticate your identity and maintain account security.
• Enable project collaboration by processing invitation emails.
• Generate AI-powered summaries, search results, and insights from your journal entries.
• Send transactional emails (account invites, password resets) — we do not send marketing emails without your explicit consent.
• Detect and prevent fraud, abuse, or security incidents.
• Comply with applicable Indian laws and respond to lawful requests from governmental authorities.

3. Sharing of Information

We do not sell, rent, or trade your personal information. We may share data only in the following circumstances:

• Service providers — we use Supabase (database and authentication), Vercel (hosting), and OpenAI (AI features). These providers process data on our behalf under data processing agreements and are bound by appropriate security obligations.
• Project collaborators — your name/email and the project content you create may be visible to other members of a project you belong to.
• Legal compliance — we may disclose data to comply with court orders, government directives, or other legal obligations under Indian law, including under Section 69 of the IT Act, 2000.
• Business transfers — in the event of a merger, acquisition, or sale of assets, user data may be transferred. We will notify you before any such transfer takes effect.

4. Data Storage and Security

• Your data is stored on servers managed by Supabase and Vercel, which may be located outside India. By using the Service you consent to such cross-border transfer as permitted under the DPDPA, 2023.
• We implement industry-standard security measures including encrypted connections (TLS/HTTPS), hashed passwords, and row-level security on our database.
• Uploaded images are stored in a private or public Supabase Storage bucket with access controls.
• No method of electronic storage or transmission is 100% secure. We will notify you if a data breach materially affects your personal data, as required by applicable law.

5. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law (e.g., for tax or audit purposes) or for legitimate business interests such as fraud prevention.

6. Your Rights

Under the Digital Personal Data Protection Act, 2023 and other applicable Indian laws, you have the following rights:

• Right to access — request a copy of the personal data we hold about you.
• Right to correction — ask us to correct inaccurate or incomplete data.
• Right to erasure — request deletion of your personal data, subject to legal retention requirements.
• Right to grievance redressal — raise a complaint with our Grievance Officer (details below).
• Right to withdraw consent — where processing is based on your consent, you may withdraw it at any time (this will not affect the lawfulness of processing prior to withdrawal).
• Right to nominate — nominate another individual to exercise these rights on your behalf in the event of your death or incapacity, as provided under the DPDPA.

To exercise any of these rights, contact us at the address below. We will respond within 30 days.

7. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.

8. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those sites. We encourage you to review their privacy policies before providing any personal information.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For material changes, we will notify you by email or by displaying a prominent notice within the Service. Continued use of the Service after such notice constitutes your acceptance of the updated policy.

10. Grievance Officer & Contact

In accordance with the Information Technology Act, 2000, and the DPDPA, 2023, we have appointed a Grievance Officer. If you have any complaints or concerns regarding the processing of your personal data, you may contact:

11. Governing Law & Jurisdiction

This Privacy Policy shall be governed by and construed in accordance with the laws of India. Any disputes arising under this policy shall be subject to the exclusive jurisdiction of the courts in India.