Privacy Policy
Last updated: 28 June 2026
This notice explains what personal data Kept(“Kept”, “we”, “us”) collects when you use the Kept journal, why we collect it, and the rights you have over it. It is provided as a standalone notice under India’s Digital Personal Data Protection Act, 2023 (the “DPDP Act”), separate from our Terms & Conditions.
The short version
Your journal entries are end-to-end encrypted on your own device before they are saved. The key is derived from a secret only you know and never leaves your browser, so we cannot read your entries — not your habits, sleep, moods, notes, titles, or anything you write. We hold only encrypted, unreadable data.
Who is responsible for your data
Kept is the Data Fiduciary for the personal data described here. For any privacy question, data-rights request, or complaint, contact our Grievance Officer at mondaldev75@gmail.com.
What we collect, and why
- Your email address — collected by our authentication provider when you create an account, used solely to sign you in, secure your account, and send password-reset emails. If you sign in with Google, Google confirms your identity to us; we receive your email address.
- Your journal content — months, days, habits, sleep and mood entries, memorable moments, blank-page writing, titles, preferences, and avatar choices. This is encrypted on your device and stored only in encrypted form. We process it solely to provide and sync the journal service to you.
- Basic technical data — standard request information (such as IP address) is processed transiently by our hosting and authentication providers to deliver the service and keep it secure. We do not run analytics, advertising, or third-party trackers.
Consent
We process your data on the basis of your consent, which you give by a clear affirmative action when you create an account and agree to this policy. Your consent is free, specific, informed, and limited to the purposes above. You can withdraw it at any time — as easily as you gave it — by deleting your data from within the app (Settings → Reset / delete) or by writing to mondaldev75@gmail.com. Withdrawing consent does not affect processing already carried out.
Service providers we use
- Firebase Authentication (Google) — verifies your identity and manages sign-in. It does not receive your journal content.
- Supabase — stores your account record and your encrypted journal data. It cannot read your entries.
- DiceBear avatar service — if you create a journal character, your appearance choices(e.g. hair, eyes) are sent to DiceBear’s API to render the picture. These choices are not personal diary content; no journal entries are ever sent.
How long we keep it
We keep your account and encrypted data for as long as your account exists. When you delete your data or account, it is removed from our active systems. Because your content is encrypted with a key we never hold, it is unreadable to anyone — including us — at all times.
Your rights under the DPDP Act
As a Data Principal, you have the right to:
- access a summary of the personal data we process about you;
- correct, complete, update, or erase your personal data;
- withdraw consent and have your data deleted;
- nominate another person to exercise your rights in the event of death or incapacity;
- a readily available means of grievance redressal (below).
Grievance redressal
To exercise any right above or raise a complaint, contact our Grievance Officer at mondaldev75@gmail.com. We will acknowledge and respond within the timelines required by the DPDP Act and its Rules. If unresolved, you may approach the Data Protection Board of India.
Children
Kept is not directed at children under 18. We do not knowingly process a child’s data without verifiable parental consent. If you believe a child has created an account, contact us and we will remove it.
Changes to this policy
We may update this policy as the service or the law evolves. We will revise the “Last updated” date above and, where appropriate, notify you in the app.
This document is provided in good faith to explain our practices and align with the DPDP Act, 2023. It is not legal advice. We recommend an independent legal review before relying on it for compliance.