Are my entries private and secure?
Short answer: Yes and yes! Your entries are visible only to you and stored securely with encryption. As long time journal-writers ourselves, we know how important it is that personal entries are private and secure.
Long answer: All user-generated application data is stored in a secure, encrypted database. All sensitive data (like journal entries) is fully encrypted before it is ever stored. This means that in the extremely unlikely chance our database is ever compromised, a hacker would only find encrypted text (aka, a whole bunch of random characters) rather than any sensitive information. Our application is served via TLS (the successor to SSL), which means that all communication between your device and Reflection.app is also secured and encrypted.
We do use third-party software tools for notifications, analytics, and customer support. The data provided to these third parties never includes the contents of your private entries, and are used to provide you with a better user experience. For example, an email that notifies you that you have completed six entries only tracks the number of entries completed, but has no access to the content of them.
The scary-to-admit, but honest, truth is that no online system is impenetrable. Often the biggest risk to user privacy is a weak password, which is why we encourage you to authenticate via Google at sign-in and enable 2-factor authentication on your Google account to further protect your account. You can revoke access to Reflection.app at any time from your Google account security dashboard (instructions here). Authenticating with Google does not give Google access to your personal entries.
Why send user data to the cloud instead of keeping it all local on the device?
There are a lot of reasons we decided to not store your data locally. The first is that we knew we wanted to build a true multi-platform app. So no matter what your device, or where you are, you can easily add entries and reflect with your journal. If entries were saved locally only — for example on your phone only, this would not be possible. Having a web app, means we can’t rely on any local data. Also if we relied only on local data, and if you lose or damage your local device all of your entries would be lost forever — which as avid journal writers ourselves is a terrifying thought. We feel confident in our approach to data privacy and security and the risks have been mitigated. Above all, the biggest risk to your data is someone else accessing your device, or someone accessing your password — both risks would exist even if your data was not stored in the cloud.
If you have any other questions about the privacy and security of your data, please don't hesitate to reach out. 🤓