Privacy Policy
Privacy Policy
Last updated: March 31, 2026
1. Introduction
Welcome to Encory ("we," "our," or "us"). We are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application and services.
Encory is a private, encrypted application for tracking intimate encounters. Given the sensitive nature of the data you entrust to us, we have implemented industry-leading security measures, including end-to-end encryption.
2. Data Controller
Encory Encory.app Czech Republic Email: privacy@encory.app
3. Information We Collect
3.1 Account Information
- Email address - Required for account creation and authentication
- Password - Stored as a secure hash, never in plain text
- Preferred language - For localized communications
3.2 Encrypted Personal Data
The following data is end-to-end encrypted using your personal PIN code. We cannot access or read this data:
- Partner information (nicknames, physical attributes, contact details)
- Intimate encounter records (dates, activities, notes)
- Custom activities and preferences
- Photos (partner photos, profile photos)
- Public profile data (when you create one)
3.3 Technical & Usage Data
- Device information - Browser type, operating system
- Log data - IP addresses, access times, pages viewed
- Cookies - Session management, language preferences
- Push notification tokens - If you enable push notifications
3.4 Membership & Payment Data
- Subscription tier and status
- Billing interval (monthly/yearly)
- Subscription start and end dates
- Promo code redemption history
- Creem.io customer ID - Links your account to payment records
Note: We do not store your payment card details. All payment information is processed and stored securely by our payment provider, Creem.io.
3.5 Profile Visit Analytics (Premium Feature)
When you create a public profile, we collect anonymous visitor data to provide you with visit statistics:
What We Collect:
| Data | Source | Privacy Measure |
|---|---|---|
| Visitor hash | SHA-256(IP + User-Agent + daily salt) | Raw IP never stored |
| Country, region, city | Vercel edge headers | No precise coordinates |
| Device type | User-Agent parsing | Categories only (desktop/mobile/tablet) |
| Browser & OS family | User-Agent parsing | Generic family names only |
| Visit timestamp | Server | Standard logging |
| URL type used | Internal | main/custom/temporary link |
Privacy Protections:
- No raw IP addresses - We only store a one-way hash that changes daily
- Daily salt rotation - The visitor hash becomes unlinkable after 24 hours
- No tracking cookies - Analytics use request headers only
- No external APIs - Geolocation from Vercel headers, no third-party services
- Owner visits excluded - Your own profile visits don't count in statistics
- Rate limiting - Maximum 1 record per visitor per profile per minute
Who Can See Analytics:
- Only Premium members can view detailed analytics
- Non-Premium members see only the total visit count
- You can only view analytics for your own public profile
- Visitors are never individually identified
4. How We Use Your Information
We use your information for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide and maintain our service | Contract performance |
| User authentication and security | Contract performance, Legitimate interest |
| Send service-related notifications | Contract performance |
| Process payments and subscriptions | Contract performance |
| Process membership upgrades | Contract performance |
| Respond to support requests | Contract performance |
| Send marketing communications (with consent) | Consent |
| Improve our services | Legitimate interest |
| Comply with legal obligations | Legal obligation |
5. End-to-End Encryption
5.1 How It Works
Your sensitive data is encrypted on your device before being transmitted to our servers:
Your PIN → Key Derivation (PBKDF2) → Encryption Key → TweetNaCl Encryption → Encrypted Data
5.2 What This Means
- We cannot read your data - Only you hold the encryption key
- We cannot recover your data - If you forget your PIN, your data is permanently inaccessible
- We cannot comply with data requests - We technically cannot decrypt your intimate data, even if legally required
5.3 Optional Key Storage
You may choose to store your encryption key on our servers for convenience. In this case:
- Your key is encrypted with our master key (AES-256-GCM) before storage
- The key is only decrypted in memory when you access your data
- You can delete the stored key at any time
6. Data Sharing and Disclosure
We do not sell your personal data. We may share information only in these cases:
6.1 Service Providers
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database & Authentication | EU (Ireland) |
| Resend | Email delivery | EU (Ireland) |
| Vercel | Hosting | EU (Frankfurt) |
| Creem.io | Payment processing | EU |
6.2 Payment Processing (Creem.io)
When you make a purchase, Creem.io (Creem Technologies Ltd.) processes your payment. They may collect:
- Payment card details
- Billing address
- Transaction history
- Device and browser information for fraud prevention
Creem.io processes this data according to their own Privacy Policy. We receive only:
- A customer ID to link payments to your account
- Subscription status and billing dates
- Transaction confirmations
We never receive or store your full payment card number.
6.3 Legal Requirements
We may disclose information if required by law. However, due to end-to-end encryption, we can only provide:
- Account existence confirmation
- Email address
- IP logs and access timestamps
- Subscription and payment metadata
- Unencrypted metadata
We cannot provide your encrypted intimate data.
6.4 Business Transfers
In case of merger, acquisition, or asset sale, your data may be transferred. You will be notified of any such change.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion |
| Encrypted data | Until account deletion |
| Photos | Until manually deleted or account deletion |
| Subscription records | Until account deletion |
| Payment transaction logs | 7 years (legal requirement) |
| Server logs | 90 days |
| Backup data | 30 days after deletion |
| Profile visit records | Until account deletion |
| Visit analytics aggregates | Until account deletion |
When you delete your account:
- All your data is permanently deleted within 30 days
- Encrypted data becomes permanently inaccessible
- Photos are removed from storage
- Subscription records are anonymized or deleted
8. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the following rights:
| Right | Description |
|---|---|
| Access | Request a copy of your personal data |
| Rectification | Correct inaccurate data |
| Erasure | Delete your account and all data |
| Restriction | Limit how we process your data |
| Portability | Export your data in a machine-readable format |
| Objection | Object to certain processing |
| Withdraw Consent | Revoke consent at any time |
To exercise these rights, contact us at privacy@encory.app or use the in-app settings.
Note: Due to encryption, we cannot access or export your encrypted data. You can export your own data using the in-app export feature (Plus/Premium).
For payment data: To exercise rights related to payment data held by Creem.io, contact them directly or request assistance from us at privacy@encory.app.
9. Cookies
We use the following cookies:
| Cookie | Purpose | Duration |
|---|---|---|
sb-* | Supabase authentication session | Session |
locale | Language preference | 1 year |
pwa-install-dismissed | Install prompt preference | 24 hours |
promo-bar-dismissed | Promo bar preference | Session |
age-verified | Age verification status | Session |
You can manage cookies through your browser settings. Disabling essential cookies may affect functionality.
10. Security Measures
We implement multiple layers of security:
- End-to-end encryption - Your data is encrypted before leaving your device
- TLS/HTTPS - All connections are encrypted in transit
- Row Level Security - Database-level access controls
- Secure password hashing - Using industry-standard algorithms
- Anonymous photo storage - Photos stored with random IDs, not user IDs
- Signed URLs - Time-limited photo access (1 hour)
- PCI-compliant payments - Payment processing via Creem.io
- Regular security audits - Ongoing security assessments
11. International Data Transfers
All your data is processed exclusively within the European Union. Our service providers operate EU-based data centers:
| Provider | Location |
|---|---|
| Supabase | Ireland |
| Vercel | Frankfurt, Germany |
| Resend | Ireland |
| Creem.io | European Union |
No personal data is transferred outside the EU/EEA.
12. Age Restriction
Encory is intended for users 18 years of age or older. We do not knowingly collect data from minors. If you believe a minor has created an account, contact us immediately.
13. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of significant changes via:
- Email notification
- In-app notification
- Notice on our website
Continued use after changes constitutes acceptance of the updated policy.
14. Contact Us
For privacy-related questions or to exercise your rights:
Email: privacy@encory.app Data Protection Officer: dpo@encory.app
For complaints, you may also contact your local Data Protection Authority.