Privacy
Our commitments to you.
Last updated: May 29, 2026.
What we collect
When you sign up, we collect your email address and a password (stored as a salted hash, never plaintext). During onboarding, we collect a small set of signals: how you describe your partnership situation, how conversations tend to go in your relationship, an optional birth year (which we use only to verify you're 18+, and store as a year), and an optional gender field. Your display name and pronouns, if you give them, live alongside.
As you use the app, we store: discovery module answers, the reflections those generate, daily check-in scores (mood and alignment), optional check-in notes, journal entries, your timezone, and a quiet record of which content you've seen (so the recommender can avoid repeating itself).
We do not collect: location data, device contacts, social graph data, or anything from your phone outside the app itself.
What is encrypted at rest
The following fields are encrypted using AES-256-GCM with keys held only on our server, never in our database:
- Discovery module answers
- Reflection bodies (the prose your modules generated)
- Daily check-in notes
- Free-text journal notes and journal entry titles
- The optional “another identity” gender label
- Feedback message bodies
In practice: someone with read access to our database — an engineer doing maintenance, a future acquirer doing diligence, a court order — can't read these fields. They see only ciphertext. The encryption keys are separate from the database and held in a different security perimeter.
Some data stays plain so we can use it: dates, scale numbers (the mood and alignment 1-to-5 values), tags you attach to a journal entry, and the structural metadata needed for the recommender (which step you're on, when you last advanced, etc.). None of this is the substance of what you wrote.
Who can read what
The short version: by default, no one but you reads anything.
People working on Euderos cannot read your encrypted writing. We can read the structural data needed to fix bugs and run the service — your email, when you last signed in, which step of which pillar you're on, whether your check-ins have been submitted, what your timezone is. We cannot read the prose underneath any of it.
We do not sell data. We do not share data with advertisers. We do not have ad tracking on the app surfaces. Marketing pages (this one included) have basic privacy-respecting analytics that count visits without identifying you.
The one exception to “no one but you”: if law enforcement compels us via valid legal process to produce data we hold, we will produce what we hold — but because the substance is encrypted, what they can read is the metadata, not the writing. We will resist overbroad requests, document them when we're legally permitted to, and notify you unless legally prohibited from doing so.
Partner sharing (when it exists)
When the partner flow ships, it will work like this. A partner you've explicitly invited and who has accepted can read only the specific entries you've explicitly shared with them. Nothing is shared by default. Sharing is per-entry, not blanket. You can unshare any entry at any time, silently — your partner is not notified that something changed.
The compare surfaces in the partner flow are designed around one principle: they show difference, never better or worse. They do not show how often each person checked in. They do not surface streaks. They do not enable comparison-as-pressure. If we get this wrong, please tell us.
Account deletion
You can delete your account from your account settings. When you do, here's what happens:
- Your encrypted writing is deleted from our database immediately.
- Backups are scrubbed of your data on a 30-day rolling window. After that point, your data is gone from backups too.
- We retain a minimum record of your email having existed (for legal compliance and to honor any outstanding disputes). That record contains your email and a deletion timestamp. Nothing else.
You can download a complete copy of your data at any time from your account settings. The archive is a JSON file with everything we hold on your behalf, decrypted so you can read it yourself. Generating it takes a few seconds.
You can change your mind and come back.If you delete your account and later decide to return, you can sign up again with the same email — it'll be a fresh account, with no link to the previous one. If you kept the export archive you downloaded before deletion, you can also upload it from your new account's settings, and we'll re-create your journal entries, reflections, and check-ins under the new account. Pillar progress restarts and any previous partner sharing is reset to private, but the writing you kept comes back.
Deletion of inactive accounts
Dormant accounts are a security and privacy liability, not an asset. Sitting credentials can be guessed or breached, and encrypted writing held indefinitely behind an unused account is data we'd rather not be the custodian of.
So: after 18 monthsof no sign-ins, we begin a six-month warning window. We email the address on file at least three times — about 6 months, 3 months, and 1 month before deletion — telling you exactly when deletion will occur and explaining that signing in resets the clock. The final notice includes a link to generate a data export so you can keep your writing even if you don't want to keep the account.
If you don't respond, deletion runs at the end of the window via the same process described above. To keep your account, just sign in — that's the only action required. If the email on file is no longer one you check, update it from account settings before going quiet so the warnings reach you.
What changes if you're in the EU, UK, or California
Residents of the EU, UK, and California have specific statutory rights under GDPR, UK GDPR, and CCPA respectively. We honor those rights for all users, not just residents of those jurisdictions — which means anyone using Euderos can:
- Ask what we hold about you (right of access)
- Get a copy in a portable format (data portability)
- Correct inaccurate data (right of rectification)
- Delete your data (right to be forgotten)
- Withdraw consent for processing at any time
Email privacy@euderos.com to exercise any of these.
Children
Euderos is for adults (18+). We don't knowingly collect data from anyone under 18. If you believe a child has signed up, write to privacy@euderos.com and we'll delete the account immediately.
Changes to this policy
If we materially change how we handle your data, we'll notify you by email, and the change won't apply to previously-collected data without your consent. We log every revision to this page so the older versions are reviewable on request.
Contact
For anything privacy-related, write to privacy@euderos.com. We aim to respond within five business days.