NothingBox Privacy Policy
Last updated: May 25, 2025
NothingBox is a private calm space. This policy explains what we collect, what we don't, and how your data is handled — in plain language, not legalese.
1. What NothingBox collects
If you use the app without signing in:
Everything stays on your device. Your journal entries, mood selections, breathing sessions, sound preferences, and theme choice are stored in your browser's local storage. Nothing is sent to our servers. We never see it.
If you choose to sign in with Google:
We store your name, email address, and profile picture (provided by Google when you sign in), your journal entries so they sync across your devices, and a session token to keep you signed in for 7 days.
We do not store your Google password. We never see it.
What we do not collect:
- We do not track you across websites
- We do not use advertising cookies or third-party analytics
- We do not sell, share, or monetise your data in any way
- We do not read your journal entries for any purpose other than syncing them to your devices
- We do not use your journal entries to train AI models
Anonymous aggregate usage (added May 2026):
We collect anonymous, aggregate usage data to improve NothingBox: approximate country/region (derived from your IP address, which is not stored), device type, browser, and how you found us (the referring website or UTM parameters in the URL). This data cannot identify you personally. We do not use cookies or third-party analytics for any of this.
2. How AI features work
When you write or speak a reflection, the text is sent to an AI model (GPT-4.1-mini) to generate a 1–2 sentence empathetic response. Voice journaling is transcribed using OpenAI Whisper. Weekly summaries use up to 15 recent entries.
Important limits:
- AI responses are not stored beyond your session
- Your entries are never used to retrain AI models
- If AI takes longer than 1.8 seconds it is silently skipped — the app works fully without it
- The AI is configured to never give advice, never diagnose, and never suggest clinical action
3. Your journal entries
Your entries belong to you. We do not read, analyse, or act on their content. You can delete entries at any time. If you delete your account, all stored entries are permanently deleted within 30 days.
Known limitation: deleting an entry on one device may not immediately propagate to other devices. We are working to fix this.
4. Cookies and local storage
We use a session cookie (httpOnly, expires after 7 days, never accessible to JavaScript) and browser local storage (stores entries and preferences locally, only readable on your device). No third-party tracking or advertising cookies of any kind.
5. Children
NothingBox is intended for people aged 13 and above. We do not knowingly collect information from children under 13. If you believe a child under 13 has signed up, email us and we will delete their account.
6. Your rights
You can request access to, deletion of, or correction of your data at any time. Email us at privacy@nothingbox.app and we will respond within 14 days.
7. Data retention
- Journal entries: retained until you delete them or close your account
- Session tokens: expire automatically after 7 days
- AI responses: not retained beyond your active session
8. Changes to this policy
If we make significant changes we will update the date at the top of this page. Continued use of NothingBox after changes means you accept the updated policy.