Data & Security
Effective: 22 April 2026 · Last updated: 22 April 2026
This page describes the technical and organisational security measures Clarity uses to protect your data. It complements our Privacy Policy.
Cloud vs Device Control (User Choice)
- User-controlled sync: for eligible modules, users can choose device-only mode or cloud sync mode.
- Multi-device rule: if you want eligible data to appear on multiple devices, cloud sync must be enabled.
- Leaderboard rule: leaderboard participation requires cloud publication because ranking data must be processed in cloud services.
- Content-creation sync exclusion: Creator Studio outputs/history, PDF Studio signature vault/output state, Resume Builder drafts, and E-Sign Vault signatures are not cloud-synced.
- StatementIQ confidentiality rule: StatementIQ files and extracted outputs are not allowed to cloud-sync as personal historical records.
1. Data categories and storage locations
| Category | Where it lives | Encryption at rest |
|---|
| Account identity (email, auth tokens) | Firebase Authentication (Google Cloud) | Google-managed AES-256 |
| Journal, Track, Mind, StepUp, Vault records | On-device by default; cloud storage only for features where user enables cloud sync or leaderboard participation | Google-managed AES-256 (cloud) + AES-256 at device-level |
| Creator Studio, PDF Studio signatures/state, Resume Builder drafts, E-Sign Vault | On-device only; not cloud-synced | Device-level encryption |
| Bank statement PDFs (StatementIQ) | Ephemeral — processed in memory, deleted within 60 minutes; not cloud-synced for cross-device storage | TLS in transit; never written to long-term storage |
| Generated images (Canvas) | Cloudflare R2 object storage | AES-256 |
| Voice recordings (when cloud STT is used) | Ephemeral — sent to provider, discarded after transcription | TLS in transit; provider does not retain |
| On-device model packs | Your device only | Device-level encryption (Android StrongBox / iOS Secure Enclave) |
2. Encryption in transit
- All traffic between your device and Clarity servers is TLS 1.3.
- Transport is HTTPS/TLS-only with strict backend origin controls for API access.
- Cloud AI sub-processors are called over TLS 1.2+ with HSTS.
3. Authentication
- Firebase Authentication with email, Google, and Apple Sign-In.
- Short-lived (1-hour) ID tokens with automatic refresh.
- Optional device-level biometric / passcode lock at app entry (fingerprint, Face ID, or system passcode fallback).
- Server enforces per-user rate limits and anomaly detection.
4. Access controls
- Production database access is restricted to a named list of engineers with hardware-key MFA.
- All production access is logged and reviewed monthly.
- No customer support agent can read your journal, Vault, or financial content.
5. Secret and key management
- API keys and service credentials live in Google Secret Manager, rotated quarterly.
- No secrets are stored in the mobile binary or in git history (we scan with
trufflehog on every PR).
6. Backup and disaster recovery
- PostgreSQL automated backups every 6 hours, retained for 30 days.
- Point-in-time recovery up to 7 days.
- Backups are stored encrypted in a second region.
7. Incident response
We maintain an incident-response runbook covering detection, containment, eradication, recovery, and post-mortem. In the event of a personal-data breach, we will notify affected users and relevant regulators within 72 hours of awareness, in line with GDPR Article 33.
8. Vulnerability management
- Dependencies scanned weekly (Dependabot + GitHub Advanced Security).
- Static analysis on every PR.
- Annual third-party penetration test; report summary available on request under NDA.
9. Deleting your data
You can delete your account at any time from Settings → Account → Delete account in the app, or by emailing privacy@jscreatorpro.app. Deletion removes your identifiable data within 30 days (some backup copies may persist for up to 90 days before rolling off). Anonymised aggregate usage statistics are retained.
10. Reporting a vulnerability
Security researchers: please email security@jscreatorpro.app. We do not run a bug bounty programme, but we acknowledge responsible disclosures and aim to triage within 5 business days.