We’re boring about data on purpose.

When you write a letter: the recipient label, the subject, the body, the mode you picked, an IP-hash for rate-limiting, and a session cookie bound to that letter. If you opt in, your email for the receipt. Nothing else.

If you sign in, we also store your email address and the Supabase auth session.

We don’t store analytics on letter content. We don’t know what your letters are about. We don’t attempt to identify you from your writing. We don’t resell, share, or license anything to third parties for advertising, marketing, or model training.

An AI (Anthropic’s Claude Sonnet 4.6) reads your letter exactly once to generate the reply and reflection. The model is stateless — it does not retain your letter between requests, does not train on it, and cannot recall it after the request ends. Anthropic’s terms of service govern that request; see Anthropic’s Commercial Terms.

No human on our team has ever read your letter, and the architecture prevents us from doing so casually — vaulted rows are owner-scoped and anonymous rows auto-delete.

Anonymous letters: the row is automatically deleted 24 hours after you wrote it. Every hour, a scheduled job sweeps anything past its expiry.

If you claim a letter (vault it to the Graveyard), it lives there until you delete it.

If you schedule a receipt further out (a week, a year, a specific date), the row is kept alive only until one day after its delivery window; then the sweep collects it like any other.

Receipts are sent via Resend, which retains the sent email for its own operational logs subject to Resend’s privacy policy.

If you use the mic button on the compose page, your audio is sent to OpenAI’s Whisper API for transcription and then discarded. We never write the audio to disk and we never write it to our database — it exists in request memory on our server for the duration of the upload, and that’s all.

We keep the transcribed words in the letter body (same storage, same retention, same rules as if you’d typed them). We do not keep the voice. OpenAI’s handling of that single request is governed by OpenAI’s privacy policy; per their enterprise API terms, API audio is not used for model training.

We set exactly one functional cookie — uem_session— to bind letters to the browser that wrote them. Supabase sets additional auth cookies only when you sign in. No third-party tracking cookies. No advertising cookies.

Reflections published to the Wall are anonymous by design: we expose only the one sentence and the calendar date. No recipient label, no letter body, no user ID, no IP. You can take your reflection down at any time from the original thread page.

You can request deletion of anything we hold on you by emailing ct@ctoumbas.net. For EU residents: this also covers GDPR right-to-be-forgotten requests, which we honour.

If we change how any of this works, we’ll update the date at the top of this page. We won’t email you about it — we barely email you at all.