Privacy Policy

Welcome to Dear Future Me (“App”, “we”, “us”, “our”). Dear Future Me is a personal letter-writing application that allows you to write letters to your future self, seal them for a chosen period, and revisit them later with AI-powered reflections.

This Privacy Policy explains how VietByte Company Limited (“VietByte”) collects, uses, stores, and protects your personal data when you use the Dear Future Me application. This policy applies to all users worldwide and is designed to comply with the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

By using Dear Future Me, you agree to the collection and use of information in accordance with this policy.

Data Controller:
VietByte Company Limited
Email: privacy@vietbyte.tech

2.1 Information You Provide Directly

2.2 Information Collected Automatically

2.3 Information from Third Parties

• Apple Sign-In / Google Sign-In: Name and email address (as authorized by you)
• In-App Purchase Data: Transaction IDs and subscription status from Apple App Store or Google Play Store (we do not receive your full payment details)

We process your personal data for the following purposes and legal bases under GDPR Article 6:

Dear Future Me uses artificial intelligence to enhance your experience. Please see our detailed AI Policy for comprehensive information.

Summary of AI Processing:

• AI Reflection: When you open a sealed letter, your letter content, mood, and date metadata are sent to Anthropic's Claude API to generate a personalized reflection.
• AI Seal Art: Your letter's mood and theme are used to generate unique seal artwork via Claude API.
• AI Writing Prompts: Aggregated and anonymized usage patterns are used to generate writing prompts. Individual letter content is NOT used for this purpose.

Important AI Data Protections:

• Your data is processed by Anthropic's Claude API under a zero-retention API agreement. Anthropic does NOT store your letter content after processing.
• Your data is NOT used to train AI models.
• AI processing is performed via secure, encrypted connections.
• You may opt out of AI features at any time in app settings. Opting out does not affect core letter functionality.

5.1 Storage Location

Your data is stored on Supabase infrastructure hosted in Tokyo, Japan (ap-northeast-1). Japan has received an adequacy decision from the European Commission under GDPR Article 45, meaning your data benefits from an equivalent level of protection as within the EU/EEA.

5.2 Security Measures

We implement the following technical and organizational measures:

• Encryption in transit: All data transmitted between your device and our servers uses TLS 1.2 or higher.
• Encryption at rest: All stored data is encrypted using AES-256 encryption.
• Row-Level Security (RLS): Database-level access controls ensure users can only access their own data.
• Voice recording security: Voice recording URLs are generated on-demand with 1-hour expiration tokens.
• Access controls: Strict role-based access for development team members.
• No body logging: API request bodies containing user content are never logged.
• Regular security audits: We conduct periodic security assessments of our infrastructure.

5.3 Storage Buckets

We share data with the following third-party service providers, each acting as a data processor under GDPR:

6.1 Anthropic (Claude API)

• Purpose: AI reflection generation, seal art generation, writing prompt generation
• Data shared: Letter content, mood, date metadata (only when AI features are used)
• Data retention by Anthropic: Zero retention — data is not stored after processing
• Privacy policy: https://www.anthropic.com/privacy

6.2 Supabase

• Purpose: Backend infrastructure, database, authentication, file storage
• Data shared: All user data (as infrastructure provider)
• Location: Tokyo, Japan (ap-northeast-1)
• Privacy policy: https://supabase.com/privacy

6.3 Firebase Cloud Messaging (Google)

• Purpose: Push notification delivery
• Data shared: Device tokens, notification content
• Privacy policy: https://firebase.google.com/support/privacy

6.4 Apple App Store / Google Play Store

• Purpose: In-app purchase processing, subscription management
• Data shared: Transaction data (managed by Apple/Google)
• Note: We do not receive or store your credit card or payment method details.

6.5 Apple / Google Authentication

• Purpose: Sign-in services
• Data shared: Email, name (as authorized by you during sign-in)

We do NOT sell your personal data to any third party.

We do NOT share your letter content with other users unless you explicitly use the “Send to Friend” feature.

We may disclose your data only in the following circumstances:

• With your consent: When you explicitly authorize sharing (e.g., Send to Friend).
• Service providers: With third-party processors listed in Section 6, under data processing agreements.
• Legal requirements: When required by law, court order, or government request.
• Safety: To protect the rights, safety, or property of VietByte, our users, or the public.
• Business transfer: In the event of a merger, acquisition, or sale of assets (you will be notified).

Upon account deletion:

• All personal data is permanently deleted within 30 days.
• Anonymized, aggregated analytics data may be retained.
• Data required for legal compliance (e.g., purchase records) is retained for the legally mandated period.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under GDPR:

How to exercise your rights:

• In-app: Settings > Privacy > Manage My Data
• Email: privacy@vietbyte.tech
• Response time: Within 30 days of receiving your verified request

We will verify your identity before processing any request. We may ask for additional information to confirm your identity.

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to Delete: You may request deletion of your personal information.
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Opt-Out of Sale: We do NOT sell your personal information. No opt-out is necessary.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
• Right to Limit Use of Sensitive Personal Information: You may limit use of sensitive categories.

How to exercise your rights:

• In-app: Settings > Privacy > Manage My Data
• Email: privacy@vietbyte.tech
• Response time: Within 45 days of receiving your verified request

Categories of personal information collected in the preceding 12 months:

• Identifiers (email, name, device tokens)
• Internet activity information (usage data)
• Audio data (voice recordings you create)
• Visual data (images you upload, handwriting)
• Inferences drawn from the above (AI reflections)

We do NOT sell or share personal information for cross-context behavioral advertising.

Dear Future Me is rated 17+ and is NOT intended for children under the age of 17. We do not knowingly collect personal data from anyone under 17 years of age.

• An age verification gate is presented during onboarding.
• If we discover that a user under 17 has created an account, we will promptly delete the account and all associated data.
• If you believe a child under 17 has provided us with personal data, please contact us at privacy@vietbyte.tech.

This policy is in compliance with:

• COPPA (Children's Online Privacy Protection Act) — we do not collect data from children under 13.
• App Store and Google Play age rating requirements.
• GDPR Article 8 — conditions applicable to child's consent.

Dear Future Me is a native mobile application and does not use browser cookies.

We use the following technologies:

We do NOT use:

• Third-party advertising trackers
• Cross-app tracking identifiers
• Fingerprinting technologies
• Social media tracking pixels

App Tracking Transparency (iOS): Dear Future Me does NOT track you across other apps and websites. We do not request the App Tracking Transparency (ATT) permission.

Your data is stored in Tokyo, Japan. Depending on your location, this may constitute an international data transfer.

Safeguards for international transfers:

• Japan: The European Commission has recognized Japan as providing an adequate level of data protection (Adequacy Decision of January 23, 2019), ensuring GDPR-equivalent protection.
• Anthropic (USA): AI processing data is transferred to the United States under Standard Contractual Clauses (SCCs) as approved by the European Commission, supplemented by Anthropic's zero-retention data processing commitment.
• Firebase/Google (USA): Push notification data is transferred under Google's Data Processing Terms incorporating SCCs.

We may update this Privacy Policy from time to time. When we make material changes:

• We will update the “Last Updated” date at the top of this policy.
• We will notify you via in-app notification at least 14 days before the changes take effect.
• For significant changes affecting your rights, we will request renewed consent where required by law.

Your continued use of Dear Future Me after the effective date of the updated policy constitutes your acceptance of the changes.

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data:

VietByte Company Limited
Email: privacy@vietbyte.tech
Data Protection Officer: dpo@vietbyte.tech

For GDPR complaints, you also have the right to lodge a complaint with your local supervisory authority.