Privacy Policy

InnerUmbra
Last updated: April 11, 2026
Effective date: April 11, 2026


Our Commitment

InnerUmbra is built on a single foundational promise: what you write here is yours. Your journal entries, your reflections, your shadow work - none of it is sold, analyzed for advertising, shared with third parties for commercial purposes, or used to build a profile of you beyond what is necessary to run the platform. We designed this platform to be a genuinely safe container for inner work. That starts with how we handle your data.

This Privacy Policy explains what information we collect, why we collect it, how we protect it, and what rights you have over it. Please read it carefully.


1. Who We Are

InnerUmbra ("we," "us," or "our") operates the InnerUmbra platform accessible at innerumbra.com. We are the data controller for the personal information described in this policy.

For privacy-related questions or requests, contact us at: privacy@innerumbra.com


2. Information We Collect

We collect only what is necessary to operate the platform and provide you with a meaningful experience.

2.1 Information You Provide Directly

Account Information: When you create an account, we collect your email address and a password (stored as a cryptographic hash - we never store your password in readable form). You may optionally provide a display name.

Journal Entries and Reflections: The shadow work you write within the platform - journal entries, responses to guided prompts, dream logs, archetype notes - is stored in your private account. This content is treated as strictly confidential. It is never read by our team, never used for training AI models, never analyzed for advertising, and never shared with any third party.

Payment Information: When you subscribe or purchase a course, payment is processed by Stripe, a third-party payment processor. We never receive or store your full credit card number, CVV, or billing information. Stripe provides us with a payment token, a masked card identifier (e.g., "Visa ending in 4242"), and a transaction record. For Stripe's privacy practices, see stripe.com/privacy.

2.2 Information Collected Automatically

Usage Data: We collect basic technical information when you use the platform: pages visited, features used, session duration, and actions taken (e.g., completing a module, starting a journal entry). This data is used solely to understand how the product is used and to improve it. It is not used to build advertising profiles.

Device and Log Data: When you access InnerUmbra, our servers automatically record your IP address, browser type, operating system, and the date and time of your request. This information is used for security monitoring and debugging. Log data is retained for a maximum of 90 days.

Cookies and Local Storage: We use a small number of strictly necessary cookies to keep you logged in and to maintain your session. We do not use tracking cookies, advertising cookies, or any third-party analytics cookies that send your data to external services. You can disable cookies in your browser, though this will prevent you from logging in.


3. How We Use Your Information

We use the information we collect for the following purposes only:

Purpose | Legal Basis
Creating and maintaining your account | Performance of contract
Delivering course content and platform features | Performance of contract
Processing payments and managing subscriptions | Performance of contract
Sending transactional emails (receipts, password resets) | Performance of contract
Monitoring for security threats and abuse | Legitimate interests
Debugging and fixing technical issues | Legitimate interests
Understanding aggregate platform usage to improve the product | Legitimate interests
Complying with legal obligations | Legal obligation

We do not use your information for:

  • Targeted advertising of any kind
  • Selling or renting your data to third parties
  • Training AI or machine learning models
  • Building behavioral profiles for commercial purposes
  • Automated decision-making that produces legal or significant effects

4. Data Storage and Security

4.1 Where Your Data Lives

InnerUmbra uses Supabase as its backend infrastructure. Your data is stored on servers within the United States. Supabase employs row-level security (RLS) - a database-level access control system that ensures each user can only access their own data, even at the infrastructure level.

4.2 How We Protect Your Data

We implement the following security measures:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest: Data stored in our database is encrypted at rest by Supabase.
  • Row-level security: Database policies prevent any user - including InnerUmbra staff - from accessing another user's journal content through application queries.
  • Password hashing: Passwords are hashed using bcrypt and never stored in readable form.
  • Payment isolation: We do not store payment card data. All card handling is delegated entirely to Stripe's PCI-DSS compliant infrastructure.

4.3 Data Retention

  • Account and journal data is retained for as long as your account is active. If you delete your account, your data is permanently deleted within 30 days.
  • Log data is retained for 90 days, then deleted.
  • Payment records are retained for 7 years as required by tax and financial regulations. This retention covers transaction records only - not card details, which we never store.

5. Sharing Your Information

We do not sell your personal information. We do not share your personal information with third parties for their marketing purposes. We share information only in the following limited circumstances:

Service Providers: We use a small number of third-party services to operate the platform. These providers process your data only on our behalf, under strict contractual obligations, and only for the purposes we specify:

Provider | Purpose | Data Shared
Supabase | Database, authentication, storage | Account data, journal content
Stripe | Payment processing | Email, payment token
[Email provider] | Transactional email delivery | Email address

Legal Requirements: We may disclose your information if required to do so by law, court order, or governmental authority, or if we reasonably believe disclosure is necessary to protect the rights, property, or safety of InnerUmbra, our users, or the public.

Business Transfers: If InnerUmbra is acquired, merged, or undergoes a change of control, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.


6. Your Rights

Regardless of where you are located, we honor the following rights:

Right to Access: You can request a copy of all personal data we hold about you, including your account information, journal entries, and usage records.

Right to Deletion: You can delete your account at any time from your account settings. This will permanently and irreversibly delete your journal entries and personal information within 30 days. Payment records are retained as required by law (see Section 4.3).

Right to Correction: You can update your email address and display name from your account settings at any time.

Right to Export: You can export your journal entries and reflections from your account settings in a portable format (JSON or plain text) at any time.

Right to Withdraw Consent: Where we rely on your consent to process your data (currently: marketing communications only), you can withdraw that consent at any time.

California Residents (CCPA): If you are a California resident, you have additional rights under the California Consumer Privacy Act, including the right to know what categories of personal information we collect, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising your rights.

EU/UK Residents (GDPR): If you are located in the European Economic Area or the United Kingdom, you have rights under the GDPR including the right to lodge a complaint with your local supervisory authority.

To exercise any of these rights, contact us at privacy@innerumbra.com. We will respond within 30 days.


7. Children's Privacy

InnerUmbra is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will delete it immediately. If you believe a child under 13 has created an account, please contact us at privacy@innerumbra.com.


8. Third-Party Links

The platform may contain links to external websites or resources. This Privacy Policy applies only to InnerUmbra. We are not responsible for the privacy practices of any third-party sites you visit via links from our platform.


9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and notify you by email if the changes are material. Your continued use of InnerUmbra after a policy update constitutes your acceptance of the revised policy.

We will never retroactively change how we handle data you've already provided in ways that reduce your privacy protections without your explicit consent.


10. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us:

Email: privacy@innerumbra.com
Website: innerumbra.com

We aim to respond to all privacy-related inquiries within 5 business days.


This policy is written in plain language by design. If any section is unclear, please reach out - we would rather explain it than have you confused about how your data is handled.