privacy policy.
last updated · June 7, 2026
Flow Through the Spiral (“the App,” “we,” “us”) is operated by Diana Cook in the State of New York. We respect your privacy. This policy explains what we collect, why, and the choices you have.
what we collect
- account information — email address, an optional first name, and a securely hashed password.
- your in-app activity — feelings you select, flows you save or complete, journal entries you write, messages you post in the group chat, and Sunday check-in responses. Journal entries and private notes are stored on your account and not shared.
- payment information — if you subscribe, our payment processor (Stripe, Inc.) collects your card details directly. We never see or store your full card number.
- device and usage data — basic analytics such as pages visited, time spent, and approximate location derived from IP address. We use this data to improve the App.
- cookies and local storage — see our cookie notice.
how we use it
To operate the App, deliver flows and messages, process subscription payments, prevent abuse, respond to your questions, and improve the product. We do not sell your personal information. We do not share it with advertisers. We do not use journal entries or check-in responses to train third-party AI models.
who we share with
We share only what is necessary, only with vetted service providers bound by confidentiality:
- Supabase — database, authentication, and storage hosting.
- Stripe — payment processing and subscription billing.
- Cloudflare — content delivery and security.
- Resend or a comparable provider — transactional email (welcome, password reset).
- Analytics providers we may use for aggregate usage metrics.
We will also disclose information when required by law, to protect the safety of any person, or in connection with a corporate transaction (in which case this policy continues to apply).
your rights
You can request a copy of your data, ask us to correct or delete it, or close your account at any time. Write to diana.r.cook@gmail.com and we will respond within thirty (30) days. Residents of California, Colorado, Connecticut, Virginia, and similar states have additional rights under their state laws, including the right to opt out of “sales” or “sharing” of personal information. See our do not sell or share page.
data security
We follow reasonable safeguards designed to protect personal information, as required by the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). This includes encryption in transit and at rest, access controls, security training, and ongoing review of our practices. No system is perfectly secure; if a breach affecting your information occurs, we will notify you as required by law.
data retention
We keep account information for as long as your account is active. After you delete your account, we remove personal content within ninety (90) days, except where we are required by law to keep records (for example, tax records related to payments).
children
The App is intended for adults. We do not knowingly collect information from anyone under sixteen (16). If you believe a child has provided us with information, write to us and we will delete it.
international users
The App is operated from the United States. If you use it from elsewhere, your information is processed in the United States and subject to U.S. law.
changes
We will update this policy from time to time. If we make material changes, we will notify you by email or in-app notice before they take effect.
questions? write to diana.r.cook@gmail.com.