We believe your diary entries are sacred. Here's how we protect them.
Last updated: December 2025
Your entries are encrypted in transit (HTTPS) and at rest using industry-standard encryption
We make money from subscriptions, not your data
We only collect what's necessary to run the service
Your diary entries, AI conversations, and personal reflections are stored with industry-standard encryption (AES-256). Access is strictly controlled and limited to authorized personnel only for specific purposes: fixing reported bugs, responding to your support requests, complying with legal obligations, or preventing fraud and security threats.
Email address, display name (optional), and account preferences. We need this to provide you access to your diary.
Anonymous usage data like "how many entries were written today" to improve the app. This data is aggregated and de-identified.
When you choose to use AI features (conversation, summary), your diary content is processed by third-party AI service providers under our instructions. These providers process data solely to deliver the requested functionality. You must actively choose to share your entry with AI features each time. Your diary content is encrypted during transmission.
Your data is stored on Supabase cloud servers (region varies by project configuration). When you use AI features, your content is temporarily sent to third-party AI service provider servers (location may vary by region). Your data remains protected regardless of where it is processed.
Provide AI conversation features and writing assistance
Sync your diary across your devices securely
Send you important account and service updates
Improve the app with anonymous usage insights
Under GDPR Article 6, we process your data based on the following legal grounds: (1) Contract - to provide the diary service you signed up for; (2) Consent - for optional AI features that you explicitly choose to use; (3) Legitimate interests - to improve our services, ensure security, and prevent fraud. You have the right to object to processing based on legitimate interests.
Sell, rent, or share your personal data with third parties for marketing
Access your diary entries except for specific authorized reasons: fixing technical issues you reported, responding to your support tickets, complying with legal obligations, or preventing fraud and security threats
Show you ads based on your diary content
Track you across other websites or apps
Your data is encrypted in transit using HTTPS (TLS 1.2+) and at rest using industry-standard encryption (AES-256). Access to encrypted data is restricted to authorized senior engineers only for specific purposes: fixing reported bugs, responding to support requests, ensuring security, or complying with legal obligations. Access is logged and monitored.
We use enterprise-grade cloud infrastructure (Supabase) with regular security audits, automatic backups, and designed for high availability.
Only essential team members have access to systems. Access to user data is strictly limited to technical troubleshooting, legal compliance, and security purposes.
We retain your data only as long as necessary to provide our services. Active account data is kept while your account remains active. When you delete your account, we provide a 90-day grace period for recovery and data export, after which all your data is permanently deleted from our systems, unless retention is required by law. Backup copies are retained for up to 90 days for disaster recovery purposes, then automatically purged.
View all your diary entries anytime in the app. Your data is always accessible to you.
Delete your account and all associated data at any time. We provide a 90-day grace period for account recovery and data export, after which all data is permanently and irreversibly deleted.
Update your account information and preferences anytime.
AI conversation feature is opt-in - it only activates when you click "Share with AI". You control when to share your entries with AI.
Request a copy of your data in a machine-readable format (JSON) that you can transfer to another service. We will provide this within 30 days of your request.
Object to processing of your personal data based on legitimate interests. You can opt-out of analytics and non-essential processing at any time.
Request that we temporarily stop processing your data in certain circumstances, such as while we verify the accuracy of your data or assess your objection to processing.
We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects. AI features (summaries, conversations) are optional tools to assist you, not automated decisions about you.
To exercise any of these rights, email us at support@polaris-lab.net with your request. We will verify your identity and respond within 30 days (1 month as required by GDPR). There is no fee for exercising your rights unless requests are manifestly unfounded or excessive.
We're happy to answer any questions about your privacy and data protection.
Email us at: support@polaris-lab.net
We typically respond within 24 hours.
Legal Entity: Polaris Inc. (ポラリス株式会社) Representative: Lucy Kim (金賢智) Address: 2-2-15 Minami-Aoyama, Minato-ku, Tokyo, Japan
Polaris Inc. (ポラリス株式会社) is the data controller responsible for your personal information. As we are a small team, we do not currently have a dedicated Data Protection Officer (DPO). For all privacy-related inquiries, please contact us at support@polaris-lab.net.
haru is currently not available to users located in the European Union or European Economic Area. We are focusing our service on other regions at this time. If you have questions about future availability, please contact us at support@polaris-lab.net.
You must meet the minimum age required under the laws of your jurisdiction (and at least 18 years old) to use haru. We do not knowingly collect personal information from users below this age requirement. If we discover that a user below the required age has provided us with personal information, we will delete it immediately. If you are a parent or guardian and believe your child has provided us with information, please contact us at support@polaris-lab.net.
We believe in transparency about what data we collect and how we track your usage. Here's exactly what we use:
We store your language preference (English, Korean, Japanese, or Chinese) in your browser's local storage. This is essential for providing the website in your preferred language. No personal information is stored.
We do not use advertising or cross-site tracking cookies on this landing page. Limited technical logs may be collected for security and service operation purposes.
We do not use Google Analytics, Facebook Pixel, or similar third-party tracking tools on this landing page for marketing or advertising purposes.
We do not track you across other websites or apps. Your browsing activity outside of haru remains completely private.
We may update this privacy policy occasionally. When we do, we'll notify you via email and update the "Last updated" date at the top. Your continued use of haru after updates means you accept the new terms.
This Privacy Policy and any disputes arising from it are governed by the laws of Japan, without regard to its conflict of law principles. Any legal action or proceeding related to this Privacy Policy shall be brought exclusively in the Tokyo District Court, and you consent to the personal jurisdiction of such courts. This does not affect any mandatory consumer protection rights under the laws of your country of residence.