Privacy Policy
Jottii is built around a zero-knowledge end-to-end encryption model. Your journal entries and notes are encrypted on your device using a key derived from your master passphrase before they are uploaded for sync. We can't read your content, even if compelled to.
1. Who we are
Jottii is operated by FestivLabs ("we", "us"). This policy explains what data we collect when you use jottii.com and the Jottii web app (the "Service"). Native desktop and mobile apps are not yet available; this policy will be updated when they ship.
2. Data you give us
- Account: email address only. Sign-in is by a 6-digit code we email you on each request - we do not store passwords or third-party OAuth identifiers.
- Subscription: when you upgrade through Dodo Payments, we receive a customer ID, plan, billing cycle, and status. We do not see or store your full card number - that stays with Dodo Payments.
3. Data Jottii uploads on your behalf
Encrypted journal and note content (ciphertext only), per-entry metadata required for sync (random IDs, version numbers, updated-at timestamps), and an encrypted preferences blob (e.g. accent color). Plaintext content, titles, and tags never leave your device.
4. Data we collect automatically
Standard server logs (IP, user-agent, timestamps) generated by Supabase, Vercel, and Dodo Payments for security, abuse prevention, and billing. We do not run ad SDKs, marketing trackers, or session replay tools anywhere in the Service.
5. How we use data
Provide and sync the Service across your devices, authenticate you (sending the 6-digit sign-in code to your email each time you sign in), process subscriptions and refunds via Dodo Payments, send transactional email (sign-in codes, payment receipts, security notices), prevent abuse, and meet legal obligations. We do not sell or rent your data and we do not use it to train models.
6. Subprocessors
We rely on the following processors to operate the Service:
- Supabase - auth, database, realtime sync (US/EU regions)
- Vercel - web hosting and serverless functions
- Dodo Payments - Merchant of Record for subscription billing and tax
7. Data retention
We keep your encrypted content and account record for as long as your account exists. Deleting your account permanently removes your account row and your encrypted entries within 30 days. Billing records retained by Dodo Payments and tax records we are legally required to keep may persist longer.
8. Your rights
You can request export, correction, or deletion of your personal data, and you can withdraw consent at any time. Email jottii@festivlabs.com from the address on file and we will respond within 30 days. Residents of the EEA, UK, and California have additional rights under GDPR / CCPA, including the right to lodge a complaint with your local supervisory authority.
9. Security
Content is encrypted client-side with XSalsa20-Poly1305 (via tweetnacl) using a key derived from your master passphrase with Argon2id / scrypt. Transport uses TLS. We cannot recover your content if you forget your master passphrase - there is no backdoor and no reset path.
10. Children
Jottii is not directed at children under 13 (or under 16 in the EEA). Do not create an account if you are below the applicable age.
11. Changes
We will update the "Last updated" date at the top of this page when we change this policy. Material changes will be announced via in-app notice or email.
12. Contact
Privacy questions: jottii@festivlabs.com