Privacy Policy
At Compose, your privacy isn't just a feature — it's a principle. This Privacy Policy explains what data we collect, why we collect it, how we protect it, and what rights you have. We've written it to be clear and honest, because we believe you deserve to know exactly what's happening with your data.
Compose is operated by Samir Thapa, a sole trader based in the United Kingdom. Compose is available worldwide, and this policy applies to all users regardless of location. We comply with applicable data protection laws including the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and the US Children's Online Privacy Protection Act (COPPA).
If you have any questions about this policy, you can reach us at contact@trycompose.app.
1. What Data We Collect
Data You Provide
- Account information: Your name and email address when you sign up (via Apple Sign In, Google Sign In, or email).
- Journal entries: The text you write in your journal, including any thoughts, reflections, or responses to prompts.
- App preferences: Your settings, colour theme, blocklist/allowlist configuration, and schedule preferences.
Data We Collect Automatically
- Anonymous analytics: We collect anonymised usage data through Firebase Analytics to understand how the App is used and to improve the experience. This data cannot be linked back to you or your journal entries. This includes general usage patterns and feature engagement.
- Crash reports: We collect anonymous crash and error reports through Firebase Crashlytics to help us identify and fix bugs. These reports contain technical information about the crash (such as device state and stack traces) but do not contain your journal entries or personal content.
- Pre-account analytics: We collect anonymised analytics data during onboarding, before you create an account, to help us improve the setup experience.
Data We Collect With Your Permission
- Location data: If you grant Compose permission to access your location, we may collect your geographic location to enable geotagging features (such as tagging journal entries with where you were when you wrote them). You can revoke this permission at any time through your device settings. Location data is never collected without your explicit consent.
Data We Do Not Collect
- We do not collect advertising identifiers.
- We do not use cookies, tracking pixels, or marketing tools.
- We do not collect data from other apps on your device. The Screen Time API is used solely to block and unblock apps you've selected — we do not access or store your usage data from other apps.
Sale of Personal Information
We do not sell your personal information, and we have never sold personal information. We do not share your personal information with third parties for cross-context behavioural advertising. This applies to all users, including California residents under the CCPA/CPRA.
Do Not Track
Some browsers send "Do Not Track" (DNT) signals. Since Compose is a mobile app and does not track users across websites, DNT signals are not applicable. However, for clarity: we do not track you across third-party websites or services.
2. How We Use Your Data
We only use your data to provide and improve Compose. Here's a clear breakdown:
| Data | Purpose | Legal Basis (UK & EU GDPR) |
|---|---|---|
| Account information | To create and manage your account, and to contact you about important changes | Performance of contract; Legitimate interest |
| Journal entries | To store, display, and let you search your journal | Performance of contract |
| Journal entries (AI processing) | To power smart search and auto-tagging features | Legitimate interest (improving your experience) |
| Anonymous analytics | To understand usage patterns and improve the App | Legitimate interest |
| Crash reports | To identify and fix bugs | Legitimate interest |
| Location data | To geotag journal entries (only with your permission) | Consent |
We will never use your data to:
- Train any AI or machine learning models.
- Sell to third parties.
- Serve you advertisements.
- Build a profile of you for marketing purposes.
3. AI-Powered Features
Compose uses AI to provide smart search and intuitive tagging (for example, identifying emotions, people, and topics in your entries). To power these features, your journal entries are processed by a third-party AI service.
Here's how we protect your data during this process:
- Anonymisation: Data is anonymised before being sent to our AI provider for processing.
- Stateless processing: Our AI provider does not retain any of your data after processing is complete. There is no logging, no storage, and no persistence of your content.
- No AI training: Our AI provider does not use your data to train or improve any AI models. This is a contractual requirement of our agreement with them.
If you'd prefer not to use AI-powered features, you can restrict the App's internet access through your device settings, which keeps all your data entirely on your device.
4. How We Store and Protect Your Data
- Encryption at rest: Your journal entries are encrypted when stored on our servers.
- Secure infrastructure: We use Firebase for authentication and cloud storage, which provides enterprise-grade security including encryption in transit (TLS) and at rest.
- Face ID: You can enable Face ID to add a biometric lock to your journal within the App.
- Access controls: Only essential infrastructure has access to stored data. We do not manually access your journal entries.
5. Where Your Data Is Stored
Our cloud infrastructure is hosted on Firebase servers located in the United States. This means your data may be transferred to and stored in the United States, regardless of where you are located.
If you are in the United Kingdom or European Economic Area (EEA), these international transfers are protected by appropriate safeguards, including Google's data processing terms which incorporate Standard Contractual Clauses (SCCs) approved for international data transfers under both UK GDPR and EU GDPR.
If you are located outside the US, UK, or EEA, by using Compose you acknowledge that your data will be transferred to and processed in the United States, where data protection laws may differ from those in your country.
6. How Long We Keep Your Data
| Data | Retention Period |
|---|---|
| Account information | Until you delete your account |
| Journal entries | Until you delete your account |
| Anonymous analytics | Retained according to Firebase Analytics default retention settings (currently 14 months), then automatically deleted |
| Crash reports | Retained according to Firebase Crashlytics default retention period (currently 90 days) |
When you delete your account through the App, your journal entries and personal data are deleted from our servers immediately. Anonymous analytics data that has already been collected cannot be linked back to you and may persist within Firebase's default retention window.
7. Third-Party Services
We use the following third-party services to operate Compose:
| Service | Purpose | Data Shared |
|---|---|---|
| Firebase Authentication | Account creation and login | Email address, authentication tokens |
| Firebase Cloud Storage | Storing your encrypted journal entries | Encrypted journal data |
| Firebase Analytics | Anonymous usage analytics | Anonymised, non-identifiable usage data |
| Firebase Crashlytics | Crash reporting and bug fixes | Anonymous crash/error logs |
| Apple Screen Time API | App blocking functionality | None — processed entirely on-device |
| AI processing service | Smart search and auto-tagging | Anonymised journal content (stateless, not retained) |
We do not share your data with any advertising networks, data brokers, or marketing platforms. We do not use any third-party cookies, tracking pixels, or attribution tools.
Each third-party provider has their own privacy policies, and we encourage you to review them. We select providers who meet our standards for data protection and security.
8. Your Rights
For All Users
Regardless of where you live, you can always:
- Export your data in JSON format directly from the App.
- Delete your account and all associated data at any time through the App.
- Revoke location permissions at any time through your device settings.
- Use Compose offline to opt out of AI processing.
UK and EEA Residents (UK GDPR & EU GDPR)
If you are in the United Kingdom or European Economic Area, you have the following additional rights:
Right of access — You can request a copy of all personal data we hold about you. To make a Subject Access Request, email us at contact@trycompose.app. We will respond within 30 days.
Right to rectification — You can ask us to correct any inaccurate personal data we hold about you.
Right to erasure — You can delete your account and all associated data at any time through the App. You can also email us to request deletion.
Right to data portability — You can export your journal entries in JSON format directly from the App at any time.
Right to restrict processing — You can ask us to restrict how we process your data in certain circumstances.
Right to object — You can object to processing based on legitimate interest. If you object to AI processing of your entries, you can restrict the App's internet access through your device settings.
Right to withdraw consent — Where we process data based on your consent (such as location data), you can withdraw that consent at any time through your device settings.
If you'd like to exercise any of these rights, email us at contact@trycompose.app. We won't charge you a fee for exercising your rights, and we aim to respond to all requests within 30 days.
If you're not satisfied with how we handle your request, you have the right to lodge a complaint with:
- UK residents: The Information Commissioner's Office (ICO) at ico.org.uk
- EEA residents: Your local Data Protection Authority (DPA). A list of EEA DPAs is available at edpb.europa.eu
California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act gives you specific rights regarding your personal information:
Right to know — You have the right to request that we disclose what personal information we collect, use, and share about you. The categories of personal information we collect are detailed in Section 1 of this policy.
Right to delete — You can request deletion of your personal information. You can do this directly by deleting your account in the App, or by emailing us at contact@trycompose.app.
Right to correct — You can request that we correct inaccurate personal information we hold about you.
Right to opt out of the sale or sharing of personal information — We do not sell or share your personal information as defined under the CCPA/CPRA. We have never sold personal information and have no plans to do so.
Right to non-discrimination — We will not discriminate against you for exercising any of your CCPA/CPRA rights.
Categories under CCPA: For transparency, the categories of personal information we collect (as defined by the CCPA) are: identifiers (name, email address), geolocation data (with your consent), and internet or electronic network activity information (anonymised analytics). We do not collect any additional categories beyond what is described in this policy.
To exercise your rights, email us at contact@trycompose.app. We will verify your identity and respond within 45 days as required by law.
Other Regions
If you live outside the UK, EEA, or California, you may have additional rights under your local data protection laws. We are committed to honouring your rights under applicable law. If you'd like to exercise any data protection rights available to you, please email us at contact@trycompose.app and we will do our best to assist you.
9. Children's Privacy
Compose is available to users aged 13 and over, as indicated on our App Store listing. We do not knowingly collect personal data from children under 13, in compliance with the US Children's Online Privacy Protection Act (COPPA) and equivalent protections under UK and EU law.
We do not collect any additional data from users aged 13–17 beyond what is described in this policy, and all the same protections apply equally. We do not sell the personal information of users under 16.
In some jurisdictions, the minimum age for data processing consent may be higher than 13 (for example, 16 in some EU member states). If you are below the age of digital consent in your country, you should review these terms with your parent or guardian before using Compose.
If you are a parent or guardian and believe your child under 13 is using Compose, please contact us at contact@trycompose.app and we will delete their account and data promptly.
We are committed to complying with the UK Age Appropriate Design Code (Children's Code) and ensuring that our App is designed with the best interests of young users in mind.
10. Data Breaches
In the unlikely event of a data breach that affects your personal data, we will:
- Notify the relevant supervisory authority (the ICO in the UK, or the relevant Data Protection Authority for EU users) within 72 hours of becoming aware of the breach, where required by law.
- Notify affected users by email without undue delay if the breach is likely to result in a high risk to your rights and freedoms.
- Take immediate steps to contain the breach and prevent further unauthorised access.
- Comply with any additional breach notification requirements under applicable law, including US state breach notification laws where relevant.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the App, our practices, or legal requirements. When we make changes, we'll notify you by email before they take effect.
The latest version of this Privacy Policy will always be available at trycompose.app/privacy.
12. Contact Us
If you have any questions or concerns about this Privacy Policy, your data, or how we handle privacy at Compose, please get in touch:
Email: contact@trycompose.app
Website: trycompose.app
We're a small team and we genuinely care about getting this right. If something doesn't seem right, please tell us.
This Privacy Policy is effective as of 11 March 2026.