Privacy Policy

WeKintsugi · wekintsugi.com

Effective Date: May 19, 2026
Last Updated: May 19, 2026
Version: 1.1


1. Data Controller

This service is operated by YI STUDIO, based in Copenhagen, Denmark (EU).

For any privacy-related inquiries, please contact us at: privacy@wekintsugi.com


2. Our Core Privacy Commitment

WeKintsugi is a dual-blind parallel writing application. Two people each write privately about a shared memory, and neither can see what the other has written until both have finished and chosen to reveal their words together.

Privacy is not a feature of this product — it is the product. The entire mechanism depends on each person's words remaining invisible to the other, and to us, until both sides are ready.

To uphold this commitment:

  • Your sealed writing content is encrypted using AES-256-GCM with a unique encryption key generated for each card. The platform is designed so that your writing content is not accessed in readable form before the mutual reveal ("flip").
  • We do not serve advertising, and we do not sell, rent, or trade your personal data to any third party for marketing or profiling purposes.
  • We do not use tracking cookies or cross-site trackers.
  • We collect only the data necessary to operate the service, and we tell you exactly what that data is in this policy.

3. Data We Collect and Process

3.1 Account Data

When you create an account, we collect and store:

  • Email address — your primary identity on the platform, used for authentication and transactional notifications.
  • Display name (optional) — a name you choose to show to your counterpart instead of your email address.
  • Language preference — your preferred interface and email language (English, Simplified Chinese, Traditional Chinese, or Japanese).
  • Adult attestation timestamp — a record that you confirmed you are 18 years of age or older.
  • Authentication method — whether you signed in via magic link, Google, or Apple. We do not store OAuth tokens from third-party providers; authentication is delegated to Supabase, our database and authentication provider.

3.2 Card Metadata (Unencrypted)

When you create a card (an invitation to write together about a shared memory), the following metadata is stored in unencrypted form:

  • Time marker — a human-scale time reference you provide (e.g., "That summer," "2024年春天"). This is a brief phrase, not a precise date.
  • Scene description — a short phrase identifying the shared moment (e.g., "The afternoon the vase broke"). This field is user-authored and may contain personal details such as names or locations.
  • Emotional tone word — selected from a preset list; visible only to the card creator, never shown to the other party.
  • Invitation recipient's email address — the email of the person you are inviting.
  • Card status and lifecycle timestamps — records of when the card was created, accepted, sealed, revealed, and archived.
  • Card language — the language in which the card was created.

These fields are stored in unencrypted form because they are needed for notifications, interface display, and invitation delivery. We want to be transparent: while your writing content receives strong encryption, the time marker and scene description do not.

3.3 User-Authored Writing Content (Encrypted)

Your writing — the emotional core of this product — receives the strongest protection we offer:

  • After you seal (finalize) your writing, it is encrypted using AES-256-GCM before being stored on our servers. Each card uses a unique encryption key.
  • The platform is designed so that your writing content is not accessed in readable form before the mutual reveal. Decryption occurs only when both parties have sealed their writing and one of them initiates the reveal.
  • We store the encrypted payload, initialization vector, and authentication tag separately for each piece of writing.
  • A word count is recorded in unencrypted form as a simple metric. No part of the actual text is derivable from the word count.

3.4 Draft Content (Device-Only)

During the writing process, before you seal your work:

  • Unsent drafts are temporarily stored in your browser's local storage (localStorage) to prevent accidental loss.
  • Drafts are never uploaded to our servers. They exist only on your device, in your browser.
  • Once you seal your writing, the local draft is automatically removed.
  • If you clear your browser data, switch devices, or use a different browser, your unsaved draft cannot be recovered. We have no access to it and cannot restore it.

3.5 Cookies and Local Storage

We use only strictly necessary cookies and local storage. No consent banner is required because we do not use any analytics, advertising, or preference cookies.

Item | Purpose | Duration | Type
sb-[projectid]-auth-token | Login session management | Session / auto-refresh | Strictly necessary
sb-[projectid]-auth-code-verifier (localStorage) | PKCE login security verification | Cleared immediately after login completes | Strictly necessary
kintsugi_invite_preview | Allows unauthenticated users to preview an invitation card | Up to 24 hours or invitation expiry, whichever is earlier | Strictly necessary
localStorage draft | Temporary draft storage during writing | Until sealed or browser data cleared | Strictly necessary

3.6 Analytics

We use Vercel Analytics, which operates without cookies and without cross-site tracking. It collects anonymous, aggregated page-view statistics using a daily-refreshed anonymous hash at the network edge. No personal data is collected, stored, or transmitted to us through this mechanism.

3.7 Server Access Logs

Our hosting provider (Vercel) automatically collects standard server access logs, which may include IP addresses, user agent strings, and response codes. Log retention periods are determined by our current Vercel plan and may change; please refer to Vercel's privacy policy for details. We do not extract or store personal data from access logs.

3.8 Safety and Moderation Data

If you submit a safety report (e.g., reporting abusive behavior or content), we collect the structured information you provide, which may include a description of the concern and a cryptographic hash of any evidence. Safety reports may be retained for extended periods, including beyond account deletion, where required for legal compliance or the protection of other users.


4. How We Use Your Data

We process your personal data for the following purposes:

Purpose | Data Used | Legal Basis (GDPR Art. 6)
Providing the core service (card creation, writing, reveal) | Account data, card metadata, encrypted writing | Performance of contract — Art. 6(1)(b)
Sending transactional notifications | Email address, card metadata (scene/time fragments) | Performance of contract — Art. 6(1)(b)
Authentication and session management | Email address, session cookies | Performance of contract — Art. 6(1)(b)
Delivering an invitation to someone you invite | Recipient's email address, card metadata | Legitimate interest — Art. 6(1)(f) (see Section 5)
Preventing abuse and ensuring safety | Account data, safety reports, relationship blocks | Legitimate interest — Art. 6(1)(f)
Anonymous aggregated analytics | None (anonymized at collection) | Legitimate interest — Art. 6(1)(f)
Complying with legal obligations (e.g., responding to lawful requests, mandatory reporting) | Any data as legally required | Legal obligation — Art. 6(1)(c)

5. When You Invite Someone: Processing a Third Party's Email

When you create a card and enter another person's email address, you are providing us with someone else's personal data. We process this email address to deliver the invitation and to verify the recipient's identity upon acceptance.

Our legal basis for this processing is legitimate interest (Art. 6(1)(f)): enabling the core function of the product — a mutual, consensual writing exchange initiated by one party and accepted or declined by the other.

The invited person:

  • Receives a single invitation email. If the invitation nears expiry, an expiry reminder will be sent to both parties (the person who sent the invitation and the recipient).
  • Is never added to any mailing list, marketing database, or public directory.
  • May decline the invitation or simply let it expire. Declining does not create an account.
  • Upon accepting, gains full rights as a user, including all rights described in Section 9 of this policy.

If you receive an invitation you did not expect, you may ignore it. If you believe your email was used without your knowledge or consent, please contact us at privacy@wekintsugi.com.


6. Third-Party Services

We use the following third-party service providers to operate WeKintsugi. Each processes data only as necessary to provide their specific function.

Provider | Function | Data Shared | Privacy Policy
Supabase (AWS infrastructure) | Database hosting, user authentication | Email addresses, all database-stored content (including encrypted writing), authentication data | supabase.com/privacy
Vercel | Application hosting, serverless functions | Server access logs (IP addresses, user agents) | vercel.com/legal/privacy-policy
Resend | Transactional email delivery | Recipient email addresses, email content including card metadata fragments (time marker, scene description) | resend.com/legal/privacy-policy
Google (OAuth) | Optional authentication | OAuth exchange data; we do not store Google tokens | policies.google.com/privacy
Apple (Sign In with Apple) | Optional authentication | OAuth exchange data; we do not store Apple tokens | apple.com/legal/privacy

We do not share your data with any other third parties. We do not sell your data. We do not use your data for advertising.


7. Data Retention

Data Category | Retention Period | Rationale
Account data | Until you request deletion | Necessary for ongoing service
Active card data (metadata + encrypted writing) | Until you request account deletion | Core product function
Archived card data | Retained per your archive choice; "released" cards are removed from your personal view but underlying data is retained until account deletion | User-controlled archive destiny
Draft content (localStorage) | Until sealed or browser data cleared | Device-only; we have no control over retention
Safety reports | May be retained beyond account deletion | Legal compliance and user protection
Server access logs | Per Vercel's current plan retention policy | Platform-managed; not under our direct control
Email delivery logs | Per Resend's retention policy | Managed by Resend for deliverability monitoring

When you delete your account, your personal data (account information, card metadata, and writing content) will be permanently deleted within 30 days. Where a card involves two parties, your writing content will be permanently removed and marked as unavailable to the other party; the other party's own writing remains intact.


8. Local Storage Disclaimer

Unsaved draft content exists only in your browser's local storage. Please be aware:

  • Clearing your browser data will permanently delete any unsaved drafts.
  • Safari's Intelligent Tracking Prevention (ITP) may automatically clear local storage for sites not visited within 7 days.
  • Switching devices or browsers means your draft will not follow you.
  • Device loss or failure may result in permanent draft loss.

We cannot recover lost drafts. To the maximum extent permitted by applicable law, YI STUDIO disclaims all liability for any loss of locally stored draft data arising from browser behavior, operating system policies, device failure, or any circumstance beyond our reasonable control.


9. Your Rights

9.1 Under the GDPR (European Economic Area)

If you are located in the EEA, you have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate personal data.
  • Erasure ("right to be forgotten") — request deletion of your personal data. See Section 7 for details on how deletion works in the context of shared cards.
  • Restriction of processing — request that we limit how we use your data.
  • Data portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interest.
  • Withdraw consent — where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at privacy@wekintsugi.com. We will respond within 30 days.

If you believe our processing of your personal data violates the GDPR, you have the right to lodge a complaint with Datatilsynet (the Danish Data Protection Agency), our lead supervisory authority. You may also contact the data protection authority in your country of residence.

9.2 Under the CCPA / CPRA (California, USA)

If you are a California resident, you have the right to know what personal information we collect, request its deletion, and opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at privacy@wekintsugi.com.


10. Data Security

We implement the following security measures:

  • Strong server-side encryption of writing content — AES-256-GCM with per-card unique keys, random initialization vectors, and authentication tags.
  • Row-Level Security (RLS) — database-enforced access controls ensuring users can only access data they are authorized to see.
  • Signed invitation tokens (JWT) — invitation links use signed, time-limited tokens that are verified against a server-side version counter to prevent reuse after revocation.
  • No plaintext writing on servers before seal — draft content remains exclusively on your device until you choose to seal it.
  • HTTPS everywhere — all data in transit is encrypted via TLS.
  • Email deliverability monitoring — automated suppression of addresses that bounce or generate complaints, preventing unwanted email delivery.

No system is perfectly secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security against all threats.


11. Children's Privacy

WeKintsugi is designed for adults. You must be at least 18 years old to use this service. We require age attestation during registration and do not knowingly collect data from anyone under 18.

If we become aware that we have collected personal data from a person under 18, we will take steps to delete that data promptly. If you believe a minor has used this service, please contact us at privacy@wekintsugi.com.


12. International Data Transfers

Our infrastructure providers (Supabase, Vercel, Resend) are based in the United States. If you are located outside the United States, your personal data will be transferred to and processed in the United States.

These providers maintain data processing agreements and transfer mechanisms, including Standard Contractual Clauses (SCCs) and/or the EU-U.S. Data Privacy Framework where applicable, as part of their standard service terms. We are committed to ensuring that appropriate data processing agreements are executed with each provider. You may request further details about these safeguards by contacting us.


13. Planned Future Features

The following provisions describe features that are planned but not yet implemented. No data flows described in this section are currently active. These provisions will apply only if and when the corresponding features are released and enabled by you.

13.1 Encrypted Draft Cloud Sync

We may introduce the ability to synchronize your draft writing across devices. If implemented, draft content would be encrypted on your device before being transmitted to our servers, using a mechanism consistent with our existing encryption architecture. You would need to opt in to this feature.

13.2 Physical Card Printing

We may offer the option to order a physical printed version of a completed card. If implemented, this feature would require you to provide a mailing address, which would be shared with a third-party printing and fulfillment partner solely for the purpose of producing and delivering the printed card. We would disclose the identity of the fulfillment partner at the time this feature becomes available.

13.3 Public Story Showcase

We may introduce an optional feature that allows anonymized or abridged versions of mutually treasured card narratives to appear in a curated public showcase on the platform. This feature would require explicit, affirmative consent from both parties to the card. Participation would be entirely voluntary, and you would be shown a clear preview of what would be displayed before consenting. You could withdraw consent at any time, and the content would be removed from the showcase. A separate, detailed consent flow would be presented at the time this feature is introduced.

13.4 Permanent Witness Credential (Blockchain)

We may explore the creation of cryptographic attestation tokens (sometimes referred to as "soulbound tokens") to commemorate mutually treasured cards. If implemented, certain metadata — but never the text of your writing — could be recorded on a public, permanent blockchain. By nature, blockchain records are public, permanent, and cannot be deleted or modified. This feature would require explicit, informed consent, and we would provide a separate detailed policy explaining the privacy implications before any data is committed to a blockchain. No such feature is active today.


14. Changes to This Policy

We may update this Privacy Policy to reflect changes to our practices, legal requirements, or new features. When we make material changes:

  • We will update the "Last Updated" date at the top of this page.
  • We will provide notice through an in-app notification at least 14 days before the changes take effect.
  • Continued use of the service after the effective date constitutes acceptance of the updated policy.

For non-material changes (e.g., clarifications or formatting), we will update the page without separate notice.


15. Contact

For any questions, concerns, or requests related to this Privacy Policy or your personal data:

YI STUDIO
Copenhagen, Denmark (EU)
Email: privacy@wekintsugi.com

We aim to respond to all inquiries within 30 days.


This Privacy Policy is currently available in English and Simplified Chinese (简体中文). Additional language versions may be provided in the future.

In the event of any inconsistency between the English version and any translated version of this policy, the English version shall prevail.