Privacy Policy

What Solace collects, why, where it goes, and what control you have over it.

Plain-English summary

• Solace works without an account. If you never sign in, your data (journal, moods, streak, etc.) stays on your phone only.
• Sign-in is optional. If you DO sign in (email/password or Google), your data is also backed up to our cloud (Firebase / Firestore) so you can restore it on a new device or after reinstall.
• When you chat with Pixel (the AI), your message is sent to our server which routes it to a third-party AI provider so Pixel can reply. We don’t store the conversation server-side; we don’t sell it.
• We use AdMob for non-personalized ads on the free tier. You can go ad-free with Solace Pro.
• We use Firebase (Google) for authentication and cloud backup only. We do NOT use Firebase Analytics or Crashlytics; the app has no third-party telemetry SDK.
• Voice journaling uses your phone’s microphone, but speech recognition runs on-device — your audio never leaves your phone.
• We do not sell your data to anyone, ever.
• You can wipe everything (local data + cloud backup + your account) with one tap inside the app: Settings → Account → Delete account & all data.

What data Solace collects

1. Information you provide directly

When you use Solace you may enter:

• A first name or nickname
• An ex-partner’s first name (used to personalize Pixel’s messages)
• Onboarding answers (relationship type, breakup date, emotional state, hardest time of day, healing goals, support style)
• Mood entries (mood label + intensity + optional note)
• Journal entries (text, optional tags, optional lock)
• Letters and reasons-to-leave entries
• Custom triggers and red flags

Where it lives: all of the above is stored locally on your device in a private Hive database inside the app’s sandboxed storage — other apps on your phone cannot read it. The database itself is not encrypted at rest beyond the Android app sandbox; we don’t claim stronger protection than the OS provides. Data does not leave your device unless you explicitly export it (Therapist PDF) or sign in to enable cloud backup.

2. Account & cloud backup (only if you sign in)

Sign-in is entirely optional. The app’s core features all work without an account.

If you choose to sign in (Settings → Account), we collect:

• Your email address (always, via Firebase Authentication)
• Your Google profile name + avatar (only if you sign in via Google)
• A Firebase user ID (a random string Google generates to identify your account)

After sign-in, the app uploads a full backup of your local Hive data to Firestore at user_backups/{your-user-id}. The backup contains:

• Streak history
• Mood entries
• Journal entries (yes — including ones marked as locked)
• Letters and reasons-to-leave entries
• Settings, achievements, healing-tasks progress
• Memory-vault entries

Backups happen:

• Automatically right after you sign in
• When you tap Back up now in Settings → Account
• Backups are NOT continuous — the app does not push every change in real time. If you want the latest data on the cloud, tap Back up now.

You can:

• Restore a backup on any signed-in device via Settings → Account → Restore latest backup (this overwrites local data with the cloud copy).
• Sign out at any time — this stops further backups but does NOT delete the existing cloud backup.
• Delete your entire account (cloud backup + Firebase Auth user + local data) in one tap via Settings → Account → Delete account & all data. See the Account & Data Deletion page for full details.

Where it lives: Google Firebase (Firestore + Firebase Authentication), in Google’s data centers. Google is a sub-processor; their privacy practices are governed by firebase.google.com/support/privacy and policies.google.com/privacy.

Encryption: Firestore encrypts data at rest by default. The transfer to/from Firestore is over HTTPS / TLS 1.2+.

3. AI chat (“Pixel”) messages

When you talk to Pixel:

• Your message is sent over HTTPS to our Cloud Functions proxy hosted on Google Cloud (breakup-b3f13.cloudfunctions.net).
• The proxy forwards it to one of several third-party AI providers (Google Gemini, Groq, OpenRouter, Mistral, Cerebras, Cloudflare Workers AI). The choice is made automatically by latency and health.
• The reply is streamed back to your device.
• We do not log message contents server-side. Rate-limit counters are held in memory only and are wiped on every Cloud Function cold restart (typically every 15–60 minutes). Anonymized error logs (e.g. “Provider X failed with status 500”) may be retained by Google Cloud Logging for up to 30 days under Google’s default retention, and contain only error metadata — not your prompt content.
• The third-party AI providers see the message text in transit. Their privacy policies apply to that hop:
  • Gemini: policies.google.com/privacy
  • Groq: groq.com/privacy-policy
  • OpenRouter: openrouter.ai/privacy
  • Mistral: mistral.ai/terms-of-service
• A short rolling history of your recent messages (up to 12 turns) is sent with each request so Pixel can remember context. This history is held only in memory; it isn’t persisted server-side.

4. Subscription / purchase data

If you upgrade to Solace Pro:

• The transaction is handled by Google Play Billing. Solace never sees your card or PayPal details — only a token confirming Pro is active.
• Your Pro status is stored locally so the app can unlock features offline.

5. Ad data (free tier only)

We use Google AdMob to show occasional ads (app-open, interstitial, rewarded). For users under 18 or in regions with strong consent rules (EEA, UK, California), we serve non-personalized ads only.

AdMob may collect a device-level advertising identifier and basic device info (model, OS version, language, IP-derived country). See policies.google.com/technologies/ads for full details.

You can:

• Reset your advertising ID at any time in Android Settings → Privacy.
• Opt out of personalized ads in Android Settings → Privacy → Ads.
• Remove ads entirely by upgrading to Solace Pro.

6. Crash logs (local only)

Solace records uncaught errors to a local Hive log so we can fix them if you choose to send the log via the in-app feedback button.

• Crash logs stay on your device. They are NOT sent automatically.
• We do not use Firebase Crashlytics or any third-party crash reporting SDK — Solace’s pubspec.yaml doesn’t include one.
• We do not use Firebase Analytics or any third-party analytics SDK. There are no event-tracking calls in the app.
• You can view, copy, or wipe the local crash log in Settings → About → Crash Logs.

6b. Voice journaling (microphone)

Solace offers an optional voice-to-text feature for journal entries. When you tap and hold the microphone button:

• The app uses Android’s on-device speech recognition engine via the speech_to_text library.
• Audio is captured by Android, transcribed locally, and the resulting text is handed back to Solace.
• Your voice never leaves your device. Solace neither records nor uploads audio.
• The OS may, depending on device settings, route on-device speech recognition through Google’s Speech service. This is a system-level setting controlled by your phone’s settings, not by Solace.
• You can revoke microphone permission at any time in Android Settings → Apps → Solace → Permissions.

7. Data we explicitly DO NOT collect

• Contacts, SMS, call logs
• Photos, files outside our own folder
• Camera (we never request that permission)
• Precise location (we don’t use GPS at all)
• Health/fitness sensor data
• Browsing history outside the app
• We DO request microphone for the optional voice-journal feature (see section 6b) — but the audio never leaves your device.

Children

Solace is rated for 18+ users. We do not knowingly collect data from anyone under 18. If you believe a minor has used the app, email us and we’ll delete their data on request.

Your rights

You can, at any time:

• View / export all data Solace has stored locally — tap Settings → Privacy → Export Data to copy a JSON dump to your clipboard.
• Delete local data — tap Settings → Privacy → Clear All Data. This is irreversible and wipes journal, mood, streak, settings, and achievements from your device. NOTE: this does NOT delete your cloud backup or Firebase Auth account if you signed in. To delete those, see the Account & Data Deletion page.
• Cancel Solace Pro from Google Play → Subscriptions.
• Delete your account, cloud backup, and local data in one tap: Settings → Account → Delete account & all data. (Or email us if you can’t access the app.)
• Revoke microphone permission at any time in Android Settings → Apps → Solace → Permissions.

EU/UK users: under GDPR you have additional rights including the right to portability, correction, and to lodge a complaint with your data protection authority. Email us to exercise any of these.

California users: under CCPA you have the right to know what we collect, the right to delete, and the right not to be discriminated against for exercising those rights. We do not sell personal information.

Data retention

• On your device: until you delete it, or uninstall the app.
• Cloud backup (if signed in): retained as long as your account exists. Use the in-app delete button or email us to request deletion.
• Firebase Auth account: retained until you (or we, on your request) delete it.
• AI proxy rate-limit counters: in memory only; wiped on Cloud Function cold restart (typically 15–60 minutes).
• Cloud Logging (Google): anonymized error metadata may be retained up to 30 days under Google’s default retention.
• Local crash log on your phone: until you wipe it via Settings → About → Crash Logs, or until the app is uninstalled.
• Subscription tokens: retained as long as your Pro subscription is active, then 90 days after cancellation for refund/dispute resolution.

Security

• All in-transit data is HTTPS / TLS 1.2+.
• Local data is stored in Hive boxes inside the app’s private storage (sandboxed by Android — other apps cannot read it). The data is not additionally encrypted at rest beyond the Android sandbox; we don’t promise stronger protection than the OS provides.
• Optional app-level biometric lock (Settings → Privacy → Biometric Lock) gates access to the entire app behind your device’s fingerprint or face. This protects against casual access if your phone is unlocked. It does NOT cryptographically encrypt the on-disk data.
• The “locked” flag on individual journal entries hides them from the list view and the Therapist PDF export. It is a UI gate, not cryptographic encryption.
• Cloud backups are stored in Firestore, which encrypts data at rest by default (Google’s standard).
• AI provider API keys are stored in flutter_secure_storage (Android Keystore-backed).

Changes to this policy

If we materially change this policy, we’ll bump the “Last updated” date and show an in-app notice on the next launch. We will not retroactively use your data for purposes you didn’t agree to.

Contact

Questions, requests, or complaints: raghebtube@gmail.com

We reply to every privacy-related email within 14 days.