Privacy Policy
Last updated: 23 April 2026
ThinkWell (the "app") is a personal journaling app. This policy explains what data we collect, how we use it, and the choices you have.
Who we are
ThinkWell is operated by Luke Sarfas as an individual developer. For any privacy questions, contact luke@sarfas.com.
Data we collect
- Email address — used solely to identify your account and to sign you in. Stored in AWS Cognito.
- Account ID — a random identifier assigned by Cognito when you sign up. Used to associate your data with your account.
- Your journal content — entries, entities (people, places, things), relationships, and preferences you create in the app. Stored in AWS DynamoDB and AWS S3 in the eu-west-1 region, tied to your account ID.
- Crash and performance data — technical information (e.g. error traces, request latencies) sent to AWS CloudWatch to help us fix bugs. Tagged with your account ID so we can investigate issues tied to your account.
Data we do not collect
- We do not track you across apps or websites.
- We do not sell your data.
- We do not share your data with advertisers or third-party analytics platforms.
- We do not access your contacts, photos, location, microphone, camera, or any other device capability unless you explicitly grant permission for a specific feature.
How your content is used
Your journal entries are processed by AWS Bedrock (Anthropic Claude) to extract entities, relationships and discoveries that power the Life Map and Insights features of the app. Prompts containing your content are sent to AWS Bedrock in the eu-west-1 region. Per AWS Bedrock's terms, your content is not used to train any foundation model and is not retained by AWS Bedrock after processing.
Spotify integration
If you connect your Spotify account, ThinkWell uses the Spotify Web API under the user-read-recently-played scope to show your most recent plays, so you can attach the track you were listening to to a journal entry.
- We request only the user-read-recently-played scope. We cannot control playback, read your playlists, or access your library.
- Only tracks you explicitly attach to an entry are stored. The broader listening history returned by Spotify is held in memory for the duration of the picker and is not persisted.
- Attached tracks are stored as the track ID, name, artist names, album art URL and play timestamp, alongside the entry they belong to. They follow the same storage and security model as your journal content above.
- We do not share your Spotify data with third parties, and we do not use it for advertising, profiling, or training any model.
- You can disconnect at any time in Settings → Spotify → Disconnect. This deletes the stored Spotify access and refresh tokens from your device. To fully revoke ThinkWell's access on Spotify's side as well, visit spotify.com/account/apps.
- Tracks you have already attached to past entries remain in those entries after disconnecting, because they are part of your journal content. You can remove them individually from each entry's soundtrack section.
ThinkWell is not endorsed, certified, or otherwise approved in any way by Spotify. "Spotify" is a trademark of Spotify AB.
Who has access
Within the app, only your signed-in account can read your data. Access is enforced by AWS Cognito and fine-grained IAM policies that restrict each user's records to their own account ID. At the infrastructure layer, AWS and the app's administrators could technically access records at rest — see the Security section below for the honest picture.
Security
Your journal content is encrypted on your device with AES-256-GCM before being written to local storage. The encryption key is generated on your device and stored in the iOS Keychain (on iPhone/iPad) or Android Keystore, so that another app or an attacker with read access to the filesystem cannot read your entries directly off the device.
When your data syncs to our servers (AWS DynamoDB and AWS S3 in eu-west-1), it travels over TLS and is stored with AWS server-side encryption. This is not end-to-end encryption. That means AWS, and anyone with administrative access to our AWS account, could in principle read the records at rest on the server. We do not access your journal content for any purpose other than delivering the app's features (e.g. entity extraction by AWS Bedrock, described above) and restoring your data on a new device.
If you want stricter guarantees — for example an unreadable-by-anyone-but-you model — you can use the app in offline mode without signing in, in which case nothing leaves your device.
Your rights
- Export your data — you can export your entries and entities at any time from the app.
- Delete specific data — delete entries, entities or relationships from within the app.
- Reset account — "Reset account data" in Settings permanently deletes all your content from our servers while keeping your account.
- Delete your account — "Delete account" in Settings permanently deletes your account and every piece of data tied to it. This cannot be undone.
If you want to exercise any of these rights and cannot access the app, email luke@sarfas.com.
Data retention
Data is retained for as long as your account exists. Deleting your account removes all associated data within 30 days.
Children
ThinkWell is not directed at children under 13 and we do not knowingly collect data from them.
Changes to this policy
If we materially change this policy we will update the "last updated" date above and, where appropriate, notify you in-app.