Privacy Policy

Last updated: 21 May 2026
Effective: at first public Play Store release

The short version

Hearth is a journal that runs entirely on your phone. Your journal entries, photos, voice memos, and AI-generated reflections never leave your device. There is no cloud account to sign up for. There is no server holding your writing.

There are three small exceptions, all of them opt-in or initiated by you:

Google Play Billing sees that you bought a subscription. It never sees your journal.
Google Drive backup, if you turn it on, sends an encrypted bundle to your own Drive — your passphrase, your storage.
The feedback form, if you choose to use it, sends the text you type to a small server we run. The journal itself is never attached.

Everything below is the long version of those three sentences.

Who runs Hearth

Hearth is built by a small independent team. We do not sell user data and we do not have advertising partners. Our business model is: optional Premium subscriptions on Google Play. That is the only money flow connected to the app.

If you need to reach us about this policy, write to contact@murcur.io. We answer in person — there is no support bot.

What stays on your device

The following are stored only on your phone, in an encrypted local database (SQLCipher):

Every journal entry (text, formatting, timestamps).
Photos and voice memos you attach to entries.
Mood tags, whether you set them manually or generated them with on-device AI.
AI reflections, summaries, topic links, and any other Premium-generated content.
Search history (in-memory only; cleared when the app is closed).
App settings (theme, notification schedule, app-lock preferences).

We do not transmit any of the above to a server we run, to Google, or to any third party. There is no analytics SDK, no Crashlytics, no Firebase, no Sentry, and no event-tracking pixel in the app.

The database is decrypted at runtime using a key sealed in the Android Keystore (and, on devices where you enable App Lock, gated behind your fingerprint, face unlock, or PIN). If your phone is lost or stolen and the device lock is set, the data on disk is unreadable without you.

On-device AI (Gemini Nano via AICore)

Hearth Premium uses Google’s Gemini Nano model running locally on your device via the AICore SDK. The model is loaded once by Play Services and lives on your phone. When the app asks it to read an entry — to suggest a mood tag, write a one-sentence summary, or compose your weekly reflection — the entry text is read from memory, the model processes it locally, and the result is written back to memory.

Your entry text is not sent to Google during this process. The AICore SDK is on-device by design; that is the entire point of using it. The same model code that Pixel devices use for the “Summarize Recording” feature is the code Hearth uses for journal reflection.

There is one limited telemetry stream worth disclosing: the AICore SDK reports to Google Play Services that the model ran (success, failure, duration). It does not include the entry content. We do not control this telemetry — it is a Play Services system stream — and we do not receive any of it. If you have AICore installed for any reason (Pixel users have it shipped), the same telemetry stream already exists; Hearth’s use of the SDK adds nothing.

If your device does not ship Gemini Nano (most non-Pixel devices, as of this writing), the AI features show a friendly “not available on this device” message in Settings → AI Insights instead of falling back to a cloud model. We do not have a cloud-AI fallback. AI is on-device or it is off.

Google Play Billing

If you buy Premium (monthly, yearly, or lifetime), the purchase is handled by Google Play Billing. Google sees the purchase event and tells Hearth one thing: “this user has Premium.” Hearth stores that entitlement locally so we can grant the Premium features offline. The card data, your billing address, and any other purchase metadata stay with Google and never reach our app.

If you start the 14-day free trial, Google Play handles the trial state. We never see your payment details. Cancel anytime via Settings → Account → Manage subscription, which deep-links you to Google Play’s subscription management screen.

We do not use RevenueCat or any other billing wrapper SDK. The Play Billing client is the only billing-side dependency.

Optional encrypted backup to your Google Drive

If you turn on Backup in Settings → Backup, Hearth bundles your journal database into a single encrypted blob and uploads it to your own Google Drive — to a folder Hearth can read but you (and Drive) cannot see in your file browser (the drive.appdata scope). The encryption uses a passphrase you set during the backup setup flow. We never see your passphrase. We do not store your passphrase anywhere on our servers (there are no servers in this flow), and we cannot help you recover it if you lose it.

This is the closest parallel to how a password manager exports an encrypted vault to iCloud: the file leaves your phone, but it leaves only as ciphertext you control. If Google’s servers were compromised, the attacker would get a blob of bytes that cannot be opened without your passphrase.

You can disable Backup at any time, which stops further uploads. The Drive folder remains as-is; you can delete it manually from drive.google.com if you want the file gone from Google’s servers. (Drive’s deletion is subject to Google’s own retention policies, which we do not control.)

Optional anonymous feedback form

Settings → Support → Send feedback opens an in-app form. The form is anonymous by default:

The text you type is sent over HTTPS to a small server (a Cloudflare Worker) that the Hearth team runs. The team reads it; nothing is forwarded to a third party.
Your email address is optional — there’s a checkbox. If you want a reply, tick it and we’ll see your email next to your message. Otherwise we see only the text.
Recent crash logs are optional too — there’s a separate checkbox, unticked by default. Crash logs are stored on-device for 30 days, then auto-purged. If you attach them, the log we receive contains stack traces and the device model; it does not contain entry content or anything from your journal.
No IP address is logged at the server. No analytics SDK is in the loop.

If you have provided an email and later want the submission deleted, write to contact@murcur.io and we will remove it. Anonymous submissions (no email attached) cannot be linked back to you and so cannot be selectively deleted — they are functionally anonymous from the moment they arrive.

Local notifications

If you turn on the Weekly reflection notification in Settings → Notifications, Hearth schedules a reminder using Android’s WorkManager / AlarmManager. The notification fires locally on your phone at the time you picked. No push token is registered, no server tells your phone to fire — the schedule is entirely on-device.

The notification permission Hearth requests is POST_NOTIFICATIONS, which is required by Android 13+ before any local notification can be shown. Decline it, or revoke it later in system settings, and Hearth simply won’t show the weekly reminder; the rest of the app is unaffected.

Permissions Hearth requests

Permission	Why	Required?
`POST_NOTIFICATIONS`	To show the weekly reflection reminder you opt into.	Optional. Decline → no weekly reminder.
`RECORD_AUDIO`	To capture voice memos attached to entries (stored on-device).	Optional. Asked only when you tap the mic in the editor.
`ACCESS_NETWORK_STATE`	To show “Will back up when on WiFi” / “Offline” badges next to the Backup row, so you know whether your scheduled backup will run.	Install-time. No runtime prompt.

No READ_CONTACTS, no ACCESS_FINE_LOCATION, no READ_SMS, no READ_PHONE_STATE, no READ_EXTERNAL_STORAGE. We do not request the Advertising ID, the Android ID, or any other persistent device identifier.

Third-party SDKs

We disclose every SDK in the app that could see user data, and what it sees:

SDK	What it sees	Where it sends it
AICore (`com.google.ai.edge.aicore`)	Entry text, but only in memory on your device.	Nowhere — runs on-device. (Google receives runtime telemetry about the model, not the content.)
Google Play Billing (`com.android.billingclient`)	Purchase events when you buy Premium.	Google, as part of the Play purchase flow.
Google Drive API (`com.google.android.gms:play-services-drive`)	Only an encrypted backup blob, only if you turn Backup on.	Your own Drive, in the appdata folder.
Kotlin / Compose / AndroidX libraries	Nothing — these are UI framework code, no network egress.	n/a

There is no Firebase, no Crashlytics, no Sentry, no Mixpanel, no Amplitude, no Segment, no Adjust, no AppsFlyer, no Branch, no Facebook SDK, no Google Analytics. We can say this categorically because the Gradle dependency list is short and is visible to anyone who inspects the published app bundle.

Children’s privacy

Hearth is not directed at children under 13. The Play Store age rating is Teen (13+). We do not knowingly collect data from users under 13. If you believe a minor under 13 has provided information through the feedback form, write to contact@murcur.io and we will remove the submission.

Your rights

Because almost all data is on your device, you have direct control:

See your data: it’s in the app; the app is the interface.
Export your data: Settings → Data → Export all entries produces an encrypted bundle (the same format used for backup).
Delete your data: Settings → Data → Delete all data wipes the entire local database (typed-confirm required, no undo).
Delete feedback submissions linked to an email: write to contact@murcur.io. Anonymous submissions cannot be linked back and so cannot be selectively deleted.
Delete Drive backups: turn Backup off, then delete the Hearth appdata folder from drive.google.com.
Cancel Premium: Settings → Account → Manage subscription, which opens Google Play’s subscription management.

We do not need to “verify your identity” before processing a deletion request because there is no account system to verify against. Whatever’s on your phone is yours to delete with a single tap; whatever you’ve sent to the feedback form with an email attached, you delete by sending us that email and the words “please delete my feedback.”

If you live in a jurisdiction with formal data-protection rights (GDPR, CCPA, UK GDPR, etc.), the rights above already exceed what those frameworks grant in the small surface where they would apply (the feedback-form data flow). We process opt-in feedback under “legitimate interest” — supporting an indie app’s users — and treat any deletion request as binding regardless of jurisdiction.

Changes to this policy

If we update this policy, the updated version replaces the file at the URL above. Significant changes will be flagged inside the app via Settings → About on next launch (a small “policy updated” marker next to the row) for 30 days after publication. We do not push notifications about policy changes — they would be more interruption than the change warrants.

The “Last updated” date at the top of this document is authoritative. If you want to track diffs, this file lives in the public hearth-www repository and every change is committed there with a normal git history.

Contact

Privacy questions or deletion requests: contact@murcur.io
App support / bug reports: in-app via Settings → Support → Send feedback.

If neither path works for you, we do not have a backup contact. We are a small team; the email and the in-app form are the only paths in.