Effective Date: September 12, 2025

Cloudbreak Journey – Privacy Policy

Cloudbreak is a private, local-first mobile app for growth, calm, and low-pressure connection. We designed it to keep your data on your device by default and to use end-to-end encryption (E2EE) for optional partner features. This Privacy Policy explains what we do—and deliberately don’t do—with your data.

If you have any questions, contact us at support@quantumlooplabs.com.

Summary (Plain English)

Local-first: Your journals, moods, notes, and letters are stored on your device and encrypted before they touch the local database.
No analytics or ads: We don’t use analytics SDKs, ad networks, or trackers.
Optional sync: Partner features (Kind Words, Bridge Journal, time capsules) use E2EE via a relay (Supabase). We can’t read message contents.
Backups optional: You may enable encrypted backups to iCloud or Google Drive. You control this.
Minimal metadata: We avoid collecting or storing plaintext titles/tags server-side.

Who We Are

Controller: QuantumLoop Labs LLC (“we,” “us,” “our”)
App: Cloudbreak Journey (iOS & Android)
Contact: support@quantumlooplabs.com

Scope

This policy covers the Cloudbreak Journey mobile application and any optional cloud-relay functionality used for partner features. It does not cover third-party websites or services you may access via external links.

Data We Store On Your Device

Cloudbreak Journey operates locally by default. The following items are stored on your device and are encrypted at rest using a per-device key held in the system secure enclave/keystore:

Growth Log entries and monthly reflections
Letters Unsent and Secret Letters (with fonts, tags)
Tiny Wins (including photos you attach)
Mood check-ins and notes
Self-Check Coach (CBT thought records)
Personal Notes
Partner reminders you configure locally

Local database rows are encrypted using an AEAD cipher (e.g., XChaCha20-Poly1305). Nonces and associated data are managed to prevent reuse and to bind ciphertext to its record context.

Optional Cloud & Partner Features

If you opt in to partner features, Cloudbreak Journey uses end-to-end encryption for message contents:

Key exchange: Each device generates an X25519 keypair. Pairing with a partner exchanges public keys.
Message encryption: Content is encrypted client-side (NaCl box/secretbox style) before relay to our real-time service provider (Supabase).
Time capsules: Messages intended for future unlock are stored as ciphertext until the client unlocks them locally.
We cannot read your messages. The relay stores only encrypted payloads and minimal transport metadata required for delivery.

Backups

You may optionally enable encrypted backups to your platform provider (e.g., iCloud on iOS, Google Drive on Android). Backups are controlled by you and subject to your provider’s terms. If disabled, your data remains solely on your device.

Device Permissions

Cloudbreak Journey may request the following permissions, strictly to power app features you choose to use:

Photos/Media/Storage: attach images to Tiny Wins or shared journals.
Camera: capture photos directly in-app (optional).
Notifications: partner reminders or time-capsule unlock alerts (optional).
Biometrics: device-level authentication to unlock the app.

Permissions can be revoked anytime in your system settings; features depending on them may stop working.

What We Do Not Collect

No advertising identifiers or ad tracking.
No third-party analytics SDKs.
No behavioral profiling or sale of data.
No contact list, precise location, or health data.

Limited Technical Metadata

For partner sync reliability, the relay may process minimal technical metadata (e.g., timestamps, opaque record IDs) required to route encrypted messages. We avoid storing plaintext titles, tags, or message bodies at the relay.

Third-Party Services

Supabase (real-time relay & database): carries encrypted partner messages; Row Level Security (RLS) helps restrict access. Supabase acts as a processor for transport of ciphertext.
Apple iCloud / Google Drive (optional backups): if enabled by you, your device may store encrypted backups under the platform provider’s policies.

Security Measures

Client-side encryption before storage or sync.
Per-device symmetric keys stored in secure hardware/keystore where available.
Transport security (TLS) for all network connections.
App lock with biometrics/PIN.
Privacy controls: hiding screen previews, optional “privacy blur.”

No method of transmission or storage is 100% secure. We continually refine safeguards and recommend enabling device passcodes and OS updates.

Your Choices & Controls

Local-only mode: Don’t enable partner features or backups to keep everything on-device.
Export: You can export your data (e.g., PDF) locally; consider passphrase-protecting exported files.
Delete: You can delete entries locally at any time. Uninstalling the app deletes local data.
Backups: Turn platform backups on/off in OS settings and in-app controls.

Children’s Privacy

Cloudbreak Journey is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided data, please contact us to request deletion.

International Users

Depending on where you live, data (including encrypted payloads for partner features) may be processed or relayed across regions to deliver messages. We apply encryption and access controls regardless of location.

Legal Bases (EEA/UK)

Contract: To provide the app and partner features you request.
Legitimate interests: To maintain security and functionality (e.g., service reliability, abuse mitigation).
Consent: For optional features like backups and notifications; you can withdraw consent at any time.

Your Rights

Subject to your jurisdiction, you may have rights to access, correct, delete, or receive a copy of your information. Because Cloudbreak Journey stores content locally and encrypts partner messages end-to-end, most controls are in-app on your device. For relay metadata requests, contact us at support@quantumlooplabs.com.

Do Not Track

We do not track you across third-party apps or sites, and we do not respond to DNT signals.

Changes to This Policy

We may update this Policy to reflect product, legal, or operational changes. We’ll revise the “Effective Date” above and, where appropriate, notify you in-app.

Contact

Email: support@quantumlooplabs.com