Lost in Thought

Privacy Policy

Our Privacy Pledge

Lost in Thought will never sell your data. We will never use your journal entries, mood data, or any personal health information to train AI or machine learning models, our own or anyone else's. Your mental health data belongs to you. Full stop.

This is not a legal formality. It is a founding principle. In an industry where companies have repeatedly treated mental health data as a product to be monetized. Many healthtech companies are tech first, privacy and compliance second. The industry has a trust problem. Lost in Thought makes the opposite choice.

Mental health data is among the most sensitive personal information a person can generate. The moment you journal about your anxiety, your relationships, or your experiences, you are extending trust. We take that trust seriously.

Introduction

Lost in Thought ("we," "our," "LiT," or "us") is a privacy-first mental health journaling platform. This Privacy Policy explains how we collect, use, store, and protect your information when you use our mobile application.

By using the App, you agree to the practices described in this Privacy Policy.

Information We Collect

Information You Provide

• Account information: Email address, username, and password when you create an account
• Journal content: Text entries, voice recordings, photos, and any other content you add to your journal
• Profile information: Optional profile details you choose to provide

Information Collected Automatically

• Usage data: How you interact with the App, features used, and time spent — used only in de-identified form for product improvement (for example onboarding completion, first entry milestones, journal feature opens, and notification reminder preferences)
• Device information: Device type and operating system version
• Log data: IP address and access times for security purposes
• Advertising and campaign measurement (optional): Under Apple's App Tracking Transparency (ATT) framework on iOS, if you tap "Allow" on the system prompt, an advertising identifier may be used with our measurement partners in line with Apple's rules—so we can understand whether ads led to an install or subscription. On Android, limited device and app activity data may be used for similar measurement under platform rules. This never includes your journal entries, mood logs, photos, or voice recordings.

Information from Third-Party Authentication

• Authentication services: If you sign in through Apple Sign-In or Google, we receive only the basic profile information those services provide and you authorize

How We Use Your Information

Core App Functionality

• Journal storage and sync: Storing and synchronizing your journal entries across your devices
• Account management: Creating and maintaining your user account
• Intelligent features: Providing AI-powered insights, summaries, and pattern detection features

What Our Intelligent Features Do and Do Not Do

Lost in Thought uses AI to power features like weekly insight summaries, mood pattern detection, and personalized prompts. These features process your journal content to deliver value back to you. They do not feed your data into any training pipeline.

Specifically:

• Your journal entries are sent to a dedicated Google Vertex AI processing service solely to generate your personal insights. They are processed in real time and not retained by AI providers for training or any other purpose.
• No journal content, mood data, or personal health information is ever used to train AI or machine learning models. Not our own, not third-party providers', not anonymized, not aggregated.
• All AI features are optional. A user who never reads an insight summary still receives full value from the journaling practice itself.

De-Identified Analytics

We use analytics and measurement tools to understand how the product is used, to improve it, and—when enabled—to measure the effectiveness of our advertising. This pipeline never touches raw journal content. No personal health information or journal text flows through these systems.

PostHog (product analytics)

PostHog receives de-identified usage events from the Lost in Thought mobile app.

• What we send: Event names and coarse properties only. For example: onboarding completed, first entry saved by type, push permission granted, and notification scheduled type.
• What we do not send: Journal text, moods, goals, prompts, summaries, display names, or email in analytics payloads.
• Identity: Authenticated users are identified by Supabase user ID only. We do not include email in PostHog person properties by default.
• Region: Data is sent to the host configured for our project (for example https://us.i.posthog.com or an EU equivalent).
• Session replay: Disabled in the mobile app.

See PostHog's privacy policy for PostHog's own disclosures.

We also use:

• Google Firebase Analytics for de-identified app usage and product analytics — not journal content or personal health information. See Firebase privacy and security for Google's disclosures.
• Meta (Facebook) App Eventsvia Meta's SDK for installs, sessions, and campaign measurement, consistent with platform rules and your iOS tracking choices where applicable — not journal content. Meta's privacy practices are described at facebook.com/privacy/policy.
• RevenueCat for subscriptions and entitlements. If we enable the Meta Ads integration in RevenueCat, RevenueCat may send subscription lifecycle events (such as trials or purchases) to Meta for attribution and measurement—not journal content.

Data Storage and Security

Infrastructure

Lost in Thought stores your data on Supabase, a secure cloud database provider. All data is encrypted in transit and at rest.

• Encryption at rest: All data is encrypted at rest using industry-standard encryption
• Encryption in transit: All data in transit uses TLS encryption
• Access controls: Access to your data is strictly limited to systems and team members with a specific need
• Data minimization: Raw journal content is never accessible in any analytics pipeline

Third-Party Services

Journal entries, mood logs, photos, recordings, and other journal content are not shared with PostHog, Google Firebase Analytics, Meta, or RevenueCat for analytics or advertising. Only technical and subscription-or-entitlement signals flow to those vendors as described here and in De-Identified Analytics.

• Supabase: Database storage and user account management
• Authentication services: Supabase authentication. Additional optional services users can leverage include native biometric authentication for iOS and Android devices to authenticate with Supabase.
• AI language model services: AI processing for insight features; your content is processed in real time and not retained for training
• Product analytics: PostHog for de-identified usage events from the mobile app (event names and coarse properties only; no journal content; session replay disabled)
• Analytics services: Google Firebase Analytics for de-identified app usage
• Advertising measurement: Meta Platforms Technologies (Facebook SDK / App Events) for campaign and conversion measurement in accordance with platform rules and your choices (e.g. App Tracking Transparency on iOS)
• Subscriptions and billing analytics: RevenueCat for in-app purchases and entitlements; RevenueCat may forward subscription-related events to integrations we enable (such as Meta for ads attribution)

Data Sharing and Disclosure

Our Baseline Commitment

We do not sell, trade, or rent your personal information to third parties for money. We do not share your journal entries, mood logs, photos, voice recordings, or other journal content with advertisers or data brokers. We do not use your journal content for advertising or to train ad models.

We may share limited technical information with advertising and analytics partners to measure app installs, subscriptions, and campaign performance, and to operate product analytics — for example app events, device identifiers where permitted, and subscription-status signals through RevenueCat. PostHog, Google Firebase Analytics, Meta, and RevenueCat (including RevenueCat→Meta integrations we enable) do notreceive your journal content for analytics or ads; they receive only the technical and subscription-measurement signals described in this Privacy Policy. You can decline tracking on iOS via Apple's App Tracking Transparency prompt (and adjust related choices in Settings); doing so limits certain measurement but does not affect core journaling features.

Limited Sharing Circumstances

• Service providers: Infrastructure and authentication providers (Supabase, Apple, Google) for the sole purpose of operating the App
• Advertising and attribution providers: Meta and related measurement tools as described above; RevenueCat integrations configured for subscription attribution — limited to non-journal technical and billing signals
• AI insight providers: AI processing services to generate your personal insights, as described above. These providers do not retain your content.
• Legal requirements: We may disclose data as required by law, in response to valid court orders, or to protect the safety of our users or the public
• Business transfers: In a merger or acquisition, your data would transfer to the new entity subject to the same privacy protections. You will be notified before any such transfer.

Your Rights and Choices

Data Access and Control

• Access: Request a copy of all personal data we hold about you, including analytics data associated with your account
• Correction: Update or correct inaccurate information in your profile
• Deletion: Request permanent deletion of your account and all associated data. Contact us at jack@lostinthoughtapp.com for analytics access or deletion requests
• Portability: Export your complete journal history in a standard format at any time
• Analytics reset: Signing out of the App resets your PostHog analytics identity on that device

Account Deletion

You can delete your account at any time through App settings. Upon deletion:

• All journal entries are permanently deleted
• Account information is removed from our systems
• Some data may be retained for legal or security purposes as required by law

Research and Future Partnerships

If Lost in Thought ever pursues research partnerships that would involve user data, we will obtain explicit, informed, separate consent. Never bundled into Terms of Service or assumed from app usage. Any such partnerships will be disclosed publicly.

Children's Privacy

Our App is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided personal information, please contact us at jack@lostinthoughtapp.com.

Data Retention

We retain your information only for as long as necessary to:

• Provide our services to you
• Comply with legal obligations
• Resolve disputes and enforce agreements

Journal entries are retained until you delete them or close your account. Account information may be retained for a reasonable period after account closure for legal and administrative purposes.

PostHog analytics data is retained according to our PostHog project settings. We review retention periods periodically and adjust them as needed for product analytics purposes.

California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

• Right to know what personal information is collected and how it is used
• Right to delete personal information
• Right to opt-out of the sale of personal information — we do not sell personal information
• Right to non-discrimination for exercising your CCPA rights

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

• Posting the updated policy in the App and on our website
• Sending an email notification if you've provided an email address
• Displaying a notice when you next open the App

Your continued use of the App after any changes constitutes acceptance of the updated Privacy Policy.

Contact Information

If you have questions about this Privacy Policy or our privacy practices, please contact us:

Email: jack@lostinthoughtapp.com

Website: https://lostinthoughtapp.com/privacy_policy

Your data belongs to you. Always.