Deutsche Version

1. At a glance

Shiru is designed as a privacy-first diary app. Your diary entries, photos, audio recordings, mood entries and location data are stored exclusively locally on your device in an AES-256-encrypted database (SQLCipher). We do not operate any servers where your diary content is processed.

Data only leaves your device in the following situations, each of which you trigger yourself:

• You enable cloud backup (iCloud on iOS, Google Drive on Android) — an end-to-end encrypted backup file is uploaded to your own cloud storage.
• The app crashes and Firebase Crashlytics sends us an anonymous crash report so we can fix bugs.
• You purchase Shiru Premium — payment is processed via Apple, Google and RevenueCat.
• You use the app as a free user — Shiru then shows personalised ads via Google AdMob.

2. Data controller

The data controller within the meaning of the GDPR is:

Dávid Müller
Ahrensburger Straße 168b
22045 Hamburg
Deutschland
E-mail: hello@shiru-journal.com

For any data protection enquiries please contact us via the e-mail address above.

3. What data we collect and why

3.1 Local on your device — never leaves the device

Everything you enter in Shiru is stored exclusively on your device. We have no access to this data. Specifically:

• Diary entries (text, title, date)
• Mood and emotion data
• Photo and audio attachments
• Location tags (only when you explicitly add them to an entry)
• Weather data attached to entries
• Profile data (name, profile picture — optional)
• App settings (theme, language, notifications)
• Authentication setup: PIN hash, password hash or biometric token (all device-local, never transmitted to us)

The local database is encrypted with a key derived from your credentials (PBKDF2). Without your authentication, no access is possible — not by us, not even in the case of forensic device access.

3.2 Location data (optional)

When you use the location feature while creating an entry, Shiru requests the device's location permission. We use the system APIs (Apple Core Location and Android Fused Location). The coordinates are converted into a readable place name via reverse geocoding (provided by your operating system) and saved locally with the entry. The coordinates and place name do not leave your device.

When you view an entry with a location, the map is loaded via OpenStreetMap tiles (OSM Tile Policy). Your device transmits its IP address and the tile requests to the OpenStreetMap Foundation Operations Working Group, UK. Legal basis: Art. 6(1)(b) GDPR (performance of a contract — providing the map as part of the app's functionality).

3.3 Cloud backup (opt-in)

When you enable cloud backup, your local database is bundled together with all media into an encrypted backup file. The file is encrypted with a password you set (AES-256-GCM) before the upload. It is then uploaded to:

• iOS: your personal iCloud container (linked to your Apple ID).
• Android: the "App Data Folder" of your connected Google account — a hidden Google Drive area that only Shiru can access.

We cannot read these backups — they are encrypted with your password, which only you know. If you lose the backup password, the backups are irrecoverable.

Legal basis: Art. 6(1)(a) GDPR (your consent by activating the feature).

3.4 Advertising — Google AdMob (free users)

Free users see ads in the app, delivered via the Google AdMob SDK. Premium users see no ads.

Google AdMob uses device identifiers (iOS: Identifier for Advertisers / IDFA; Android: Google Advertising ID), device metadata (model, OS version, language, approximate location based on IP) and interaction signals (impressions, clicks) to deliver and measure ads.

iOS App Tracking Transparency: When you first open Shiru, iOS asks whether the app may use cross-app tracking. If you decline, no IDFA is shared with Google and you see only non-personalised ads.

You can opt out of personalised ads at any time:

• iOS: Settings → Privacy & Security → Tracking → Allow Apps to Request to Track (off), and Settings → Privacy & Security → Apple Advertising → Personalised Ads (off).
• Android: Settings → Google → Ads → Opt out of ads personalisation or reset / delete your advertising ID.

The data recipient and controller for AdMob processing is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (or Google LLC for US users). More information: policies.google.com/privacy.

Legal basis: Art. 6(1)(a) GDPR (your consent via the ATT dialogue on iOS, or implicit consent through use of the app without opting out on Android) and Art. 6(1)(f) GDPR (legitimate interest in financing the free version of the app).

3.5 Crash reports — Firebase Crashlytics

If the app crashes, Firebase Crashlytics (Google) transmits the following to us:

• Stack trace and error type
• App version and build number
• Device model and OS version
• A non-personal installation ID (app-instance token, with no link to your Apple ID / Google account)
• Crash timestamp

We deliberately strip out all diary contents, file paths containing personal fragments and stack arguments before transmission. No diary data is transmitted to us.

Data recipient: Google Ireland Limited (Firebase / Google Analytics for Firebase / Crashlytics). A data processing agreement under Art. 28 GDPR has been concluded with Google.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in app stability and bug fixing).

3.6 In-app purchases — Apple, Google and RevenueCat

You can purchase Shiru Premium as a monthly subscription, annual subscription or one-off lifetime purchase. Payment is processed exclusively via the Apple App Store or Google Play Store. We receive no personal data from Apple or Google — only anonymous sales statistics.

To synchronise your premium status across devices we use RevenueCat (RevenueCat, Inc., USA). RevenueCat receives an anonymous app user ID, purchase receipts (from Apple/Google) and platform metadata (app version, OS version). No diary contents or directly personal data (name, e-mail) are transmitted to RevenueCat.

A data processing agreement under Art. 28 GDPR has been concluded with RevenueCat. As RevenueCat is based in the United States, the transfer is based on the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR). More information: www.revenuecat.com/privacy.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract — processing your premium purchase).

3.7 Push notifications (optional)

When you enable reminders, the app schedules local notifications via the operating system. No external server is involved. Reminder settings stay on your device.

3.8 Biometrics / PIN / password

Authentication data does not leave your device. Biometrics are processed via the system APIs (Face ID, Touch ID, Android BiometricPrompt) — we see neither your face nor your fingerprint. PIN and password are stored locally as hashes in the device's secure storage.

4. What we do NOT collect

The following are deliberately not collected:

• Account data — Shiru has no registration, no login, no server accounts.
• Diary contents, photos, audio — these never leave your device unencrypted.
• Behavioural data inside the app beyond crash reports — we use no analytics tracking.
• Contacts, address book, calendar.
• Ad conversions outside the app (no server-side conversion tracking).

5. Recipients / third parties — overview

6. International data transfers

The following providers process data in the United States: Google (AdMob, Crashlytics), RevenueCat. These third-country transfers are based on the EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR and, where applicable, additional safeguards by the providers (e.g. Google's participation in the EU–US Data Privacy Framework).

7. Retention periods

• Local data: kept until you actively delete it or uninstall the app. Uninstalling on Android removes all app data; iOS behaves similarly.
• Cloud backups: remain in your iCloud or Google Drive AppDataFolder until you actively delete them. If you uninstall the app, they persist — remove them via iCloud storage settings or your Google account.
• Crashlytics reports: 90 days (Google's default retention).
• RevenueCat data: up to 6 months after the end of your premium subscription (statutory tax retention periods).
• AdMob data: as per the Google Privacy Policy (typically 14 months active, then aggregated).

8. Your rights

Under the GDPR you have the following rights:

• Right of access (Art. 15 GDPR) — what data we process about you
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR) — Shiru provides a local export function in the settings
• Right to object (Art. 21 GDPR)
• Right to withdraw consent (Art. 7(3) GDPR) — e.g. cloud backup or AdMob personalisation can be disabled at any time

To exercise your rights against Apple, Google or RevenueCat, please contact the respective provider directly — we have no independent access to your data on their systems.

Right to lodge a complaint: You have the right to lodge a complaint with a data protection supervisory authority. The competent authority depends on your place of residence; a list can be found at the European Data Protection Board.

9. Security

Local data is encrypted with SQLCipher (AES-256). Cloud backups are encrypted with AES-256-GCM and a password of your choice before upload. The app authentication (PIN, password, biometrics) protects against unauthorised access if your device is lost. Connections to third parties always use encrypted transport (TLS/HTTPS).

10. Children

Shiru is intended for users aged 13 and over. We do not knowingly collect data from children under 13. If you believe a child under 13 has entered data in the app, please contact us — we will help you delete it.

11. Changes to this privacy policy

We may update this privacy policy as the app evolves or as legal requirements change. We will communicate material changes inside the app. The current version with its date is always available on this page.

12. Contact

For data protection enquiries, contact us at hello@shiru-journal.com.