Privacy Policy
Last Updated: May 17, 2026
Rejourney ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, and share information when you use our Service.
Policy Overview
1. Information for Website Visitors
When you visit rejourney.co, we collect standard log data and use first-party cookies and local storage identifiers to understand how you interact with our site. This may include your IP address, browser type, and pages visited. We use this information to improve our website and marketing efforts.
We use the Rejourney web SDK on rejourney.co to capture optional first-party website analytics, performance signals, and session replay so we can improve our website and product experience. We load Rejourney website analytics and replay only after you provide explicit consent through our cookie consent banner. The SDK masks text inputs by default and does not load third-party session replay tooling.
2. Information for Customers
If you create a Rejourney account, we collect information necessary to provide the Service, including your name, email address, and billing information. We use this to manage your account, process payments, and send you Service-related notifications.
3. Information for End-Users
Rejourney processes data about your mobile application's end-users on your behalf. This data is collected via the Rejourney SDK and may include session replays, device metadata, approximate geolocation (country, region, city derived from IP address), and interaction events. You (our Customer) are the Data Controller for this data, and Rejourney is the Data Processor. You are responsible for ensuring your end-users are informed about session recording and that you have a valid legal basis for such processing.
4. Data Scrubbing & Minimization
Privacy is built into Rejourney by design. Our SDK automatically scrubs:
- Password fields and sensitive text inputs.
- Camera views and credit card entry fields.
- Personally Identifiable Information (PII) in user IDs (automatically hashed).
Console logs: When console log capture is enabled (on by default), the SDK captures up to 1,000 console log entries per session. Console logs may contain PII depending on your application's logging practices. We recommend disabling this feature or sanitizing logs if sensitive data may appear in console output.
Disclaimer:
While Rejourney provides these automatic privacy measures, they are provided as default tools to assist you. You (the developer/customer) are responsible for verifying that your specific implementation does not capture sensitive data and that you have configured masks or redactions as necessary for your unique UI and data flow.
5. Data Sharing & Sub-processors
We do not sell your data. We share information with the following sub-processors to provide the Service:
| Provider | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Cloud Infrastructure & Hosting | Germany (EU) | EU — no transfer |
| Cloudflare R2 | Session Data Backups | EU (Guaranteed) | EU — no transfer |
| OVHcloud US | Object Storage | United States | DPA |
| ZeptoMail (Zoho) | Transactional Email Delivery | United States | SCCs (Art. 46(2)(c)) |
| Stripe | Payment Processing | United States | SCCs (Art. 46(2)(c)) |
6. Data Retention
Session Replays: Automatically deleted after 7 days on the free plan, otherwise retained for the duration detailed in your subscription.
Metadata & Analytics: Personally identifiable session metadata is retained for the duration of your active subscription. After a session recording is deleted, anonymized aggregate event data (containing no personal identifiers) may be retained indefinitely for product analytics, research, benchmarking, and public trend reporting.
Backups: Encrypted backups are retained for up to 90 days for disaster recovery.
7. Anonymized Studies & Public Reports
We may analyze Customer Data and service telemetry to create anonymized, aggregated, or de-identified datasets. We may use those datasets to study usage patterns, performance, reliability, product friction, adoption trends, and other findings, and we may publish articles, reports, benchmarks, or similar public materials based on those findings.
Public materials will not include raw session recordings, screenshots, request payloads, personal data, customer confidential information, or information that reasonably identifies or singles out a particular customer, application, or end-user unless we have separate permission.
Under GDPR, pseudonymized data remains personal data when it can be attributed to an individual using additional information. We treat pseudonymized data as personal data unless and until it has been rendered anonymous so that the individual is not or no longer identifiable by means reasonably likely to be used.
8. Your Rights (GDPR)
If you are located in the European Economic Area, you have the following rights regarding your personal data:
- Access (Art. 15): Request a copy of the personal data we hold about you.
- Rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
- Portability (Art. 20): Receive your data in a structured, machine-readable format and transfer it to another controller.
- Objection (Art. 21): Object to processing based on legitimate interests.
To exercise any of these rights, please contact contact@rejourney.co. We will respond within 30 days of receiving your request.
You also have the right to lodge a complaint with the data protection supervisory authority in your country of residence. A full list of EU supervisory authorities is available at edpb.europa.eu.
9. Security
We use industry-standard security measures, including TLS 1.3 encryption for data in transit and AES-256 for data at rest. We conduct regular security audits to ensure your data remains protected.
10. Lawful Basis for Processing
We rely on the following legal bases under GDPR Article 6 for our processing activities:
- Performance of a contract (Art. 6(1)(b)): Processing customer account data, billing information, and service-related communications necessary to provide the Service.
- Consent (Art. 6(1)(a)): Loading optional Rejourney website analytics, session replay, and related first-party storage on rejourney.co — only after you provide explicit consent via our cookie consent banner.
- Legitimate interests (Art. 6(1)(f)): Processing server log data for security, fraud prevention, and site improvement where our interests are not overridden by your rights.
- Controller's legal basis (end-user data): Rejourney processes end-user session data as a Data Processor on behalf of our Customers (Data Controllers). The lawful basis for this processing is determined by the Customer and must be established by the Customer before deploying the Rejourney SDK.
- Anonymous information: Once information has been rendered anonymous so that it no longer relates to an identified or identifiable person, it is no longer personal data under GDPR. The processing used to create anonymized aggregate datasets follows the applicable legal basis above and, for end-user data, the Customer's instructions under the DPA.
11. Updates
We may update this policy periodically. Material changes will be notified via email or a prominent notice on our website.