Privacy Policy

Last updated: 2025-10-26

This Privacy Policy explains how OneLine (“OneLine”, “we”, or “us”), a privacy-first journaling product built and operated from Bilbao, Basque Country, Spain, collects and protects your personal data when you use the OneLine application (the “Service”). We process personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Spanish data protection law.

Data Controller and Contact

The data controller for the Service is the OneLine project team based in Bilbao, Basque Country, Spain. You can reach us at oneline.developerteam@gmail.com. Our lead supervisory authority is the Spanish Data Protection Agency (AEPD).

Personal Data We Collect

• Account information: email address and authentication credentials necessary to create and maintain your account.
• Journal content: the entries you choose to store in the Service. Journal entries are end-to-end encrypted (E2EE) in your browser using a passphrase only you know before they are transmitted to our infrastructure. We store only ciphertext, encryption metadata (such as IVs and key versions), and optional analytics about streak progress.
• Usage and technical data: log data, IP address, device and browser details, and diagnostics generated when you use the Service.
• Support communications: messages you send to us for help or feedback.

How and Why We Use Personal Data

• To provide, secure, and maintain the Service, including storing your encrypted entries and enabling you to decrypt them with your passphrase. We cannot read your entries because the decryption key never leaves your devices.
• To authenticate you, prevent fraud, and enforce our Terms of Service.
• To communicate with you about updates, features, or legal notices.
• To comply with legal obligations and respond to lawful requests from authorities.
• To analyse anonymised or aggregated usage trends to improve the Service.

Legal Bases for Processing

We process personal data under Article 6 GDPR on the following bases: (a) performance of our contract with you (providing the Service); (b) legitimate interests in securing and improving the Service (we balance these interests against your rights); (c) compliance with legal obligations; and (d) your consent where required, such as for optional communications.

Sharing and International Transfers

We share personal data only with trusted subprocessors that provide hosting, storage, analytics, customer support, or email delivery. Whenever data is transferred outside the European Economic Area, we rely on an adequacy decision or European Commission Standard Contractual Clauses and implement additional safeguards as necessary.

Data Retention

We retain your personal data for as long as your account is active and for a reasonable period thereafter to comply with legal obligations, resolve disputes, or enforce agreements. Journal entries are deleted when you erase them or close your account, subject to limited backups kept for disaster recovery.

Your Rights

You have the right to access, rectify, erase, and port your data, to restrict or object to certain processing, and to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. To exercise your rights, contact us at oneline.developerteam@gmail.com. You also have the right to lodge a complaint with the AEPD or your local supervisory authority.

Children

The Service is not directed to individuals under 16 years old. We do not knowingly collect personal data from children. If we learn that a child has provided us with personal data, we will delete it.

Security and End-to-End Encryption

We implement technical and organisational measures, including TLS in transit, hardened infrastructure, and regular reviews, to protect personal data. Journal entries are additionally protected with end-to-end encryption: your passphrase derives a key locally, entries are encrypted with AES-GCM before leaving your device, and only ciphertext is stored. We do not store or have access to your passphrase. If you forget your passphrase you will lose access to encrypted entries, so please keep it safe.

Optional AI Summaries

We will only process decrypted journal content for AI-powered summaries when you provide explicit consent in the application and confirm the passphrase locally to decrypt the data. The decrypted text is sent to our servers solely for that request and shared with the selected AI provider. You may withdraw consent at any time.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect operational or legal changes. We will notify you of material updates through the Service or by email. Continued use after the effective date indicates your acceptance of the revised policy.