Gresh Privacy Policy
Effective Date: March 22, 2026
Last Updated: March 22, 2026
Scope: Gresh iOS App and related services (collectively, the "Service")
This Service is provided by Mustica LLC ("Mustica," "we," "us," or "our").
Website: https://mustica.io/
Email: [email protected]
This Privacy Policy explains how we collect, use, store, share, and protect your information, and how you can exercise your privacy rights. We design our products with a "privacy-first" approach and provide end-to-end encryption.
Please read and understand this Privacy Policy before using the Service. If you have any questions or requests regarding this Policy, please contact us using the information above.
1. Information We Collect
1.1 Information You Provide
- Account Information: Email address (used for registration, login, account management, and security verification).
- User-Generated Content (UGC): Journal text, titles, tags, images/attachments, and any other content you enter in the App.
- Feedback and Support Communications: Content and contact information you provide when you contact us or submit feedback.
1.2 Information We Collect Automatically
To ensure the security and stability of the Service, we may collect the following information (which may appear in log form):
- Device and System Information: Device model, operating system version, App version, language and timezone settings, etc.
- Network and Technical Information: IP address, network type, request timestamps, error logs, crash reports, performance metrics, etc.
- Usage Information: Feature usage frequency, page visits, interaction events, and other anonymous/aggregated statistical data (used to improve experience and performance).
1.3 Permissions and Device Features (At Your Discretion)
Depending on the features you use, we may request the following system permissions. You can disable any permission at any time in your system settings; disabling a permission may affect the availability or experience of the corresponding feature:
- Notifications: For reminders and service notifications (if you enable the reminder feature).
- Camera: For taking photos to use as journal attachments or as a profile picture.
1.4 Sensitive Information We Do Not Actively Collect
- We do not request government-issued identification numbers, bank card information, or other sensitive personal information.
- We do not sell your personal information to advertisers.
2. How We Use Your Information
We use your information only for the following purposes:
- Providing and Maintaining the Service: Registration, login, content storage and synchronization, cross-device access.
- Security and Risk Management: Detecting unusual logins, abuse, and attacks to protect account security.
- Product Improvement: Performance monitoring, crash fixes, feature optimization (typically in anonymous/aggregated form).
- Customer Support and Communication: Handling your inquiries, feedback, and complaints.
- Legal Compliance: Complying with applicable laws, regulations, and regulatory requirements.
2.1 No Advertising Tracking
We process information to improve the Service and ensure security. We do not sell or share your personal information for the purpose of displaying cross-app or cross-site targeted advertising. If we ever need to perform "Tracking" as defined by Apple, we will request your explicit authorization in accordance with platform rules (e.g., ATT authorization).
3. Encryption and Security
3.1 Transmission and Storage Security
- Data Transmission: We use industry-standard encrypted transmission protocols (e.g., HTTPS/TLS) to protect data transmitted between your device and our servers.
- Data Storage: We employ reasonable technical and organizational measures to protect data security, including access controls, encrypted storage, and least-privilege principles.
3.2 End-to-End Encryption (E2EE)
Gresh provides end-to-end encryption:
- Your journal content is encrypted on your local device before being uploaded to the server.
- In end-to-end encryption mode, we cannot read your plaintext journal content. Please safeguard your recovery/decryption credentials (such as your recovery passphrase); losing them may result in permanent loss of content.
Important: Once end-to-end encryption is enabled, if you lose your decryption credentials, we may be unable to help you recover your content.
4. Information Sharing and Third Parties
We share necessary information with third parties only in the following circumstances:
| Category | Provider | Data Shared | Purpose | Privacy Policy |
|---|---|---|---|---|
| Crash & Performance Monitoring | Firebase Crashlytics (Google) | Device information, crash logs | Troubleshooting, improving stability | https://firebase.google.com/support/privacy |
| Cloud Infrastructure | Google Cloud Platform | Encrypted journal content, account information | Service hosting and storage | https://cloud.google.com/security/privacy |
We do not sell your personal information to advertisers, nor do we use journal content for advertising targeting.
We may disclose necessary information as required by applicable laws, regulations, or lawful requests from governmental authorities.
5. Account Deletion and Data Removal (7-Day Cooling-Off Period)
To prevent irreversible data loss due to accidental operations, Gresh uses a 7-day cooling-off period for account deletion:
- You can initiate a "Delete Account" request in the App's settings.
- After submitting the request, your account will enter a "pre-deletion/cooling-off" state and may be forcibly logged out (to protect account security).
- During the cooling-off period (within 7 days), you can log in to restore your account and cancel the deletion request.
- After the cooling-off period ends, your account and related data (including journal content, etc.) may be permanently deleted or irreversibly processed and cannot be recovered.
The actual scope and method of deletion may be affected by legal requirements, audit obligations, or technical limitations, but we will follow the principle of "minimum retention and timely cleanup."
6. Data Retention
| Data Category | Retention Period | Notes |
|---|---|---|
| Account Information (email, etc.) | Duration of account; deleted after cooling-off period ends | |
| Journal Content (encrypted ciphertext) | Duration of account; deleted after cooling-off period ends | |
| Security and Log Data | Up to 180 days | Used for security and troubleshooting; automatically cleaned after expiration |
| Crash and Analytics Data | Subject to Firebase data retention policies | Anonymous/aggregated data |
We retain information for the minimum period necessary to provide the Service and delete or anonymize it when it is no longer needed.
7. Your Rights
Under applicable law (such as GDPR/CCPA), you may have the following rights:
- Access, correct, and update your personal information.
- Request deletion of your account and data (subject to the 7-day cooling-off period and compliance requirements).
- Data portability/export (where applicable).
- Object to or restrict certain processing (where applicable).
You can exercise these rights through in-app options or by emailing [email protected].
7.1 Supplemental Notice for California Residents (If Applicable)
If you are a California resident, under applicable law you may have the right to know about, access, delete, and correct your personal information, as well as the right to opt out of the sale or sharing of personal information. We do not sell your personal information. You may contact us at [email protected] to submit a request.
8. Children's Privacy
Gresh is not intended for children under 13 years of age (or the minimum age required by the laws of your jurisdiction). If you believe we have inadvertently collected information from a child, please contact us so we can delete the relevant information.
9. International Transfers
We may use service providers located in different countries or regions for data processing and storage (including but not limited to Google Firebase's analytics and crash reporting services). Where cross-border transfers occur, we will take reasonable measures to ensure that your data is adequately protected.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Updated versions will be published through the App or website with an updated "Effective Date." If changes are material, we will notify you in a more prominent manner.
11. Contact Us
If you have any questions, comments, or requests regarding this Privacy Policy, please contact:
- Email: [email protected]