Skip to security content

Security & Privacy Architecture

How your entries are protected.

This page explains exactly how Quiet Mirror handles your journal entries — what happens to them, where they are stored, who can access them, and what we honestly cannot claim. We prefer clarity over reassuring language.

Questions? Email us at hello@quietmirror.me.

What happens when you submit an entry

When you write and save a journal entry:

  1. Your text is transmitted over HTTPS from your browser to our servers. All connections are encrypted in transit — this is enforced by Vercel, our hosting provider.
  2. The entry is stored in our database (Supabase Postgres), where it is encrypted at rest. Row-level security policies mean the database will only return your rows to authenticated requests made by your own account.
  3. If you request an AI reflection, the text of that entry is sent to Groq (our AI inference provider) to generate the response. Groq processes the text for that request only and does not retain or train on it. See Groq's Privacy Policy.
  4. The reflection is returned to your browser and saved alongside your entry. No other party sees your text.

What we can and cannot claim

We will not use language we cannot back up. Here is an honest account:

  • Encryption in transit: Yes. All connections between your browser and our servers use HTTPS/TLS. This is enforced by Vercel.
  • Encryption at rest: Yes. Supabase encrypts data at rest in the underlying database storage.
  • End-to-end encryption (E2E): No. We do not claim E2E encryption. To generate AI reflections, our server reads your entry text before sending it to Groq. A true E2E model — where only your device holds the decryption key — would make AI reflections impossible. We chose not to claim E2E when it is not true.
  • Local AI processing: No. AI inference runs on Groq's infrastructure, not on your device. Your entry text leaves your device for that processing step.
  • Zero-knowledge architecture: No. Our server can access entry content in order to generate reflections and pattern insights. We have chosen not to access it for any other purpose, but we will not claim it is technically impossible.

Authentication

Quiet Mirror uses magic links — you enter your email address and receive a short-lived sign-in link. There is no password stored anywhere. This eliminates the risk of password reuse and reduces the attack surface compared to a traditional password system. Sessions are managed by Supabase Auth using short-lived JWT tokens with refresh rotation.

Access controls

Row-level security (RLS) is enforced at the database level. Every table that stores user content has a policy that restricts access to the authenticated user who owns that row. This means a bug in application code cannot accidentally expose one user's entries to another — the database itself enforces the boundary.

Quiet Mirror is built and maintained by a single person. There is no support team with a backdoor to your entries. Admin access to the Supabase project exists for operational purposes (schema changes, debugging infrastructure), but is not used to read entry content.

AI processing and data use

  • AI reflections are generated by Groq using the Llama 4 Scout model. Groq does not retain prompts or outputs and does not use them to train models.
  • We do not use your journal entries to train any AI model — ours or anyone else's.
  • Pattern insights and weekly summaries are generated by sending a selection of your recent entries to Groq for that specific analysis. The same data handling rules apply.
  • We do not sell, share, or transfer your entries to third parties for any purpose other than generating the features you explicitly requested.

Infrastructure and subprocessors

The services that handle your data, and what each one does:

  • Vercel — hosting, serverless functions, and edge delivery. Enforces HTTPS on all connections.
  • Supabase — Postgres database, authentication, and row-level security. Data is encrypted at rest. SOC 2 Type II certified.
  • Groq — AI inference for reflections and pattern analysis. Processes entry text for the duration of the request only.
  • Resend — transactional email (magic links). Receives your email address to deliver sign-in emails.
  • PostHog — product analytics, EU cloud. Receives anonymised usage events (page views, feature usage). Does not receive journal content.
  • Dodo Payments — payment processing for Premium subscriptions. Quiet Mirror does not store your card details.

Deletion and data export

You can request deletion of your account and all associated data by emailing hello@quietmirror.me. We will process deletion requests within 30 days.

You can request a JSON export of your journal entries by emailing the same address. We aim to fulfil export requests within 48 hours. A self-serve export option from Settings is on the roadmap.

Reporting a security issue

If you discover a security vulnerability, please email hello@quietmirror.me directly. We will acknowledge within 48 hours and work to resolve confirmed issues promptly. We do not currently run a formal bug bounty programme.

Privacy Policy →Terms of Service →

Ready to try a private check-in?

Start free. Upgrade only if it genuinely helps you go deeper with insights, timelines, and richer reflections.

Start free journalingSee what Premium adds