Privacy Policy — Parts Journey

Effective date: May 12, 2026. Last updated: May 12, 2026.

1. Who We Are

Parts Journey is operated by Team Palani LLC (“we,” “us,” or “our”). This Privacy Policy describes how we collect, use, store, and share information when you use Parts Journey at partsjourney.com and related services.

Contact: [email protected]

2. About the Information You Put Into Parts Journey

Parts Journey is a journaling and mapping tool for Internal Family Systems (IFS) work. People use it to record thoughts, feelings, conversations, and reflections about parts of themselves. The content you put into Parts Journey will often touch on your mental and emotional life.

We treat that content with the seriousness it deserves. This policy explains how we handle it, who can see it, and what control you have over it.

Parts Journey is not a healthcare provider, is not subject to HIPAA, and does not create a therapist-patient or doctor-patient relationship. We are a software company, and the content you create is yours.

3. Information We Collect

Account Information

  • Email address (used for magic-link login)
  • Hashed, time-bound login tokens
  • Timezone string (auto-detected from your browser)
  • Theme preference

We do not collect or store passwords. We do not ask for your real name, age, location, or other identifying information at signup.

Content You Create

Anything you enter into Parts Journey, including:

  • Part names, descriptions, roles, ages, free-text fields, and uploaded images
  • Conversation messages, including text, attached images, and audio recordings
  • Daily check-ins, moment taps, milestones, and edge notes
  • Map layout, colors, and visual organization

This content is associated with your account and visible only to you (when logged in) and to anyone holding a valid share link you have created.

Activity Data

  • Login timestamps
  • Server access logs (IP address, browser user-agent, request paths) retained briefly for security and operational purposes
  • Event log of changes you make within the app, used to power the timeline and undo features

Information We Do Not Collect

  • We do not use Google Analytics, advertising pixels, or third-party trackers.
  • We do not fingerprint your browser.
  • We do not collect precise location data.
  • We do not capture the identity of therapists or other people who open share links you create.

4. Sensitive Categories

The content you create in Parts Journey may include information about your mental and emotional health, your trauma history, your relationships, and other categories considered sensitive under various privacy laws (including Washington’s My Health My Data Act, the California Confidentiality of Medical Information Act, GDPR Article 9, and similar statutes elsewhere).

We treat all account content as sensitive. We do not analyze it, mine it for trends, sell it, share it for advertising, or use it to train any model. The only systems that touch your content are the ones required to store it, display it back to you, and deliver it to a share link you have authorized.

5. How We Use Your Information

We use the information described above to:

  • Provide and operate Parts Journey
  • Send magic-link login emails
  • Generate and serve share links you create
  • Detect and prevent abuse of the platform
  • Comply with legal obligations

We do not use your content to train AI models, generate advertising profiles, perform aggregate analytics on individual content, or sell to third parties.

6. Share Links

You can create a share link that gives a therapist or other person read-only access to a specific date range of your Parts Journey data. Share links work as follows:

  • Each link contains a cryptographically random token. Without the exact token, the link cannot be guessed or brute-forced.
  • The link grants read-only access to a date range you select.
  • The link expires automatically on a date you choose (1, 7, 30, or 90 days from creation).
  • You can revoke any active share link instantly from your account.
  • Anyone who holds the link can open it. There is no login, no account, and no identity verification on the viewer side. This is intentional — it lets you share with a therapist without forcing them to create an account.

You are responsible for where you send your share links. Treat a share link the way you would treat a copy of a personal journal: send it through a channel you trust, to the person you intend, and revoke it if anything feels wrong.

We log the timestamp and IP address of accesses to share links for security and abuse prevention. We do not collect the name or identity of the viewer.

7. How We Share Data With Third Parties

We do not sell your personal information or your content. We use a small number of service providers to operate the platform:

  • Brevo — Transactional email delivery (magic-link login emails). Brevo receives your email address and the login link. Brevo’s privacy policy applies to data they handle.
  • Cloudflare R2 — Storage for uploaded images and audio recordings. Files are referenced by URL and served back to you and your authorized share viewers.
  • Hosting provider — The infrastructure that runs the application. (Final provider to be confirmed prior to public launch.)
  • Law enforcement or legal process — We may disclose information if compelled by valid legal process, or where we have a good-faith belief that disclosure is necessary to protect the rights, property, or safety of Parts Journey, our users, or the public.

We do not share content with advertising networks, data brokers, or any third party for marketing purposes.

8. Data Retention

  • Account data and content are retained for as long as your account is active.
  • You may delete individual parts, messages, conversations, or other content at any time from within the app.
  • You may request full account deletion at any time by contacting [email protected]. Account deletion removes your account, your content, and any associated files from our active systems within 30 days. Server backups containing deleted content roll off within a further 90 days.
  • Server access logs are retained for up to 90 days for security and operational purposes.
  • Revoked or expired share links are retained as inert records (token, expiry, owner) for audit purposes, but no longer grant access.

9. Security

We implement reasonable technical and organizational measures to protect your data, including:

  • HTTPS for all platform traffic
  • Magic-link authentication (no stored passwords)
  • Access controls so that only you and your authorized share viewers can access your content
  • Read-only enforcement on the share view enforced at three independent layers in the application
  • Date-range clamping on share queries so a share viewer cannot reach content outside the window you authorized
  • Encrypted storage at rest for uploaded files

No system is perfectly secure. You are responsible for the security of the email account you use to receive magic-link logins, and for where you send share links.

In the event of a data breach affecting your personal information, we will notify you as required by applicable law.

10. Your Rights

Depending on where you live, you may have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate information
  • Delete your account and content
  • Export your content in a portable format
  • Withdraw consent for any optional processing
  • Lodge a complaint with a data protection authority

To exercise any of these rights, contact [email protected]. We will respond within 30 days.

Residents of Washington State have additional rights under the My Health My Data Act, including the right to know what consumer health data has been collected and to withdraw consent for its collection. Residents of California have rights under the CCPA and the CMIA. Residents of the EU, UK, or other GDPR jurisdictions have the rights described in Articles 15–22 of the GDPR.

11. International Users

Parts Journey is operated from the United States. If you access the platform from outside the United States, your information will be transferred to and processed in the United States, which may have data protection rules different from your home country. By using Parts Journey, you consent to this transfer.

12. Cookies

Parts Journey uses a small number of strictly necessary cookies to maintain your logged-in session and remember your theme preference. We do not use advertising cookies, analytics cookies, or third-party tracking pixels.

13. Children

Parts Journey is not directed at and is not intended for children under 18. We do not knowingly collect information from minors. If you are under 18, please do not create an account. If you believe a minor has created an account, contact us at [email protected] and we will delete the account.

14. Changes to This Policy

We may update this policy from time to time. Updated terms will be posted at partsjourney.com/privacy with a stated effective date of no less than 30 days from posting. For material changes, we will also send an email notice to the address on your account. Continued use of the platform after the effective date constitutes acceptance.

15. Contact

Team Palani LLC / Parts Journey Privacy inquiries: [email protected]