Skip to main content

Trust & Privacy

Our System Sanctuary, LLC ("Our System Sanctuary," "we," "us," "our") was built because this community deserves a place that actually takes privacy seriously. This page tells you exactly what we collect, who can see it, and what we will and will not do with it. We wrote it to be read, not to be skimmed past. If something here is ever unclear, email us.

Our System Sanctuary is operated by Our System Sanctuary, LLC, a Florida limited liability company. The legal terms governing your use of the platform live on our Terms & Disclaimer page. This page is the companion to those terms. It is the human explanation of how we handle your data.

Who this is for

Our System Sanctuary is open to people who are 13 and older, and the experience is tailored to age. Adults (anyone 18 and older) have the full platform. Younger members, 13 to 17, have a more private, system-focused version designed for them, and the privacy details that apply to a younger member are written plainly in the version of this page shown inside their own account. Those accounts start with the most private settings already on, and the most sensitive tracking, such as health conditions, turned off entirely.

People under 13 cannot create an account, and we do not knowingly collect their information. If we ever discover an account belongs to someone under 13, we will close it and delete the data.

What we store

Everything you create here belongs to you: your journal entries, your members, your front log, internal weather, identity history, supporter connections, settings, and any media you attach. That is the personal content you make; the account, security, and optional details we keep are named one by one just below, so this section is the full picture of what we hold.

For your account itself, we store your email address and a one-way hash of your password. A hash means we never store the actual password. Not us, and not anyone who might ever access our database. This is how every responsible platform handles passwords, and we are not an exception.

We also store the birth month and year you give us when you join, or ask to join, along with a timestamp of when you gave it. We never ask for or keep the day. This is the smallest amount of information that lets us confirm you are 18 or older, which the law requires us to do, and it is kept as a quiet record that the requirement was met. If someone tells us they are under 18, we do not create an account or keep what they entered.

We do not collect your IP address for analytics, advertising, device fingerprinting, location tracking, or browsing history, and we never sell it. There are two places an IP is touched, both for security, and we want to name them plainly. First, our public sign-up and waitlist forms briefly use your IP and email for rate-limiting, and store only a one-way hash of them, never the raw values, described below. Second, our authentication provider, Supabase, records the IP address and device of each sign-in as part of running the login system itself. We do not display that IP to you or use it for anything: the Devices & Sessions screen in Settings shows you only the device (its browser and operating system) and when it was last active, which is enough to recognize a sign-in you do not, and sign it out. By default we never show your location. You can optionally turn on an approximate location for your own devices on that screen; if you do, we work out a rough city or region from each sign-in's network location through our host (no outside location service), store only that short text for your own eyes, share it with no one, and delete it the moment you turn it off. It is off unless you choose it, we record your acknowledgement when you turn it on, and it is not offered to younger members. No other user can ever see any of this.

How we protect your data

Everything stored in our database is encrypted at rest by our infrastructure provider, Supabase, using AES-256, the same standard financial institutions use. Every connection between you and the app travels over HTTPS/TLS.

On top of that encryption, every table in our database has row-level security enabled. This is a second layer of protection, applied throughout the entire platform, that gates every row to your account ID at the database level. It means no other user can reach your data, even if they tried, and it stays on for every table we have, with no exceptions.

We do not use end-to-end encryption right now. We thought carefully about this. The trade-off, where losing your password would mean losing everything forever, is not safe for a community where dissociative amnesia is part of real life. We chose recovery over zero-knowledge for this version. If the community wants us to revisit that, we will.

Who can see your data

Other members of the community can only see what you choose to share. Your display name appears alongside anything you post in community spaces. Your members, journals, front log, and everything else in your sanctuary are never visible to anyone else. The only way another person sees something is if you post it publicly or share it with a supporter you have explicitly invited.

Supporters you invite see only what you grant them. By default they see nothing. You decide what each supporter can access, down to individual categories, in Settings.

As for us, we have the technical ability to query the database, the same as any web application developer. The section below is specific about when and why we would ever use that ability.

As for anyone else, there are no advertisers, no data brokers, no analytics companies. The narrow exceptions are the AI and infrastructure services described below, each in their own section.

When we access your data

We do not read your journals or your personal information. Not out of curiosity, not for marketing, not to improve our product, not for AI training, not for any reason we have not listed here.

The only times we would look at your account data:

  • You asked us to. If you reach out for help with a bug or a recovery situation and we agree together on what we need to look at.
  • We are legally required to. A valid court order or subpoena. We will tell you if we are legally allowed to.
  • A security incident. If we need to verify that nothing was tampered with during a breach, we look at metadata like timestamps and row counts, never your content.

We will tell you if any of these happen. If you would prefer we never access your account under any circumstances, email us and we will honor that, though it may mean we cannot help you recover access if something goes wrong.

What we will never do

  • We will not sell your data. Not now, not ever, not to advertisers, data brokers, researchers, or anyone else.
  • We will not share your information for advertising, profiling, or behavioral targeting.
  • We will not use your data to train AI models. The AI Insights features run only on demand, only on data you have consented to share, one member at a time.
  • We will not use third-party analytics trackers. No Google Analytics, no Meta Pixel, no session recording tools.
  • We will never require you to use your real name or provide any real-world identifier.

Keeping bots out

Our public sign-up and waitlist forms use Cloudflare Turnstile to stop automated abuse. Cloudflare represents that Turnstile works without tracking cookies and without profiling people. You can read their privacy practices at cloudflare.com/privacypolicy.

Those forms are also rate-limited. To make that work, the form briefly looks at your IP address and email to detect when the same source is submitting over and over. Only a one-way hash of those values is stored, never the raw values, and only long enough to catch abuse patterns. This happens only on logged-out public forms, never once you are signed in, and never for analytics.

AI Insights and your data

The AI Insights features (BlackoutBridge, Daily System Digest, What Did I Miss, and Our Recent Days) are optional. None of them run without your consent, and every member of your system chooses individually whether to take part. A feature includes only the members who have turned it on, so a summary can be partial, which is by design. Any member can also opt out of AI entirely: when they do, they are never included in any feature, even in a shared or co-fronted entry where someone else was the main fronter. One honest limit to know: because shared notes can mention other people, a member who is included can still name someone else in passing. We never send a row that belongs to a member who has opted out, but we cannot promise a member's name will never appear inside another member's note.

When you run one of these features, a specific, limited set of your data is sent to Google Cloud's AI service to generate the summary or message. Here is exactly what that includes:

  • Who was fronting, when, and any mood or context notes from those front log entries
  • Journal entry titles and dates, never the body of any entry
  • Entries you have marked private are flagged as such, and only the title is passed along
  • For BlackoutBridge specifically: the full text of internal messages to the returning member, up to the 20 most recent

The body of any journal entry is never sent. Anything belonging to a member who has not consented is never sent.

What Google does with that data:

Google contractually guarantees your data is never used to train its AI models. That protection has no exceptions based on what the content is. Google holds inputs for up to 24 hours for performance purposes, then deletes them.

There is one narrow exception to that 24-hour deletion. If Google's automated systems flag something as a possible violation of its usage rules, that content may be held for up to 90 days while Google reviews it, and even then it is never used for training. Those rules are about things like illegal activity, content that helps someone harm other people, hate, and harassment. They are not about someone honestly describing their own experience, their distress, or what they are living through. There is no secret list of trigger words. The check looks at whether content appears to break those rules, not at any single phrase. You can read exactly what they cover in Google's Generative AI Prohibited Use Policy. This kind of review is rare, and it has nothing to do with you personally.

We do not store the AI's output on our servers. The summary is generated, returned to you, and not saved.

These retention windows reflect Google's policies at the time this page was last updated. They may change. Current details are always at policies.google.com/privacy.

The first time you use any AI Insights feature, and again any time the disclosure or provider changes, you will be asked to confirm what gets shared. Nothing is sent until you do. Every acceptance is recorded with the exact text you saw, the version, the provider, and the timestamp. You can ask us to show you your consent history at any time.

For Our Recent Days exports, only the date range and export date are stored on our servers. The summary itself is never saved. Regenerating an export always produces a fresh result from your current data.

Learn Hub search

When you search in the Learn Hub, only the words you type go to Google Cloud's AI service (Vertex AI), the same service behind our AI Insights features. Nothing from your system, your journals, or your account is included. Google does not use this data to train its models, and holds inputs for up to 24 hours for performance purposes, then deletes them. Details at policies.google.com/privacy.

Community posts and moderation

Posts and comments in the community feed, rooms, and group chats go live the moment you submit them. Nothing is held for approval.

To help us catch content that breaks our community guidelines, the things you share in the open community, your posts, comments, polls, and room names, pass through an automated check the moment you create them. That check sends the text to Google's Vertex AI, the same service behind our AI Insights, which reads it and sorts it into a review queue for us. Google does not train on it, and deletes it within 24 hours unless their automated systems flag it for review. The check never hides anything on its own. It only raises a flag for a human, and every removal decision is made by a person, not the machine.

Private group chats are not run through this check. What you say in a group chat stays between the people in it.

The same is true of direct messages and supporter messages: the wording of your private messages is never run through any automated text check. No person and no AI reads them.

Files and attachments are handled separately from message text. Anything you upload may be automatically scanned or reviewed for security and safety, and where we believe it is necessary or the law requires, we may remove, block, or report it. This is a check on the file itself, never a reading of your words. We do not use your attachments for advertising or AI training. No automated check catches everything, so we cannot guarantee a file is safe, and we ask you to open and download files with normal care.

Posts about active suicidal thoughts or crisis feelings are never flagged. This community needs to be able to speak openly about those experiences, and we built the system with that as a non-negotiable. We tested it specifically to make sure a post reaching out in a dark moment is left for the community to hold, not hidden.

There are also two community-driven protections: if enough established members report the same post within 24 hours, or if a member reports something that the filter has also flagged, the post is temporarily hidden while we take a look. This is a hold, not a strike. Reports from accounts younger than 7 days do not count toward that threshold. An account cannot report its own post, and switching members does not let the same account report twice.

Every moderation decision is reviewable and appealable in-app. A strike only counts when we confirm a removal, not when something is flagged or reported.

Health and medical information

We treat everything health-related in your sanctuary as sensitive personal data. That includes mood, internal weather, triggers, medications, conditions, diagnoses, and any AI-generated summaries you choose to share with a clinician.

We do not sell, share, license, rent, or aggregate any of this with anyone, including advertisers, data brokers, researchers, insurers, and AI companies.

The only times health-adjacent data leaves our servers are the narrow opt-in cases already described: when you choose to run an AI Insights feature on data you have consented to share, or when you type a search into the Learn Hub.

Our System Sanctuary is not a HIPAA-covered entity and is not a substitute for clinical care. If you share an export with a therapist or other provider, that is a handoff between you and them. We have no relationship with your provider and never receive anything back.

The Health Conditions feature stores diagnosis labels, dates, severity ratings, triggers, symptoms, physician names, medications, and free-text notes. This data is encrypted at rest, gated to your account by row-level security, and treated the same as everything else when it comes to export and deletion. Entries you mark private to a specific member are readable only while that member is fronting, and this is enforced at the database level.

One important thing to know: because this data lives behind your login, it is not accessible to a first responder who picks up your phone, or to anyone without your credentials. If you want health information available in an emergency without authentication, iPhone Medical ID, Android Emergency Info, or a MedicAlert bracelet are the right tools for that. This platform is not designed for that purpose.

Your rights under the FTC Health Breach Notification Rule

Because we store health-related information you enter, we are subject to the FTC's Health Breach Notification Rule. If a breach ever affects your health data, meaning someone accessed, acquired, or disclosed it without authorization, we will notify you within 60 days of discovering it. Breaches affecting 500 or more users also require us to notify the FTC. Any notification will tell you what was affected, who may have accessed it, and what you can do.

The other services that touch your data

  • Supabase stores your data and handles authentication. supabase.com/privacy.
  • Vercel hosts the application. vercel.com/legal/privacy-policy.
  • Resend delivers transactional emails like account confirmations and password resets. Your email address is processed for delivery only. resend.com/legal/privacy-policy.
  • PluralKit syncs member and front data when you choose to connect your PluralKit account, through their API using an access token you provide. That token is stored in encrypted secret storage. We do not share anything with PluralKit beyond what the sync you initiate requires. pluralkit.me/privacy.
  • Cloudflare handles bot prevention on our public forms as described above. cloudflare.com/privacypolicy.
  • Sentry monitors the application for errors. It is configured to receive no personally identifiable information. Error reports contain only technical diagnostic data like error type, stack trace, and browser environment. sentry.io/privacy.

When you delete your account

Deleting your account starts a 10-day grace period. You can cancel the deletion any time during that window. After it closes, your personal data is removed from our active database.

Our database provider, Supabase, keeps encrypted backups for up to 7 days for disaster recovery. Once those are gone, your data is unrecoverable by anyone, including us.

Posts and messages you made in community spaces become a [deleted] placeholder after your account closes, so threads do not break. If you want those removed too, let us know before you delete your account.

One small exception, kept for legal reasons: we retain a minimal record that you agreed to our Terms and attested your age, meaning the version you accepted and the date, for up to 7 years after deletion. Nothing else: no journals, no members, no health information, no posts. We keep only this proof of agreement so we can comply with the law and defend a claim if one is ever made about an account. It is never used for anything else.

Supporters

A supporter account is its own separate, limited account. It sees only what you have chosen to share, nothing more. It has no system of its own, no dashboard, and no access to community spaces.

You control what each supporter sees, per category, in Settings. You can also choose to notify a supporter when a specific member starts fronting. That sends the member's name and their optional note to the supporter in-app and, if they have push notifications on, to their device. It is opt-in for both of you, never includes journal or private content, and stops the moment you turn it off or remove them.

Using the Emergency Override on a sealed entry logs that action in your activity feed. Every access is auditable.

Your rights

You can ask us to let you see the data we hold about you, correct anything inaccurate, export everything, delete your account, or withdraw AI consent for any member at any time. Email privacy@oursystemsanctuary.com and we will respond within 30 days.

Security

If you find a security issue, email admin@oursystemsanctuary.com. You will hear back from us within one business day.

If this page changes

We will notify you in-app before any change that affects what we can see or do with your data. For anything material, we will ask you to acknowledge the update before you continue using the platform.

See also: Terms & Disclaimer

Last updated: June 12, 2026 | Version 1.6