Privacy Policy
Summary
Canto does not collect, store, transmit, or sell any personal data. Your journal entries are encrypted on your device and never leave it unless you explicitly choose to export or sync them.
Data Storage
All journal data (entries, attachments, metadata) is stored locally on your device using the device file system (Android/iOS) or IndexedDB (web), encrypted with AES-256-GCM.
Your data is not stored on any server operated by Canto or its developer.
Encryption
Canto encrypts all data at rest using AES-256-GCM. A device-level encryption key is generated on first launch and stored in your device's secure store (Android Keystore / iOS Keychain). Journals can be further protected with a user-chosen password, from which a key is derived using PBKDF2-SHA256.
For full technical details, see the Security Model.
Data Collection
Canto collects none of the following:
- Personal information (name, email, phone number)
- Usage analytics or telemetry
- Crash reports
- Device identifiers
- Location data (GPS is only used locally for journal entry tagging, if you enable it)
- Advertising identifiers
Canto contains no ads, no trackers, and no third-party analytics SDKs.
Network Access
Canto makes network requests only when you explicitly initiate them.
Google Drive Sync (optional)
If you choose to enable Google Drive sync:
- Canto authenticates with your Google account using the standard Google Sign-In flow
- Your journal data is stored in your own Google Drive account, in an app-specific folder
- Canto can only access its own folder — it cannot read your other Google Drive files
- Device-level encryption is stripped before upload (the device key is unique to your device). If your journal is password-protected, the password-layer encryption is preserved — the data on Google Drive remains encrypted. If your journal has no password, the data is stored unencrypted on Google Drive.
- You can disable sync and delete the remote copy at any time
Biometric Data
If you enable biometric unlock, Canto uses the device's biometric API to verify your identity. Biometric data is processed entirely by the operating system. Canto never accesses, stores, or transmits biometric data.
Data Portability
You can export all your data at any time as an encrypted .canto.zip archive. The exported file belongs to you — store it wherever you want, import it on another device, or use it as a backup.
Data Deletion
Delete individual entries, pages, or entire journals from within the app. Uninstalling the app removes all local data. If you used Google Drive sync, you can delete the remote copy from within the app or directly from Google Drive.
Children's Privacy
Canto does not knowingly collect any data from children under 13, because Canto does not collect any data from anyone.
Third-Party Services
The only third-party service Canto integrates with is Google Drive (optional sync). Google's privacy policy applies to data stored in your Google Drive account: policies.google.com/privacy
Open Source
Canto is open source under the GPLv3 license. You can verify every claim in this privacy policy by reading the source code: github.com/pboueke/canto
Changes to This Policy
If this privacy policy changes, the updated version will be published in the GitHub repository and included in the app's next release.
Contact
For questions about this privacy policy, open an issue on the GitHub repository.