sovereignty
the commitment
sanctuary exists to harbor travelers through difficult seasons, not to harvest their data. your reflections, your cairn, your stones, your rituals: they belong to you. this is not a policy position. it is an engineering decision.
we collect as little as possible. what we do collect, we hold carefully. what we do not need, we do not take.
your digital vault
your thoughts stay on your device. cairn entries, cairn placements, compass rose progress, treasury items, and personal reflections are stored locally on your device first and foremost. they do not leave your device unless you explicitly enable cloud sync.
if you turn on cloud sync, encrypted backups are stored on our servers. these backups are encrypted in transit (TLS 1.3) and at rest (AES-256). only your device, signed in with your account, can decrypt them. we cannot read them. we designed it that way.
sanctuary was built so that if our servers disappeared tomorrow, your reflections would still be on your device, untouched and unread by us.
the minimal threshold
we collect only what is necessary to keep the path open for you:
- a grove name (the pseudonym you choose)
- an email address, only if you opt into cloud sync or account recovery
- basic device information: device type, OS version, app version, and crash data
- app preferences and settings you configure
this is the minimal threshold. nothing more.
what we will never touch
these are structural boundaries, not best-effort promises:
- raw text of your cairn entries (these stay on your device)
- personal cairn content or cairn details (unless cloud sync is enabled, and then only in encrypted form)
- your real name, phone number, or contacts
- your location, camera, microphone, or photos
- advertising identifiers or biometric data
- your browsing history outside sanctuary
dove and the anthropic boundary
Dove is sanctuary's conversational companion, powered by Anthropic's language model. when you speak with Dove, your messages are sent to the Anthropic API in real time so that Dove can respond.
these messages are not stored on sanctuary servers after Dove responds. we do not maintain a permanent record of your conversations with Dove on our infrastructure.
we instruct Anthropic not to use your conversations to train their models. our agreement with Anthropic limits their use of your data to delivering Dove's responses.
a short window of recent context is maintained locally on your device so that the conversation feels continuous. you can clear your local Dove history at any time.
community data (the grove)
when you post in the grove, your words are stored on our servers alongside your grove name only. we do not attach your email, device identifier, or any other personal information to grove posts visible to other travelers.
grove posts are visible to other sanctuary travelers. we encourage you not to include personally identifying information in what you share.
authentication and cookies
sanctuary uses HttpOnly JWT tokens for authentication. these are server-signed tokens, stored in a cookie that scripts running in the page cannot read, that keep you signed in between returns. they are not used for monitoring or advertising.
we do not use third-party advertising cookies. we do not follow you across other websites or applications.
trusted infrastructure
sanctuary works with a small number of trusted services:
- Anthropic: provides the language model that powers Dove. receives your Dove messages in real time; contractually prohibited from using them for training.
- Netlify: hosts the sanctuary web platform and handles deployment infrastructure.
- Google Analytics: collects anonymized, aggregate usage data (page views, general traffic patterns) to help us understand how travelers find sanctuary. no personal cairn content is ever sent to Google.
each provider is contractually limited to using data only to deliver their service.
one-click sovereignty
we keep your account data for as long as your account is active. when you choose to leave, we honor a complete account purge:
- account data is deleted from active systems immediately upon request
- encrypted backups are purged within 90 days
- grove posts are removed
- some anonymized, aggregate data (counts, not content) may be retained for understanding broad patterns
you have the right to be forgotten. when you delete your account, we delete it, fully and genuinely. we do not keep shadow profiles. we do not retain your content "just in case."
you can export everything sanctuary has stored about you at any time, in a machine-readable format, before you go (settings, then your data, then export). your data is yours to take with you.
if you are in the EU, UK, or EEA, the GDPR grants you additional rights including the right to object to processing, restrict processing, and lodge a complaint with your local data protection authority. if you are in California, the CCPA grants you the rights described above plus the right not to be discriminated against for exercising them.
children's privacy
sanctuary is intended for travelers aged 13 and older. we do not knowingly collect data from anyone under 13. if we learn that a traveler under 13 has created an account, we will delete it and all associated data.
parents or guardians who believe their child has used sanctuary should contact us at hello@joinsanctuary.io.
changes to this policy
if we make material changes to this policy, we will notify you in the app before the changes take effect. the effective date at the top always reflects the current version. we will not quietly erode the commitments made here.
contact
questions, concerns, or requests about your data and sovereignty: