sovereign data & privacy

effective: may 20, 2026
your inner life is sovereign territory. sanctuary does not observe it, harvest it, or broker it. this document is not a legal disclaimer. it is a product specification.

We hold one belief above all others: your thoughts belong to you.

Sanctuary was built on the premise that a person's inner landscape, the late-night reflections, the unsent words, the quiet conversations with Dove, is inviolable. Not because regulation demands it. Because dignity does.

We do not read your journals. We do not analyze your Dove conversations for behavioral patterns. We do not sell your emotional data to advertisers, researchers, or anyone else. We do not build profiles of your pain. We engineered the platform so that we cannot, not merely so that we choose not to.

When you decide to leave Sanctuary, your data does not linger. Traveler-initiated data destruction is absolute and immediate. There is no grace period, no shadow copy, no retention policy designed to serve our interests over yours. You say delete. We delete. Fully and irreversibly.

This is what we mean by Traveler Sovereignty. Not a marketing position. A structural commitment.

SanctuaryApp, Inc. · an independent, Delaware-incorporated startup

architecture specifications

journal isolation
Your written reflections, cairn entries, meadow journals, expedition responses, are stored locally on your device. If cloud sync is enabled, encrypted backups are transmitted via TLS 1.3 and stored with AES-256 encryption at rest. Only your authenticated device can decrypt them. Our infrastructure cannot read your content by design.
dove conversation boundary
Dove conversations are streamed to the Anthropic API in real time and are not persisted on Sanctuary servers after Dove responds. A short context window lives locally on your device to maintain conversational continuity. You can clear this at any time. Anthropic is contractually prohibited from using your conversations for model training.
encryption at rest
All traveler data that passes through our infrastructure is encrypted at rest using AES-256. In transit, TLS 1.3 is enforced on every connection. There is no plaintext path between your device and our servers.
zero third-party data sales
Sanctuary will never sell, lease, license, or otherwise transfer your personal data or conversational content to any third party. This is a permanent, structural constraint, not a policy that can be revised in a future terms update.
immediate data destruction
When you delete your account, we execute a full purge: account data is removed from active systems immediately. Encrypted backups are destroyed within 90 days. Community posts are removed. No shadow profiles. No "anonymized" retention of your content. The instruction is absolute.
client-side sanitization
Before any text leaves your device, a client-side sanitization layer detects and masks sensitive personal information: social security numbers, phone numbers, credit cards, email addresses, medical identifiers. This layer operates silently at every text submission boundary.
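
A sketch of how a masking layer of this kind can work, as an added example that is not Sanctuary's code. The rule set, the `sanitize` and `luhnValid` names, the placeholder labels and the sample text are all assumptions; medical identifiers are left out because the page gives no format for them.

```javascript
// Added example: constructed rules, not Sanctuary's actual implementation.
// Luhn checksum: keeps ordinary long numbers from being masked as cards.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Order matters: emails and cards are masked first so their digits are
// not partially consumed by the shorter SSN and phone patterns.
const RULES = [
  { label: "EMAIL", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { label: "CARD", re: /\b\d(?:[ -]?\d){12,18}\b/g,
    check: (m) => luhnValid(m.replace(/\D/g, "")) },
  // US SSN shape, excluding area/group/serial values that are never issued.
  { label: "SSN", re: /\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b/g },
  // North American phone shape with separators, optional +1 prefix.
  { label: "PHONE", re: /(?:\+?1[ .-]?)?\(?\b\d{3}\)?[ .-]\d{3}[ .-]\d{4}\b/g },
];

// Returns the masked text plus a per-type count, so the caller can log
// that masking happened without logging the values themselves.
function sanitize(text) {
  const counts = {};
  let out = text;
  for (const { label, re, check } of RULES) {
    out = out.replace(re, (m) => {
      if (check && !check(m)) return m; // failed validation: leave as-is
      counts[label] = (counts[label] || 0) + 1;
      return `[${label}]`;
    });
  }
  return { text: out, counts };
}

// Constructed sample input (no real personal data).
const SAMPLE = "Reach me at jane.doe@example.com or (555) 010-4477. " +
  "SSN 123-45-6789, card 4111 1111 1111 1111. " +
  "Order 1234 5678 9012 3456 is not a card.";
console.log(sanitize(SAMPLE));
```

Pattern-based masking only catches values written in a recognizable format; identifiers spelled out in words or split across messages pass through, so it complements encryption rather than replacing it.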

the minimal threshold

We collect only what is necessary to keep the path open:

This is the minimal threshold. Nothing more.

what we will never access

These are structural boundaries, not best-effort promises:

trusted infrastructure

Sanctuary works with a small number of providers, each contractually limited to delivering their specific service:

the design principle

Sanctuary was engineered so that if our servers disappeared tomorrow, your reflections would still be on your device, untouched and unread by us. Trust is not required when the architecture makes betrayal impossible.

your rights

You can export everything Sanctuary has stored about you at any time, in a machine-readable format, before you go. Your data is yours to take with you.

If you are in the EU, UK, or EEA, the GDPR grants you additional rights including the right to object to processing, restrict processing, and lodge a complaint with your local data protection authority. If you are in California, the CCPA grants you the rights described above plus the right not to be discriminated against for exercising them.

contact

Questions, concerns, or data requests: hello@joinsanctuary.io

SanctuaryApp, Inc. · Delaware C-Corp