Last updated: 7 May 2026 Effective date: 7 May 2026
This document explains how you can exercise your rights under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Slovenian Personal Data Protection Act (ZVOP-2) when using journail.app. It is published by Tomaž Pernovšek s.p., the data controller.
This page is the practical companion to our Privacy Policy. The Privacy Policy explains what we process and why; this document explains how you exercise your rights and what happens when you do.
1. Your rights at a glance
Under the GDPR you have the following rights:
| Right | What it means | How to use it in Journail |
|---|---|---|
| Access (Art. 15) | Get a copy of the personal data we hold about you. | Settings → Export data, or write to info@journail.app |
| Rectification (Art. 16) | Correct inaccurate or incomplete data. | Edit your profile and entries directly, or email us |
| Erasure (Art. 17) | Delete your data ("right to be forgotten"). | Settings → Delete account, or email us |
| Restriction (Art. 18) | Pause processing in defined cases. | Email us with your request |
| Portability (Art. 20) | Receive your data in a structured, machine-readable format. | Settings → Export data (JSON or Markdown) |
| Objection (Art. 21) | Object to processing based on legitimate interests, including marketing. | Email us, or use the unsubscribe link in any email |
| Withdraw consent (Art. 7(3)) | Pull back consent at any time, without affecting prior lawful processing. | Settings → Email preferences; Cookie settings; or email us |
| Not be subject to solely automated decisions (Art. 22) | We don't make such decisions; you remain in control. | Always on by design |
| Complain (Art. 77) | File a complaint with a supervisory authority. | See Section 9 below |
You do not need to give a reason to exercise most of these rights. You do not need legal language to make a request. A plain email is enough.
2. Right of access (Article 15) — getting a copy of your data
You can obtain a copy of all personal data we hold about you in two ways.
2.1 Self-service export (recommended)
Go to Settings → Export data. Choose your preferred format:
- Markdown (.md) — readable, portable, ideal for opening in any text editor or note-taking app.
- JSON (.json) — machine-readable, ideal for moving to another tool or for archiving.
The export includes:
- Your profile and account data (name, email, language, time zone, plan).
- All journal entries (morning briefs, evening debriefs, generated entries, free-form notes).
- All goals (yearly, monthly, weekly), with their full history.
- All tasks created in or imported into Journail.
- Settings (email times, integrations, language, vacation periods).
- A list of integrations you have connected (without OAuth tokens).
- Your conversation history with the AI.
The export does not include:
- Other users' data.
- Server access logs (these are kept under our security legitimate interest).
- Payment data (this is held by Paddle and can be requested directly from Paddle).
The export is generated on demand. For large archives, it may take a few minutes; you'll receive an email when it's ready.
2.2 Formal request by email
If you prefer a formal Article 15 access request, write to info@journail.app with:
- Your registered email address.
- A short description of what you'd like to receive (or just "everything").
- Optionally, your preferred format.
We may ask you to confirm your identity to prevent disclosure to the wrong person — typically by replying from your registered email address. If we have reasonable doubts, we may ask for further verification. We will not ask for ID copies unless we genuinely cannot otherwise verify the request.
We respond within one month. We may extend this by a further two months for complex or numerous requests, in which case we will inform you within the first month and explain why.
The first copy is free. For repeated or excessive requests we may charge a reasonable administrative fee or refuse the request, as permitted by Article 12(5) GDPR.
3. Right to rectification (Article 16)
If something we hold about you is inaccurate or incomplete, you can correct it. Most fields you can edit yourself:
- Name, email, language, time zone, password — Settings → Profile.
- Journal entries, goals, tasks — directly in the app.
- Integration scopes — Settings → Integrations.
If a correction is not possible in the UI, write to info@journail.app and we will fix it.
4. Right to erasure (Article 17) — deleting your account and data
You can delete everything at any time.
4.1 Self-service deletion
Go to Settings → Delete account. We ask you to confirm by typing your email address; this prevents accidental deletion. After confirmation:
- You are immediately logged out and your account is marked for deletion.
- Within 30 days, we permanently erase your account data, journal entries, goals, tasks, and conversation history.
- Within 35 days, your data is removed from rolling backups.
- Some data is retained where law requires it (see Section 4.3).
4.2 Formal request by email
If you can't access your account, write to info@journail.app from the email address registered to your account, with the subject "Erasure request". We will process within one month.
4.3 What we have to keep
Some data is retained for legal reasons even after you ask for erasure:
- Invoices and accounting records — 10 years (Slovenian tax law).
- Records of your erasure request itself — for the period required to demonstrate compliance with the GDPR.
These are stored under the lawful basis of legal obligation (Article 6(1)(c) GDPR) and access is restricted to the minimum needed.
4.4 What deletion does NOT undo
- Past payments are not refunded automatically. If you want a refund of unused subscription time, see our refund policy in the Terms of Service.
- Already-sent emails cannot be recalled from your inbox.
- A friend who saw an exported journal entry on your device cannot be made to forget it. Only what we hold can be deleted by us.
5. Right to restriction (Article 18)
You can ask us to pause processing in specific cases:
- You contest the accuracy of data — we restrict processing while we verify.
- The processing is unlawful but you don't want erasure — we restrict instead.
- We no longer need the data, but you need it for a legal claim.
- You have objected under Article 21 and we are assessing whether our legitimate interests override yours.
While restricted, we keep the data but do not actively process it (other than for storage). To request, write to info@journail.app and explain which data and why.
6. Right to data portability (Article 20)
The Service is designed for portability. Use Settings → Export data to download your data in either:
- Markdown — for human reading and pasting into other tools.
- JSON — for direct import into other systems.
If you want us to transmit your data directly to another data controller and that controller can technically receive it, write to info@journail.app. Where technically feasible we will do so. We are not obliged to perform conversions if no common machine-readable format works for both controllers.
7. Right to object (Article 21)
You can object to any processing based on legitimate interests — and you do not need to give a reason for objecting to direct marketing.
7.1 Marketing emails
Every marketing email we send (newsletter, product update) contains an unsubscribe link. One click is enough. You will continue to receive transactional emails (account, billing, security) because they are necessary for the Service.
7.2 Other legitimate-interest processing
We use legitimate interests for security monitoring, fraud prevention, and error logging. To object, write to info@journail.app explaining the specific processing you object to. We will assess whether our legitimate interest can be overridden by your particular situation. If we agree, we stop. If we do not agree, we will explain why and tell you about your right to complain to the supervisory authority.
8. Right to withdraw consent (Article 7(3))
Where we rely on consent (cookies, special-category content in journal entries, marketing newsletters), you can withdraw at any time:
- Cookies — click "Cookie settings" in the footer of journail.app.
- Marketing emails — click "Unsubscribe" in any marketing email.
- Special-category content — delete the entries containing such content, or delete your account.
Withdrawing consent does not invalidate processing that took place under that consent before withdrawal.
9. Right to lodge a complaint (Article 77)
If you believe we have not properly handled your data or your request, you can lodge a complaint with a supervisory authority.
In Slovenia:
Informacijski pooblaščenec (Information Commissioner) Dunajska cesta 22, 1000 Ljubljana, Slovenia Email: gp.ip@ip-rs.si Web: www.ip-rs.si
You may also complain to the supervisory authority in the EU country where you live, work, or where the alleged infringement occurred.
We would also genuinely appreciate hearing from you first, at info@journail.app, so we can try to resolve the issue. This is your right, not your obligation.
10. How to make a request — practical guide
10.1 What to include
A useful request typically includes:
- Your registered email address (so we can identify your account).
- What you want ("export my data", "delete my account", "correct my name", etc.).
- Format preference for exports, if any.
- Anything specific you want to raise (e.g. "please confirm my data has been removed from backups").
10.2 Where to send it
- In-app first for self-service options (Settings).
- info@journail.app for any formal request — privacy, legal, security, billing.
10.3 How we verify your identity
For most requests, replying from your registered email address is sufficient. If we are not satisfied, we may ask for additional information — but we will never ask for more identification than necessary.
10.4 How long it takes
| Request type | Response time |
|---|---|
| Self-service in app | Immediate or within minutes |
| Email request — straightforward | Up to 5 working days |
| Formal GDPR request | Within 1 month (extendable by 2 months for complex cases) |
| Erasure | Within 30 days for active data; within 35 days from backups |
10.5 If we say no
If we refuse a request — for example, because we cannot verify identity, or because the request is manifestly unfounded or excessive — we will tell you in writing within one month, with a reason and a reminder of your right to complain to the supervisory authority and to seek judicial remedy.
11. Children's data
The Service is not intended for users under 16. If you become aware that a minor under 16 has provided us with personal data, please contact info@journail.app and we will delete it promptly.
If you are a parent or legal guardian and you believe a child under your care has been using the Service without permission, write to us at the same address. We will treat such requests with priority.
12. Sub-processors and international transfers
A current list of our sub-processors and the international transfer safeguards we use is published in Section 14 of our Privacy Policy. If you would like a copy of the relevant Standard Contractual Clauses or a description of supplementary technical and organisational measures, write to info@journail.app.
13. Data Protection Impact Assessments (DPIA)
We assess high-risk processing activities (in particular AI processing of personal content) through internal DPIAs aligned with Article 35 GDPR. Summaries are available on request to legitimate stakeholders.
14. Glossary
A few terms used in this document, in plain language:
- Personal data — any information about an identified or identifiable person.
- Special-category data — data about health, sex life, religion, ethnicity, political views, union membership, biometrics, or genetics. We don't ask for this; you may write about it in your journal voluntarily.
- Processing — anything we do with the data, from collecting it to deleting it.
- Controller — Tomaž Pernovšek s.p. (the entity that decides why and how data is processed).
- Processor — a third party that processes data only on our instructions (e.g. our AI providers, our hosting provider).
- Sub-processor — a processor used by our processor.
15. Contact
Tomaž Pernovšek s.p. Dolinškova ulica 10a, 1000 Ljubljana, Slovenia Email: info@journail.app
We respond to all rights requests in good faith. If something feels unclear or unfair, please tell us — the GDPR exists to protect you, and we work in that spirit.