Heart Script

Privacy Policy

Your story
stays yours.

Effective May 13, 2026

Heart Script is operated by Nuptial PH, the data controller for the information you give us. This page explains, in concrete terms, what we collect, why, who else sees it, and how to make it go away.

i.What we collect

Only what the product actually needs:

We don’t run third-party advertising trackers, session replay, or behavioural analytics. The cookies the site sets are the ones Supabase needs to keep you signed in.

ii.Why we collect it

The legal bases (where they matter): performance of contract for everything tied to delivering the service you bought, and legitimate interest for the narrow security and anti-abuse cases.

iii.What we do not do
iv.Who else processes your data

We use a small set of vendors. Each one is contractually limited to the purpose listed here:

We may add or replace vendors over time. If we add one that materially changes how your data is handled, we’ll update this page and bump the effective date.

v.Where the data lives and crosses borders

Our infrastructure is global, and your data is likely to be stored or processed outside the Philippines — including in regions operated by our vendors (United States, European Union, Singapore). We rely on the vendors’ standard contractual protections for international transfers. If you have a specific regional requirement, write to us before signing up.

vi.How long we keep it

Account and content data are kept for as long as your account is open. If you delete your account, we delete your vow content and journal entries within 30 days. We keep a minimal record of the transaction (order ID, amount, date) for tax and accounting purposes for as long as Philippine law requires — typically up to ten years.

Error logs and security logs are kept for up to 90 days, then aged out.

vii.Your rights

Under Philippine Republic Act 10173 (the Data Privacy Act), and under equivalent laws where you live, you have the right to:

The fastest path on any of these is an email to [email protected] from the address on your account. We aim to respond within 30 days, usually sooner.

viii.Security

We use TLS for everything in transit and rely on Supabase’s row-level-security primitives to keep accounts cleanly separated. Passwords are hashed and salted at rest. We don’t store secrets in client code and we don’t log raw user input in plaintext. No system is perfect — if we ever discover a breach affecting your data, we’ll tell you and the National Privacy Commission within the timelines the law requires.

ix.Children

Heart Script is for adults. We don’t knowingly collect data from anyone under 18. If you believe a minor has signed up, write to us and we’ll remove the account.

x.Changes to this policy

We may revise this policy as the product changes. The effective date at the top of this page is the source of truth. If a change is material — for example, a new vendor that processes your content — we’ll notify you by email before it takes effect. For the agreement itself, see the Terms of Service.