Security & data handling

Your life, locked down.

Evergreen holds the quiet parts of your life — moods, doubts, money, routines. Here's exactly how that data is stored, encrypted and handled.

Encryption in transit

Every connection to Evergreen uses HTTPS/TLS. Your data is encrypted between your device and our servers, always.

Database in the EU

Your data lives in a Turso libSQL database hosted in the AWS eu-west-1 region (Ireland). It falls under UK GDPR and EU GDPR jurisdiction.

No shadow copies

We don't ship your journal to analytics platforms, session replay tools or third-party warehouses. What's in the database is the whole story.

Transparent AI usage

AI features (Weekly Reflection, Ask Your Life, Daily Spark) send only the specific entries needed to Anthropic's Claude API. Your entries are never used to train any model. AI features only run when you explicitly opt in.

Full export, anytime

Export your journal, habits, goals and todos as JSON or Markdown from Settings → Export. No gated exports. No vendor lock-in.

Clean deletion

Delete your account from Settings → Account. Every entry, habit, goal and completion is hard-deleted from the database within 30 days.

Accounts & authentication

Authentication is handled by Auth.js with signed, HTTP-only session cookies. Passwords are stored as bcrypt hashes — never in plain text. You can sign in with email + password or via Google OAuth.

Sessions use a signed JWT. If you sign out, the session is invalidated immediately. If you change your password, every existing session is rotated.

How AI handles your entries

Never used for training. Your journal, habits and goals are never used to train any AI model — ours or anyone else's.

Only on request. AI-powered features (Weekly Reflection, Ask Your Life, Daily Spark) only run when you trigger them. Nothing is silently sent to an LLM in the background.

Minimum necessary data. A Weekly Reflection receives only that week's entries. Ask Your Life receives only the snippets matching your query. We don't ship your whole journal to the model.

Provider. All LLM calls go to Anthropic's Claude API, which has a zero-retention policy for API inputs and outputs by default.

Found a vulnerability?

Please email security@evergreenapp.life with details. We read every report and aim to respond within 48 hours.