Security
How we protect your data
The key point: Free users enjoy complete local storage - your data never leaves your device. Premium users who opt for cloud sync have their data protected in a secure repository meeting the latest safety standards.
Local-First Architecture (Free Users)
Tracking My Mood uses a "local-first" design for free users. This means:
- All data stored on your device: Your mood entries, journal, photos, and settings are stored in your browser's secure storage (IndexedDB and localStorage)
- No server-side storage: We don't maintain databases of your data
- No accounts needed: No usernames, passwords, or email addresses required
- Offline capable: The app works without an internet connection
Secure Cloud Storage (Premium Users)
Premium users who create an account have opted to store their data in our secure cloud repository. This provides:
- Cross-device access: Access your mood history from any device
- Automatic backup: Never lose your data if you change devices or clear your browser
- Extended history: Unlimited access to your complete mood tracking history
Data Safety Standards
Our cloud infrastructure meets the latest data safety requirements:
- Encryption at rest: All stored data is encrypted using AES-256
- Encryption in transit: All data transfers use TLS 1.3
- Secure infrastructure: Hosted on enterprise-grade servers with regular security audits
- Access controls: Strict authentication ensures only you can access your data
- GDPR compliant: Full compliance with UK and EU data protection regulations
- Regular backups: Automated backups ensure data integrity and availability
Premium users retain full control - you can export or delete all cloud-stored data at any time from your account settings.
Encryption & Transport Security
HTTPS Everywhere
All connections to Tracking My Mood use HTTPS (TLS 1.2/1.3), which means:
- The application code is delivered securely
- Man-in-the-middle attacks are prevented
- Your connection is encrypted in transit between your browser and our servers
Browser Storage Security
Modern browsers provide security features for local storage:
- Same-origin policy: Only pages loaded from the Tracking My Mood origin can read Tracking My Mood data
- Sandboxed storage: Other websites and apps cannot read your data
- Device-level encryption: Most modern devices encrypt local storage at rest
What We Protect
The Application
- Our servers are secured and regularly updated
- We use security headers (HSTS, CSP, X-Frame-Options, etc.)
- We implement rate limiting to prevent abuse
- We regularly review and update our security practices
Your Data (Stored Locally)
Since your data stays on your device, its security depends on your device security:
- Use a device passcode or biometric lock
- Keep your browser and operating system updated
- Be cautious about who has physical access to your device
- Consider using private browsing if using a shared device
Data You Control
You have complete control over your data:
- Export: Download all your data as JSON anytime from Settings
- Delete: Permanently erase all data with one click from Settings
- No traces: Clearing browser data removes all Tracking My Mood information
Cookies We Use
We use only strictly necessary cookies required for the service to function:
- Session cookie: Keeps you logged in when you have an account (essential for authentication)
- Security cookies: Help protect against cross-site request forgery attacks
These are exempt from cookie consent requirements under UK/EU law because they are essential for the service to work. We do not use any cookies that require consent.
Payment Security
All payment processing is handled by Stripe, a PCI-DSS Level 1 certified payment processor (the highest level of certification).
- We never see your card details: Credit card information goes directly to Stripe - we never see, store, or have access to it
- Secure checkout: All payment pages are hosted by Stripe with bank-level encryption
- No card storage: Your card details are stored securely by Stripe, not on our servers
What We Don't Do
- We don't store credit card or payment details
- We don't use tracking or analytics cookies
- We don't use advertising cookies
- We don't use third-party cookies
- We don't fingerprint your browser or device
- We don't sell, share, or monetise any data
- We don't integrate with social media platforms
Security Limitations (Local Storage Users)
For free users storing data locally, please be aware:
- Device access: Anyone with access to your unlocked device can potentially access your data
- Browser clearing: Clearing your browser data will delete your Tracking My Mood data
- Device loss: If you lose your device without a backup, your data is lost
- No cloud backup: Local storage has no automatic backup - please use the export feature regularly
Premium users with cloud storage are protected from data loss due to browser clearing or device changes.
Responsible Disclosure
If you discover a security vulnerability in Tracking My Mood, please report it responsibly:
- Email: support@trackingmymood.com
- Please include details about the vulnerability and steps to reproduce
- Please give us reasonable time to address the issue before public disclosure
Best Practices for Users
To maximise the security of your data:
- Lock your device: Use a PIN, password, or biometric lock
- Update regularly: Keep your browser and OS up to date
- Back up your data: Use the export feature regularly if your data is important to you
- Shared devices: Consider using private/incognito mode on shared computers
- Public WiFi: The app works offline, so you don't need public WiFi
Questions about security? We're happy to explain our practices in more detail. Contact us anytime.