Privacy policy

Your life, your data. We are careful with both.

We wrote this policy the way we wish every privacy policy was written — in plain sentences, with a summary at the top and no lawyerese unless the lawyer absolutely insisted. If anything here is unclear, email privacy@lifr.global and we'll explain.

Effective: April 1, 2026 Last updated: April 1, 2026 Version: 3.2 Changes: Email privacy@lifr.global for prior versions
What this means in plain English.
  • We don't sell your data. Not to advertisers, not to data brokers, not ever.
  • We don't track you across the web. No third-party ad pixels, no retargeting, no Meta pixel.
  • Your tasks stay yours. Private by default. Never used to train any model, ours or anyone else's.
  • Export or delete anytime. Two taps. No "are you sure" guilt, no retention dark patterns.
  • GDPR & CCPA rights honored for everyone, not just EU and California residents.
  • Breach notification inside 72 hours — even when not legally required.

§ 01Who we are.

Lifr Ltd is a small software company registered in Scotland (company no. SC772101). Our registered office is 11 Rutland Square, Edinburgh EH1 2AS, United Kingdom. We are the data controller for information you give us through the Lifr apps, website, and extension.

One human — Alex Hewett — is responsible for privacy decisions at Lifr and replies to every privacy email personally.

§ 02What we collect.

We try to collect as little as possible. Here's the whole list:

CategoryWhat it contains
AccountEmail, display name, password hash, preferences.
Your tasksThe content you create: tasks, rotations, plans, notes, completion history.
Usage (minimal)When you open the app, which screens, rough device class. App analytics: self-hosted Plausible (cookieless). Marketing site: Cloudflare Web Analytics (cookieless, no personal data). No ad-tech or cross-site trackers.
BillingProcessed by Stripe. We see the last 4 of your card and your billing country — never the full card number.
Device metadataOS, app version, locale. Used for bug triage, then dropped after 30 days.
Support emailsWhatever you send us. Kept as long as the thread is open, then archived.
What we never collect.Location, contacts, calendar contents, browser history, keystroke data, microphone, camera, health data. None of it. The app simply doesn't ask.

§ 03Why we collect it.

Two reasons, always:

  • To run the product. Sync your tasks between devices, send you the emails you opted into, bill you correctly, answer support.
  • To make it better. Understand which features are used, which screens break on which browsers, which categories need more rotation templates.

We do not collect data to profile you, segment you, or target ads. Lifr has no ads, and we commit in writing (below) that it never will.

§ 04Who we share with.

A small number of carefully chosen subprocessors. Each is named, linked, and listed so you can verify:

WhoWhy & where
StripePayment processing. US & IE. Only billing metadata.
SupabaseDatabase & authentication. EU region (Frankfurt) for EU users, US-East for the rest.
CloudflareApp hosting & edge functions. Global CDN; EU data processed in EU region.
Cloudflare Web AnalyticsCookieless, privacy-preserving analytics on the marketing site (lifr.global). No personal data, no cross-site tracking. Aggregated page-view data only.
PostmarkTransactional email (password resets, billing receipts). US.
ButtondownNewsletter, if you opted in. US. You can unsubscribe in one click.
Sentry (self-hosted)Crash logs. EU. Scrubbed of task contents.

That's the full list. We do not share data with advertisers, data brokers, or "analytics partners" — because we don't have any.

§ 05How long we keep it.

  • Your tasks & account: as long as your account is active.
  • After deletion: purged from live systems within 24 hours. Purged from encrypted backups within 35 days.
  • Billing records: 7 years, because UK tax law requires it.
  • Device & usage logs: 30 days, then deleted.
  • Support threads: archived 12 months after they close, then deleted.

§ 06Your rights.

We extend full GDPR rights to everyone who uses Lifr, not just EU residents. You can at any time:

  • Access — download everything we have about you as a JSON export from Settings → Data.
  • Correct — edit your account, tasks, and preferences directly in-app.
  • Delete — Settings → Data → Delete my account. Two taps. No retention flow, no "wait, let's talk".
  • Port — the JSON export is a standard, documented format you can import elsewhere.
  • Object — reply to any email or write to privacy@lifr.global. We reply within 30 days, usually much sooner.

§ 07How we secure it.

Tasks and account data are encrypted in transit (TLS 1.3) and at rest (AES-256). Passwords are hashed with argon2id. Backups are encrypted before they leave the database. Production access is restricted to the founder and one contractor under NDA; every access is logged and audited quarterly.

We run a public security contact — security@lifr.global — with a responsible disclosure policy. Valid reports get a response in 48 hours and a bounty between £100–£2,000 depending on severity.

§ 08Cookies & local storage.

Lifr uses a handful of cookies and localStorage items, all first-party, all strictly necessary:

  • Session token — so you stay logged in.
  • Preferences — sidebar collapsed state, plant background, sort order.
  • Plausible analytics — self-hosted, cookieless, GDPR-exempt.
  • Cloudflare Web Analytics — a cookieless, privacy-preserving page-view beacon loaded on the marketing site only. No cross-site tracking, no fingerprinting, no persistent identifiers. Data is aggregated and retained by Cloudflare per their privacy policy.

No marketing cookies, no third-party ad trackers. No consent banner is needed because neither analytics tool uses cookies or persistent tracking.

§ 09Children.

Lifr is not directed at people under 16. We don't knowingly collect data from anyone under 16. If you believe a child has signed up, email us and we'll delete the account within 48 hours.

§ 10International transfers.

EU and UK users are stored in the Frankfurt region. Other users are stored in US-East. Cross-region transfers (e.g. support, backups) rely on Standard Contractual Clauses approved by the European Commission in June 2021. You can request a copy.

§ 11AI & your tasks.

Lifr does not use your tasks to train any AI model — ours, or anyone else's. Features that rely on inference (e.g. energy matching, task suggestions) run on rules and small, local models inside the app. When we do use a third-party model for an experimental feature, it is opt-in, clearly labeled, and your data is sent without identifiers.

Our AI commitment.We will never sell, license, or share your tasks, notes, or completion history to any AI company. If this ever has to change, we will email every user 60 days in advance with a one-click opt-out and a full data export.

§ 12Changes to this policy.

When we change anything material, we email every user at least 30 days before the change takes effect, summarize it in the blog, and keep previous versions available on request — email privacy@lifr.global. Minor edits (typos, clarifications) are logged but not emailed.

§ 13Contact & complaints.

Email privacy@lifr.global — Alex answers. Reply time is under 72 hours, usually under 24.

If you're in the UK or EU and we haven't resolved your complaint, you can also contact the Information Commissioner's Office (ico.org.uk) or your local Data Protection Authority. We'd prefer you came to us first, but we respect your right to go straight to them.

Still unclear?

If any part of this policy doesn't make sense, or you'd like a specific concern addressed before you sign up, email us. We'll answer in plain language.

Email privacy@lifr.global