Privacy Policy

1. Who we are and how to reach us

LYS Planner is operated by Love Your Life, LLC ("we," "us," "our," or "LYS"), a limited liability company in the United States, located at 6767 S Vine St #1185, Centennial, CO 80122, United States. For the purposes of the EU and UK General Data Protection Regulation, Love Your Life, LLC is the data controller of the personal information described in this policy.

For any privacy question or to exercise a data right, contact us at privacy@lysplanner.com. For general support, hello@lysplanner.com.

2. Notice at collection (summary)

This is a summary of the categories of personal information we collect and why; the full detail follows in the sections below. We collect: account and contact data (your email, and optional first name, birthday, gender, and profile photo); purchase and entitlement data (what access you have and when it expires); device and technical data (a random per-install device identifier, device model, operating-system version, app version, and your IP address); usage and diagnostic data (a small set of coarse product-event and crash-diagnostic signals); and the end-to-end-encrypted contents of your entries, which we store only as ciphertext we cannot read. We use this data to provide, secure, and improve the service, to process your purchases, and to comply with law. We do not sell or share your personal information (as those terms are defined under U.S. state privacy laws), and we do not use it for cross-context behavioral advertising.

3. End-to-end encryption

The content you create in LYS Planner (the titles of your goals and habits, the body of your notes and journal entries, the descriptions and notes on your todos, and the dates you attach to those items) is encrypted on your device using AES-256-GCM before it ever leaves the device. The key that protects it (your Master Encryption Key, or MEK) is a random 256-bit key generated on your device. That key is "wrapped" (encrypted) on your device using a key derived from your password with Argon2id, a memory-hard key-derivation function; our servers store only the wrapped key blob and never receive an unwrapped MEK or your plaintext password.

Because of this design, we cannot decrypt your content. We do not have a copy of your password, and we cannot read your entries. We also provide a recovery key: a second, independent way to unlock your encrypted content if you forget your password. If you lose both your password and your recovery key, your encrypted content is permanently unrecoverable, including by us. There is no email-based password reset, by design: a reset email would be a back door into content we have promised we cannot read.

If you use LYS Planner without setting a password (in device-only mode), the content you create is never uploaded to our servers and stays on your device. (Your device still communicates with our backend for basic functions such as verifying app integrity and checking your access status; see Section 5.) Content created in device-only mode lives only on that device and cannot be recovered by us if the app is deleted or the device is lost.

4. What our servers can and cannot see

End-to-end encryption protects the content of your entries. To run your account and sync your data across devices, some structural and account information is necessarily stored in readable form. Here is the precise line.

What our servers cannot see

We hold only ciphertext for all of the following, and cannot read any of it: the title of any goal, habit, todo, note, or journal entry; the body text of your notes and journal entries; the descriptions or notes on your todos; the dates you attach to your goals, todos, and events; and whether you have completed, pinned, archived, or organized those items. All of that rides inside the sealed encrypted blob. If a court ordered us to produce your entries, we could deliver only ciphertext we cannot decrypt.

What our servers can see

So that the app can sync, run your account, and order your items, our servers store, in readable form:

5. Accounts, device-only mode, and what we collect

At signup and sign-in

Device integrity and access checks

Even before you set a password, the app communicates with our backend to confirm that requests come from a genuine, unmodified copy of the app (device attestation, provided through Apple's platform services) and to check your access and trial status. This protects against fraud and abuse. In device-only mode, this traffic does not include the contents of your entries.

6. How we use your information

We use the personal information described above to:

7. Categories of personal information (U.S. state privacy laws)

For the purposes of the California Consumer Privacy Act (as amended by the CPRA) and comparable U.S. state laws, the categories of personal information we collect, the purposes for which we use them, and our retention approach are as follows. We have not sold or shared personal information, and do not use it for cross-context behavioral advertising.

8. Service providers we rely on

We use a small set of carefully chosen service providers (processors / sub-processors) to operate LYS Planner. To protect the security of our systems we describe them by function rather than by name; each receives only the data needed for its function, processes it on our behalf under a written data-processing agreement that requires confidentiality and protections at least equivalent to those in this policy, and is not permitted to use your data for its own purposes.

Device-integrity attestation is provided through Apple's platform services as part of the operating system.

9. Payments

LYS Planner is sold as one-time, non-renewing purchases (see our Terms of Service). You can pay in one of two ways:

10. Analytics and diagnostics

We keep telemetry deliberately minimal, and we never send the contents of your entries to any analytics or diagnostics provider.

Product analytics

We record a defined set of coarse product events: for example, that the app was opened, that an item was created or completed, or that the purchase screen was viewed. These events carry no entry content, no free text, and no email address; where they describe something you created, they are reduced to a count or a preset label. Events are tied to a random, app-generated identifier by default; once you create a full account, they are associated with a pseudonymous internal account identifier (not your email). Each event also carries basic technical context: your device model, operating-system version, and app version. The legal basis for this processing for EEA/UK users is our legitimate interest in understanding and improving the product.

Crash and error diagnostics

We collect crash reports and error events so we can find and fix bugs. We configure this to not collect personal data by default, and we do not capture screenshots, screen recordings, or view-hierarchy snapshots. Diagnostic events may still include limited technical state at the moment of an error (such as function names, file paths, the device model and operating-system version, the app version, and a diagnostics-tool install identifier) but are designed not to carry your decrypted content. The legal basis for EEA/UK users is our legitimate interest in the stability and security of the service.

11. Security logging and IP addresses

When your device communicates with our servers, our infrastructure processes your IP address to route the request, to enforce rate limits, and to detect and prevent abuse, fraud, and security threats. Your IP address is also used, once, to determine the country your account is associated with at signup. IP addresses and basic request metadata appear in our access logs, which are retained for a limited period (currently approximately 30 days) and then deleted. We do not use IP addresses to build advertising or behavioral profiles.

12. Data retention

We keep personal information only as long as we need it for the purposes described in this policy, then delete or de-identify it.

13. Account deletion

You can delete your account at any time from inside the app. When you do, we immediately revoke your active sessions and erase your personal data from our active systems: your email, name, birthday, gender, profile photo, and the cryptographic material protecting your account are removed; your end-to-end-encrypted content blobs and the structural records associated with them are deleted from our storage; and your account record is reduced to a permanent, anonymous tombstone that retains no personal data beyond the limited records described in Section 12.

As noted in Section 12, we retain a limited set of records that we are legally required to keep (principally purchase and transaction records), and we may keep pseudonymous analytics keyed to an internal identifier rather than to your name or contact details, as described in Section 12. Apple and our payment processor likewise retain transaction records under their own legal obligations. Deletion of any copies that exist in routine encrypted backups completes as those backups age out on their normal rotation cycle.

14. Legal bases for processing (EEA and UK users)

If you are in the European Economic Area, the United Kingdom, or another jurisdiction with comparable law, we process your personal data on the following legal bases:

Providing your email is necessary to create a synced account; if you do not provide it, you can still use the app in device-only mode but cannot sync or recover your data. Optional profile details may be left blank. We do not use automated decision-making or profiling that produces legal or similarly significant effects within the meaning of GDPR Article 22.

15. International data transfers

We are based in the United States, and the service providers described in Section 8 store and process data in the United States and potentially other countries. If you are located in the EEA, the United Kingdom, or Switzerland, your personal data is transferred to the United States. Where we make such transfers, we rely on appropriate safeguards: the European Commission's Standard Contractual Clauses (and the UK Addendum), and/or our providers' certification under the EU-U.S. Data Privacy Framework and its UK extension, as applicable. You may request more information about these safeguards using the contact details in Section 23.

16. Your privacy rights

Depending on where you live, you have rights over your personal information. Because the contents of your entries are end-to-end encrypted, the copy we hold is ciphertext we cannot read, but the readable copy on your device is the same data, and the app's built-in export (to Markdown or PDF) and its delete features give you direct access and control. For any request the app cannot fulfill on its own, contact privacy@lysplanner.com.

U.S. state privacy rights

Subject to your state's law (for example California, Colorado, Connecticut, Virginia, Texas, and other states with comprehensive privacy laws), you may have the right to: know and access the personal information we hold about you; correct inaccurate information; delete your information; obtain a portable copy; opt out of the "sale" or "sharing" of personal information and of targeted advertising (we do none of these); and not be discriminated against for exercising your rights. To exercise these rights, use the in-app account controls or email privacy@lysplanner.com. We will respond within the timeframes required by law (generally 45 days, extendable where permitted). If we deny a request, you may appeal by replying to our response; we will inform you of the outcome and, where applicable, how to contact your state attorney general.

EEA and UK rights

If you are in the EEA or the UK, you have the rights to: access your data; rectify inaccurate data; erase your data ("right to be forgotten"); restrict processing; data portability; object to processing carried out on the basis of legitimate interests; and withdraw consent where processing is based on consent. You also have the right to lodge a complaint with your local data protection supervisory authority: in the UK, the Information Commissioner's Office (ico.org.uk), and in the EEA, your national data protection authority. We ask that you contact us first so we can try to resolve your concern. For UK users, we will acknowledge a complaint within 30 days.

Universal opt-out and Global Privacy Control

We do not sell your personal information, share it with third parties for cross-context behavioral advertising, or use it for targeted advertising, so there is no such activity for you to opt out of, and we do not maintain a separate opt-out mechanism for those purposes. If your browser or device sends a Global Privacy Control or other universal opt-out signal, it is consistent with how we already handle your data. If our practices ever change, we will update this policy and honor such signals before any such change takes effect.

17. Children's privacy

LYS Planner is intended for users aged 13 and older, and children under 13 are not permitted to use it. You must be at least 13 years old to use the service, and the app asks you to confirm this when you create an account. We do not knowingly collect personal information, including biometric identifiers, which are treated as personal information under the U.S. Children's Online Privacy Protection Act (COPPA), from any child under 13. In jurisdictions where a higher age of digital consent applies (for example, certain EEA member states set this age between 13 and 16), you must meet the age required in your country or have verifiable parental consent.

If we learn that we have collected personal information from a child under 13, we will (a) promptly suspend the account, (b) delete the associated personal information within 30 days, and (c) where we have contact details, notify the child's parent or guardian. If you are a parent or guardian and believe a child under 13 has created an account or given us personal information, please contact us at privacy@lysplanner.com.

For all users, including minors aged 13–17, we do not serve advertising, engage in targeted advertising or behavioral profiling, sell personal information, or use personal information or content to train AI or recommendation systems. Privacy protections are set to their most protective configuration by default (your content is end-to-end encrypted, we do not use precise location, and your data is not shared with third parties for their own purposes), and these protections apply to every user regardless of age.

18. Consumer health data

A journal or planner can hold reflections about your wellbeing. Some laws (including Washington State's My Health My Data Act and Nevada's SB 370) treat information relating to your past, present, or future physical or mental health as "consumer health data," and they can apply regardless of our size. We want to be clear about how this works at LYS:

By creating an account and choosing to record content in LYS, you consent to our processing of that end-to-end-encrypted content solely to provide the service to you. Where these laws grant you rights to access, delete, or withdraw consent regarding consumer health data, you may exercise them using the contact details in Section 23, and we will respond within the time required by law.

19. Account recovery and the limits of our help

Because your content is end-to-end encrypted and we never hold your password or an unwrapped encryption key, our ability to help you recover access is limited by design. Your recovery key is the second path back into your content if you forget your password. If you lose both your password and your recovery key, we cannot restore access to your encrypted content: it is cryptographically unrecoverable. Please store your recovery key somewhere safe. This is a deliberate trade-off in favor of your privacy.

20. What we do not do

Artificial intelligence. We do not use your content, your personal information, or any data derived from them to train, fine-tune, or improve any artificial-intelligence or machine-learning model (ours or anyone else's), and we do not sell or license your data to any AI developer. Because your content is end-to-end encrypted, we are technically unable to read it in the first place. If we ever wished to change this, we would notify you and obtain your explicit, opt-in consent before doing so.

Face ID / biometric app lock. LYS offers an optional Face ID or Touch ID app lock. When you enable it, authentication is performed entirely on your device by iOS using Apple's Secure Enclave. We never receive, store, or transmit your biometric data (such as your face geometry or fingerprint), and we have no access to it. You can turn this feature off at any time in the app's settings.

21. Security

We design for security from the ground up: end-to-end encryption of your content, encryption in transit, device-integrity attestation, strict access controls, rate limiting, and diagnostics that are configured not to collect personal data by default, with no screenshots, screen recordings, or session replay, and your decrypted content never attached to diagnostic events. No system is perfectly secure, but our zero-knowledge architecture means that even in the worst case, your entry content remains protected by encryption we cannot reverse.

Breach notification. If we become aware of a security incident that compromises your account information (such as your email address), we will notify you, by email or in-app, without undue delay and, where applicable, within 30 days, and we will notify regulators where required by law. Because your entries are end-to-end encrypted, a compromise of our servers would expose only ciphertext that cannot be read without your device-held keys.

22. Changes to this policy

We may update this policy as the app changes. If we make a material change, we will notify you in the app or by email before the change takes effect, and we will update the version and effective date at the top of this page. Your continued use of the service after the change takes effect constitutes acceptance of the updated policy, except where additional consent is required by law.

23. Contact

Questions, concerns, or data-rights requests: privacy@lysplanner.com. You can also write to us at Love Your Life, LLC, 6767 S Vine St #1185, Centennial, CO 80122, United States.

Document history