Privacy Policy
Version 1.0 · Effective July 7, 2026
LYS Planner is built so that the people who run it cannot read your plans, goals, notes, or journal entries. This Privacy Policy explains, in plain language and in legal terms, what data leaves your device, what stays on it, what our servers can and cannot see, who else is involved, how long we keep things, and the rights you have over your information.
The short version. The things you write in LYS Planner are end-to-end encrypted on your device before they reach us, so we only ever hold scrambled ciphertext we cannot decrypt. We do not sell your personal information, we do not use it to train AI models, and we run no advertising or cross-app tracking. We collect the minimum we need to run your account, sync your data, process purchases, fix bugs, and keep the service secure.
1. Who we are and how to reach us
LYS Planner is operated by Love Your Life, LLC ("we," "us," "our," or "LYS"), a limited liability company in the United States, located at 6767 S Vine St #1185, Centennial, CO 80122, United States. For the purposes of the EU and UK General Data Protection Regulation, Love Your Life, LLC is the data controller of the personal information described in this policy.
For any privacy question or to exercise a data right, contact us at privacy@lysplanner.com. For general support, hello@lysplanner.com.
2. Notice at collection (summary)
This is a summary of the categories of personal information we collect and why; the full detail follows in the sections below. We collect: account and contact data (your email, and optional first name, birthday, gender, and profile photo); purchase and entitlement data (what access you have and when it expires); device and technical data (a random per-install device identifier, device model, operating-system version, app version, and your IP address); usage and diagnostic data (a small set of coarse product-event and crash-diagnostic signals); and the end-to-end-encrypted contents of your entries, which we store only as ciphertext we cannot read. We use this data to provide, secure, and improve the service, to process your purchases, and to comply with law. We do not sell or share your personal information (as those terms are defined under U.S. state privacy laws), and we do not use it for cross-context behavioral advertising.
3. End-to-end encryption
The content you create in LYS Planner (the titles of your goals and habits, the body of your notes and journal entries, the descriptions and notes on your todos, and the dates you attach to those items) is encrypted on your device using AES-256-GCM before it ever leaves the device. The key that protects it (your Master Encryption Key, or MEK) is a random 256-bit key generated on your device. That key is "wrapped" (encrypted) on your device using a key derived from your password with Argon2id, a memory-hard key-derivation function; our servers store only the wrapped key blob and never receive an unwrapped MEK or your plaintext password.
Because of this design, we cannot decrypt your content. We do not have a copy of your password, and we cannot read your entries. We also provide a recovery key: a second, independent way to unlock your encrypted content if you forget your password. If you lose both your password and your recovery key, your encrypted content is permanently unrecoverable, including by us. There is no email-based password reset, by design: a reset email would be a back door into content we have promised we cannot read.
If you use LYS Planner without setting a password (in device-only mode), the content you create is never uploaded to our servers and stays on your device. (Your device still communicates with our backend for basic functions such as verifying app integrity and checking your access status; see Section 5.) Content created in device-only mode lives only on that device and cannot be recovered by us if the app is deleted or the device is lost.
4. What our servers can and cannot see
End-to-end encryption protects the content of your entries. To run your account and sync your data across devices, some structural and account information is necessarily stored in readable form. Here is the precise line.
What our servers cannot see
We hold only ciphertext for all of the following, and cannot read any of it: the title of any goal, habit, todo, note, or journal entry; the body text of your notes and journal entries; the descriptions or notes on your todos; the dates you attach to your goals, todos, and events; and whether you have completed, pinned, archived, or organized those items. All of that rides inside the sealed encrypted blob. If a court ordered us to produce your entries, we could deliver only ciphertext we cannot decrypt.
What our servers can see
So that the app can sync, run your account, and order your items, our servers store, in readable form:
- The fact that a record exists, its random identifier (a UUID), a version number, and the size of its encrypted contents, together with timing information about when our servers last received an update to it.
- For habit completions: the dates on which you marked a habit complete, linked to that habit's random identifier. The habit's name itself stays encrypted.
- For calendar events you choose to surface from your device's calendar: an opaque system identifier and whether you marked the event done. The event's title, date, time, and location stay on your device and are never sent to us.
- Your account email address, and any optional profile details you choose to add (first name, birthday, and gender), along with your selected theme and a set of usage counts (how many items you have created or completed in each area of the app).
- If you entered a referral or attribution code when signing up, that code.
- Your purchase and access status: whether you are in a free trial or have active access, and when that access expires.
- Basic device information: a random per-install device identifier, your device model, operating-system version, and app version.
- Your profile photo, if you set one. Unlike your entries, a profile photo is stored on our servers without end-to-end encryption.
- Your IP address, which we process transiently for security and abuse prevention and retain for a limited period in our access logs (see Section 11).
5. Accounts, device-only mode, and what we collect
At signup and sign-in
- Email address. Used as your account identifier and for essential service messages. Required to create a synced account; not collected in device-only mode.
- Password (in cryptographic form only). We never receive or store your plaintext password. A derivation of your password is used to authenticate you and, separately, to unlock your encryption key on your device.
- Optional profile details. You may add a first name, birthday, gender, and profile photo. These are optional and can be changed or cleared at any time.
- Device information. A random per-install device identifier, device model, operating-system version, and app version, used to operate and secure the service and to deliver sync changes.
Device integrity and access checks
Even before you set a password, the app communicates with our backend to confirm that requests come from a genuine, unmodified copy of the app (device attestation, provided through Apple's platform services) and to check your access and trial status. This protects against fraud and abuse. In device-only mode, this traffic does not include the contents of your entries.
6. How we use your information
We use the personal information described above to:
- provide, maintain, and sync the service and your account;
- authenticate you and protect your account and our systems from fraud, abuse, and security threats;
- process your purchases and manage your access and trial status;
- diagnose crashes and errors and improve product quality and reliability;
- understand, in coarse and aggregate terms, how features are used so we can improve them;
- respond to your support requests and any feedback you choose to send us;
- send you essential service communications; and
- comply with our legal obligations and enforce our agreements.
7. Categories of personal information (U.S. state privacy laws)
For the purposes of the California Consumer Privacy Act (as amended by the CPRA) and comparable U.S. state laws, the categories of personal information we collect, the purposes for which we use them, and our retention approach are as follows. We have not sold or shared personal information, and do not use it for cross-context behavioral advertising.
- Identifiers: email address, optional first name, a random per-install device identifier, and IP address. Purpose: account, security, communications. Retained: for the life of your account (IP addresses only for a limited log-retention period).
- Characteristics of protected classifications: optional birthday and gender, where you choose to provide them. Purpose: personalization and product analytics. Retained: for the life of your account.
- Commercial information: purchase and entitlement records (the access you bought, amount, currency, and processor transaction identifiers; never your card number). Purpose: processing purchases, support, fraud prevention, tax and accounting. Retained: as required by law (see Section 12).
- Internet or other electronic network activity: coarse product-usage events and counts, app/OS/device version, and an optional referral code. Purpose: diagnostics and product analytics. Retained: as described in Section 12.
- Geolocation data: coarse, country-level location derived from your IP address at signup, and transient IP processing for security. We do not collect precise device location.
- Visual information: a profile photo, only if you choose to upload one. Purpose: displaying your profile.
- Your own content: the entries you create. We hold this only as end-to-end-encrypted ciphertext we cannot read, and therefore cannot access, disclose, or use its contents.
- Inferences: none. We do not build behavioral profiles about you or make automated decisions that produce legal or similarly significant effects.
8. Service providers we rely on
We use a small set of carefully chosen service providers (processors / sub-processors) to operate LYS Planner. To protect the security of our systems we describe them by function rather than by name; each receives only the data needed for its function, processes it on our behalf under a written data-processing agreement that requires confidentiality and protections at least equivalent to those in this policy, and is not permitted to use your data for its own purposes.
- Cloud hosting and infrastructure providers: run our application servers and store our data, including your encrypted content blobs, your profile photo, and your account and structural metadata. These providers see ciphertext and structural metadata (and your unencrypted profile photo); they cannot read the contents of your entries.
- Payment processors: Apple (for purchases made through the App Store) and a third-party payment processor (for purchases made through our website checkout). See Section 9.
- Error- and crash-diagnostics providers: receive crash reports and technical error data so we can fix bugs. See Section 10.
- A product-analytics provider: receives a small set of coarse, content-free usage events. See Section 10.
- A team-communication tool: receives the feedback you choose to submit through the in-app feedback form, including the message you write and the contact and profile details attached to it (see "A note on feedback" below).
Device-integrity attestation is provided through Apple's platform services as part of the operating system.
A note on feedback. If you submit feedback through the app, the message you write (along with your first name, the email or follow-up address you provide, and limited profile and device details) is delivered to our team through a team-communication tool so we can read and respond to it. Please do not include sensitive information you would not want our team to see in a feedback message; unlike your entries, feedback is not end-to-end encrypted.
9. Payments
LYS Planner is sold as one-time, non-renewing purchases (see our Terms of Service). You can pay in one of two ways:
- Through the App Store. Apple processes your payment as a non-renewing in-app purchase. We receive a transaction identifier and your entitlement status from Apple; we do not receive your card or billing details. Apple's privacy practices govern its handling of your payment.
- Through our website checkout (an alternative offered only to users in the United States). A third-party payment processor handles the transaction. That processor receives your card details, your email address (used for your receipt), and the amount and currency; we never see or store your card number. The processor's privacy practices govern its handling of your payment.
10. Analytics and diagnostics
We keep telemetry deliberately minimal, and we never send the contents of your entries to any analytics or diagnostics provider.
Product analytics
We record a defined set of coarse product events: for example, that the app was opened, that an item was created or completed, or that the purchase screen was viewed. These events carry no entry content, no free text, and no email address; where they describe something you created, they are reduced to a count or a preset label. Events are tied to a random, app-generated identifier by default; once you create a full account, they are associated with a pseudonymous internal account identifier (not your email). Each event also carries basic technical context: your device model, operating-system version, and app version. The legal basis for this processing for EEA/UK users is our legitimate interest in understanding and improving the product.
Crash and error diagnostics
We collect crash reports and error events so we can find and fix bugs. We configure this to not collect personal data by default, and we do not capture screenshots, screen recordings, or view-hierarchy snapshots. Diagnostic events may still include limited technical state at the moment of an error (such as function names, file paths, the device model and operating-system version, the app version, and a diagnostics-tool install identifier) but are designed not to carry your decrypted content. The legal basis for EEA/UK users is our legitimate interest in the stability and security of the service.
11. Security logging and IP addresses
When your device communicates with our servers, our infrastructure processes your IP address to route the request, to enforce rate limits, and to detect and prevent abuse, fraud, and security threats. Your IP address is also used, once, to determine the country your account is associated with at signup. IP addresses and basic request metadata appear in our access logs, which are retained for a limited period (currently approximately 30 days) and then deleted. We do not use IP addresses to build advertising or behavioral profiles.
12. Data retention
We keep personal information only as long as we need it for the purposes described in this policy, then delete or de-identify it.
- Active account data: retained for as long as your account exists.
- Entries you delete in the app: marked for deletion and purged from our servers shortly afterward (within approximately 30 days), including the corresponding encrypted blobs.
- Access logs (including IP addresses): retained for a limited period (currently approximately 30 days).
- Purchase and transaction records: retained after account deletion where we are required to keep them for tax, accounting, refund, chargeback, and anti-fraud purposes, generally for up to seven years or as otherwise required by applicable law. These records include the email address and limited profile details (such as the country) associated with a purchase at the time it was made; they are kept under a legal obligation and are not used to re-identify you for any other purpose.
- Pseudonymous usage and lifecycle analytics: we may retain aggregate and pseudonymous product- and business-analytics records, keyed to an internal identifier rather than to your entry content. These records never contain your entry content, but may include coarse usage and lifecycle signals and limited demographic attributes (such as country, age band, and event counts), and they may survive account deletion.
13. Account deletion
You can delete your account at any time from inside the app. When you do, we immediately revoke your active sessions and erase your personal data from our active systems: your email, name, birthday, gender, profile photo, and the cryptographic material protecting your account are removed; your end-to-end-encrypted content blobs and the structural records associated with them are deleted from our storage; and your account record is reduced to a permanent, anonymous tombstone that retains no personal data beyond the limited records described in Section 12.
As noted in Section 12, we retain a limited set of records that we are legally required to keep (principally purchase and transaction records), and we may keep pseudonymous analytics keyed to an internal identifier rather than to your name or contact details, as described in Section 12. Apple and our payment processor likewise retain transaction records under their own legal obligations. Deletion of any copies that exist in routine encrypted backups completes as those backups age out on their normal rotation cycle.
14. Legal bases for processing (EEA and UK users)
If you are in the European Economic Area, the United Kingdom, or another jurisdiction with comparable law, we process your personal data on the following legal bases:
- Performance of a contract (GDPR Art. 6(1)(b)): to create and operate your account, sync your data, and provide the features and purchases you request.
- Legitimate interests (Art. 6(1)(f)): to secure the service, prevent fraud and abuse, diagnose errors, and understand and improve the product through coarse analytics, balanced against your rights and freedoms.
- Legal obligation (Art. 6(1)(c)): to retain purchase and tax records and to respond to lawful requests.
- Consent (Art. 6(1)(a)): where we ask for it, for example when you grant the app access to your device calendar. You may withdraw consent at any time, without affecting processing already carried out.
Providing your email is necessary to create a synced account; if you do not provide it, you can still use the app in device-only mode but cannot sync or recover your data. Optional profile details may be left blank. We do not use automated decision-making or profiling that produces legal or similarly significant effects within the meaning of GDPR Article 22.
15. International data transfers
We are based in the United States, and the service providers described in Section 8 store and process data in the United States and potentially other countries. If you are located in the EEA, the United Kingdom, or Switzerland, your personal data is transferred to the United States. Where we make such transfers, we rely on appropriate safeguards: the European Commission's Standard Contractual Clauses (and the UK Addendum), and/or our providers' certification under the EU-U.S. Data Privacy Framework and its UK extension, as applicable. You may request more information about these safeguards using the contact details in Section 23.
16. Your privacy rights
Depending on where you live, you have rights over your personal information. Because the contents of your entries are end-to-end encrypted, the copy we hold is ciphertext we cannot read, but the readable copy on your device is the same data, and the app's built-in export (to Markdown or PDF) and its delete features give you direct access and control. For any request the app cannot fulfill on its own, contact privacy@lysplanner.com.
U.S. state privacy rights
Subject to your state's law (for example California, Colorado, Connecticut, Virginia, Texas, and other states with comprehensive privacy laws), you may have the right to: know and access the personal information we hold about you; correct inaccurate information; delete your information; obtain a portable copy; opt out of the "sale" or "sharing" of personal information and of targeted advertising (we do none of these); and not be discriminated against for exercising your rights. To exercise these rights, use the in-app account controls or email privacy@lysplanner.com. We will respond within the timeframes required by law (generally 45 days, extendable where permitted). If we deny a request, you may appeal by replying to our response; we will inform you of the outcome and, where applicable, how to contact your state attorney general.
EEA and UK rights
If you are in the EEA or the UK, you have the rights to: access your data; rectify inaccurate data; erase your data ("right to be forgotten"); restrict processing; data portability; object to processing carried out on the basis of legitimate interests; and withdraw consent where processing is based on consent. You also have the right to lodge a complaint with your local data protection supervisory authority: in the UK, the Information Commissioner's Office (ico.org.uk), and in the EEA, your national data protection authority. We ask that you contact us first so we can try to resolve your concern. For UK users, we will acknowledge a complaint within 30 days.
Universal opt-out and Global Privacy Control
We do not sell your personal information, share it with third parties for cross-context behavioral advertising, or use it for targeted advertising, so there is no such activity for you to opt out of, and we do not maintain a separate opt-out mechanism for those purposes. If your browser or device sends a Global Privacy Control or other universal opt-out signal, it is consistent with how we already handle your data. If our practices ever change, we will update this policy and honor such signals before any such change takes effect.
17. Children's privacy
LYS Planner is intended for users aged 13 and older, and children under 13 are not permitted to use it. You must be at least 13 years old to use the service, and the app asks you to confirm this when you create an account. We do not knowingly collect personal information, including biometric identifiers, which are treated as personal information under the U.S. Children's Online Privacy Protection Act (COPPA), from any child under 13. In jurisdictions where a higher age of digital consent applies (for example, certain EEA member states set this age between 13 and 16), you must meet the age required in your country or have verifiable parental consent.
If we learn that we have collected personal information from a child under 13, we will (a) promptly suspend the account, (b) delete the associated personal information within 30 days, and (c) where we have contact details, notify the child's parent or guardian. If you are a parent or guardian and believe a child under 13 has created an account or given us personal information, please contact us at privacy@lysplanner.com.
For all users, including minors aged 13–17, we do not serve advertising, engage in targeted advertising or behavioral profiling, sell personal information, or use personal information or content to train AI or recommendation systems. Privacy protections are set to their most protective configuration by default (your content is end-to-end encrypted, we do not use precise location, and your data is not shared with third parties for their own purposes), and these protections apply to every user regardless of age.
18. Consumer health data
A journal or planner can hold reflections about your wellbeing. Some laws (including Washington State's My Health My Data Act and Nevada's SB 370) treat information relating to your past, present, or future physical or mental health as "consumer health data," and they can apply regardless of our size. We want to be clear about how this works at LYS:
- The content where such information would live (the body of your notes and journal entries, and the titles and contents of your goals, habits, and todos) is end-to-end encrypted on your device and unreadable by us. We store only ciphertext we cannot decrypt, plus the limited sync and account metadata described in Section 4.
- We do not access, read, or derive health inferences from your content, and we do not sell or share consumer health data with anyone, or use it for advertising.
- You can delete your content and your account at any time from inside the app, which erases it from our active systems as described in Section 13.
By creating an account and choosing to record content in LYS, you consent to our processing of that end-to-end-encrypted content solely to provide the service to you. Where these laws grant you rights to access, delete, or withdraw consent regarding consumer health data, you may exercise them using the contact details in Section 23, and we will respond within the time required by law.
19. Account recovery and the limits of our help
Because your content is end-to-end encrypted and we never hold your password or an unwrapped encryption key, our ability to help you recover access is limited by design. Your recovery key is the second path back into your content if you forget your password. If you lose both your password and your recovery key, we cannot restore access to your encrypted content: it is cryptographically unrecoverable. Please store your recovery key somewhere safe. This is a deliberate trade-off in favor of your privacy.
20. What we do not do
- We do not sell or rent your personal information. To anyone. Ever.
- We do not share your personal information for cross-context behavioral advertising.
- We do not use your data (or your content, which we cannot read) to train AI models.
- We do not place advertising trackers in the app. There are no ad SDKs, no IDFA, and no App Tracking Transparency prompt because we do not track you across other companies' apps or websites.
- We do not send you push notifications (the app does not use Apple Push Notifications).
- We do not access your device's Health, Photos library (beyond a profile photo you explicitly pick), Contacts, or Location data. We read your device Calendar (events only) so the Today view can show your day, and only if you grant permission; even then, event details stay on your device.
Artificial intelligence. We do not use your content, your personal information, or any data derived from them to train, fine-tune, or improve any artificial-intelligence or machine-learning model (ours or anyone else's), and we do not sell or license your data to any AI developer. Because your content is end-to-end encrypted, we are technically unable to read it in the first place. If we ever wished to change this, we would notify you and obtain your explicit, opt-in consent before doing so.
Face ID / biometric app lock. LYS offers an optional Face ID or Touch ID app lock. When you enable it, authentication is performed entirely on your device by iOS using Apple's Secure Enclave. We never receive, store, or transmit your biometric data (such as your face geometry or fingerprint), and we have no access to it. You can turn this feature off at any time in the app's settings.
21. Security
We design for security from the ground up: end-to-end encryption of your content, encryption in transit, device-integrity attestation, strict access controls, rate limiting, and diagnostics that are configured not to collect personal data by default, with no screenshots, screen recordings, or session replay, and your decrypted content never attached to diagnostic events. No system is perfectly secure, but our zero-knowledge architecture means that even in the worst case, your entry content remains protected by encryption we cannot reverse.
Breach notification. If we become aware of a security incident that compromises your account information (such as your email address), we will notify you, by email or in-app, without undue delay and, where applicable, within 30 days, and we will notify regulators where required by law. Because your entries are end-to-end encrypted, a compromise of our servers would expose only ciphertext that cannot be read without your device-held keys.
22. Changes to this policy
We may update this policy as the app changes. If we make a material change, we will notify you in the app or by email before the change takes effect, and we will update the version and effective date at the top of this page. Your continued use of the service after the change takes effect constitutes acceptance of the updated policy, except where additional consent is required by law.
23. Contact
Questions, concerns, or data-rights requests: privacy@lysplanner.com. You can also write to us at Love Your Life, LLC, 6767 S Vine St #1185, Centennial, CO 80122, United States.
Document history
- Version 1.0 · Effective July 7, 2026. First public version of this Privacy Policy.