Privacy Policy
Effective date: May 9, 2026 · Last updated: May 11, 2026
A note from us
Hi. Before we get into the legal language, here's the short version in plain English:
We built Legacy because we believe family stories matter and shouldn't disappear. That belief shapes how we treat your data. We collect only what we need to make Legacy work, we never sell anything to anyone, and we don't use your stories to train AI models. Your memoir is yours.
This page explains exactly what we collect, why we collect it, who helps us run the service, and what you can do at any time to control your data. If anything here is unclear, email us at legacystories@proton.me and we'll explain.
Who runs Legacy
Legacy is run by a sole operator based in Portugal. You can reach us at legacystories@proton.me for any privacy-related question, including data requests, complaints, or just to say hi.
What data we collect, and why
We try to collect as little as possible. Here's everything we store and the reason for each:
When you sign up as the family member
- Your email address — so you can sign in and we can send you account-related emails (like password resets)
- Your display name — to personalize your experience
- A password (hashed, never stored in plain text) if you sign up with email/password
- If you sign in with Google: your email and name as Google provides them
When you add a parent or family member
- Their name, relationship to you (Mom, Dad, etc.)
- Their birth date and country of origin (used to personalize question prompts)
- An optional avatar photo if you add one
- A unique randomly-generated link (QR code) so they can answer questions
When your family member answers questions
- The text of their answer
- An optional audio recording if they speak instead of typing
- The AI-polished version of their answer (the memoir prose our AI generates)
- Optional photos they choose to upload alongside their stories
When you use the website
- Page visits and basic usage data (which pages you view, how long you stay) collected anonymously
- Server logs (IP addresses, browser type, errors) for security and debugging — kept for 7 days then automatically deleted
- A session cookie to keep you signed in (essential — the site can't work without it)
If you contact us
- Whatever you write to us (emails, feedback messages submitted through the app)
What we DON'T collect
To be absolutely clear, we do not collect:
- Your phone number (unless you choose to add it somewhere)
- Your physical address
- Your payment information directly (when paid plans launch, payments will be handled by a specialized payment provider — see "Future paid services" below)
- Your social media accounts beyond what's needed for Google sign-in
- Any tracking data for advertising purposes
- Cross-site browsing history
How we use your data
We use what we collect to:
- Make Legacy work (show you your memoir, save new stories, etc.)
- Send you account-related emails (sign-in confirmations, password resets, inactive-account warnings, and — if you order one in the future — delivery of your memoir PDF)
- Improve the service (looking at anonymous usage patterns)
- Respond when you contact us
- Keep the service secure (detect and block abuse)
We do not:
- Sell your data to anyone, ever
- Share your data with advertisers
- Use your stories to train AI models
- Read your memoir for any reason other than helping you when you ask
- Make automated decisions that legally affect you
Who we share data with (sub-processors)
Legacy relies on a small number of trusted partners to operate. We share only the minimum data each one needs:
- Our database, authentication, and storage partner — securely stores everything you create, with encryption at rest and in transit. Hosted in the EU.
- Our hosting and analytics partner — runs the website, handles basic usage logs and anonymous page-view counting.
- Our AI text-processing partner — polishes raw answers into memoir prose. Receives your family member's first name, relationship, the question, and their answer. Does not use this data to train AI models.
- Our voice-to-text partner — converts voice recordings to text. Receives the audio recording only, does not store it long-term.
- Our email delivery partner — sends transactional emails on our behalf (such as password resets, inactive-account warnings, and future memoir delivery). Receives your email address and the contents of the message we send to you. Never used for marketing or shared further.
- Google — only if you choose to sign in with your Google account. Provides us your Google email and name. Their privacy policy: policies.google.com/privacy.
We've chosen partners that offer strong data protection, GDPR compliance, and don't use customer data for advertising. If you'd like the specific names of our partners or copies of their privacy policies, email us at legacystories@proton.me — we'll send them to you.
We do not transfer your data to any other third party.
Emails we may send you
Legacy will only email you for clear, necessary reasons. Specifically:
- Account essentials — sign-up confirmation, password resets, email changes. These are handled directly by our authentication partner and you receive them by default.
- Inactive-account warnings — a single email if your account has been inactive for 24 months, giving you a chance to keep your memoir before it's deleted (see "How long we keep your data" below).
- Memoir delivery — if you order a memoir PDF in the future, we'll email it to you (or a link to download it).
- Replies to your requests — if you contact us, we'll write back.
- Important changes — significant updates to this Privacy Policy or the Terms of Service that affect your rights.
We do not send marketing newsletters, promotional emails, or product announcements. We don't share your email address with anyone for marketing purposes. If we ever decide to start a newsletter, it will be strictly opt-in.
Where your data is stored
Your data is stored on EU-based servers (Frankfurt, Germany). Some of our partners may process your data temporarily on US-based servers when generating responses or serving the website. All transfers are protected by Standard Contractual Clauses and other safeguards required under GDPR.
How long we keep your data
- Your active account and everything in it: While your account exists.
- Your stories, photos, audio recordings: While your account exists.
- Anonymized record of deleted accounts (no email or name, just hashes and reasons): Indefinitely, for understanding why people leave.
- Feedback messages (with email removed): 2 years.
- Server logs: 7 days.
- Voice recordings (on our voice-to-text partner's side): Not stored long-term — processed and discarded.
- AI prompts and answers (on our AI partner's side): Retained briefly for service operation, then deleted. Never used to train AI models.
- Inactive accounts: If you don't sign in for 24 months, we'll send you a warning email. After 30 more days of inactivity, the account and all its data are deleted.
You can also delete your account at any time from the Account page — that immediately removes everything except an anonymized record of the deletion (which contains no personally identifying information).
Your rights under GDPR
You're in Portugal (or the EU), and so are we. That means you have these legal rights over your data:
- Right to access — Ask us what data we have about you. We'll respond within 30 days.
- Right to correction — Update or fix anything inaccurate. Most of this you can do yourself in the Account page; for anything else, email us.
- Right to deletion ("right to be forgotten") — Delete your account and all your data anytime through the Account page. We honor this immediately.
- Right to data portability — Download a complete copy of your data in a machine-readable format anytime, free of charge. Go to your Account page and click "Download your data". The export includes your account info, parents, stories (raw and AI-polished), photos, and audio recordings as a JSON file. For your security, photo and audio links in the export expire 7 days after download — you can re-export anytime to get fresh links.
- Right to object — Tell us to stop processing your data for any non-essential reason.
- Right to restrict processing — Ask us to pause certain uses of your data while we work things out.
- Right to file a complaint — If you think we've mishandled your data, you can complain to the Portuguese data protection authority, the Comissão Nacional de Proteção de Dados (CNPD) at cnpd.pt. But please tell us first — we'd rather fix the problem.
To exercise any of these rights, email us at legacystories@proton.me. We'll respond within 30 days. There's no charge for these requests unless they're clearly excessive (and even then we'll explain before charging).
Permission to upload family members' data
When you add a parent or family member to Legacy, you're adding their personal information (name, birthday, photo). Under GDPR, that family member is also a data subject with rights — even though they didn't sign up to Legacy themselves.
By adding a family member to Legacy, you confirm that:
- You have their permission to do so, OR
- You're a close family member acting on their behalf with their reasonable consent
- You'll let them know their stories are being preserved on Legacy
- You'll handle requests from them (to access, correct, or delete their data) with care
If a family member ever asks us directly to delete their information, we'll respect that — even if you're the account holder. We'll also notify you when it happens.
Cookies
Legacy uses cookies, but only the bare essentials:
- Session cookies — Required to keep you signed in. Without these, the site can't work.
- Anonymous analytics — A simple page-view counter. No personal information, no tracking across other sites.
We don't use any third-party advertising cookies, social media tracking pixels, or cross-site trackers. There's nothing to opt out of beyond signing out of your account.
Security
We take security seriously:
- All data is transmitted over HTTPS (encrypted)
- Passwords are hashed with bcrypt — we never see your actual password
- Database access is protected by Row-Level Security (only you can see your own data)
- Photos and audio are stored in private buckets and accessed via short-lived signed links
- Production secrets are stored in encrypted environment variables, never in code
That said, no internet service is 100% secure. If we ever discover a breach affecting your data, we'll notify you within 72 hours as required by GDPR.
Children's privacy
Legacy is for adults aged 18 and over. We don't knowingly collect data from anyone under 18. If you're under 18 and you've signed up, please contact us — we'll delete your account.
If a parent on your Legacy account is a minor (rare, but possible — say, a younger sibling), please don't upload their information without their guardian's consent.
Future paid services
When Legacy launches paid plans (sometime in the future), payment processing will be handled by a specialized payment provider that you'll see at checkout. We won't see your full credit card number — only payment confirmations and your basic billing info. The payment provider's privacy policy will apply to payment data.
Free plan users will continue to enjoy the same data protections.
Changes to this policy
If we make significant changes to this Privacy Policy, we'll let you know by:
- Posting the updated policy on this page with a new effective date
- Sending you an email if the changes affect your rights or how we use your data
- Continuing to honor the previous policy for data collected before the changes, unless you accept the new version
Contact us
For anything related to your data — questions, requests, complaints, or just curious — email us at legacystories@proton.me.
We aim to respond within 5 business days, and we're legally required to respond to formal data requests within 30 days.
See also: Terms of Service