LifeLyt Back home
LEGAL

Privacy Policy.

Last updated: July 2, 2026 · Effective: July 2, 2026

The short version.

LifeLyt stores the minimum data needed to show you today's memories: your account identifier, your reactions and notes, and a daily cached list of photos matching today's date in past years. We never store the photo files themselves, we never read or store the contents of your photos, and we never sell your data. Connected-provider refresh tokens are stored encrypted at rest, and you can delete everything from inside the app or by emailing us.

This Privacy Policy explains how LifeLyt ("LifeLyt," "we," "our," or "us") collects, uses, stores, and shares information when you use the LifeLyt mobile application and related services (the "Service"). By using the Service you agree to this Policy.

Contents
  1. Information We Collect
  2. How We Use Information
  3. How Information Is Stored
  4. Sharing & Disclosure
  5. Third-Party Services
  6. Sub-Processors & Infrastructure
  7. International Transfers
  8. Data Retention
  9. Your Rights & Choices
  10. Account Deletion
  11. Children's Privacy
  12. Security
  13. Changes to this Policy
  14. Contact

1. Information We Collect

1.1 Account & authentication data

To let you sign in and keep your memories linked to one device or several, we use Firebase Authentication. Depending on the method you choose, we receive:

  • Phone number — if you sign in with your phone. We receive and store the verified phone number.
  • Google profile — if you sign in with Google: your Google account ID, display name, email address, and profile photo URL.
  • Apple ID — if you sign in with Apple: a stable Apple user ID and (optionally) your name and email. If you choose Apple's "Hide My Email," Apple generates a private relay address on your behalf.

We assign each user a Firebase user identifier (uid). This is the only identifier we use internally to scope your data.

1.2 Connected cloud-provider data

When you connect a third-party account (Facebook, Google Photos, Dropbox, Foursquare Swarm, Tumblr, Flickr), we store:

  • The provider name and your display name and email on that provider.
  • An encrypted refresh token (see §3.3) used to fetch new photos on your behalf.
  • The timestamp of the last successful sync, the current sync status, and (if applicable) why we lost access and need you to reconnect.

We do not copy or store the actual photo files. To display today's memories, our servers request photo metadata (URL, date, optional caption and location) from the connected provider on demand and discard it after rendering.

1.3 Memory index & daily cache

To make today open quickly, we store two narrow collections:

  • Memories you interacted with — when you react to a memory or write a note, we persist id, date, provider, photoUrl, your reaction(s), and your note text.
  • Today's anniversary cache — a single document per user listing today's matching photos (id, date, provider, photo URL, caption). It expires after 24 hours and is automatically deleted. We do not retain yesterday's, last week's, or any historical cache.

1.4 Automatically collected technical data

  • App Check attestation — on every server call we verify the request comes from a genuine, signed copy of the app, using Apple Device Check (iOS) or Google Play Integrity (Android). We do not read or store the device attestation token beyond the verification step.
  • Server logs — Cloud Functions emit structured logs to Google Cloud Logging containing request timestamps, function names, error codes, and latency. Logs are retained by Google per its standard policy (see §6).
  • Crash reports — only if you opt in via your device's crash-reporting setting (Apple "Share Analytics" or Google "Usage & diagnostics"). We do not run our own crash SDK.

1.5 Data we do not collect

  • We do not collect your contacts, your location in the background, your advertising ID, your phone's unique hardware identifiers for tracking, biometric data, or health data.
  • We do not collect the contents of your photos. The photo bytes live with the third-party provider you connected; we hold only the URLs to fetch them.
  • We do not track you across other apps or websites.

2. How We Use Information

We use the information we collect only to:

  • Authenticate you and keep you signed in across devices.
  • Fetch today's anniversary photos from the providers you connected.
  • Save and replay your reactions and notes on the memories you marked.
  • Keep your refresh tokens alive so we don't have to ask you to re-authenticate daily.
  • Detect and prevent abuse of our servers (App Check, rate limits).
  • Respond to legal requests and enforce our Terms of Service.

We do not use your data for advertising, profiling, or to train third-party AI models.

3. How Information Is Stored

3.1 Local device

Your settings, your local-only memories, and short-lived UI state are stored on your device using platform-secure storage (iOS Keychain / Android Keystore via expo-secure-store and AsyncStorage).

3.2 Firestore (server database)

Account-scoped data lives in Google Cloud Firestore under the path /users/{your-uid}/.... Firestore Security Rules require every read and write to be authenticated as you and to target only your own uid. No data is world-readable, and no other user can access your records.

3.3 Encrypted provider tokens

Connected-provider refresh tokens are encrypted with AES-256-GCM before they are written to Firestore. The symmetric key is generated once and stored in Google Cloud Secret Manager — a service designed for high-value secrets. The encryption key never lives in client code or in Firestore. Token rotation, decryption, and re-encryption all happen inside our Cloud Functions.

3.4 At-rest & in-transit

All network traffic between the app and our backend uses TLS 1.2+. Firestore encrypts data at rest by default using Google-managed AES-256 keys.

4. Sharing & Disclosure

We do not sell, rent, or trade your personal information. We share data only with:

  • Sub-processors that host, encrypt, or transmit it on our behalf (listed in §6).
  • Connected providers, and only as you direct: when we fetch today's photos from Google Photos, Google Photos sees the request and returns the photos to us. Same for Dropbox, Facebook, etc.
  • Law enforcement, if we receive a valid subpoena, court order, or other legal compulsion. If permitted, we will notify you before disclosing.
  • A successor entity, in the event of a merger, acquisition, or sale of assets, with notice to you.

5. Third-Party Services

The Service integrates with the following third-party platforms. When you connect one, you authorize us to access that platform on your behalf. Their own terms and privacy policies apply to data they hold.

ProviderWhat we access
Facebook (Meta)Photos & albums you own; profile name & email
Google PhotosMedia items and their metadata (date, optional location, description)
DropboxImage files and their metadata
Foursquare SwarmCheck-in history (date, venue name, optional location)
TumblrPosts you authored that contain images or text you chose to import
FlickrYour photos and their metadata

6. Sub-Processors & Infrastructure

We use the following sub-processors to operate the Service:

Sub-processorRoleRegion
Google Firebase (Auth, Firestore, Cloud Functions)Authentication, database, server logicUnited States (default project region)
Google Cloud Secret ManagerStores the encryption key used for provider tokensUnited States
Google Cloud LoggingServer-side structured logsUnited States
Apple Push Notification service (APNs)Phone-auth SMS / push verification (iOS)Apple-managed regions
Google Sign-In / Apple Sign-InFederated identity providersProvider-managed
RevenueCat (if you subscribe to LifeLyt Pro)Subscription & receipt validationUnited States

7. International Transfers

Our servers are located in the United States. By using the Service you understand that your data will be transferred to, stored in, and processed in the United States. Where required (for example, the European Economic Area, the United Kingdom, or Switzerland), we rely on Google's data-transfer mechanisms and Standard Contractual Clauses with our sub-processors. To request a copy of the relevant safeguards, contact us at the address in §14.

8. Data Retention

  • Memories index — kept until you delete the memory, disconnect the source provider, or delete your account.
  • Daily cache — auto-deleted after 24 hours via a TTL field.
  • Refresh tokens — kept while you remain connected to that provider. They are deleted when you disconnect, when token refresh fails permanently, or when you delete your account.
  • Server logs — retained per Google Cloud Logging's default policy (typically 30 days for user-facing logs).
  • Backups — Firestore retains a 7-day point-in-time recovery window. After that window, deleted records are gone.

9. Your Rights & Choices

Depending on where you live, you may have some or all of the following rights:

  • Access — request a copy of the data we hold about you.
  • Correction — fix inaccurate data (for example, a misread photo date).
  • Deletion — delete your account and all associated data.
  • Portability — export your notes and reactions in a machine-readable format (JSON).
  • Restriction or objection — to certain processing, where applicable.
  • Withdraw consent — for any processing that relies on consent, at any time.
  • Lodge a complaint — with your local data-protection authority.

To exercise any of these rights, use the in-app Settings → Privacy → Export Data and Delete Account options, or email us at the address in §14. We respond within 30 days.

10. Account Deletion

You can delete your account at any time:

  • In the app: open Settings → Account → Delete Account. We will permanently delete your uid, all memories index records, all connections, and all encrypted refresh tokens within 7 days, and revoke any active sessions immediately.
  • By email: send a deletion request to creationsapk@gmail.com from the email address tied to your account. We will confirm by reply before deleting.

After deletion, an irreversible 30-day cooling-off period applies during which backups may still contain your records; after that they are gone.

11. Children's Privacy

The Service is not directed to children under 13 (or older, where local law requires a higher age of consent, such as 14, 16, or 18). We do not knowingly collect personal information from children. If you believe a child has created an account, contact us and we will delete the account within 7 days.

12. Security

We protect your data with industry-standard measures: TLS in transit, AES-256 at rest, scoped Firestore Security Rules, App Check attestation on every server call, encrypted storage of provider tokens, and least-privilege service accounts. No system is perfectly secure; if we discover a breach affecting your personal data, we will notify you and applicable regulators as required by law.

13. Changes to this Policy

We may update this Policy as the Service evolves. For material changes — anything that broadens what we collect, how we use it, or who we share it with — we will give you at least 30 days' notice through the app and by email (if we have one). The "Last updated" date at the top of this Policy reflects the most recent revision.

14. Contact Us

If you have any questions, want to exercise your rights, or need to report a privacy concern, contact:

LifeLyt
Email: creationsapk@gmail.com

If you are in the EEA, UK, or Switzerland and would like to contact our lead supervisory authority, please email us first and we will provide the relevant details.

© 2026 LifeLyt. All rights reserved.

  • Terms of Service
  • Privacy Policy