Privacy Policy
Last updated: April 8, 2026
Lastlya ("we", "us", "our") is operated by Samael Sp. z o.o., a company registered in Poland. We are committed to protecting your personal data and your privacy. This Privacy Policy explains how we collect, use, store, and protect information when you use our mobile application ("App") and website ("Site").
1. Data Controller
Samael Sp. z o.o.
Registered in Poland
Email: privacy@lastlya.com
For the purposes of the General Data Protection Regulation (GDPR), Samael Sp. z o.o. is the data controller.
2. What Data We Collect
2.1 Account Data
- Email address (required for registration)
- Display name (optional)
- Password (stored as a cryptographic hash — we cannot read it)
- Profile avatar (optional)
2.2 Content Data
- Text messages you create within the App
- Audio recordings you create within the App
- Video recordings you create within the App
- Contact names and email addresses you add
- Delivery schedules and trigger configurations
Important: Your message content is encrypted. We cannot access, read, listen to, or view the content of your messages. Encryption keys are derived from your account credentials and stored on your device.
2.3 Technical Data
- Device type, operating system, and version
- App version
- IP address (for security and fraud prevention)
- Crash reports and error logs (anonymized)
- Usage analytics (anonymized, aggregated)
2.4 Payment Data
Payments are processed by Google Play Billing (via RevenueCat). We do not collect or store credit card numbers, bank account details, or other financial information. We receive only subscription status and transaction identifiers.
3. How We Use Your Data
- To provide the service: Creating accounts, storing messages, delivering messages at scheduled times.
- To communicate: Sending transactional emails (password reset, delivery confirmations).
- To improve the service: Analyzing anonymized usage data to improve features and fix bugs.
- To ensure security: Detecting and preventing fraud, abuse, and unauthorized access.
- To comply with law: Responding to legal requests from authorities when required by applicable law.
4. Legal Basis for Processing (GDPR)
- Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide the service you signed up for.
- Legitimate interest (Art. 6(1)(f) GDPR): Security, fraud prevention, service improvement.
- Consent (Art. 6(1)(a) GDPR): Marketing communications, cookies, and optional analytics.
- Legal obligation (Art. 6(1)(c) GDPR): Tax records, law enforcement requests.
5. Data Sharing
We do not sell your personal data. We share data only with:
- Supabase (database and authentication hosting) — EU-based infrastructure
- RevenueCat (subscription management) — processes subscription status only
- Resend (email delivery) — for transactional emails
- Google AdMob (free plan only) — non-personalized ads with your consent
All third-party processors are bound by Data Processing Agreements (DPAs) and process data in compliance with GDPR.
6. Data Storage and Security
- Data is stored on servers located in the European Union.
- All data is transmitted over TLS 1.3 encrypted connections.
- Message content is end-to-end encrypted.
- Passwords are hashed using bcrypt.
- We implement Row Level Security (RLS) policies ensuring you can only access your own data.
- Regular security audits and penetration testing are conducted.
7. Data Retention
- Active accounts: Data is retained for as long as your account is active.
- Deleted accounts: Personal data is permanently deleted within 30 days of account deletion. Encrypted message content is deleted immediately.
- Delivered messages: After a message is delivered to a recipient, it remains accessible to the recipient. The sender may delete their copy at any time.
- Legal retention: Some data may be retained longer if required by applicable law (e.g., tax records for 5 years).
8. Your Rights (GDPR)
As a data subject under the GDPR, you have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Restriction — limit how we process your data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest
- Withdraw consent — at any time, without affecting prior processing
To exercise any of these rights, contact us at privacy@lastlya.com. We will respond within 30 days.
9. Cookies
Our website uses the following cookies:
- Essential cookies: Language preference, cookie consent status. These are necessary for the site to function.
- Analytics cookies: Anonymized usage data to understand how visitors use the site. Only set with your consent.
You can manage cookie preferences through your browser settings or the cookie banner on our site.
10. Children's Privacy
Lastlya is not intended for children under 13 years of age. We do not knowingly collect data from children under 13. If you believe we have collected data from a child under 13, please contact us immediately at privacy@lastlya.com.
For minors aged 13-17 using the service through our "Gift of Words" program, parental or guardian consent is required. These accounts are managed with additional protections.
11. International Data Transfers
Your data is primarily stored in the EU. In cases where data is processed outside the EU/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification. The "Last updated" date at the top of this page reflects the most recent revision.
13. Contact & Complaints
For privacy-related questions or requests:
Samael Sp. z o.o.
Email: privacy@lastlya.com
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. In Poland, this is the UODO (Urząd Ochrony Danych Osobowych / Office for Personal Data Protection), https://uodo.gov.pl.