Privacy Policy
Last updated: April 8, 2026
Lastlya ("we", "us", "our") is operated by Samael Sp. z o.o., a company registered in Poland. We are committed to protecting your personal data and your privacy. This Privacy Policy explains how we collect, use, store, and protect information when you use our mobile application ("App") and website ("Site").
1. Data Controller
Samael Sp. z o.o.
Registered in Poland
Email: privacy@lastlya.com
For the purposes of the General Data Protection Regulation (GDPR), Samael Sp. z o.o. is the data controller.
2. What Data We Collect
2.1 Account Data
- Email address (required for registration and communication)
- Display name (optional)
- Password (stored as a cryptographic hash – we cannot read it)
- Profile avatar (optional)
2.2 Content Data
- Text letters you create within the App
- Audio recordings you create within the App
- Video recordings you create within the App (on eligible plans)
- Recipient names and email addresses you add
- Delivery schedules, trigger configurations, and Time Capsule settings
Important: Your message content is encrypted at rest. We do not access, read, listen to, or view the content of your messages except where technically required to deliver them to recipients.
2.3 Technical Data
- Device type, operating system, and version
- App version
- IP address (for security and fraud prevention)
- Crash reports and error logs (anonymized)
- Usage analytics (anonymized, aggregated)
2.4 Payment Data
Payments are processed by Google Play Billing. We do not collect or store credit card numbers, bank account details, or other financial information. We receive only subscription status and transaction identifiers from Google Play.
2.5 Advertising Data (Whisper plan only)
The free Whisper plan displays non-personalized advertisements served via Google AdMob. On the Whisper plan, limited device identifiers may be shared with AdMob solely for ad serving purposes. All paid plans (Echo and above) are entirely ad-free and involve no advertising data collection.
3. How We Use Your Data
- To provide the service: Creating accounts, storing messages, delivering messages at scheduled times or upon trigger events.
- To execute the Delivery Promise: Notifying recipients and delivering your messages when your plan lapses without account deletion, as described in our Terms of Service §6.
- To communicate: Sending transactional emails – delivery confirmations, renewal reminders, final delivery warnings.
- To improve the service: Analyzing anonymized usage data to improve features and fix bugs.
- To ensure security: Detecting and preventing fraud, abuse, and unauthorized access.
- To comply with law: Responding to legal requests from authorities when required by applicable law.
4. Legal Basis for Processing (GDPR)
- Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide the service you signed up for, including executing the Delivery Promise.
- Legitimate interest (Art. 6(1)(f) GDPR): Security, fraud prevention, and service improvement.
- Consent (Art. 6(1)(a) GDPR): Non-personalized advertising on the Whisper plan; marketing communications; analytics cookies.
- Legal obligation (Art. 6(1)(c) GDPR): Tax records, law enforcement requests.
5. Data Sharing
We do not sell your personal data. We share data only with the following processors, bound by Data Processing Agreements (DPAs):
- Supabase – database and authentication hosting, EU-based infrastructure
- Google Play Billing – subscription and payment processing (subscription status only)
- Resend – transactional email delivery (renewal reminders, delivery notifications)
- Google AdMob – non-personalized advertising (Whisper plan only, with consent)
We share recipient email addresses with our email provider solely for the purpose of delivering your messages to those recipients, as you have configured.
6. The Delivery Promise and Recipient Data
You provide email addresses of your intended recipients (loved ones) within the App. This data is stored securely and used exclusively to deliver your messages when a delivery trigger occurs (date-based, inactivity-based, or plan-lapse-based).
Recipients receive an email notification with a secure, time-limited link to access the messages you designated for them. We do not retain recipient data beyond the 90-day download window following delivery. Recipients are not registered as users of Lastlya unless they choose to create their own account.
7. Data Storage and Security
- Data is stored on servers located in the European Union.
- All data is transmitted over TLS 1.3 encrypted connections.
- Message content is encrypted at rest.
- Passwords are hashed using bcrypt.
- We implement Row Level Security (RLS) policies ensuring you can only access your own data.
- Regular security reviews are conducted.
8. Data Retention
- Active accounts: Data is retained for as long as your account is active.
- After plan lapse (Delivery Promise protocol): Content is retained through the delivery and download window (up to 180 days from plan expiry), then permanently deleted.
- Deleted accounts: All message content is deleted immediately upon confirmed account deletion. Personal account data is deleted within 30 days.
- Already-delivered messages: Content in the recipient's download session is accessible for 90 days post-delivery, then deleted.
- Legal retention: Some administrative data (e.g. billing records) may be retained longer if required by law (typically 5 years for tax purposes).
9. Your Rights (GDPR)
As a data subject under the GDPR, you have the right to:
- Access – request a copy of your personal data
- Rectification – correct inaccurate data
- Erasure – request deletion of your data ("right to be forgotten")
- Restriction – limit how we process your data
- Portability – receive your data in a structured, machine-readable format
- Objection – object to processing based on legitimate interest
- Withdraw consent – at any time, without affecting prior processing
To exercise any of these rights, contact us at privacy@lastlya.com. We will respond within 30 days.
Note on erasure and the Delivery Promise: If you request erasure of your data, we will treat this as equivalent to account deletion – permanently cancelling all pending deliveries and deleting all content. This cannot be undone.
10. Cookies
Our website uses the following cookies:
- Essential cookies: Language preference, cookie consent status. Necessary for the site to function.
- Analytics cookies: Anonymized usage data to understand how visitors use the site. Set only with your explicit consent.
You can manage cookie preferences through your browser settings or the cookie banner on our site.
11. Children's Privacy
Lastlya is not intended for children under 13 years of age. We do not knowingly collect personal data from children under 13. If you believe we have collected data from a child under 13, please contact us immediately at privacy@lastlya.com so we can delete it promptly.
12. International Data Transfers
Your data is primarily stored in the EU. In cases where data is processed outside the EU/EEA (e.g., through certain third-party processors), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification. The "Last updated" date at the top of this page reflects the most recent revision.
14. Contact & Complaints
For privacy-related questions or requests:
Samael Sp. z o.o.
Email: privacy@lastlya.com
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. In Poland, this is the UODO (Urząd Ochrony Danych Osobowych / Office for Personal Data Protection): https://uodo.gov.pl.