Privacy Policy

Last updated: December 21, 2024

Your privacy matters to us. This Privacy Policy explains how LostAura ("Company," "we," "us," or "our") collects, uses, stores, shares, and protects your personal information when you use our mobile application ("App") and related services.

By using LostAura, you consent to the data practices described in this Privacy Policy. If you do not agree to this Privacy Policy, please do not use the App.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

Apple ID identifier (for Sign in with Apple) — a unique, anonymized identifier
Email address (if shared through Sign in with Apple or provided directly)
Account creation date and time
Device information (device type, operating system version, app version)

1.2 Commitment Data

When you create commitments, we collect:

Goal descriptions — the text you enter describing your commitment
Deadline dates and times
Frequency settings (one-time, daily, weekly, etc.)
Commitment status (active, completed, failed, cancelled)
Proof submission history

1.3 Photos and Images

LostAura collects and processes three types of images:

Stake Photos: Embarrassing photos you upload as accountability collateral
Proof Photos: Photos you submit to verify goal completion
Signature Images: Your digital signature captured during commitment confirmation

Important: Stake photos are stored in encrypted form and are never viewed by LostAura staff unless required by law or for abuse investigation.

1.4 Third-Party Contact Information

When you designate a consequence recipient, we collect:

Contact name (as stored in your device contacts)
Phone number (for SMS/MMS delivery via Twilio)

We only collect information for the single contact you explicitly select. We do not access your full address book or any contacts you do not specifically choose.

1.5 Usage Data

We automatically collect:

App usage patterns and feature interactions
Error logs and crash reports
Push notification delivery status
Subscription status and history

1.6 Payment Information

We do not directly collect or store payment card information. All payments are processed through the Apple App Store or Google Play Store. We receive only:

Subscription status (active, expired, cancelled)
Transaction identifiers
Subscription start and expiration dates

2. How We Use Your Information

2.1 Core App Functionality

Account management: Creating and maintaining your account
Commitment tracking: Storing and managing your goals and progress
Photo storage: Securely storing your staked photos until commitment resolution
Consequence delivery: Sending your staked photo to your designated contact if you fail to meet your commitment
AI verification: Analyzing proof photos to verify goal completion
Notifications: Sending reminders about upcoming deadlines and verification results

2.2 Service Improvement

Analyzing usage patterns to improve app features
Debugging errors and improving app stability
Developing new features based on user behavior

2.3 Communication

Sending service-related emails (account verification, security alerts)
Responding to support inquiries
Notifying you of significant changes to Terms or Privacy Policy

2.4 Legal Compliance

Complying with legal obligations
Responding to lawful requests from law enforcement
Protecting our rights and preventing fraud

3. Photo Handling: Storage, Processing, and Deletion

Given the sensitive nature of staked photos, we want to be completely transparent about how we handle them.

3.1 Encryption

All stake photos are encrypted using AES-256 encryption before storage
Encryption is performed on-device before upload
Encryption keys are stored separately from photo files in our database
Photos remain encrypted at rest and are only decrypted for consequence delivery

3.2 Access Controls

No human access: LostAura staff do not view stake photos under normal circumstances
Automated systems only: Photos are accessed only by automated consequence delivery systems
Exception: We may access photos if required by law, court order, or to investigate reported abuse

3.3 AI Processing of Proof Photos

When you submit proof of goal completion:

Your proof photo is transmitted to OpenAI's GPT-4 Vision API for analysis
OpenAI processes the image to compare it against your goal description
OpenAI's processing is governed by their API Data Usage Policy
According to OpenAI's policy, API data is not used to train their models
We do not send stake photos to OpenAI — only proof photos

3.4 Photo Deletion Schedule

Event	Deletion Timing
Goal completed successfully	Immediate — stake photo deleted within minutes
Consequence delivered	Immediate — stake photo deleted after successful delivery
Commitment cancelled	Immediate — stake photo deleted within minutes
Account deleted	Within 24 hours — all data purged
Proof photos	30 days after verification

3.5 Blurred Preview

The blurred preview you see of your stake photo is generated client-side on your device. The full photo is uploaded encrypted — we never generate or store a "clear" version for preview purposes.

4. Third-Party Contact Data

4.1 What We Collect

We collect only the name and phone number of the single contact you explicitly select as your consequence recipient. We do not:

Access your full contact list
Store contacts you do not select
Use contact data for any purpose other than consequence delivery

4.2 How We Use Contact Data

Third-party contact information is used solely to:

Deliver your staked photo via SMS/MMS if you fail to meet your commitment
Include context information (your name, goal description) in the consequence message

4.3 What We Do NOT Do

We never:

Sell or share contact data with third parties for marketing
Send promotional messages to your contacts
Contact your designated recipient for any reason other than consequence delivery
Store contact data after the commitment ends (deleted within 30 days of commitment resolution)

5. Third-Party Services

We use the following third-party services to operate LostAura:

5.1 Supabase

Purpose: Database, user authentication, and encrypted file storage
Data shared: Account information, commitment data, encrypted photos
Privacy Policy: supabase.com/privacy

5.2 RevenueCat

Purpose: Subscription management and payment processing
Data shared: User identifier, subscription status, transaction data
Privacy Policy: revenuecat.com/privacy

5.3 Twilio

Purpose: SMS/MMS message delivery for consequences
Data shared: Recipient phone number, message content (including photos)
Privacy Policy: twilio.com/legal/privacy
Note: Twilio may retain message logs and media as described in their privacy policy. Once your photo is transmitted to Twilio for delivery, it becomes subject to their data handling practices.

5.4 OpenAI

Purpose: AI-powered proof verification using GPT-4 Vision
Data shared: Proof photos (NOT stake photos), goal descriptions
Privacy Policy: openai.com/privacy
API Data Policy: openai.com/policies/api-data-usage-policies
Note: OpenAI's API data is not used to train their models. Data may be retained for up to 30 days for abuse monitoring.

5.5 Apple (Sign in with Apple)

Purpose: User authentication
Data shared: Authentication tokens
Privacy Policy: apple.com/legal/privacy

6. Data Retention

Data Type	Retention Period
Account data	Until account deletion + 30 days
Stake photos	Until commitment resolution (immediate deletion)
Proof photos	30 days after verification
Signature images	1 year after commitment resolution
Commitment history	1 year after resolution
Third-party contact data	30 days after commitment resolution
Payment records	7 years (legal requirement)

7. Data Security

7.1 Security Measures

We implement industry-standard security measures including:

AES-256 encryption for photos at rest
TLS 1.3 encryption for data in transit
Secure authentication via Sign in with Apple
Regular security audits and penetration testing
Access controls and audit logging
Secure cloud infrastructure (Supabase/AWS)

7.2 Data Breach Notification

In the event of a data breach that affects your personal information:

We will notify affected users within 72 hours of discovering the breach
Notification will be sent via email and/or in-app notification
We will describe the nature of the breach, types of data affected, and steps we're taking
We will notify relevant regulatory authorities as required by law

7.3 Your Responsibility

You are responsible for:

Maintaining the security of your Apple ID credentials
Keeping your device secure
Notifying us immediately if you suspect unauthorized account access

8. Your Rights

8.1 Access and Portability

You have the right to:

Request a copy of the personal data we hold about you
Receive your data in a portable, machine-readable format
Access this information within 30 days of your request

8.2 Correction

You have the right to request correction of inaccurate personal data. Goal descriptions and commitment details can be modified directly in the App before a commitment is finalized.

8.3 Deletion

You have the right to request deletion of your account and associated data. You can:

Delete your account through Settings → Account → Delete Account
Request deletion by emailing privacy@lostaura.app

Upon deletion request:

Active commitments will be cancelled without consequence
All photos will be permanently deleted
Account data will be purged within 24 hours
Some data may be retained as required by law (payment records)

8.4 Withdrawal of Consent

You may withdraw consent for specific processing activities:

Cancel active commitments via Emergency Cancellation (deletes stake photos)
Disable push notifications through device settings
Delete your account to stop all processing

8.5 Opt-Out

You may opt out of:

Marketing emails (click unsubscribe or contact us)
Push notifications (through device settings)
Analytics (contact us to opt out)

9. Children's Privacy

LostAura is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18.

If you believe a child under 18 has provided us with personal information, please contact us immediately at privacy@lostaura.app. We will promptly delete such information.

If we discover we have collected information from a child under 18, we will delete the account and all associated data immediately.

10. International Data Transfers

LostAura is operated from the United States. If you are located outside the United States:

Your data will be transferred to and processed in the United States
By using the App, you consent to this transfer
We implement appropriate safeguards for international transfers
US data protection laws may differ from those in your country

11. GDPR Compliance (European Users)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

11.1 Legal Basis for Processing

Consent: For processing stake photos and delivering consequences (Article 6(1)(a))
Contract: For providing the App services (Article 6(1)(b))
Legitimate interests: For security, fraud prevention, and service improvement (Article 6(1)(f))

11.2 Your GDPR Rights

Right of access (Article 15)
Right to rectification (Article 16)
Right to erasure / "right to be forgotten" (Article 17)
Right to restriction of processing (Article 18)
Right to data portability (Article 20)
Right to object to processing (Article 21)
Right to withdraw consent at any time

11.3 Data Protection Authority

You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.

11.4 Data Protection Officer

For GDPR-related inquiries, contact our Data Protection Officer at: dpo@lostaura.app

12. CCPA Compliance (California Users)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

12.1 Right to Know

You have the right to request information about:

Categories of personal information we collect
Purposes for collecting personal information
Categories of third parties with whom we share information
Specific pieces of personal information we have collected about you

12.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions (such as legal requirements).

12.3 Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

12.4 Sale of Personal Information

We do not sell your personal information. We have not sold personal information in the preceding 12 months and have no plans to do so.

12.5 Authorized Agent

You may designate an authorized agent to make requests on your behalf. The agent must provide proof of authorization.

12.6 How to Submit Requests

To exercise your CCPA rights, contact us at privacy@lostaura.app with the subject line "CCPA Request."

13. Do Not Track

Some browsers include a "Do Not Track" (DNT) feature. We currently do not respond to DNT signals because there is no industry-wide standard for handling them. We will update this policy if a standard is established.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes:

We will update the "Last updated" date at the top of this page
For material changes, we will notify you via email or in-app notification
We may provide a summary of key changes
Continued use of the App after changes constitutes acceptance

We encourage you to review this Privacy Policy periodically.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

General Privacy Inquiries:
privacy@lostaura.app

Data Protection Officer (GDPR):
dpo@lostaura.app

Mailing Address:
LostAura
[Your Business Address]
United States

We aim to respond to all privacy-related inquiries within 30 days.