Privacy is a product principle, not a feature bolt-on. LTL is private by default and treats the most sensitive data, including memorial content and the death-transition flow, as security-critical infrastructure.
Authentication
- Supabase Auth is the primary provider, with email-and-password plus OAuth.
- MFA is optional in general but required for the sensitive actions: initiating a death transition, changing Legacy Contacts, approving a Sunset, and account deletion.
Row-Level Security
Every table has row-level security enabled. Representative policies:
entriesare readable by the author, by a pairing partner when visibility allows, and by family members when shared, and writable only by the author.profilesare readable based on relationship and writable by the owner (while living) or the legacy contact (in memorial mode).memorial_candlesare readable by anyone with a relationship to the deceased and writable only by the memorial admin.legacy_transitionsare writable only by specific server-side functions, andaudit_logis readable only by a dedicated support role.
Encryption
- In transit: TLS 1.3.
- At rest in Postgres: managed AES-256.
- At rest on device: SQLCipher, with keys derived from the device credential plus a backend-delivered wrap key, so a stolen device without authentication cannot read content.
- Media access goes through signed URLs generated by RLS-aware backend functions; storage paths are never exposed directly. Higher-sensitivity content (voice notes, private entries) is additionally client-side encrypted before upload, with per-user keys that are never logged or exported.
Immutable Audit Log
Death-transition and administrative actions append rows to an audit log that permits no UPDATE or DELETE, ever. State changes are additive, so no data is destroyed during a COOLDOWN or DISPUTED window. Exports for legal or support purposes go through a read-only role.
Data Rights
- Export: users can export all their data at any time as a zip of per-entity JSON, a media folder, and a human-readable HTML browser, delivered via signed URL.
- Deletion (living user): a request enters a grace period during which it can be canceled; on execution the user’s authored content and structured profile are removed and relationships dissolved. Entries written about other living users in shared contexts are retained for those recipients, with the author attribution anonymized.
AI and Children
- AI is never trained on user content; this is documented in the privacy policy and enforced by the API contract. AI is never applied to memorial content without explicit per-memorial opt-in.
- Users under 13 are not permitted; ages 13 to 17 require a parent or guardian account, which is automatically the Legacy Contact and can restrict where the minor appears.
Compliance Posture
Data export, right to erasure, and portability are implemented for GDPR and CCPA. HIPAA is not sought: medical fields in profiles are for family reference only, and users are warned the app is not a medical system.