Privacy Policy

Version 1.0 | Last Updated: February 2026

This Privacy Policy describes how Lifestream Dynamics ("we", "us", "our") collects, uses, and protects your personal information when you use the Lifestream Vault service ("the Service"). This policy is designed to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and the General Data Protection Regulation (GDPR).

1. Information We Collect

1.1 Account Data

When you create an account, we collect:

  • Email address
  • Display name
  • Password (stored as a one-way hash using argon2)
  • Profile information (optional: bio, avatar URL, profile slug)

1.2 Documents and Content

We store the documents and files you upload to the Service. This includes:

  • Markdown documents and their content
  • Document metadata (titles, tags, frontmatter)
  • File organization structure (folders and paths)
  • Document version history

1.3 Usage Data

We automatically collect certain information when you use the Service:

  • API request logs (endpoint, timestamp, response status)
  • Authentication events (login, logout, token refresh)
  • Feature usage metrics (search queries, AI interactions)
  • Error logs for debugging and service improvement

1.4 Technical Data

  • IP address
  • Browser type and version (user agent)
  • Device information
  • Session identifiers

1.5 Cookies

We use cookies as described in our Cookie Policy. Essential cookies are required for authentication and session management.

2. How We Use Information

We use your information to:

  • Provide the Service: Store and sync your documents, process search queries, deliver AI features
  • Authenticate you: Manage login sessions, API key verification, OAuth sign-in
  • Communicate with you: Send account-related notifications, password reset emails, verification emails
  • Improve the Service: Analyze usage patterns, fix bugs, develop new features
  • Ensure security: Detect and prevent unauthorized access, fraud, and abuse
  • Comply with legal obligations: Respond to lawful requests from authorities

We do not sell your personal information to third parties.

We process your personal data under the following legal bases:

  • Contract performance: Processing necessary to provide the Service you subscribed to
  • Legitimate interests: Service improvement, security, and fraud prevention
  • Consent: Optional features such as marketing communications and analytics cookies
  • Legal obligation: Compliance with applicable laws and regulations

4. Data Storage and Security

4.1 Storage Location

Your data is stored on servers located in Canada. Documents are stored on the filesystem with metadata in a PostgreSQL database.

4.2 Security Measures

We implement industry-standard security measures including:

  • Encryption at rest for stored data
  • TLS/HTTPS encryption for all data in transit
  • Password hashing with argon2 (no plaintext storage)
  • JWT-based authentication with short-lived tokens
  • Rate limiting to prevent brute-force attacks
  • Regular security audits and updates

4.3 Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify:

  • Affected users within 72 hours
  • The relevant supervisory authority as required by law

5. Third-Party Services

We may share limited data with third-party service providers who assist in operating the Service:

  • Google OAuth: If you use Google Sign-In, Google receives your authentication request. See Google's Privacy Policy.
  • Payment processors: If you subscribe to a paid plan, your billing information is processed by our payment provider.
  • AI services: If you use AI features, document content may be sent to AI service providers (Google Vertex AI) for processing.

We require all third-party processors to maintain appropriate security measures and process data only as instructed.

6. Your Rights

6.1 Under PIPEDA and GDPR

You have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate personal data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Portability: Receive your data in a structured, machine-readable format
  • Restriction: Request that we limit processing of your data
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: Where processing is based on consent, withdraw it at any time

6.2 How to Exercise Your Rights

You can exercise these rights by:

  • Using the Data Export feature in your account settings
  • Using the Delete Account feature in your account settings
  • Contacting us at privacy@lifestreamdynamics.com

We will respond to requests within 30 days.

7. Data Retention

We retain your data according to the following schedule:

Data Type               Retention Period
Account data            Duration of account + 30 days after deletion request
Documents and content   Duration of account + 30 days after deletion request
Authentication logs     90 days
API request logs        30 days
Error logs              30 days
Backup data             90 days after deletion

After the retention period, data is permanently and irreversibly deleted.

8. Children's Privacy

The Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you become aware that a child has provided us with personal information, please contact us.

9. International Transfers

If your data is transferred outside of Canada or the European Economic Area, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.

For detailed information about how we use cookies, please refer to our separate Cookie Policy.

11. Data Protection Officer

We have designated a Data Protection Officer (DPO) who can be contacted at:

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 30 days before the changes take effect.

13. Contact Information

For questions about this Privacy Policy or our data practices, contact us at: