Privacy Policy

The Legacy Project 360 LLC, a California limited liability company ("The Legacy Project 360," "we," "us," or "our"), respects your privacy. This Privacy Policy describes how we collect, use, disclose, and protect personal information through The Legacy Binder web application and related services (the "Service").

This Privacy Policy applies only to the Service. It does not apply to other products, books, courses, consulting services, or content offered by The Legacy Project 360 LLC outside of the Service, which are governed by their own privacy practices.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, you must not access or use the Service.

This Privacy Policy is incorporated by reference into our Terms of Service and uses certain capitalized terms defined in those Terms.

The Service is offered primarily to users in the United States. We accept account registrations from users in other jurisdictions, but we do not actively market to or target users outside the United States. If you access the Service from outside the United States, you understand and consent to the transfer of your personal information to the United States, where data protection laws may differ from those in your jurisdiction.

If you are a resident of the European Union, the United Kingdom, or another jurisdiction with comprehensive data protection laws, certain provisions of this Privacy Policy provide you with specific rights as described in Section 12 (Your Rights and Choices).

We collect three categories of information: information you provide directly, information collected automatically when you use the Service, and information from third-party services.

3.1 Information You Provide Directly

Account information. When you create an account, we collect your email address. We use a passwordless magic-link authentication system, so we do not collect or store passwords.

Profile information. You may optionally provide your first name and other profile details to personalize your experience.

Binder content. As you use the Service, you provide information that constitutes your "User Content," which may include:

• Personal and family information such as names, dates of birth, addresses, phone numbers, and email addresses of you and your family members;
• Emergency contacts and the contact details of friends, neighbors, professionals, and caregivers;
• Medical information including current medications, medical history, allergies, and the contact details of your healthcare providers;
• Children and pet information including their names, dates of birth, schools, daycares, activities, and care instructions;
• Financial information including the names of your banks, credit card issuers, lenders, insurance providers, retirement and investment accounts, utility companies, and subscriptions, along with associated account numbers (which you may abbreviate at your discretion), websites, and login usernames. We do not collect your full passwords; we only collect text descriptions of where your passwords are stored (e.g., "1Password" or "notebook in desk drawer");
• Employment information including current and past employers, including details about military, fire, and police service if applicable;
• Real estate and asset information including property addresses, purchase dates, and ownership details;
• Document location information indicating where your important physical documents are stored (e.g., "fire safe in bedroom closet");
• End-of-life preferences including disposition of remains, religious preferences, memorial preferences, and burial or cremation wishes;
• Letters to family containing personal stories, advice, memories, and other content you choose to write;
• Family traditions, recipes, and history that you wish to preserve.

Communications. When you contact us by email or through the Service, we receive the content of your communications and any contact information you provide.

Payment information. When you make a purchase, our payment processor (Stripe) collects your payment card information directly. We do not store your full payment card details. We receive limited transaction information from Stripe, including the last four digits of your payment method, the transaction amount, and a Stripe customer identifier.

3.2 Information We Collect Automatically

Usage and technical data. When you use the Service, we automatically collect:

• IP address;
• Browser type and version;
• Device type and operating system;
• Pages viewed within the Service;
• Time and date of access;
• Referring website (if any);
• Aggregated and anonymized usage statistics through Plausible Analytics (a privacy-focused, cookieless analytics service).

Authentication and session data. When you sign in with a magic link, we maintain session tokens to keep you logged in. These tokens are stored as secure cookies and are necessary for the Service to function.

We do not use third-party advertising cookies, behavioral tracking pixels, fingerprinting technologies, or session-replay tools.

3.3 Information from Third Parties

Payment processor. We receive transaction confirmations, customer identifiers, and refund or chargeback notifications from Stripe.

Email service provider. We receive delivery and bounce notifications from our transactional email provider (Resend) for emails we send.

We do not purchase, license, or otherwise acquire personal information about our users from data brokers or other third-party sources.

We use your information for the following purposes:

4.1 To Provide and Operate the Service

To create and manage your account, authenticate sign-ins, save your binder content, generate PDF documents from your data, deliver bonus materials to paying customers, and otherwise deliver the features of the Service.

4.2 To Process Payments

To accept payment, verify transactions, prevent fraud, issue refunds when applicable, and maintain financial records as required by law.

4.3 To Communicate With You

To send you transactional emails such as account confirmations, magic-link sign-in messages, payment receipts, security notifications, important service updates, and responses to your inquiries. These transactional communications are necessary for the Service and are not optional while your account remains active.

We do not currently send marketing emails. If we introduce marketing communications in the future, we will obtain your explicit opt-in consent before sending them, and you will have the ability to unsubscribe at any time.

4.4 To Maintain and Improve the Service

To monitor system performance, diagnose technical problems, prevent abuse, conduct anonymous and aggregated analytics, and develop new features.

4.5 To Comply With Legal Obligations

To comply with applicable laws, respond to valid legal requests, enforce our Terms of Service, and protect the rights, safety, and property of The Legacy Project 360 LLC, our users, and the public.

4.6 With Your Consent

For any other purpose disclosed to you at the time we collect your information or as otherwise authorized by you.

We do not use your User Content to:

• Sell to third parties;
• Train artificial intelligence or machine learning models (see Section 8);
• Build advertising profiles;
• Engage in cross-context behavioral advertising;
• Make automated decisions that produce legal or similarly significant effects on you.

If you are located in the European Union, the United Kingdom, or another jurisdiction that requires a legal basis for processing personal data, we process your information on the following bases:

• Performance of a contract. We process the information necessary to provide the Service that you have signed up for or purchased.
• Legitimate interests. We process limited information to maintain the security of the Service, prevent fraud, and improve our offerings, where these interests are not overridden by your rights.
• Legal obligation. We process information as required to comply with applicable laws, including tax and accounting obligations.
• Consent. Where applicable law requires consent (such as for marketing communications, if introduced in the future), we will process your information only on the basis of your explicit consent, which you may withdraw at any time.

We share information with the following categories of third parties only as necessary to operate the Service. We do not sell, rent, or trade your personal information.

6.1 Service Providers (Subprocessors)

Each of these subprocessors is contractually obligated to use your information only as necessary to provide their services to us, and to maintain reasonable security practices. We have reviewed each subprocessor's privacy and security practices before engaging them.

We may add, change, or replace subprocessors over time. We will update this Privacy Policy to reflect material changes to our subprocessor list.

6.2 Legal and Safety Disclosures

We may disclose information to law enforcement, government agencies, or other third parties if required by law, subpoena, court order, or other valid legal process, or if we believe in good faith that disclosure is necessary to:

• Comply with a legal obligation;
• Protect the rights, property, or safety of The Legacy Project 360 LLC, our users, or the public;
• Investigate or prevent fraud, abuse, or other prohibited activity;
• Defend against legal claims.

When permitted by law, we will attempt to notify you of legal requests for your information before disclosure.

6.3 Business Transfers

If The Legacy Project 360 LLC is involved in a merger, acquisition, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We will provide notice through the Service or by email before your information becomes subject to a different privacy policy.

6.4 With Your Consent

We may share information with third parties for any other purpose with your explicit consent.

We recognize that certain information you provide through the Service is particularly sensitive. This includes:

• Health and medical information (medications, conditions, allergies, healthcare providers);
• Financial account information (banks, lenders, insurance, account numbers);
• Information about minors (your children's names, ages, schools, and care instructions, if you choose to record this);
• End-of-life preferences and memorial wishes;
• Personal letters and family stories of significant emotional value.

We treat all of this information with extra care:

• We do not share sensitive information with any third party other than the subprocessors listed in Section 6.1 to the extent necessary to provide the Service;
• We do not use sensitive information for marketing, advertising, profiling, or any purpose other than operating the Service for you;
• We apply encryption to data at rest in our database (managed by Supabase) and to data in transit (TLS/HTTPS) for all communications between you and the Service;
• We do not use sensitive information to train AI or machine learning models (see Section 8);
• We restrict internal access to sensitive information to those individuals who need it to operate or support the Service.

You have the right to limit the use and disclosure of your sensitive personal information under California law (see Section 12.2.f).

We do not currently use your personal information or User Content to train, improve, or fine-tune any artificial intelligence or machine learning model.

If we introduce AI-powered features in the future (such as the planned Legacy Story System interview tool), we will:

• Obtain your explicit, informed consent before processing your User Content through any AI system;
• Clearly disclose what data is used, how it is used, and which AI providers are involved;
• Provide you with the option to use the Service without participating in AI-powered features;
• Update this Privacy Policy to reflect any AI-related processing.

We will not retroactively apply AI processing to data you submitted before we make these disclosures.

We retain your information for as long as necessary to provide the Service and as required by law.

9.1 Active Accounts

For active accounts, we retain your User Content for as long as your account remains active. "Active" means you have signed in within the past 24 months.

9.2 Inactive Accounts

If your account is inactive for 24 consecutive months:

1. We will send a deletion warning email to your registered email address;
2. You will have 30 days to sign in to keep your account active;
3. If you do not sign in within 30 days of the warning, we may delete your account and User Content from our active systems.

This 24-month policy applies to free-tier accounts. We retain paid customer accounts indefinitely while you remain a customer, subject to the rest of this Section 9 and our Terms of Service.

9.3 Account Deletion Requests

You may request deletion of your account and User Content at any time (see Section 13). Upon a verifiable deletion request:

• We will delete your User Content from our active database within 30 days;
• Backup copies may persist for an additional 90 days before being purged in the ordinary course of business;
• We may retain certain limited information as required by law (such as transaction records for tax and accounting purposes), as necessary to defend against legal claims, or in anonymized form that no longer identifies you.

9.4 Specific Data Categories

We use commercially reasonable technical, administrative, and organizational measures to protect your information, including:

• Encryption in transit using TLS for all communications between your browser and the Service;
• Encryption at rest for our database and file storage (managed by Supabase);
• Access controls that limit internal access to your data to those who need it to operate or support the Service;
• Authentication using passwordless magic links to eliminate the most common vector for account compromise;
• Row-level security in our database that ensures users can only access their own data, even in the event of a software bug;
• Regular backups to protect against data loss;
• Monitoring for unusual activity and unauthorized access attempts.

However, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security. You are responsible for maintaining the security of the email account you use to sign in to the Service.

In the event of a data breach affecting your personal information, we will notify you and applicable regulators as required by law.

You can support your own security by using a strong, unique password on your sign-in email account, enabling two-factor authentication on that email account, and signing out when using shared devices.

The Service is intended for users aged 18 and older. We do not knowingly collect personal information from children under 13 (or under the relevant age in your jurisdiction).

If we learn that we have collected personal information from a person under 18, we will delete it promptly. If you are a parent or guardian and you believe a minor has provided us with personal information, please contact us at paul@thelegacyproject360.com and we will work with you to remove that information.

Note that you may, at your discretion, record information about your own minor children within your binder (such as their names, dates of birth, and school information). When you do so, you are the data subject's parent or guardian, and you are responsible for that information under this Privacy Policy.

Depending on where you live, you have certain rights regarding your personal information.

12.1 Rights for All Users

Regardless of your location, you have the right to:

• Access your personal information by signing in to your account;
• Correct information that is inaccurate by editing your account or binder content directly;
• Delete your account and User Content by following the process in Section 13;
• Export your binder data as a PDF document (paid users);
• Withdraw consent for any optional processing at any time;
• Contact us with questions or concerns at paul@thelegacyproject360.com.

12.2 California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with the following rights:

a. Right to Know. You have the right to request that we disclose:

• The categories of personal information we have collected about you;
• The categories of sources from which we collected your personal information;
• The business or commercial purposes for which we collected, used, or disclosed your personal information;
• The categories of third parties with whom we have shared your personal information;
• The specific pieces of personal information we have collected about you.

Categories of personal information we have collected in the past 12 months:

• Identifiers (name, email address, IP address);
• Customer records (account information, payment information);
• Commercial information (purchase history);
• Internet activity (usage data, server logs);
• Geolocation data (general location derived from IP address);
• Sensory data (none);
• Professional information (employment data you choose to enter);
• Education information (none);
• Inferences (none — we do not build profiles or inferences from your data);
• Sensitive personal information (health information, financial account identifiers, content of personal communications, and information about minors, when you choose to enter it).

b. Right to Delete. You have the right to request deletion of personal information we have collected from you, subject to certain legal exceptions.

c. Right to Correct. You have the right to request that we correct inaccurate personal information we hold about you.

d. Right to Opt Out of Sale or Sharing. We do not sell your personal information, and we do not share your personal information for cross-context behavioral advertising. Therefore, no opt-out is needed. We have not sold or shared personal information in the past 12 months.

e. Right to Limit Use of Sensitive Personal Information. You have the right to limit our use of your sensitive personal information to what is necessary to provide the Service. We already limit our use of sensitive personal information to providing the Service; we do not use it for inference, profiling, or any secondary purpose.

f. Right to Non-Discrimination. We will not discriminate against you for exercising any of your CCPA rights. We will not deny you the Service, charge you different prices, or provide you with a different level of quality solely because you exercised your privacy rights.

g. Authorized Agents. You may designate an authorized agent to make a request on your behalf. We will require the authorized agent to provide proof of authorization, and we may require you to verify your identity directly with us.

h. California Shine the Light. California Civil Code Section 1798.83 entitles California residents to request information about how we share certain categories of personal information for direct marketing purposes. We do not share personal information for third-party direct marketing purposes.

12.3 European Union and United Kingdom Residents (GDPR / UK GDPR)

If you are located in the European Union or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and UK GDPR:

• Right of access to your personal data;
• Right to rectification of inaccurate or incomplete personal data;
• Right to erasure ("right to be forgotten");
• Right to restrict processing in certain circumstances;
• Right to data portability, where technically feasible;
• Right to object to processing based on legitimate interests;
• Right to withdraw consent where processing is based on consent;
• Right to lodge a complaint with a supervisory authority.

The Legacy Project 360 LLC is the data controller for personal information processed through the Service. We do not currently appoint an EU representative because we do not actively offer the Service in the European Union or process EU data on a regular and systematic basis.

If we transfer your personal data outside the European Economic Area or the United Kingdom (which we do, because our infrastructure is primarily located in the United States), we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) where required.

To exercise any of the rights described in this Privacy Policy, contact us at:

Email: paul@thelegacyproject360.com
Subject line: "Privacy Request"

In your request, please include:

• The specific right you wish to exercise;
• The email address associated with your account;
• Sufficient information for us to verify your identity (we may follow up to confirm).

We will respond to your request within the timeframes required by applicable law:

• CCPA/CPRA: within 45 days, with one possible 45-day extension;
• GDPR/UK GDPR: within 30 days, with one possible 60-day extension for complex requests;
• Other jurisdictions: as required by applicable law, or within a reasonable time.

We may need to verify your identity before fulfilling certain requests. Verification typically involves confirming the email address associated with your account or, in some cases, requesting additional information.

If we are unable to fulfill your request, we will explain why.

The Service uses minimal cookies and similar technologies. The cookies we use are:

• Authentication cookies that keep you signed in. These are necessary for the Service to function and cannot be disabled.
• Session cookies that maintain state during your visit. These are necessary for the Service to function.

We do not use:

• Third-party advertising cookies;
• Cross-site tracking pixels;
• Behavioral profiling cookies;
• Session replay tools;
• Fingerprinting technologies.

Our analytics provider, Plausible Analytics, is cookieless and does not track individuals across websites.

You can control cookies through your browser settings. However, disabling authentication cookies will prevent the Service from working.

Some browsers transmit "Do Not Track" (DNT) signals. There is no industry-wide standard for how DNT signals should be honored. Because we do not engage in cross-context behavioral advertising and do not use third-party tracking cookies, we do not track users across websites regardless of DNT signals.

If your browser transmits a Global Privacy Control (GPC) signal, we honor it as a valid request to opt out of the sale or sharing of your personal information. As stated above, we do not sell or share personal information, so no additional action is required.

The Legacy Project 360 LLC is based in the United States, and our subprocessors are primarily located in the United States. If you access the Service from outside the United States, your information will be transferred to, processed, and stored in the United States. The data protection laws of the United States may differ from those of your country.

For users in the European Economic Area, the United Kingdom, and Switzerland, we rely on appropriate safeguards (such as Standard Contractual Clauses) when our subprocessors process your data outside those regions, to the extent required by applicable law.

By using the Service, you consent to the transfer of your information to the United States and to its processing by our subprocessors as described in this Privacy Policy.

The Service may contain links to third-party websites, services, or products. This Privacy Policy does not apply to those third parties. We are not responsible for the privacy practices of third-party websites or services. We encourage you to review the privacy policies of any third-party services you use.

We may update this Privacy Policy from time to time. The "Last Updated" date at the top of this Privacy Policy will reflect the most recent revision.

For material changes, we will provide notice through the Service, by email to the address on file, or both, at least 30 days before the changes take effect. Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acceptance of the updated terms.

We are not obligated to notify you of non-material changes (such as clarifications of existing language, formatting changes, correction of typographical errors, or updates to subprocessor lists that do not change how your data is handled).

If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us at:

The Legacy Project 360 LLC
PO Box 481
Cool, CA 95614
United States

Email: paul@thelegacyproject360.com

Please use the subject line "Privacy Request" for any privacy-related correspondence to ensure timely processing.