LastBeacon Privacy Policy
Last updated: 2026-05-10
App: LastBeacon — Personal Safety Timer
Contact: privacy@lastbeacon.app
Data Inventory
| Data Type | Collected | Encrypted | Retention | User Can Delete |
|---|---|---|---|---|
| Email address | Optional (standard mode) | No (stored plaintext) | Until account deletion | Yes |
| Password hash | Optional (standard mode) | Yes (bcrypt) | Until account deletion | Yes |
| Device ID | Anonymous mode only | No | Until account deletion | Yes |
| Vault item content (notes, documents, images, locations) | Yes | Yes — encrypted on device | Until item or account deletion | Yes |
| Vault item encryption keys | Yes | Yes — wrapped with master key | Until account deletion | Yes |
| Digital Trail breadcrumbs (location data, address, notes) | Yes | No — stored as plaintext | Auto-deleted 90 days after the trip ends; or until trail/account deletion | Yes |
| Contact names and emails | Yes | No | Until contact or account deletion | Yes |
| Contact phone numbers | Optional | No | Until contact or account deletion | Yes |
| Guardian verification responses | Yes | No | Until account deletion | Yes |
| Timer settings and check-in history | Yes | No | Until account deletion | Yes |
| Recovery key wrapper | Yes | Yes — encrypted | Until account deletion | Yes |
| File uploads (documents, photos) | Yes | Yes — client-side encrypted blobs | Until item or account deletion | Yes |
| TOTP secret (2FA) | Optional | No | Until account deletion | Yes |
| Failed login attempts / lockout timestamps | Yes | No | Until account deletion | Yes |
| JWT authentication tokens | Generated at login | No | 7 days or logout | N/A (session-only) |
1. What Data We Collect
1.1 Account Information (Standard Mode)
When you create a standard account, we collect:
- Email address — required for login and transactional emails
- Password — stored as a bcrypt hash, never in plaintext
- Encryption salt — used to derive your master encryption key
- Vault key wrapper — your master key encrypted with your password-derived key
- Vault recovery wrapper — your master key encrypted with your recovery key
1.2 Anonymous Mode
When you use anonymous mode, we collect:
- Device ID — a unique identifier for your device, used as your login credential
- Recovery key — a 12-word phrase or hex string; we store only the encrypted wrapper, never the key itself
Anonymous mode does NOT collect: email, password, or any personally identifiable information.
1.3 Vault Items
You can store the following in your vault:
Encrypted on your device (we cannot read these):
- Text notes — encrypted content
- Documents and images — encrypted files stored as blobs in S3-compatible storage
- Location entries — encrypted location data, addresses, and notes
Stored as plaintext (we can read these):
- Digital Trail breadcrumbs — location data, addresses, timestamps, and notes are not encrypted and are stored in plaintext in our database. This is a known limitation; only the trail's vault item title and encryption key are encrypted.
1.4 Contacts and Recipients
You can add contacts to receive your vault if your timer expires:
- Name, email, and optional phone number — stored in plaintext
- Guardian flag — whether this contact can cancel a vault release
1.5 Timer and Settings
- Timer duration — how long between check-ins (default: 1 week)
- Verification window — how long guardians have to respond (default: 48 hours)
- Last check-in and next expiry timestamps
- Auto-destruct preference — whether to delete vault instead of releasing it
- Account status — active, paused, verifying, or triggered
1.6 Security Data
- Two-factor authentication settings — TOTP secret or email OTP
- Email verification tokens — hashed, 24-hour expiry
- Password reset tokens — hashed, 1-hour expiry
- Failed login attempts and lockout timestamps — for brute-force protection
2. How We Process Your Data
2.1 Client-Side Encryption
LastBeacon uses client-side encryption for vault items:
- Master Key — generated on your device, never sent to us in plaintext
- Item Keys — each vault item gets a unique random key
- Encryption — titles, content, and location data (except Digital Trail breadcrumbs) are encrypted with the item key
- Key Wrapping — item keys are encrypted with your master key
- Server Storage — we store only ciphertext, encrypted keys, and wrappers
During normal operation, we cannot decrypt your vault contents. Without your password or recovery key, your data is unrecoverable.
Exception — Vault Release: When your timer expires and your vault is released to recipients, the server uses per-recipient delivery tokens (generated on your device at the time you assign recipients) to derive decryption keys and decrypt vault contents for one-time viewing. These keys exist only briefly in server memory during the viewing request and are not stored persistently. See Section 2.2 for details.
2.2 Vault Release Process
When your timer expires:
- Your account status changes to "verifying"
- Guardians are emailed with a unique verification link
- Guardians have your configured window (default 48 hours) to respond
- If a guardian confirms you are OK, the release is cancelled
- If a guardian confirms an emergency, or no one responds, the vault is released
- When released, the server uses per-recipient delivery tokens to derive decryption keys, decrypt your vault contents, and make them available to recipients via secure one-time-view links
Privacy implication: At the moment of release, your vault contents are decrypted server-side using delivery tokens that were generated on your device. Decryption keys exist only in server memory during the viewing request and are purged immediately after. Recipients view content via one-time links that expire after use.
2.3 Auto-Destruct Mode
If you enable Auto-Destruct:
- When the timer expires and guardians don't cancel, your vault is permanently deleted instead of released
- All S3 files are deleted, and database records are purged
- No content is ever sent to recipients
2.4 Digital Trail (Location Breadcrumbs)
When you add entries to a Digital Trail:
- location data, address, and notes are stored in our database
- These are not encrypted (unlike regular vault location items). This is deliberate: your trusted contacts must be able to see your last known location exactly when you cannot unlock anything — the server needs to read this data to alert them
- The trail itself can be assigned recipients and released like any vault item
- Breadcrumbs are collected only during an active trip. They are retained after the trip ends so your contacts can review them if something happened, automatically deleted 90 days after the trip ends, and you can delete them (or your whole account) at any time before that
3. Where We Store Your Data
3.1 Primary Storage
- PostgreSQL database — hosted on AWS RDS (or your configured provider)
- S3-compatible object storage — files stored via MinIO (or AWS S3 in production)
3.2 Encryption at Rest
- Database connections use SSL/TLS in production (
sslmode=require) - File storage access requires authentication keys
- Passwords are hashed with bcrypt (cost factor 12)
- Email OTPs, verification tokens, and reset tokens are SHA-256 hashed
3.3 Data Retention
- Active accounts: Data is retained indefinitely until you delete it
- Deleted items: Immediately removed from database and S3
- Account deletion: Cascade-deletes all user data, vault items, contacts, breadcrumbs, and verifications
- Orphaned S3 objects: May persist briefly if deletion fails, but are not linked to any user
4. How We Share Your Data
4.1 Vault Recipients
Your vault contents are shared with designated recipients only when:
- Your timer expires, AND
- No guardian cancels the release within the verification window
Recipients receive an email with secure one-time-view links. Each link can be used once and expires after 7 days (configurable). Content is decrypted server-side only at the moment of viewing.
4.2 Guardians
Guardians receive transactional emails when your timer expires, containing:
- Your email address (so they know who the request is for)
- A unique verification link
- Whether Auto-Destruct is enabled
Guardians do NOT have access to your vault contents unless you also designate them as recipients.
4.3 Email Provider (Resend)
We use Resend (or your configured SMTP provider) to send all transactional emails:
- Warning emails
- Timer expiry notifications
- Guardian verification requests
- Vault release emails
- 2FA codes
- Password reset links
Resend processes recipient email addresses and email content. See Resend's Privacy Policy.
4.4 Error Monitoring (Sentry)
We use Sentry for backend error monitoring. Sentry may receive:
- Error stack traces
- Request paths (without personal data)
- Environment information
Sentry is configured to NOT track health checks and samples traces at 10% in production.
4.5 What We Do NOT Do
- No advertising — we do not show ads
- No analytics tracking — we do not use Google Analytics, Mixpanel, or similar
- No data sales — we never sell your data to third parties
- No push notifications — we do not collect device push tokens
- No tracking cookies — the app does not use cookies for tracking
5. Your Rights
5.1 Access Your Data
You can view all your vault items, contacts, timer settings, and trail data within the app.
5.2 Delete Your Account
You can permanently delete your account from the app settings (Settings → Danger Zone → Delete Account). This will:
- Delete your user record and all associated data (cascade deletion)
- Delete all vault items, contacts, breadcrumbs, and verifications
- Delete all S3 files associated with your account
- This action is irreversible
If you can no longer access the app, you can request deletion at lastbeacon.app/delete-account. Email deletion requests (from your account's email address) are completed within 30 days and confirmed by reply.
5.3 Delete Individual Items
You can delete individual vault items, contacts, or trail breadcrumbs at any time.
5.4 Data Portability
You can export your account data (profile information, contacts, and vault metadata) as machine-readable JSON via Settings → Download My Data in the app. Vault contents are encrypted on your device — to export them, download files and copy notes from within the app.
If you can no longer access the app, email privacy@lastbeacon.app from your account's email address and we will provide your data export. Anonymous Mode accounts have no email on file — restore access with your access key first, then export in-app.
5.5 Right to Be Forgotten
Account deletion removes all personal data from our systems. Due to the nature of encrypted vault data, we cannot recover or retain your contents after deletion.
5.6 Auto-Destruct as Privacy Control
Enable Auto-Destruct to ensure your vault is permanently destroyed (not released) if your timer expires. This guarantees your data never leaves our servers without your active check-in.
6. Anonymous Mode
6.1 What Is Anonymous Mode?
Anonymous mode lets you use LastBeacon without providing an email or password.
6.2 What Data Is NOT Collected
- No email address
- No password
- No personal identifiers
- No 2FA setup
6.3 What Is Collected
- Device ID — used to identify your account on login
- Recovery key — your only way to recover access; we store only the encrypted wrapper
- Vault data — same encryption as standard mode
- Timer settings and contacts — same as standard mode
6.4 Limitations
- If you lose your device and recovery key, your account is unrecoverable
- No email notifications (warning, expiry, etc.)
- No password reset option
7. Children's Privacy
LastBeacon is not intended for children under 13 (or the applicable age in your jurisdiction, up to 16 in the EU per GDPR Art. 8). We do not knowingly collect data from children. If you believe a child has used the app, contact us at privacy@lastbeacon.app and we will delete the account.
8. Security Measures
- Client-side encryption — we cannot read your vault contents
- bcrypt password hashing — resistant to brute-force attacks
- Account lockout — 5 failed logins triggers a 15-minute lockout
- Rate limiting — all sensitive endpoints are rate-limited
- Anti-enumeration — registration and password reset return generic responses to prevent account probing
- Turnstile CAPTCHA — protects auth endpoints from bots
- JWT tokens — expire in 7 days (configurable)
- Fresh re-auth required — vault destruction requires a token issued within 5 minutes
9. Changes to This Policy
We will notify you of material changes via email (standard mode) or in-app notice (anonymous mode). Continued use after changes constitutes acceptance.
10. Contact Us
For privacy questions, data requests, or to report concerns:
Email: privacy@lastbeacon.app
Data Controller: MSS Ventures LLC
Address: 3324 Rue Royale St, Suite 1438, St. Charles, MO 63301, USA
Compliance Notes
| Regulation | How We Comply |
|---|---|
| GDPR (EU) | Lawful basis: contract performance (Art. 6(1)(b)) for account and vault data required to provide the service; legitimate interest (Art. 6(1)(f)) for security logging; consent for optional data. Right to access, rectify, erase, and port data. Account deletion fulfills right to erasure. EU representative: to be appointed before EU launch. |
| CCPA (California) | We do not sell personal information. Users can request deletion of their data. |
| Apple App Store | Privacy policy provided. Data collection disclosed (contact info, location, user content). No tracking. |
| Google Play | Privacy policy provided. Data types disclosed. No ads. Security practices documented. |
Placeholders Requiring Founder Input
- EU representative — appoint before EU launch (GDPR Art. 27)