LastBeacon Privacy Policy

Last updated: 2026-05-10
App: LastBeacon — Personal Safety Timer
Contact: privacy@lastbeacon.app


Data Inventory

Data Type Collected Encrypted Retention User Can Delete
Email address Optional (standard mode) No (stored plaintext) Until account deletion Yes
Password hash Optional (standard mode) Yes (bcrypt) Until account deletion Yes
Device ID Anonymous mode only No Until account deletion Yes
Vault item content (notes, documents, images, locations) Yes Yes — encrypted on device Until item or account deletion Yes
Vault item encryption keys Yes Yes — wrapped with master key Until account deletion Yes
Digital Trail breadcrumbs (location data, address, notes) Yes No — stored as plaintext Auto-deleted 90 days after the trip ends; or until trail/account deletion Yes
Contact names and emails Yes No Until contact or account deletion Yes
Contact phone numbers Optional No Until contact or account deletion Yes
Guardian verification responses Yes No Until account deletion Yes
Timer settings and check-in history Yes No Until account deletion Yes
Recovery key wrapper Yes Yes — encrypted Until account deletion Yes
File uploads (documents, photos) Yes Yes — client-side encrypted blobs Until item or account deletion Yes
TOTP secret (2FA) Optional No Until account deletion Yes
Failed login attempts / lockout timestamps Yes No Until account deletion Yes
JWT authentication tokens Generated at login No 7 days or logout N/A (session-only)

1. What Data We Collect

1.1 Account Information (Standard Mode)

When you create a standard account, we collect:

  • Email address — required for login and transactional emails
  • Password — stored as a bcrypt hash, never in plaintext
  • Encryption salt — used to derive your master encryption key
  • Vault key wrapper — your master key encrypted with your password-derived key
  • Vault recovery wrapper — your master key encrypted with your recovery key

1.2 Anonymous Mode

When you use anonymous mode, we collect:

  • Device ID — a unique identifier for your device, used as your login credential
  • Recovery key — a 12-word phrase or hex string; we store only the encrypted wrapper, never the key itself

Anonymous mode does NOT collect: email, password, or any personally identifiable information.

1.3 Vault Items

You can store the following in your vault:

Encrypted on your device (we cannot read these):

  • Text notes — encrypted content
  • Documents and images — encrypted files stored as blobs in S3-compatible storage
  • Location entries — encrypted location data, addresses, and notes

Stored as plaintext (we can read these):

  • Digital Trail breadcrumbs — location data, addresses, timestamps, and notes are not encrypted and are stored in plaintext in our database. This is a known limitation; only the trail's vault item title and encryption key are encrypted.

1.4 Contacts and Recipients

You can add contacts to receive your vault if your timer expires:

  • Name, email, and optional phone number — stored in plaintext
  • Guardian flag — whether this contact can cancel a vault release

1.5 Timer and Settings

  • Timer duration — how long between check-ins (default: 1 week)
  • Verification window — how long guardians have to respond (default: 48 hours)
  • Last check-in and next expiry timestamps
  • Auto-destruct preference — whether to delete vault instead of releasing it
  • Account status — active, paused, verifying, or triggered

1.6 Security Data

  • Two-factor authentication settings — TOTP secret or email OTP
  • Email verification tokens — hashed, 24-hour expiry
  • Password reset tokens — hashed, 1-hour expiry
  • Failed login attempts and lockout timestamps — for brute-force protection

2. How We Process Your Data

2.1 Client-Side Encryption

LastBeacon uses client-side encryption for vault items:

  1. Master Key — generated on your device, never sent to us in plaintext
  2. Item Keys — each vault item gets a unique random key
  3. Encryption — titles, content, and location data (except Digital Trail breadcrumbs) are encrypted with the item key
  4. Key Wrapping — item keys are encrypted with your master key
  5. Server Storage — we store only ciphertext, encrypted keys, and wrappers

During normal operation, we cannot decrypt your vault contents. Without your password or recovery key, your data is unrecoverable.

Exception — Vault Release: When your timer expires and your vault is released to recipients, the server uses per-recipient delivery tokens (generated on your device at the time you assign recipients) to derive decryption keys and decrypt vault contents for one-time viewing. These keys exist only briefly in server memory during the viewing request and are not stored persistently. See Section 2.2 for details.

2.2 Vault Release Process

When your timer expires:

  1. Your account status changes to "verifying"
  2. Guardians are emailed with a unique verification link
  3. Guardians have your configured window (default 48 hours) to respond
  4. If a guardian confirms you are OK, the release is cancelled
  5. If a guardian confirms an emergency, or no one responds, the vault is released
  6. When released, the server uses per-recipient delivery tokens to derive decryption keys, decrypt your vault contents, and make them available to recipients via secure one-time-view links

Privacy implication: At the moment of release, your vault contents are decrypted server-side using delivery tokens that were generated on your device. Decryption keys exist only in server memory during the viewing request and are purged immediately after. Recipients view content via one-time links that expire after use.

2.3 Auto-Destruct Mode

If you enable Auto-Destruct:

  • When the timer expires and guardians don't cancel, your vault is permanently deleted instead of released
  • All S3 files are deleted, and database records are purged
  • No content is ever sent to recipients

2.4 Digital Trail (Location Breadcrumbs)

When you add entries to a Digital Trail:

  • location data, address, and notes are stored in our database
  • These are not encrypted (unlike regular vault location items). This is deliberate: your trusted contacts must be able to see your last known location exactly when you cannot unlock anything — the server needs to read this data to alert them
  • The trail itself can be assigned recipients and released like any vault item
  • Breadcrumbs are collected only during an active trip. They are retained after the trip ends so your contacts can review them if something happened, automatically deleted 90 days after the trip ends, and you can delete them (or your whole account) at any time before that

3. Where We Store Your Data

3.1 Primary Storage

  • PostgreSQL database — hosted on AWS RDS (or your configured provider)
  • S3-compatible object storage — files stored via MinIO (or AWS S3 in production)

3.2 Encryption at Rest

  • Database connections use SSL/TLS in production (sslmode=require)
  • File storage access requires authentication keys
  • Passwords are hashed with bcrypt (cost factor 12)
  • Email OTPs, verification tokens, and reset tokens are SHA-256 hashed

3.3 Data Retention

  • Active accounts: Data is retained indefinitely until you delete it
  • Deleted items: Immediately removed from database and S3
  • Account deletion: Cascade-deletes all user data, vault items, contacts, breadcrumbs, and verifications
  • Orphaned S3 objects: May persist briefly if deletion fails, but are not linked to any user

4. How We Share Your Data

4.1 Vault Recipients

Your vault contents are shared with designated recipients only when:

  • Your timer expires, AND
  • No guardian cancels the release within the verification window

Recipients receive an email with secure one-time-view links. Each link can be used once and expires after 7 days (configurable). Content is decrypted server-side only at the moment of viewing.

4.2 Guardians

Guardians receive transactional emails when your timer expires, containing:

  • Your email address (so they know who the request is for)
  • A unique verification link
  • Whether Auto-Destruct is enabled

Guardians do NOT have access to your vault contents unless you also designate them as recipients.

4.3 Email Provider (Resend)

We use Resend (or your configured SMTP provider) to send all transactional emails:

  • Warning emails
  • Timer expiry notifications
  • Guardian verification requests
  • Vault release emails
  • 2FA codes
  • Password reset links

Resend processes recipient email addresses and email content. See Resend's Privacy Policy.

4.4 Error Monitoring (Sentry)

We use Sentry for backend error monitoring. Sentry may receive:

  • Error stack traces
  • Request paths (without personal data)
  • Environment information

Sentry is configured to NOT track health checks and samples traces at 10% in production.

4.5 What We Do NOT Do

  • No advertising — we do not show ads
  • No analytics tracking — we do not use Google Analytics, Mixpanel, or similar
  • No data sales — we never sell your data to third parties
  • No push notifications — we do not collect device push tokens
  • No tracking cookies — the app does not use cookies for tracking

5. Your Rights

5.1 Access Your Data

You can view all your vault items, contacts, timer settings, and trail data within the app.

5.2 Delete Your Account

You can permanently delete your account from the app settings (Settings → Danger Zone → Delete Account). This will:

  • Delete your user record and all associated data (cascade deletion)
  • Delete all vault items, contacts, breadcrumbs, and verifications
  • Delete all S3 files associated with your account
  • This action is irreversible

If you can no longer access the app, you can request deletion at lastbeacon.app/delete-account. Email deletion requests (from your account's email address) are completed within 30 days and confirmed by reply.

5.3 Delete Individual Items

You can delete individual vault items, contacts, or trail breadcrumbs at any time.

5.4 Data Portability

You can export your account data (profile information, contacts, and vault metadata) as machine-readable JSON via Settings → Download My Data in the app. Vault contents are encrypted on your device — to export them, download files and copy notes from within the app.

If you can no longer access the app, email privacy@lastbeacon.app from your account's email address and we will provide your data export. Anonymous Mode accounts have no email on file — restore access with your access key first, then export in-app.

5.5 Right to Be Forgotten

Account deletion removes all personal data from our systems. Due to the nature of encrypted vault data, we cannot recover or retain your contents after deletion.

5.6 Auto-Destruct as Privacy Control

Enable Auto-Destruct to ensure your vault is permanently destroyed (not released) if your timer expires. This guarantees your data never leaves our servers without your active check-in.


6. Anonymous Mode

6.1 What Is Anonymous Mode?

Anonymous mode lets you use LastBeacon without providing an email or password.

6.2 What Data Is NOT Collected

  • No email address
  • No password
  • No personal identifiers
  • No 2FA setup

6.3 What Is Collected

  • Device ID — used to identify your account on login
  • Recovery key — your only way to recover access; we store only the encrypted wrapper
  • Vault data — same encryption as standard mode
  • Timer settings and contacts — same as standard mode

6.4 Limitations

  • If you lose your device and recovery key, your account is unrecoverable
  • No email notifications (warning, expiry, etc.)
  • No password reset option

7. Children's Privacy

LastBeacon is not intended for children under 13 (or the applicable age in your jurisdiction, up to 16 in the EU per GDPR Art. 8). We do not knowingly collect data from children. If you believe a child has used the app, contact us at privacy@lastbeacon.app and we will delete the account.


8. Security Measures

  • Client-side encryption — we cannot read your vault contents
  • bcrypt password hashing — resistant to brute-force attacks
  • Account lockout — 5 failed logins triggers a 15-minute lockout
  • Rate limiting — all sensitive endpoints are rate-limited
  • Anti-enumeration — registration and password reset return generic responses to prevent account probing
  • Turnstile CAPTCHA — protects auth endpoints from bots
  • JWT tokens — expire in 7 days (configurable)
  • Fresh re-auth required — vault destruction requires a token issued within 5 minutes

9. Changes to This Policy

We will notify you of material changes via email (standard mode) or in-app notice (anonymous mode). Continued use after changes constitutes acceptance.


10. Contact Us

For privacy questions, data requests, or to report concerns:

Email: privacy@lastbeacon.app

Data Controller: MSS Ventures LLC
Address: 3324 Rue Royale St, Suite 1438, St. Charles, MO 63301, USA


Compliance Notes

Regulation How We Comply
GDPR (EU) Lawful basis: contract performance (Art. 6(1)(b)) for account and vault data required to provide the service; legitimate interest (Art. 6(1)(f)) for security logging; consent for optional data. Right to access, rectify, erase, and port data. Account deletion fulfills right to erasure. EU representative: to be appointed before EU launch.
CCPA (California) We do not sell personal information. Users can request deletion of their data.
Apple App Store Privacy policy provided. Data collection disclosed (contact info, location, user content). No tracking.
Google Play Privacy policy provided. Data types disclosed. No ads. Security practices documented.

Placeholders Requiring Founder Input

  • EU representative — appoint before EU launch (GDPR Art. 27)