Privacy architecture
LifeCopilot is built around a simple boundary: sensitive life signals stay on your device unless you explicitly enable a feature that needs secure server processing. This page explains what stays local, what can be synced, and how you stay in control.
Your raw signals stay with you
The app computes your Energy Score and daily context on device by default. Server processing is opt-in and tied to specific signals.
What may leave the device and what never does
The server receives only the minimum needed for sync, AI memory, account security and support, and only for features you enable.
May be processed on DuoHuman servers with consent
- Named places, dwell time and transitions, without precise coordinates
- Aggregated app-category usage, without raw installed-app lists
- Mood, energy and stress values on numeric scales
- Aggregated health metrics such as daily steps, sleep and average heart rate
- Tasks, goals and notes after PII scrubbing where server processing is enabled
- AI-chat messages and memory when you use the AI coach
- Email and device hashes, consent records and technical logs
Not sent to DuoHuman servers
- Precise GPS latitude and longitude
- Raw voice recordings and audio files
- Installed-app inventory
- Advertising identifiers such as IDFA or GAID
- Direct device identifiers
- Names, surnames and physical addresses before de-identification
- Data for sale, advertising targeting or marketing transfer
Sensitive access is explained first
Before sensitive Android or iOS permissions, LifeCopilot shows a prominent disclosure: what is accessed, why, and how to turn it off.
Background location
Used for named-place detection and day context. You can disable it in system settings or in LifeCopilot privacy settings.
Usage stats
Used for screen-time categories, not app inventory transfer.
Health data
Used for Energy Score and recovery insights. Health Connect, Apple Health and wearables require explicit permission.
Microphone and calendar
Voice notes and calendar context are optional; raw audio is not uploaded and calendar content is de-identified.
AI processing is bounded
The AI coach uses only the data you permit. Long-term memory is designed as structured facts and summaries, not an unrestricted copy of your life.
PII scrubbing
Notes and AI-chat content are scrubbed for personal identifiers before server-side memory or insight processing where possible.
User-controlled memory
Long-term memory exists to improve insights over time and can be deleted through account and privacy controls.
History improves insights, deletion stays available
LifeCopilot keeps long-term history while your account is active because patterns need time. You can export or delete your data.
| Data | Retention | Control |
|---|---|---|
| Events, mood, activity and plans | While account is active | Export or delete |
| AI insights and memory | Until deleted or account is deleted | Manage memory and account deletion |
| Technical logs | Up to 90 days | Limited operational retention |
| AI call logs | Up to 365 days | Operational and abuse-prevention retention |
| Billing records | Up to 7 years where required | Legal retention only |
Account deletion triggers cascade deletion through the GDPR deletion workflow, subject to legal and technical retention windows.
Sync is encrypted and opt-in
Sync between LifeCopilot components uses an end-to-end encrypted channel. The server is not meant to see raw data in transit.
The privacy promise
These are the product boundaries we design against and document publicly.
- We do not sell personal data.
- We do not use your data for advertising targeting.
- We do not upload raw GPS coordinates or raw audio.
- We do not transfer installed-app lists.
- LifeCopilot is not a medical device and does not provide medical advice.
Full legal details
The complete Privacy Policy contains controller details, retention periods, user rights, regional notices and contacts.