Data privacy

Privacy architecture

LifeCopilot is built around a simple boundary: sensitive life signals stay on your device unless you explicitly enable a feature that needs secure server processing. This page explains what stays local, what can be synced, and how you stay in control.

Local-first

Your raw signals stay with you

The app computes your Energy Score and daily context on device by default. Server processing is opt-in and tied to specific signals.

Raw location stays localPrecise GPS coordinates are used only on device. Server-side data uses named places such as home, work or gym, without latitude and longitude.
Raw audio stays localVoice recordings are processed on your device. Only a text summary may be processed later if you explicitly allow it.
Device identity is hashedDirect device identifiers are not sent. Release builds use hashes and minimized account identifiers.
No ad identifiersLifeCopilot does not use IDFA, GAID or advertising profiles.
Data map

What may leave the device and what never does

The server receives only the minimum needed for sync, AI memory, account security and support, and only for features you enable.

May be processed on DuoHuman servers with consent

  • Named places, dwell time and transitions, without precise coordinates
  • Aggregated app-category usage, without raw installed-app lists
  • Mood, energy and stress values on numeric scales
  • Aggregated health metrics such as daily steps, sleep and average heart rate
  • Tasks, goals and notes after PII scrubbing where server processing is enabled
  • AI-chat messages and memory when you use the AI coach
  • Email and device hashes, consent records and technical logs

Not sent to DuoHuman servers

  • Precise GPS latitude and longitude
  • Raw voice recordings and audio files
  • Installed-app inventory
  • Advertising identifiers such as IDFA or GAID
  • Direct device identifiers
  • Names, surnames and physical addresses before de-identification
  • Data for sale, advertising targeting or marketing transfer
Permissions

Sensitive access is explained first

Before sensitive Android or iOS permissions, LifeCopilot shows a prominent disclosure: what is accessed, why, and how to turn it off.

Background location

Used for named-place detection and day context. You can disable it in system settings or in LifeCopilot privacy settings.

Usage stats

Used for screen-time categories, not app inventory transfer.

Health data

Used for Energy Score and recovery insights. Health Connect, Apple Health and wearables require explicit permission.

Microphone and calendar

Voice notes and calendar context are optional; raw audio is not uploaded and calendar content is de-identified.

AI and memory

AI processing is bounded

The AI coach uses only the data you permit. Long-term memory is designed as structured facts and summaries, not an unrestricted copy of your life.

PII scrubbing

Notes and AI-chat content are scrubbed for personal identifiers before server-side memory or insight processing where possible.

User-controlled memory

Long-term memory exists to improve insights over time and can be deleted through account and privacy controls.

Retention

History improves insights, deletion stays available

LifeCopilot keeps long-term history while your account is active because patterns need time. You can export or delete your data.

DataRetentionControl
Events, mood, activity and plansWhile account is activeExport or delete
AI insights and memoryUntil deleted or account is deletedManage memory and account deletion
Technical logsUp to 90 daysLimited operational retention
AI call logsUp to 365 daysOperational and abuse-prevention retention
Billing recordsUp to 7 years where requiredLegal retention only

Account deletion triggers cascade deletion through the GDPR deletion workflow, subject to legal and technical retention windows.

Sync

Sync is encrypted and opt-in

Sync between LifeCopilot components uses an end-to-end encrypted channel. The server is not meant to see raw data in transit.

Per-signal consentEach data signal can be enabled or disabled independently.
User-controlled flushYou control what is sent and when sync is allowed.
Aggregates over raw dataWhere server processing is needed, the app prefers aggregates, hashes and de-identified values.
Boundaries

The privacy promise

These are the product boundaries we design against and document publicly.

  • We do not sell personal data.
  • We do not use your data for advertising targeting.
  • We do not upload raw GPS coordinates or raw audio.
  • We do not transfer installed-app lists.
  • LifeCopilot is not a medical device and does not provide medical advice.

Full legal details

The complete Privacy Policy contains controller details, retention periods, user rights, regional notices and contacts.

Open the Privacy Policy