Your privacy is sacred
Your data — and the eventual delivery of your final messages — is a trust we take seriously. Here is exactly what we collect, how we use it, and what we will never do.
Encrypted at rest
Your messages are encrypted in our database — even we can't read them.
No ad tracking
No advertising cookies. No third-party trackers. Ever.
You're in control
Edit, delete, or export your data anytime. Your account, your call.
What we collect
Personal information
- Email address (used to identify and verify your account)
- First name (used in personalisation and communications)
- Message content and video links you create
- Email addresses of your designated message recipients
- Email address of your trusted contact (if added)
- Your Buy Me a Coffee email (if supplied, for supporter status validation)
Usage & status data
- Last verification timestamp — used to determine your current status and decide when messages should be sent.
- Membership and support level — helps us apply your plan's features.
- Trusted contact interactions — we log when your contact confirms or denies your status so we can act accordingly.
How we use your information
Message delivery. To deliver your messages only if your account becomes inactive past your set window and all verification steps are completed.
Daily check-ins. To ask if you're still around — and keep your messages safe while you're alive.
Trusted contacts. To confirm your status only after you've missed multiple check-ins.
Membership & access. To apply correct usage limits and unlock features based on your support tier.
Service communications. To send you verification emails, expiry warnings, and support-related notifications. We do not send marketing emails unless you've explicitly opted in.
Recipient data
You provide us with the email addresses of people who will receive your messages. By adding a recipient, you confirm that:
- You have a legitimate personal relationship with them.
- You take full responsibility for the appropriateness of the messages they will receive.
- You understand that recipients have not consented to receive messages through this platform and that delivery is initiated on your behalf.
We store recipient email addresses solely to facilitate delivery of your messages. We do not contact recipients for any other purpose.
Third-party service providers
We use the following platforms to operate Last Letter. Each has its own privacy policy and data handling practices:
- Supabase — database and authentication hosting. Your messages and account data live on their infrastructure.
- Netlify — website hosting and serverless function execution.
- Resend — email delivery service. Sends verification emails, check-in requests, and your final messages.
- Buy Me a Coffee — payment and subscription platform. We receive supporter status updates via webhook but do not store your payment details.
We do not sell your data to any of these providers or third parties. Data is shared only to the extent necessary to operate the service.
Cookies & tracking
Last Letter does not use advertising trackers or third-party tracking pixels. We use Google Analytics only if you accept the cookie banner — declining means no analytics cookies are loaded at all. We use minimal session cookies to keep you logged in.
Who can see your messages
- You — while your account is active. Your messages remain private and encrypted at rest.
- Your trusted contact — does not see your messages. They only confirm your status if something seems wrong.
- Your chosen recipients — only after you miss your check-ins and a trusted contact confirms your absence (or your fallback period passes for free users).
- Law enforcement — we may disclose data if required by a valid legal order, subpoena, or court order. We will notify you where legally permitted.
Your rights & options
- Access. You can request a copy of your data by emailing us. We'll provide a manual export of your messages, recipients, and profile info.
- Update. You can edit or replace your messages and recipient details anytime via the Dashboard.
- Deletion. You can delete your account at any time from your Profile page. This permanently removes all your messages and data — and we will not be able to recover it.
- Portability. Upon request, we will provide your data in a readable format (plain text or JSON).
- Objection. You may contact us to object to how we process your data. We will respond within a reasonable timeframe.
Data retention
- Active accounts and all associated data are retained while your account is active.
- If you delete your account, all data is permanently erased within 30 days.
- Messages that have already been delivered cannot be recalled — they exist in the recipient's email inbox, which is outside our control.
What we do not do
- Sell your data to anyone.
- Display your messages publicly.
- Track you for advertising.
- Allow any staff to read your private messages (unless legally compelled).
- Share your data with third parties beyond what is listed above.
Security practices
We follow platform-backed security standards:
- Data is encrypted in transit (TLS) and at rest (AES-256-GCM for message content; provider-side encryption for account data).
- Secure access through environment-isolated secrets and platform-level logging.
- Row-level security (RLS) ensures each user can only access their own data.
- Authentication, rate limiting, and HMAC-signed webhooks at every server boundary.
- Ongoing internal reviews of platform code and email systems for stability and abuse prevention.
Data breach notification
In the event of a data breach that may affect your personal information, we will notify affected users as soon as reasonably possible via the email address on your account, and take prompt steps to contain and assess the incident.
International users
Last Letter is operated from a global hosting infrastructure. By using this service, you consent to your data being processed and stored on servers that may be located outside your home country. We take reasonable steps to ensure your data is protected regardless of where it is stored.
Updates to this policy
This privacy policy may evolve. We will always post updates to this page and clearly indicate any major changes. Continued use of the service after changes are posted constitutes acceptance of the revised policy.
Questions? Email support@lastletter.app.