Privacy Policy

Last updated: April 5, 2026

This Privacy Policy describes how Lagom (‘we’, ‘us’, or ‘our’) collects, uses, and protects your personal information when you use our website at getlagom.app, our desktop application, our iOS app, and related services (collectively, the ‘Services’).

Your notes are encrypted at rest on our servers using AES-256-GCM with per-user encryption keys. We don’t read, sell, or use your note content for any purpose.

By using the Services, you agree to the collection and use of information in accordance with this policy. Please also review our Terms of Service and AI Disclosure.

1. Information We Collect

Information you provide

  • Account information: name, email address, and password when you register. The server stores a bcrypt hash of your password.
  • Notes and entries: the text content you write in the editor, including any embedded images or photos. This content is encrypted at rest on our servers (see Section 4).
  • Tasks (metadata): structured task names, priorities, due dates, and project assignments extracted from your notes by AI. These are stored as server-readable metadata to power AI features.
  • Chat messages: conversations with the AI chat assistant. Chat history is stored on our servers.
  • AI settings: if you choose to bring your own API key (BYOK), we store the encrypted key.
  • Preferences: language preference, theme setting, notification preferences, and other configuration choices.
  • Feedback: any feedback, bug reports, or support requests you submit.

Information collected automatically

  • Usage data: pages visited, features used, timestamps, and interaction patterns (via PostHog analytics).
  • Device information: browser type, operating system, and device type.
  • IP address: logged for security (rate limiting, audit logs) and fraud prevention.
  • Push notification tokens: if you enable push notifications, we collect your device’s push token (APNs device token on iOS, Web Push subscription on other platforms) to deliver notifications to your device.

Information from third parties

  • Google OAuth: if you sign in with Google, we receive your name, email, and profile picture from Google.
  • Apple Sign In: if you sign in with Apple, we receive your name and email address (or a private relay email) from Apple.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Services.
  • Process your notes through AI to extract tasks, generate insights, and provide chat assistance.
  • Generate vector embeddings of your notes for semantic search functionality.
  • Authenticate your identity and secure your account (including MFA).
  • Send transactional emails (account verification, MFA codes, password reset).
  • Monitor usage for rate limiting and abuse prevention.
  • Analyse usage patterns to improve the Services (via anonymised analytics).
  • Respond to your feedback and support requests.

3. AI Data Processing

Lagom uses artificial intelligence as a core part of the Services. For detailed information about how AI processes your data, please see our AI Disclosure.

In summary:

  • When using your own API key (BYOK), your note content is decrypted on your device and sent directly to the AI provider from your browser — it does not pass through our servers. For trial users, note content is decrypted server-side and forwarded to the AI provider for processing.
  • Text embeddings (mathematical representations) of your notes are generated by OpenAI for semantic search.
  • AI processing uses API endpoints, not consumer-facing products. According to the providers’ API data policies, your data is not used to train AI models.
  • If you bring your own API key (BYOK), your data is processed under your own agreement with the AI provider.
  • If you use the voice capture feature, audio recordings are sent to OpenAI Whisper for speech-to-text transcription. Audio data is processed in real time and is not stored by Lagom after transcription is complete.
  • We do not use your notes, tasks, or any personal content for AI model training. Your data is processed solely to provide the Services to you.

4. Data Encryption and Security

All note content (text, titles, editor data) and BYOK API keys are encrypted with AES-256-GCM using per-user keys derived from the server’s master secret. Data is encrypted before being written to the database and decrypted when read. This protects against database breaches — even with raw database access, the encrypted data is unreadable.

Authentication

Your password is hashed with bcrypt (10 rounds) and verified on login.

BYOK key encryption

BYOK API keys are encrypted with AES-256-GCM before storage.

Additional security measures

  • MFA codes: multi-factor authentication codes are stored as SHA-256 hashes and verified using timing-safe comparison.
  • Transport security: all traffic is encrypted via HTTPS (TLS) through Cloudflare Tunnel.
  • SQL injection prevention: all database queries use parameterised queries — no string interpolation.
  • Rate limiting: all sensitive endpoints are rate-limited to prevent brute-force attacks.
  • Security headers: HSTS (with preload), X-Frame-Options DENY, Content-Security-Policy, X-Content-Type-Options nosniff.

5. Key Management and Recovery

Your password can be reset via email. Password resets do not affect your stored data — all notes and tasks remain accessible after a password change. BYOK API keys can be updated or deleted at any time in Settings.

6. Information Sharing and Third Parties

We do not sell, rent, or trade your personal information. We share your data only with the following third-party services as necessary to provide the Services:

  • OpenAI: task metadata and note content are processed for AI task extraction, chat, and embedding generation. With BYOK, content is sent directly from your device; for trial users, content is forwarded via our servers. See OpenAI’s API data usage policy.
  • Anthropic: if selected as your AI provider (via BYOK), note content is sent from your device for processing. See Anthropic’s privacy policy.
  • Google: if you use Google sign-in, authentication is handled by Google OAuth.
  • Apple: if you use Sign in with Apple, authentication is handled by Apple. Apple may provide a private relay email address. See Apple’s Sign in with Apple page.
  • Resend: transactional email delivery (verification, MFA codes).
  • PostHog: product analytics (usage patterns, feature adoption). Data is anonymised.
  • Cloudflare: DNS, CDN, and tunnel services for secure traffic routing.
  • Stripe: payment processing for subscription billing. We do not store your payment card details.

We do not engage in cross-app tracking. We do not share your data with advertising networks, data brokers, or information resellers. We do not track your activity across other companies’ apps or websites for advertising or analytics purposes.

We may also disclose your information if required by law, court order, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

7. Cookies and Local Storage

We use a minimal set of cookies and local storage:

  • Authentication session cookie (httpOnly): manages your login session. Essential for the Services to function.
  • Locale cookie (NEXT_LOCALE; httpOnly, 1-year expiry): stores your language preference.
  • Theme preference: stored in localStorage to remember your light/dark mode choice.
  • Daily brief dismissal: stored in localStorage to track if you’ve dismissed the daily brief.

We do not use tracking cookies or advertising cookies. Analytics (PostHog) uses its own minimal cookie for session tracking.

8. Data Retention

We retain your data as follows:

  • Account data: retained for as long as your account is active.
  • Notes and tasks: retained until you delete them or delete your account. Note content is encrypted at rest.
  • Chat messages: retained until you delete the conversation or your account.
  • Audit logs: retained for security and compliance purposes.
  • AI insights: automatically expire and are regenerated daily.

When you delete your account, we will delete your personal data, encrypted notes, tasks, and associated content. Some data may be retained in backups for a limited period as part of routine backup procedures. Note content in backups remains encrypted at rest and unreadable without the server’s encryption keys.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: request correction of inaccurate personal data.
  • Erasure: request deletion of your personal data (you can delete your account from Settings).
  • Data portability: request your data in a structured, machine-readable format.
  • Restriction: request that we restrict processing of your personal data.
  • Objection: object to processing of your personal data for certain purposes.
  • Withdraw consent: withdraw consent at any time where processing is based on consent.

If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR). To exercise any of these rights, please contact us at [email protected].

You also have the right to lodge a complaint with your local data protection authority.

10. Children’s Privacy

The Services are not intended for users under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe we have collected information from a child under 18, please contact us at [email protected].

11. International Data Transfers

Our Services are hosted in the European Union. If you access the Services from outside the EU, please be aware that your data may be transferred to, stored, and processed in the EU. By using the Services, you consent to the transfer of your data to the EU.

When your data is sent to third-party AI providers for processing, it may be transferred to servers located outside the EU, subject to the respective provider’s data processing agreements and privacy policies. When using your own API key (BYOK), your encrypted content is decrypted on your device and sent directly to the AI provider without transiting our servers. For trial users, content is decrypted and forwarded via our EU servers.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page with a new “Last updated” date. We encourage you to review this Privacy Policy periodically. Your continued use of the Services after changes are posted constitutes your acceptance of the updated policy.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Lagom
[email protected]