Privacy Policy
Last updated: July 12, 2026
Yearspan ("we", "us", "our"), operated by [LEGAL ENTITY], is built privacy-first. This policy explains what we collect, what we deliberately do not collect, and how your financial plan stays yours.
What we collect
- Account information — your email address, and authentication material stored only as hashes (password hash, passkey public credentials, recovery-code hashes).
- Subscription status — your plan, trial/renewal dates, and entitlement state, used to grant access. Payment card details are handled by our merchant of record (Paddle); we do not receive or store them.
- Encryption key custody — a per-account data key, generated on our server and stored only in wrapped (encrypted) form. We release it to your browser so your device can decrypt your plan. This is how account recovery is possible without us ever seeing your plan.
- Operational logs — minimal security/audit records (e.g., sign-in events, timestamps) to protect accounts. No plan data.
What we do NOT collect
- Your financial plan. Accounts, balances, income, expenses, scenarios, and projections are stored only in your browser's local storage (IndexedDB), encrypted at rest. They are never transmitted to or stored on our servers.
- No tracking. No third-party analytics, advertising, or behavioral tracking cookies. We use only the local/session storage necessary to keep you signed in and remember preferences.
Payments
Purchases are processed by Paddle, our authorized reseller and merchant of record, who acts as the data controller for payment information under its own privacy policy. We receive only the subscription status needed to grant access.
We send transactional email only (verification and password reset) via our email provider. We do not send marketing email without your consent.
Security & threat model
Your plan is encrypted on your device (AES-GCM) with a per-account key. Being honest about what that protects:
Use your operating system's full-disk encryption (FileVault, BitLocker) for device-loss protection. Encrypted mode requires a secure context (HTTPS).
Data retention & your choices
- Export anytime. You can export your full plan as a plaintext file (to move off the platform) or an account-encrypted file, at any time from Settings.
- Deletion. You may delete your account; this destroys the wrapped encryption key we hold, after which your locally stored data can no longer be decrypted by us or recovered through us. Your local copy remains on your device until you clear it.
- Access. Because we do not hold your plan data, an access request returns your account metadata (email, subscription status) only.
Children
The Service is not directed to children under 18, and we do not knowingly collect their information.
Changes
We will post updates here and, for material changes, notify you by email or in-app.
Contact
Privacy questions: support@yearspanretirement.com. [Add postal address / data-protection contact as required by your jurisdiction.]