Privacy Policy
Last updated: May 15, 2026
Lifetime Labs LLC ("we", "us") operates lifetimelabs.dev and the tools hosted on it, including Paper and PrivacyNotes. This policy describes what information we collect, the legal basis for processing it, and how we protect your rights. The short version: our tools run in your browser, we don't upload your files, we don't run advertising trackers, and we don't profile you across the web.
What runs where
Our web tools execute on your device. When you drop a file into one of our tools, the file is read into your browser's memory and processed there. We do not upload the file, we do not store it on a server, and we do not retain any copy of it after you leave the page.
What we collect
Free use of our web tools does not require an account. We do not place tracking cookies, we do not run any third-party JavaScript in our applications, and we do not log the content of files you process. For aggregate traffic metrics, we rely on server-side analytics at the CDN edge — see the Analytics section below.
If you purchase a paid license (for example, Paper Pro), our payment processor Paddle collects the information required to process your transaction, including your name, email address, billing address, and payment details. Paddle acts as the Merchant of Record for all purchases, meaning Paddle is the seller of record for tax and billing purposes. We receive your email address and purchase record from Paddle so we can deliver your license key.
Our servers keep standard access logs (IP address, request time, user agent, requested URL) for a short period to protect against abuse and to keep the site running. These logs are not linked to any account and are rotated automatically.
Device fingerprinting
For products that include device-based licensing (such as PrivacyNotes), we use a lightweight device fingerprint to enforce per-account device limits. This consists of four signals available through standard browser APIs: your operating system platform (e.g. "Windows" or "macOS"), GPU renderer string (via WebGL), CPU core count, and browser language setting.
Before any of these signals leave your device, they are hashed on your machine using a key derived from your account's recovery phrase, which exists only on your device. Our servers receive and store only the resulting hashes, never the raw values. Because the hashing key is unique to your account, the same hardware produces different hashes for different accounts; we cannot link a device across accounts or learn what GPU, OS, or language you actually use.
The purpose is to prevent the same physical machine from consuming multiple device slots when you clear your browser data or switch browsers. Without this, you would hit artificial device limits on a single computer.
We deliberately exclude signals that would identify your specific browser, such as screen resolution, timezone, user agent string, canvas fingerprints, font enumeration, cookies, IP-based fingerprinting, and behavioral tracking. Chrome and Firefox on the same machine count as one device, not two.
The fingerprint hashes are stored server-side alongside the device registration record. They are deleted when your account is deleted. When you remove a device, the record (including the hashes) is retained for a short cooldown period to prevent abuse, then permanently deleted.
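The keyed, on-device hashing described in this section can be sketched as follows; this is an added example, not Lifetime Labs' code. It shows why two browsers on one machine match within an account while the same machine is unlinkable across accounts. The key derivation (PBKDF2), the MAC (HMAC-SHA-256), the salt label, hashing each signal separately, and all function names and sample values are assumptions, since the policy does not specify them.

```javascript
// Added illustration, not Lifetime Labs code. The KDF, MAC, salt label and
// per-signal hashing are assumptions; the policy names only the four signals.
const nodeCrypto = require('node:crypto');

const SIGNALS = ['platform', 'gpuRenderer', 'cpuCores', 'language'];

// Derive the per-account hashing key on the device from the recovery phrase.
// Assumed parameters: PBKDF2-HMAC-SHA256, fixed context salt, 32-byte key.
function deriveFingerprintKey(recoveryPhrase) {
  return nodeCrypto.pbkdf2Sync(
    recoveryPhrase.normalize('NFKD'), 'device-fingerprint-v1', 100000, 32, 'sha256');
}

// HMAC each signal under the account key. The field name is bound into the
// input so equal values in different fields never produce equal hashes.
function hashSignals(key, signals) {
  const hashes = {};
  for (const name of SIGNALS) {
    if (signals[name] === undefined) throw new Error(`missing signal: ${name}`);
    hashes[name] = nodeCrypto.createHmac('sha256', key)
      .update(`${name}\0${String(signals[name])}`)
      .digest('hex');
  }
  return hashes;
}

// What a server holding only hashes can do: equality checks within one account.
function sameDevice(a, b) {
  return SIGNALS.every((name) => a[name] === b[name]);
}

// Constructed sample: one machine, read by two browsers and by two accounts.
const machine = { platform: 'macOS', gpuRenderer: 'Apple M2', cpuCores: 8, language: 'en-US' };
const keyA = deriveFingerprintKey('constructed phrase for account a');
const keyB = deriveFingerprintKey('constructed phrase for account b');

const chromeA = hashSignals(keyA, machine);
const firefoxA = hashSignals(keyA, { ...machine });
const chromeB = hashSignals(keyB, machine);

console.log('same account, two browsers match:', sameDevice(chromeA, firefoxA));
console.log('same machine, two accounts match:', sameDevice(chromeA, chromeB));
```

Values such as a CPU core count have very few possible inputs, so an unkeyed hash of them could be reversed by enumeration; the per-account key is what prevents that.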
Legal basis for processing
We process personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR):
- Contractual necessity — to fulfill a purchase (delivering a license key to the email address provided during checkout).
- Legitimate interest — to maintain server access logs for security and abuse prevention, to collect a lightweight device fingerprint that prevents false device-limit errors within your account, and to collect aggregate traffic metrics via server-side edge analytics (see the Analytics section). Because no client-side code is involved, no cookies are set, and no personal identifiers are collected, no consent is required under ePrivacy and processing is based on GDPR Art. 6(1)(f).
We do not send marketing emails and therefore do not rely on consent for email communications. The only emails you receive from us are transactional (license key delivery).
Cookies
Our website does not set first-party cookies. The analytics described below is also cookieless. If you initiate a purchase, the Paddle checkout overlay may set cookies required to complete and secure the transaction. These are strictly necessary cookies set by Paddle, not by us. See Paddle's privacy policy for details on the cookies Paddle uses.
Analytics
We collect aggregate traffic metrics (page views, unique visitors, country) through Cloudflare's server-side edge analytics. This operates entirely at the CDN layer, using HTTP request metadata (IP address, user agent, URL) as each request passes through Cloudflare's network. No JavaScript is injected into your browser, no cookies are set, and no client-side code runs for analytics purposes.
IP addresses are processed transiently by Cloudflare at the edge to derive approximate country and to fight abuse. They are not stored against analytics records and are not linked to any user identity.
No third-party analytics scripts run on any Lifetime Labs product. The PrivacyNotes app, in particular, loads zero third-party JavaScript — the only scripts that execute in your browser are the application code itself.
Data retention
License records (email address, license key, purchase date) are retained for as long as your license is active. If you request deletion of your data, we will remove your license record and invalidate the associated key. Server access logs are retained for no more than 30 days and are then automatically deleted.
Third parties we use
- Cloudflare, Inc. (United States, with EU data processing agreements) — hosts the website and provides DDoS protection. Cloudflare processes HTTP request metadata (IP address, user agent, URL) at the edge to serve pages and provide the server-side aggregate analytics described above. No client-side analytics code is loaded from Cloudflare or any other third party. Cloudflare Privacy Policy.
- Paddle — processes payments as the Merchant of Record for all paid licenses. Paddle collects the information needed to complete transactions and comply with tax law, including your name, email, billing address, and payment method. Paddle Privacy Policy.
- Resend — delivers transactional emails (license keys, receipts) on our behalf. Resend Privacy Policy.
We do not sell, rent, or share your personal data with any other third parties.
Your rights
In practice, we hold very little personal data. If you use our free web tools without purchasing anything, we do not have any data that identifies you — server access logs rotate automatically and are not linked to any identity. If you have purchased a license, the only personal data we hold is your email address, license key, and purchase date. For PrivacyNotes accounts with device licensing, we also hold the device fingerprint data described above.
Regardless of where you are located, and in particular under the GDPR if you are in the European Economic Area, you have the right to access, rectify, erase, restrict, or port your personal data, and to object to processing based on legitimate interest. If we delete your purchase record at your request, the associated license key will be invalidated.
To exercise any of these rights, please contact us. We will respond within 30 days. If you believe your rights have not been adequately addressed, you have the right to lodge a complaint with your local data protection authority.
Children's privacy
Our Services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
Changes
If this policy changes in a material way, we'll update the date at the top of this page and, where relevant, note the change in a release post.
Contact
Lifetime Labs LLC
Contact form