Privacy Policy

Last updated: May 2026

My Loved Ones ("Mylo," "we," "us," or "our") operates the website mylo.family. This Privacy Policy explains how we collect, use, and protect your information when you use our platform.

Your personal and family information is deeply private. The work you save inside Mylo is encrypted in your browser before it reaches our servers. We hold scrambled bytes; neither Mylo staff nor our cloud providers can read your saved content. Anything you can do without an account — free quizzes, free tools, public articles — stays session-only on your device and never reaches us at all.

Information We Collect

Account Information

When you create an account, we collect your name and email address through our authentication provider, Clerk. This information is used solely to manage your account and verify your identity.

Payment Information

If you purchase a plan, your payment is processed by Lemon Squeezy. We do not collect, store, or have access to your credit card number, billing address, or other financial details. Lemon Squeezy handles all payment processing in accordance with PCI compliance standards.

Usage Data

We use Cloudflare Web Analytics to understand how visitors interact with our site. Cloudflare Web Analytics is a privacy-focused analytics tool that does not use cookies, does not track individual users, and does not collect personal information. It provides us with aggregate, anonymized data such as page views and general traffic patterns.

How Your Content Is Processed

Public tools (no account)

Pages you can use without logging in — the free quiz, the free planning tool, articles — keep any answers you type in your browser's session memory only. Refresh the page, close the tab, or switch devices and the data is gone. We do not log, store, or transmit those answers to our servers.

Documents (Excel asset workbooks, DOCX letters, PDFs, calendars, posters) are generated entirely on the client side — in your browser — and downloaded directly to your device. At no point are these files uploaded to our servers.

Encrypted vault (signed-in users)

When you save work inside any of the Mylo wings, your data is encrypted in your browser before storage. New password-derived vault accounts use AES-GCM-256 and Argon2id (the same primitives password managers like Bitwarden and 1Password use). Some older accounts may use our legacy split-key vault while they are being migrated. In both models, our servers store ciphertext and cannot read plaintext.

What we store: an opaque ciphertext blob plus your wrapped data-encryption key, the random salt used by the key-derivation function, and some non-secret metadata (schema version, revision number, integrity hash).

What we never see: the data-encryption key itself or the plaintext contents of your vault. In password-derived vault accounts, password-based key derivation happens in your browser. Our servers see scrambled bytes and have no way to read or reconstruct your saved content.

Trust model: this design is sometimes called "zero knowledge" or "end-to-end encrypted at rest." The trade-off is honest: Mylo support cannot decrypt, restore, or read your saved work for you. For password-derived vault accounts, losing or resetting the account password makes the old encrypted vault unrecoverable. Pick a password you can remember or save it in your password manager — there is no support override.

AI Consultant

Our AI Consultant feature uses the Anthropic Claude API to answer your questions about inheritance and legacy planning. Your question text is sent to Anthropic for processing and is subject to Anthropic's Privacy Policy. We use Anthropic's API in a configuration that does not use your prompts to train their models. Older messages may be retained for short-term conversation context and are not connected to your vault content unless you paste vault data into the chat yourself.

Cookies and Local Storage

We use minimal cookies, limited to what is necessary for authentication sessions managed by Clerk. We do not use advertising cookies, tracking cookies, or any third-party marketing cookies.

Answers you type into public tools live in your browser's sessionStorage and are cleared when the tab closes.

For signed-in users, your browser stores a cached data-encryption key in IndexedDB (the "remember this device" behaviour) so you do not have to enter your password on every page load. This cached key never leaves your device and can be wiped at any time by clicking "Forget this browser" in the vault status banner.

Third-Party Services

We use the following third-party services, each with their own privacy policies:

  • Clerk — authentication and account management.
  • Anthropic — AI Consultant processing (API only, no model training on your data).
  • OpenAI — generates embeddings for our internal knowledge base of inheritance-law documents (your messages are not sent here for chat).
  • Lemon Squeezy — payment processing. We never see your card details.
  • Supabase — our database. Stores Clerk user metadata, encrypted vault ciphertexts (for vault users), and the Consultant knowledge base. The vault rows are opaque ciphertext — Supabase, like Mylo, cannot read them.
  • Cloudflare — web analytics (privacy-focused, no cookies), content delivery, and encrypted off-site backup of vault ciphertexts. The backups are encrypted by Mylo with a key we hold separately from the database; Cloudflare stores encrypted bytes only.
  • Vercel — website hosting and serverless compute.
  • Resend — transactional email (welcome emails, password resets).

Data Sharing

We do not sell, rent, or share your personal information with third parties for marketing purposes. We do not participate in data brokerage, advertising networks, or any form of data monetization. Your information is shared only with the third-party service providers listed above, strictly for the purpose of operating our platform.

Data Retention

Account data — name, email, subscription status — is retained for as long as your account is active. You can request deletion at any time.

Public-tool content (answers in the free quiz, the free planning tool, and similar) is never stored on our servers, so there is nothing to retain.

Encrypted vault ciphertext is retained as long as your account is active. We also keep the last five revisions of your vault row in a history table so you can roll back if a corrupted save lands. Daily encrypted backups are stored in Cloudflare R2 for 30 days and then automatically deleted. All of these copies are ciphertext — unreadable to us, Cloudflare, or anyone else without your password.

When you delete your account, your live vault row, history rows, and any backup copies are removed within 30 days. Even before deletion, none of these copies are useful to an attacker without your Mylo password.

Your Rights

You have the right to:

  • Access the personal information we hold about you (account data only — your vault content is unreadable to us by design).
  • Correct any inaccurate information in your account.
  • Delete your account, your encrypted vault ciphertext, and any backup copies.
  • Export your account data and a copy of your encrypted vault blob.
  • Object to any processing of your data.

To exercise any of these rights, contact us at team (at) mylo.family. We will respond to requests within 30 days.

GDPR Compliance

We are committed to complying with the General Data Protection Regulation (GDPR). Our lawful basis for processing your account data is the performance of a contract (providing the service you signed up for). For analytics, we rely on legitimate interest using a privacy-focused, cookie-free analytics tool. You may request account deletion at any time.

Children's Privacy

My Loved Ones is not directed at children under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of our platform after changes constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at team (at) mylo.family.