← Back to Lockstep Legal

Privacy Policy

Last updated: May 29, 2026

Lockstep ("we", "us", "our") is a habit-accountability app. This policy explains what data we collect, how we use it, and your rights over it. We keep this short and honest.

What we collect

• Account data — your email address and display name, provided when you sign in via Google or email/password through Firebase Authentication.
• Task and proof data — the tasks you create, your proof conditions, completion timestamps, streak counts, and any evidence you submit (text reflections, numbers, timer completions).
• Photo evidence — photos you upload as proof. These are stored in your browser's local data (as base64 in Firestore) and are only used to verify task completion.
• Push notification tokens — if you enable reminders, we store a push subscription token so we can deliver notifications at the time you set.
• Subscription status — whether your account is on the free or Pro plan, stored in our Cloudflare KV store tied to your Firebase user ID.

What we do not collect

• We do not sell your data to anyone.
• We do not run ads.
• We do not track you across other websites or apps.
• We do not collect your location.

How we use your data

• To provide the service — syncing your tasks across devices, calculating streaks, sending reminders.
• AI photo verification (Pro) — if you're a Pro subscriber and upload a photo, it is sent to Google Gemini to verify it matches your task condition. Photos are not stored by Google beyond the immediate API call.
• Payment processing — if you upgrade to Pro, payment is handled by Stripe. We never see or store your card details. Stripe's privacy policy applies to that transaction.
• Support — if you contact support, your message and email are sent via Resend to our support inbox. We use this only to respond to your request.

Data storage and security

Your task data is stored in Google Firestore, secured by Firebase Authentication rules that allow only you to read or write your own data. Proof photos are stored as compressed images inside your Firestore documents. Push tokens are stored in Cloudflare KV.

Data retention

Your data is kept as long as your account is active. If you delete your account or request deletion, we will remove your data from Firestore and Cloudflare KV within 30 days. To request deletion, email [email protected].

Third-party services

• Firebase / Google — authentication and database
• Cloudflare Workers — backend API, push notifications, subscription management
• Stripe — payment processing
• Google Gemini — AI photo verification (Pro only)
• Resend — support email delivery

Children

Lockstep is not directed at children under 13. We do not knowingly collect data from anyone under 13.

Changes

If we make material changes to this policy, we'll update the date above. Continued use of the app after changes constitutes acceptance.

Contact

Questions? Email us at [email protected].