Safety & Security

Only what's needed to do its job:

• Your name and email — to create your account.
• Your kids' first names, ages, grades, schools, and teachers — only what you type into onboarding, only to match incoming emails to the right kid.
• The emails you forward to your Lifto address, or (only if you turn on Power Mode) recent messages in your Gmail inbox.
• Items extracted from those emails — events, tasks, money-due notices, and reminders Lifto creates for your calendar and to-do list.
• Your review actions — when you approve, reject, or correct an item, Lifto remembers that to get smarter about your preferences over time.

That's the full list. No advertising tracker, no analytics that follow you around the web, no data broker integration.

• No social security numbers, bank details, credit cards, or government IDs. Lifto isn't built to handle them and there's no field anywhere in the product that asks for them.
• No medical records or health information.
• No location tracking. Lifto doesn't know where you are.
• No browsing history or third-party data. What's in your Lifto account is what you put there or forwarded in.
• No data from your kids directly. Lifto is a tool for parents. Kids don't have accounts.

Three places, each chosen because they're vetted by tens of thousands of other businesses:

• Supabase (US-West, AWS) — your account, kids' info, emails forwarded to Lifto, extracted items. Built on AWS infrastructure; data encrypted in transit and at rest; SOC 2 Type 2 certified.
• Vercel — the Lifto web app itself (no user data stored beyond standard server logs). SOC 2 Type 2 certified; ISO 27001 certified.
• Anthropic (Claude API) — email content is sent here briefly so the AI can extract events and tasks, then the result comes back. Anthropic does not retain or train on this data when accessed via Lifto's paid API key. SOC 2 Type 2 certified.

Your Google Calendar events and Google Tasks live in your own Google account — not in Lifto's database. Lifto writes to them; Google holds them.

You. Your data is scoped to your account and visible to you in your dashboard.

Lifto's operator. During beta, there is admin access to Lifto's database for support, debugging, and operating the service. That access is not used to read user emails for any purpose other than (a) you asking directly (e.g., a support ticket), (b) investigating a specific bug a user reports, or (c) the rare case where security or legal compliance requires it. User data is not browsed for fun, content, or curiosity. This is documented in the Privacy Policy.

Nobody else. No other people, no advertising partners, no marketing partners, no data brokers, no other Lifto users.

The database has row-level security turned on, which means even if someone obtained one of Lifto's internal credentials, they would still only see data belonging to a specific authenticated user — not the whole database. The one exception: a small set of internal “service” credentials used by Lifto's own background jobs (like the daily brief sender), which are protected separately and never exposed to users or the public.

This is the most reasonable question a parent can ask in 2026, so it gets a direct answer. There are two completely separate things going on, and they're worth pulling apart.

Claude Code is a developer tool — it is not part of Lifto.

Claude Code is a coding assistant used to help write the code that becomes Lifto. Think of it the way an architect uses CAD software, or a designer uses Figma. The tool helps build the product. The tool is not the product.

All code written with Claude Code's help is reviewed, tested, and decided on before it gets deployed. Once the code is shipped, Claude Code is no longer in the picture. Lifto runs on Supabase and Vercel — not on Anthropic's infrastructure. Your data has zero relationship to Claude Code. It never goes near it.

Lifto uses one AI in production: Anthropic's Claude API.

Lifto uses one AI model in the running product, for one specific job: reading the text of your kid's school emails (or photos of paper flyers you upload) and pulling out the events, tasks, and reminders. That's it.

What goes to the Claude API, and what doesn't:

A few specifics worth knowing:

• Anthropic does not train on API customer data. That's their published policy for paid API usage, which is what Lifto runs on.
• Default 30-day retention at Anthropic for safety and abuse review, then automatic deletion. This is Anthropic's standard policy for API requests.
• Anthropic is SOC 2 Type 2 certified — independently audited security controls.
• The extracted events come back to Lifto and are stored in Supabase. They are not stored at Anthropic.

If you want to reduce the surface area further, Power Mode is optional — leave it off and only the specific emails you forward to your Lifto address are ever processed. Nothing else from your inbox is scanned.

When you click “Sign in with Google,” you'll see a Google screen — not a Lifto screen — asking you to grant permission for specific things:

• Google Calendar (calendar.events) — so Lifto can put events on your calendar.
• Google Tasks (tasks) — so Lifto can put to-dos on your task list.
• Gmail read access (gmail.readonly) — only if you turn on Power Mode. This lets Lifto auto-scan recent messages for school items so you don't have to forward each one.

A few things to know:

• Lifto never sees your Google password. Google handles sign-in. Lifto only receives a token that lets it access the specific things you approved.
• You can revoke Lifto's access at any time at myaccount.google.com/permissions. When you do, Lifto stops accessing your Google data immediately.
• Lifto cannot send email from your Gmail. Read-only means read-only.
• You may see an “unverified app” warning right now. Lifto submitted to Google for OAuth verification on April 23, 2026, and is currently in Google's review queue (typical turnaround is 2–6 weeks). The warning is a normal part of being a new app in the queue. The app is real, the privacy policy is published, and we're going through Google's process — but it takes the time it takes.

Lifto exists because school communication happens to parents — not to kids. Kids don't have Lifto accounts. They never log in. They never see Lifto. The only kid information in the system is what you, the parent, type into onboarding so Lifto can route emails to the right kid:

• First name (or nickname — whatever you call them at home).
• Age and grade — so Lifto can tell whether an email about “5th grade field trip” applies to your kid.
• School and teacher names — so Lifto can tell which emails are even relevant to you.
• Items extracted from emails about your kid — events on the calendar, tasks on the to-do list, money-due reminders.

What Lifto does NOT collect about kids:

• No last names required. First name is enough.
• No birthdays, just age and grade.
• No photos, no medical records, no school IDs, no addresses, no contact info.
• No behavioral profiles. Lifto does not build a profile of your kid for advertising. There is no advertising in Lifto.
• No direct contact with your kid. Lifto only ever talks to you, the parent.

You control all of it. You can delete a kid from your account at any time in your dashboard, and that wipes their info from Lifto's database. You can delete the whole account and everything goes (see “How to delete your data” below).

How Lifto handles COPPA.

The U.S. Children's Online Privacy Protection Act (COPPA) regulates what online services can collect from kids under 13. Lifto's audience is parents, not kids — kids don't sign up, they don't have accounts, and they never interact with the product. So the parental-consent requirements COPPA places on child-facing services don't apply the way they would to an app kids log into directly.

That said, kid information is in the system, so here's how Lifto handles it:

• The parent provides and controls all kid data. A parent typing their own kid's first name into a parent-facing app is the consent.
• No advertising at all — to anyone, parent or kid. No ad network, no behavioral targeting, no third-party trackers.
• Data minimization. Lifto stores the least amount of kid info needed to do the job: first name, age, grade, school, teacher.
• Parent-initiated deletion. Parents can delete a kid, an item, or the whole account at any time. Within 30 days of account deletion, kid data is purged.
• No sharing with third parties for any purpose other than the vendors needed to operate the service (Supabase, Vercel, Anthropic — all listed above).

If you're a parent or a privacy professional with questions about how kid data is handled, email mary@maryflorcruz.com and Mary will answer directly.

• Encryption. All data is encrypted in transit (HTTPS) and at rest (database-level encryption via Supabase/AWS).
• Authentication. You sign in with your Google account; Lifto never stores a password for you.
• Row-level security on every table. Each user can only see their own rows. The database enforces this — it's not just application logic.
• Backups. Supabase runs daily automated backups. If something breaks, we can roll back.
• Health monitoring. Lifto runs watchdog jobs every few minutes to check that the daily brief is being delivered, emails are being processed, and the system is healthy. If something fails, an alert fires immediately.
• Platform security floor. Lifto's three core platforms — Supabase, Vercel, and Anthropic — are all SOC 2 Type 2 certified. That means independent auditors have validated their security controls. Lifto's baseline security is at least their baseline.

Two ways:

• Revoke Google access. Go to myaccount.google.com/permissions, find Lifto, and click Revoke. Lifto immediately loses access to your Google account.
• Email Mary. Send a note to mary@maryflorcruz.com asking to delete your account. Within 30 days, your Lifto data is purged from the database — emails, extracted items, kid info, preferences, all of it.

Note: events and tasks Lifto already wrote to your Google Calendar and Google Tasks stay in your Google account after you delete Lifto — they're yours now. You can delete them yourself in Google.

Lifto hasn't had a security incident, and we hope it never does. If one ever happens, here's what we commit to:

• You'll hear from us. Affected users get an email within 72 hours of us discovering an incident, with what we know, what we're doing, and what (if anything) you should do.
• We'll publish what happened. A short post-incident write-up will go on this page or the blog.
• We won't hide. No vague PR language. Specific facts, plain language.

If you find a vulnerability, bug, or anything that looks wrong, please email mary@maryflorcruz.com with a clear description. There's no formal bug bounty during beta — Lifto is too small for that to be meaningful — but issues get treated seriously and fixed quickly. Mary will reply personally. (A bug bounty program is something we'll add once Lifto has a larger user base and the budget to make it worthwhile for security researchers.)

Lifto's security posture is going to keep improving. The benchmark is consumer best-in-class — what a thoughtful, modern consumer app should look like — not enterprise certification. Specifically:

• Two-factor authentication on admin access to the database. In progress.
• Independent security review of the codebase by an outside reviewer. Targeted within the next 60 days. When it's complete, we'll publish a summary of what was reviewed and what was hardened.
• Ongoing data minimization for kids' info. Lifto's commitment: collect only the minimum, never advertise to anyone, keep parents in full control of deletion.
• Transparency on changes. When the security posture, data practices, or vendor stack changes in any meaningful way, we'll update this page and date the change.

If anything on this page is unclear, or you'd like a deeper answer, email mary@maryflorcruz.com. During beta, you'll hear back directly from Mary.

You can also read the full Privacy Policy and Terms of Service for the complete legal version.

Lifto exists because school communication is structurally broken — not because parents are. The least we can do is be straight with you about how we handle your data while we try to fix it.