Last updated: March 20, 2026

Privacy Policy

This Privacy Policy explains how YearInReview(“we,” “us,” or “our”) collects, uses, discloses, and protects information when you use our websites and applications at www.yearinreview.online(the “Service”). By using the Service, you agree to this policy. If you do not agree, please do not use the Service.

1. Information we collect

1.1 You provide

• Account data: name, email address, profile image (if you sign in with a provider that supplies it), and authentication identifiers.
• Plan and billing: subscription status and transaction references processed by our payment provider; we do not store full payment card numbers on our servers.
• User content: goals, reflections, check-ins, notes, wheel-of-life ratings, and similar content you enter into the Service.
• Support: information you send when you contact us.

1.2 Collected automatically

• Device and log data: IP address, browser type, general location derived from IP, timestamps, and diagnostic logs to secure and operate the Service.
• Cookies and similar technologies: as described in our Cookie Policy.

2. How we use information

We use information to:

• Provide, maintain, and improve the Service and your account.
• Process subscriptions and communicate about billing, security, and policy changes.
• Send transactional and product emails (e.g., magic links, reminders if enabled).
• Detect, prevent, and address fraud, abuse, and technical issues.
• Comply with legal obligations and enforce our terms.
• Analyze usage in aggregate or de-identified form where we use analytics tools (see Cookies)—only as configured and permitted by law.

3. Legal bases (EEA, UK, and similar)

Where GDPR or similar law applies, we rely on:

• Contract: providing the Service you requested.
• Legitimate interests: security, product improvement, and internal analytics, balanced against your rights.
• Consent: where required (e.g., non-essential cookies or marketing)—you may withdraw consent at any time.
• Legal obligation: where we must retain or disclose data by law.

4. How we share information

We do not sell your personal information as that term is defined under the CCPA/CPRA. We share data with:

• Service providers who process data on our instructions (e.g., hosting—such as Vercel, database—such as Neon, email—such as Resend, payments—such as Lemon Squeezy, authentication—such as Google for OAuth). Their use is governed by contracts and their privacy policies.
• Analytics providers if you enable or we configure optional analytics (e.g., PostHog)—as described in our Cookie Policy.
• Legal and safety: when required by law, legal process, or to protect rights, safety, and security.
• Business transfers: in a merger, acquisition, or asset sale, with notice where required.

5. International transfers

We may process data in the United States and other countries where we or our providers operate. Where required, we use appropriate safeguards (such as Standard Contractual Clauses) for transfers from the EEA, UK, or Switzerland.

6. Retention

We retain information for as long as your account is active and as needed to provide the Service, comply with law, resolve disputes, and enforce agreements. You may delete certain content in-product; account deletion may be available through settings or by contacting us.

7. Security

We use industry-standard technical and organizational measures to protect data. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

8. Your rights and choices

Depending on where you live, you may have rights to access, correct, delete, port, or restrict processing of your personal data, and to object to certain processing. You may withdraw consent where processing is consent-based.

California residents: see our California Privacy Notice for CPRA-specific disclosures and how to exercise rights.

To exercise rights, contact us using the email at the bottom of this page. We may verify your request as permitted by law. You may lodge a complaint with your local supervisory authority.

9. Children

The Service is not directed to children under 13 (or the minimum age in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have, contact us and we will take appropriate steps to delete it.

10. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised policy and update the “Last updated” date. For material changes, we will provide additional notice where appropriate.