Privacy policy.
1. Overview
Let’s Build Resilience (“we”, “us”) operates the resi.works application and the letsbuildresilience.com website. This policy explains what data we collect about you, how we use it, and the rights you have to access, correct, or delete it.
We treat your data the way we’d want our own family’s data treated: minimal collection, transparent use, no sale to third parties, and a clean exit path if you decide to leave.
2. What we collect
Account data. Your email address, name, and authentication tokens (managed by Clerk, our auth provider).
Household data. Items you add to your pantry, recipes you save, meal plans, grocery lists, and preparedness configuration. This data is scoped to your household and not shared across households.
Usage analytics. Anonymized events about feature usage, performance, and errors. Powered by PostHog. Granular opt-out available in Settings.
Billing data. Payment method handled entirely by Stripe. We never see or store your card number. We retain billing-event metadata (subscription tier, billing date) for accounting and tax compliance.
Optional integrations. If you connect an AI assistant via MCP, we store the integration tokens you provide. You can revoke at any time.
3. How we use it
We use your data to operate the product, send you the alerts you’ve opted into, surface aggregated trends in your Reports dashboard, and improve features. We never use your household data to train external AI models. We never sell or rent your data to third parties.
4. Who we share it with
We share data with the minimum set of service providers required to run the product:
- Clerk — authentication
- Stripe — billing
- PostHog — anonymous analytics (opt-out available)
- Cloudflare — DDoS protection and content delivery
- AWS / DigitalOcean — infrastructure hosting (U.S. region)
Each is bound by a data processing agreement that mirrors the protections in this policy.
5. Data retention
Active accounts: we retain your data while your subscription is active. Cancelled accounts: data is deleted within 30 days of cancellation, except for legally required billing records (kept 7 years for tax purposes).
You can export your full pantry, recipe, and meal-plan history as CSV at any time from Settings → Privacy & data export.
6. Your rights (GDPR / CCPA)
You have the right to:
- Access a copy of your data (Settings → Privacy & data export)
- Correct inaccurate data (in-app for most fields; email for the rest)
- Delete your account and associated data
- Object to specific processing (e.g., opt out of analytics)
- Restrict processing during a dispute
- Receive your data in a portable format (your exported data is portable JSON/CSV)
To exercise any of these, email [email protected]. We respond within 30 days.
7. Security & breach response
Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Access to production data is limited to a small team and audited. In the event of a confirmed breach affecting your data, we will notify you within 72 hours via email and provide guidance on protective steps.
8. Cookies & tracking
We use a small number of essential cookies for authentication and session management. Analytics cookies are opt-in (we’ll show you a banner on first visit, per GDPR). We do not use third-party advertising cookies.
9. Children’s data
resi.works is not directed at children under 13. We don’t knowingly collect data from children under 13. A parent’s account can include children as household members; the child does not have a separate account or data profile with us.
10. Changes to this policy
If we make material changes to this policy, we’ll notify active users via email at least 30 days before the changes take effect. Minor non-material changes (formatting, clarifications) may be made without notice but will be reflected in the version number above.
11. Contact
For any privacy question, email [email protected] — a real human reads every message.
EU data protection officer: TBD pending counsel selection. We’ll update this section as soon as the appointment is final.