◆ Signing in
Accounts use Google sign-in (OAuth). Google verifies the person and tells us who they are — we never see, set, or store a password. There is no LegacyFile password database, which means there is no LegacyFile password database to breach.
◆ Where the data lives
Stories and account data live in a Postgres database managed by Supabase, an established infrastructure provider. Every table that holds family material is protected by row-level security: the database itself enforces that an account can only read and write its own records, on every query. That rule lives in the database, not in application code that could be forgotten on some new page.
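As an added illustration (not LegacyFile's own schema or code), this is what an "own records only" rule looks like when it lives in the database as a Postgres row-level security policy of the kind Supabase supports; the table name, column names and user id below are assumptions made for the example.

```sql
-- Illustrative schema (assumed, not LegacyFile's): one row per story, tagged
-- with the account that owns it. auth.uid() is Supabase's helper that returns
-- the id of the signed-in user from the request's JWT.
create table stories (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null default auth.uid(),
  title      text not null,
  body       text,
  created_at timestamptz not null default now()
);

-- Without this, any authenticated client could read every row.
alter table stories enable row level security;
-- Apply RLS to the table owner as well (roles with BYPASSRLS still bypass).
alter table stories force row level security;

-- One policy per operation; the same predicate protects reads and writes,
-- so a new page that forgets to filter by owner still gets only its own rows.
create policy "stories: owner can read"
  on stories for select
  to authenticated
  using (owner_id = auth.uid());

create policy "stories: owner can insert"
  on stories for insert
  to authenticated
  with check (owner_id = auth.uid());

create policy "stories: owner can update"
  on stories for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "stories: owner can delete"
  on stories for delete
  to authenticated
  using (owner_id = auth.uid());

-- Check from psql: impersonate an authenticated user (assumed id) and confirm
-- that only that user's rows come back, regardless of the query's WHERE clause.
set role authenticated;
set request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001"}';
select count(*) from stories;   -- counts rows owned by that user only
reset role;
```

The `with check` clauses matter as much as `using`: they stop an account from inserting or updating a row so that it belongs to someone else.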
Connections are encrypted in transit (HTTPS/TLS), data is encrypted at rest by the infrastructure provider, and the website is served by Netlify.
◆ Photos
Photos are uploaded to a private storage bucket. There are no public links — when you view your own photos, the app requests short-lived signed URLs tied to your session, and they expire. When a photo contains text worth capturing (a letter, the back of a print), the text recognition runs in your own browser, on your own device; the image is not sent to a third-party scanning service for it.
◆ Voice
Interview audio is never stored. If the storyteller dictates an answer instead of typing, the audio is turned into text on the spot and only the text is saved.
With the Voice Edition, we build an AI narration voice from a short sample of the person's own voice. That voice is used for one thing — narrating their LegacyFile. It belongs to the family, and it is never reused for anything else, never sold, and never used to train AI.
◆ AI processing — the part you came to check
Yes, AI is involved: stories are organized and polished with help from OpenAI's models, and Voice Edition narration is generated through ElevenLabs. Two things matter here. First, those calls run on our servers — API keys never appear in the browser. Second, your stories, photos, and voice are never used to train AI, and we never sell or share your data. The AI works for your family's archive and nothing else.
◆ Who can see it
A LegacyFile is private to its own account. Nothing is public, nothing is posted anywhere searchable, and nothing shows up on Google.
One honest caveat, because you would find it anyway: a LegacyFile is partly handmade. A team member reviews your material in order to prepare the finished archive — that is the only reason anyone at LegacyFile looks at it.
◆ If we ever disappear
The finished archive ships on a USB drive that works completely offline. It does not phone home, it does not need an account, and it does not depend on our servers existing. Whatever happens to us, the family keeps the archive.
◆ Editing and deleting
The storyteller can edit or delete anything before submitting, and confirms they're ready before the archive is built. And the family can ask us to delete everything, at any time — one email to hello@legacyfile.org does it.
◆ What we never do
No ads. No social-media connection. No selling or sharing data. No training AI on your family. No subscription — a LegacyFile is a one-time purchase the family owns.