Privacy Policy
The following is my take on a privacy policy. It attempts to answer two essential questions:
- What decisions were made regarding my data?
- How does it affect me?
The short version: your data is yours. It is never sold, rented, traded, shared with advertisers, or monetized in any form. There are no ads, no analytics, and no trackers here.
1. What VISION is
VISION is a personal productivity suite — Horizon (tasks), Luminate (notes), Refract (weekly journaling), and Pupil (team management) — operated by Andrew Larson as an individual. It is not a commercial service: accounts exist by personal invitation only, and there is no business model attached to your data.
2. What is stored
- Your account: the first name you're registered under.
- Sign-in credentials: the public half of your passkey and a salted hash of your PIN. Biometric data (Face ID, fingerprints) never leaves your own device — VISION never sees or stores it.
- Your content: what you create in each app — Horizon tasks, Luminate notes, Refract journal entries, and Pupil team records.
- Operational records: a hashed device token and last sign-in date (used to offer PIN sign-in), and standard short-lived infrastructure logs used only to keep the service running.
3. How it is protected
- Every account's data is fully separate; the isolation is enforced by the server on every request, not just hidden in the interface.
- Everything you write is encrypted at rest with AES‑256‑GCM at the application layer, in addition to the infrastructure provider's own storage encryption, and encrypted in transit with TLS.
- Authentication uses passkeys (WebAuthn), which are phishing-resistant and never transmit a reusable secret.
4. Where it lives
VISION runs entirely on Cloudflare infrastructure (Workers, D1, Vectorize, and Workers AI), which acts as the hosting and processing provider. Some features process your text with AI models running on that infrastructure: semantic search (used across Horizon and Luminate) uses the BAAI bge‑base‑en‑v1.5 embedding model (@cf/baai/bge-base-en-v1.5), and Refract’s weekly-reflection assistant uses Meta Llama 3.3 70B Instruct (@cf/meta/llama-3.3-70b-instruct-fp8-fast), both served by Cloudflare Workers AI. If these models are ever swapped, this section will be updated to match. That processing exists solely to power those features for you; your content is not used to train any model, and no other third party receives your data.
5. Why Cloudflare
Cloudflare is one of the largest infrastructure companies on the internet, and its business is selling infrastructure — not data — so its incentives point the same direction as yours. It holds independent security certifications (SOC 2 Type II, ISO 27001, and ISO 27701 for privacy management), publishes a regular transparency report about government requests, and commits contractually to not selling customer data or using customer content to train AI models. And because of the application-layer encryption described in section 3, the written content sitting in Cloudflare's storage is ciphertext — readable only through this application.
6. How this software was built (AI disclosure)
VISION was predominantly written with the help of artificial intelligence — specifically Anthropic's Claude. AI-written code carries real risks: subtle bugs that mishandle data, security vulnerabilities a casual read won't catch, software quietly drifting from what its author believes it does.
How I manage them:
- Nothing ships on the AI's word. I run every change against a live staging environment before it reaches production, and I test the running software myself rather than accepting descriptions of it.
- The codebase is audited by AI for security flaws. Those adversarial audits have caught and fixed real issues here.
- Security rests on boring, standard, widely reviewed mechanisms — WebAuthn passkeys, AES‑256‑GCM, server-enforced account isolation — never on invented cryptography, precisely because novelty is where AI-written security goes wrong.
- The privacy protections here were deliberately specified. At-rest encryption, the sign-in page's refusal to reveal account names, per-app access controls, this policy, and its model disclosures all exist because I asked for them.
- Design decisions are written down inside the codebase — what was built, why, and which trade-offs I accepted — so my understanding of this software never depends on memory, or on the tool.
7. What is never done with your data
Your data is not sold. It is also not rented, leased, licensed, sublicensed, loaned, traded, bartered, exchanged, brokered, auctioned, syndicated, or resold; not aggregated, bundled, compiled, or packaged into datasets for anyone else; not shared with, disclosed to, or made available to advertisers, ad networks, data brokers, analytics providers, “marketing partners,” or any other “trusted third parties”; not used for advertising, ad targeting, audience building, lookalike modeling, profiling, scoring, market research, or the enrichment of anyone else's records; not used to train AI models; and not monetized through affiliate arrangements, sponsorships, referrals, or any scheme not yet invented — not in identifiable form, not in “anonymized” or “aggregated” form, not for money, not in kind, not ever. It cannot even be transferred as a business asset in a sale, merger, or bankruptcy, because there is no business to sell. No marketing email is sent, because VISION doesn't even have your email address — it was never collected in the first place. The only circumstance under which data would be disclosed to anyone else is a valid legal requirement to do so.
8. Cookies
VISION sets two strictly functional cookies: one that recognizes a device you've signed in on (so PIN sign-in can be offered) and one short-lived cookie used during the sign-in handshake itself. Neither tracks you, and there are no third-party cookies of any kind.
9. Retention and deletion
Your content is kept until you delete it. Deleting an item removes it from the live database immediately (short-lived infrastructure backups age out on their own). If your account is removed, everything associated with it — content, credentials, and settings — is permanently deleted. You can also request deletion or a copy of your data at any time using the contact below.
10. Changes and contact
If this policy ever changes, the effective date above will change with it. Questions, deletion requests, or anything else: privacy_concerns@andrewlarson.org.
11. CCPA and similar laws
VISION is not subject to the California Consumer Privacy Act (CCPA, as amended by the CPRA). The CCPA applies only to a “business” as defined in Cal. Civ. Code § 1798.140(d): a for-profit entity doing business in California that meets at least one of three thresholds:
- annual gross revenues over $25 million;
- annually buying, selling, or sharing the personal information of 100,000 or more consumers or households; or
- deriving 50% or more of annual revenue from selling or sharing consumers' personal information.
VISION meets none of these: it is operated by an individual, not a for-profit entity; it has no revenue; it serves a small number of personally invited users; and it never buys, sells, or shares personal information. Similar state privacy laws carry comparable business definitions and thresholds and do not apply either. The core rights those laws grant — access to your data, deletion, and no sale — are provided here regardless (sections 7, 9, and 10).