\u2190 Second Half OS\u2122

Privacy Policy

Last updated: May 1, 2026

This Privacy Policy explains how Second Half OS™ (“SH-OS,” “we,” “us”) collects, uses, and protects information when you use our Service.

1. Data we collect

  • Account data: email address, password (hashed), display name, locale, timezone.
  • Subscription data: plan, billing status, Stripe customer ID, Stripe subscription ID. We do not store full card numbers; payment data is handled by Stripe.
  • Content you create: journal entries, daily energy ratings, finance buckets, relationship notes, tech-stack picks, and any other inputs you choose to record.
  • Operational data: streaks, completion progress, feature usage flags, mail-log records.
  • Device and log data: IP address, user-agent, push subscription tokens (when you opt in), service-worker installation status.

2. Sensitive categories

Some content you record \u2014 sleep, mood, intimacy, finances, family relationships \u2014 is treated as sensitive personal information under California’s CPRA and equivalent statutes. We use this data only to operate the Service for you. We do not sell or share it for cross- context behavioural advertising.

3. How we use data

  • To operate, secure, and improve the Service.
  • To personalise dashboards, AI summaries, and weekly digests.
  • To process payments via Stripe.
  • To send transactional emails (welcome, receipts, trial expiry, security alerts).
  • To detect and prevent fraud, abuse, and security incidents.
  • To comply with legal obligations.

4. Subprocessors

We rely on the following third-party processors. Each is bound by a Data Processing Addendum (DPA) where applicable:

  • Supabase (Inc.) \u2014 database, authentication, file storage.
  • Vercel \u2014 application hosting and edge network.
  • Stripe \u2014 payment processing, subscriptions, customer portal.
  • Resend \u2014 transactional email delivery.
  • OpenAI and Anthropic \u2014 AI inference for summaries, briefings, and drafts. Inputs sent to these providers are subject to their respective enterprise data-handling terms; we configure the integration to disable training on your data where the provider supports that flag.

5. Cookies and local storage

We use first-party cookies and browser local storage to keep you signed in, remember preferences (such as your locale), and capture referral codes. We do not currently use third-party advertising cookies. If we add analytics in the future we will update this policy and, where required, request consent.

6. Your rights

Depending on where you live, you may have the following rights:

  • Access \u2014 ask what data we hold about you.
  • Correction \u2014 ask us to correct inaccurate data.
  • Deletion \u2014 ask us to delete your account and content.
  • Portability \u2014 export your content in JSON.
  • Objection / restriction \u2014 limit certain processing.
  • Do Not Sell or Share \u2014 California residents may opt out of any “sale” or “sharing” under CPRA. We currently do neither.

To exercise any right, email support@secondhalfos.com or use our contact form. We respond within 30 days, faster where the law requires.

7. Data retention

We keep account data and content while your account is active. After you delete your account we keep data for up to 30 days in a soft- deleted state to support recovery, then purge it. Mail-log audit entries and Stripe billing records are retained for the period required by tax and accounting law (typically seven years). See our Refund Policy for billing-specific retention.

8. Security

We use TLS in transit, encrypted storage at rest via Supabase, hashed passwords, signed Stripe webhooks, role-isolated database access, and scoped service-role keys. We monitor for anomalies and rotate secrets regularly. No system is perfectly secure; we will notify affected users and authorities as required if we discover a qualifying breach.

9. International transfers

We are based in the United States. Your data may be processed in the United States and other countries where our subprocessors operate. Where required, we rely on Standard Contractual Clauses (SCCs) for cross-border transfers.

10. Children

SH-OS is for adults 18 and older. We do not knowingly collect data from children under 13. If we learn we have, we will delete the data.

11. Changes

We may update this policy. Material changes will be announced in-app or by email at least seven days before they take effect.

12. Contact

Privacy questions: support@secondhalfos.com.

This Privacy Policy is an initial founder-grade draft and will be updated following attorney review prior to public launch.