Privacy policy

lineage.money

This is a starter template. A deployer of this service must have their own legal counsel review and adapt it before publication. Lineage (the operator of lineage.money) ships the template via the discovery Worker so the file isn't out of sync with the running config.

Effective: 2026-06-05 · Contact: privacy@lineage.money

What this service is

lineage.money operates a self-hosted mail, calendar, and contacts suite for the people whose accounts are provisioned on it. We are the data controller for everything you send, receive, schedule, or store here.

What we collect

Mail — the messages you send and receive, and their attachments. Stored encrypted at rest in Cloudflare R2 under a per-account namespace.
Calendar & contacts — events, attendees, invitations, and contact cards. Stored in Cloudflare D1.
Profile — your display name, department, job title, phone, recovery email, and any notes your admin records.
Operational logs — request logs for debugging (IP, timestamp, response code) retained for up to 30 days.
Admin audit log — when an administrator creates, suspends, exports, or deletes an account, that action is recorded with the actor identity, timestamp, and IP for compliance evidence.

What we don't do

We don't run advertising. We don't sell your data.
We don't read your mail for marketing or training.
We don't share your data with third parties except as required to deliver email (your outbound recipients see what you send them) or to comply with a binding legal order.

Your rights (GDPR / CCPA / similar)

Access & export — your administrator can export your full account as a portable archive (mbox + iCalendar + vCard + JSON metadata) at any time.
Erasure — your administrator can permanently delete your account; this cascades through every database row and sweeps every stored blob. The audit log entry recording the deletion is retained as evidence.
Rectification — you can correct your profile via the self-service Settings panel in webmail; administrative fields require your admin.
Portability — exports use open formats (mbox / iCalendar / vCard / JSON) that any compliant client can read.
Objection / complaint — contact privacy@lineage.money. You may also lodge a complaint with your local data-protection authority.

Data location & subprocessors

All data is stored on Cloudflare infrastructure (Workers, D1, R2, Email Routing, Email Sending). Cloudflare is the only subprocessor. Storage region follows Cloudflare's R2 jurisdiction rules.

Security

Mail is signed with DKIM (RSA + Ed25519); SPF and DMARC are enforced. R2 blobs are scoped per account. Administrator access is bearer-token-gated and audited. Report vulnerabilities via security.txt.

Retention

Mail and calendar data persist until you (or your admin) delete them. Suspended accounts retain data until explicit deletion. Operational logs roll off after 30 days. Audit log entries persist indefinitely.