
LEGAL_AND_PRIVACY.md — alaivOS Legal & Privacy Framework (Canonical)

Last updated: April 13, 2026 (Omega v2.7). Status: live docs drafted, attorney review pending, privacy.html + terms.html + lawenforcement.html updates required before launch.

This is the single canonical source for legal and privacy matters. Supersedes LEGAL_AND_WEBSITE.md (legal portions), omega_legal_review.md, sprint_G1_legal_settings.md, and the stand-alone alaivOS_privacy_policy.md, alaivOS_terms_of_service.md, alaivOS_health_disclaimer_framework.md — those files remain on disk as the source of the verbatim text carried below, but this document is authoritative.

Cross-references: ANTI_ABUSE_SPEC.md (device fingerprint + phone hash source of truth), INFRASTRUCTURE.md (Supabase encryption-at-rest), GHOST_PROTOCOL.md (Checkup anonymization flow, Ghost routing), PRICING_AND_TIERS.md (tier/pricing authoritative values).


  • Company: Citerius Holdings LLC
  • State of formation: Wyoming, USA
  • Registered address: 30 N Gould St Ste R, Sheridan, WY 82801
  • EIN: 38-4387983
  • D-U-N-S: Received
  • Sole member / founder: Jose Francisco Quevedo Piza, based in Guadalajara, Mexico
  • Bank: Mercury (approved)
  • Trademark: USPTO filed via Swyft Legal (Class 9 + 42). Madrid Protocol filing: post-launch, once USPTO serial is confirmed.
  • BOI/FinCEN: Not required (domestic Wyoming LLC, March 2025 interim rule)
  • Operating Agreement: Draft generated; signed copy held by J and registered agent
  • Anthropic API account: registered as organization "Citerius Holdings LLC" (used for Laiv Checkup Batch API routing only)
  • DBA: "alaivOS" (Citerius Holdings LLC d/b/a alaivOS)

2. DOCUMENT STATUS MATRIX

All files live under /alaivos-website/public/legal/ and render from index-*.html. Remove index- prefix at deploy. Copyright footer on every page: © 2026 Citerius Holdings LLC.

| # | Document | Filename on site | Draft status | Deploy status | Attorney reviewed? | Pre-launch action required |
|---|---|---|---|---|---|---|
| 1 | App Privacy Policy | privacy.html | Live (v2.7 updates drafted below) | ⚠ Deploy pending — V2.7 updates required | No — pre-revenue URGENT | Add third-party AI processing line, phone hash disclosure, 6-onboarding-fields disclosure, encrypted-at-rest tables |
| 2 | Terms of Service | terms.html | Live (v2.7 updates drafted below) | ⚠ Deploy pending — V2.7 updates required | No — pre-revenue URGENT | Update trial terms (14 Pro + 7 Elite, mandatory interview, Day 14 phone verify), Ghost credit pricing, tier names |
| 3 | Health Data Privacy | health.html | Live | Pending deploy | No | None — already MHMD-compliant |
| 4 | Billing & Refund Terms | billing.html + billing-terms.html | Live | Pending deploy | No | Update trial terms, credit-model Ghost pricing (no per-skill) |
| 5 | Law Enforcement Guidelines | lawenforcement.html | Live (v2.7 updates required) | ⚠ Deploy pending — V2.7 update required | No | Add phone hash row to data table (confirm-match only, cannot recover raw number) |
| 6 | Warrant Canary | canary.html + canary.html.asc | Draft, PGP-signed March 24 2026 | Pending deploy | n/a | Re-sign by April 19, 2026 (quarterly cadence, 6 days from now) |
| 7 | PGP Public Key | pgp.html + citerius_public_key.asc | Draft | Pending deploy | n/a | Paste signed key block. citerius_private_key.asc NEVER leaves J's machine. |
| 8 | Mexico LFPDPPP Notice | Inline in Privacy Policy | Live | Covered by #1 deploy | No | |
| 9 | Brazil LGPD Notice | Inline in Privacy Policy | Live | Covered by #1 deploy | No | Remove DPO claim — rely on ANPD small-agent exemption (Resolution CD/ANPD Nº 2/2022) |
| 10 | Analytics & Telemetry Policy | Not created | ❌ Drafting required | Before launch | No | Firebase Analytics + Crashlytics scope, IP anonymization, opt-out |
| 11 | Website Privacy Policy | Not created | ❌ Drafting required | Before launch | No | Cloudflare Analytics, no cookies, waitlist email |
| 12 | Website Terms of Use | Not created | ❌ Drafting required | Before launch | No | Wyoming law, $100 cap, IP ownership |
| 13 | DMCA Designated Agent | copyright.gov registry | ❌ Pending registration | Before launch | n/a | Registered Agents Inc ($6 + 10 min) — J-task |
| 14 | UK Online Safety Act notice | Inline in Website ToU | Research complete (see gemini_research_prompt_legal_framework.md) | Before UK user volume | No | Content moderation policy + reporting mechanism |

Critical pre-launch delta (V2.7):

  1. Privacy policy: insert third-party AI processing paragraph (Anthropic Checkup) + phone collection paragraph + 6 onboarding fields paragraph + encrypted-at-rest disclosure
  2. Terms of service: trial section rewrite (14 Pro + 7 Elite, mandatory interview, Day 14 phone verify)
  3. Law enforcement page: add phone hash row (confirm-match only)
  4. Warrant canary: re-sign by April 19


3. CORE PRIVACY PRINCIPLES ("Zero-Data-Harvesting Architecture")

The exact phrase is Zero-Data-Harvesting Architecture. Never "offline AI," never "private AI" alone.

The guarantee: your data is stored locally on your device and encrypted end-to-end. We cannot read your messages, notes, health data, financial information, or personal content. This is not a policy — it is a technical guarantee enforced by encryption.

3.1 Data Handling Matrix

| Data class | Where stored | Encrypted at rest? | In cloud? | In Ghost prompts? | In Checkup (Anthropic) prompts? |
|---|---|---|---|---|---|
| Messages / Chat | Device SQLite | ✅ Signal Protocol E2EE (libsignal_protocol_dart, real) | Relay only, encrypted blobs, Citerius cannot decrypt | ❌ NEVER | ❌ NEVER |
| Notes | Device SQLite | ✅ AES-256 | Optional encrypted sync blobs | Only if user explicitly routes | ❌ NEVER |
| Laiv AI conversations | Device SQLite | | On-device only unless Ghost tier used | Anonymized only (see §5) | |
| Money / transactions / bank data | Device SQLite | ✅ AES-256 | ❌ NEVER | ❌ NEVER | Anonymized aggregates only (Financial Checkup) |
| Health / mood / medication / pregnancy / baby care | Device SQLite | ✅ AES-256 | NEVER — hard rule | NEVER | Anonymized aggregates only (Wellbeing Checkup) |
| Calendar events (personal) | Device SQLite | | Optional encrypted sync | | Anonymized aggregates only (Planning Checkup) |
| Group / shared calendar events | Supabase | ✅ AES-256 encrypted blobs | ✅ (encrypted) | | |
| Photos / media / AI tags | Device | | | | |
| Shared gift notes | Supabase | ✅ AES-256-GCM (V2.7 encryption sprint) | ✅ (encrypted) | | |
| Web AI content cache | Supabase | ✅ AES-256-GCM (V2.7) | ✅ (encrypted) | | |
| AI command queue | Supabase | ✅ AES-256-GCM (V2.7, read+rewrite) | ✅ (encrypted) | | |
| Account email / display name | Supabase user_profiles | Plaintext (required for service) | | | |
| Subscription status / tier | Supabase | Plaintext | | | |
| Device identifiers (fingerprint) | Supabase trial_devices | Plaintext hash | | | |
| Phone number | Never stored raw | SHA-256 hash with server-side salt | ✅ (hash only) | | |
| 6 onboarding fields (birthday, sex, time_zone, country, city, roadblock_summary) | Supabase user_profiles | Plaintext (user-visible recovery) | Used for Laiv personalization on device | | |
| Crash reports | Firebase Crashlytics | Standard | ✅ anonymized | | |
| Referral attribution | Supabase | Plaintext | | | |

3.2 The Four Absolute Rules

  1. Health data NEVER syncs to cloud. Not encrypted, not blobbed, not hashed. Local only. Apple Health / Health Connect integration is READ-ONLY.
  2. Health data NEVER appears in Ghost prompts. The Ghost Brain (Gemma 4 E4B) must never see raw health data. Health coach AI runs on-device only (Qwen 3.5).
  3. Phone numbers are NEVER stored in readable form. Only sha256(phone + server_salt) is persisted.
  4. No third-party tracking, no ad networks, no analytics that sell or share.

4. E2EE — UNIVERSAL COVERAGE

  • Protocol: Signal Protocol via libsignal_protocol_dart (real implementation, not stubs — TAW-era migration complete).
  • Scope: Every tier including Starter. E2EE is never gated.
  • Surfaces: Chat messages, shared calendar events, shared notes, Ghost Protocol query payloads.
  • Keys: Per-device identity keys, generated on first launch, never leave the device. Account deletion wipes server-side prekeys.
  • Citerius cannot decrypt any user content in Supabase cloud sync, chat relay, or Ghost query queue. Our subpoena-response capability is limited by design (see §8 Law Enforcement).

Note: historical legal drafts used the phrase "E2EE using the Signal Protocol." That claim is now accurate; the earlier softening language (Omega legal review C4, March 21) no longer applies.


5. THIRD-PARTY AI PROCESSING — ANTHROPIC CHECKUP (V2.7 MANDATORY DISCLOSURE)

Required new section in Privacy Policy before launch. Exact language to insert after "Ghost Protocol" section:

Laiv Checkup (Periodic Analysis). At scheduled intervals (see Terms for per-tier cadence), alaivOS runs an optional overnight "Checkup" across three domains — Wellbeing, Planning, and Financial. Checkup processing uses a dual-anonymization pipeline:

  1. On-device stripping. Before any data leaves your device, all names, contacts, locations, and specific amounts are removed. Only aggregate patterns, categories, and ranges remain.
  2. Server-side anonymization. The stripped payload is sent encrypted to our Ghost server (Hetzner CX43, Helsinki), where Gemma 4 E4B further paraphrases and removes any residual personal markers.
  3. Anthropic Batch API. The doubly-anonymized payload is then submitted to Anthropic's Batch API (organization: Citerius Holdings LLC) for pattern analysis. Anthropic receives no identifiers linking the payload to you.
  4. On-device merge. The response is returned to our Ghost server and then to your device, where it is merged with your local data to produce Checkup insights. Only aggregate patterns are retained for future Capsule generation.

You can disable Checkup at any time in Settings. Disabling Checkup does not affect any other feature. Checkups are free during Trial (Day 0 baseline, Day 14 mid-trial, Day 28 full). Post-trial cadence: Elite monthly, Pro every 2 months, Core every 3 months, Spark every 6 months.

Cross-reference: GHOST_PROTOCOL.md §Checkup Relay Architecture for the technical pipeline (CX43:8100, $0.012/checkup, stub endpoint for Capsule generation v1.1).
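Step 1 of the pipeline above (on-device stripping) for the Financial Checkup, as an added Python example that is not alaivOS code: it reduces constructed transaction rows to category counts and amount ranges, collapses user-defined categories to a fixed vocabulary, and runs a pre-send leak check that flags any payload in which a merchant, city, note token or exact amount survives. The category taxonomy, bucket boundaries and payload keys are assumptions of this example.

```python
import json
import re
from collections import Counter
from typing import Dict, List

# Constructed sample rows standing in for the device-local SQLite transaction table.
SAMPLE_TRANSACTIONS: List[Dict] = [
    {"merchant": "Oxxo Chapalita", "amount": 184.50, "category": "groceries", "city": "Guadalajara", "note": "snacks with Ana"},
    {"merchant": "Café Ruso", "amount": 62.00, "category": "dining", "city": "Zapopan", "note": "coffee with Ana"},
    {"merchant": "Uber", "amount": 95.00, "category": "transport", "city": "Guadalajara", "note": ""},
    {"merchant": "Walmart Plaza Patria", "amount": 1240.75, "category": "groceries", "city": "Zapopan", "note": "monthly shop"},
    {"merchant": "CFE", "amount": 780.00, "category": "utilities", "city": "Guadalajara", "note": "electricity"},
    {"merchant": "Transfer", "amount": 3500.00, "category": "Ana's rent share", "city": "", "note": "April"},
]

# Fixed vocabularies: the only strings allowed to leave the device. The taxonomy
# and bucket edges are assumptions; the page lists neither.
ALLOWED_CATEGORIES = {"groceries", "dining", "transport", "utilities", "rent", "income"}
AMOUNT_BUCKETS = [(100, "under_100"), (500, "100_500"), (2000, "500_2000"), (float("inf"), "over_2000")]
# Fields that may carry names, places or free text (a user-typed category is free text too).
FREE_TEXT_FIELDS = ("merchant", "city", "note", "category")


def amount_range(amount: float) -> str:
    """Replace an exact amount with a coarse range label (exact amounts never leave)."""
    for upper, label in AMOUNT_BUCKETS:
        if amount < upper:
            return label
    return AMOUNT_BUCKETS[-1][1]


def strip_for_checkup(transactions: List[Dict]) -> Dict:
    """Build the on-device Checkup payload: only counts over fixed vocabularies.

    Merchants, cities, notes and exact amounts are dropped outright. A category
    the user typed themselves (which could name a person) collapses to "other"
    rather than being passed through.
    """
    categories = Counter(
        t["category"] if t["category"] in ALLOWED_CATEGORIES else "other"
        for t in transactions
    )
    ranges = Counter(amount_range(t["amount"]) for t in transactions)
    return {
        "domain": "financial",
        "transaction_count": len(transactions),
        "by_category": dict(categories),
        "by_amount_range": dict(ranges),
    }


def find_leaks(payload: Dict, transactions: List[Dict]) -> List[str]:
    """Pre-send guard: every free-text token (3+ letters) and every exact amount
    from the source rows that still appears in the serialised payload.
    An empty list means the payload is safe to hand to the Ghost relay."""
    serialised = json.dumps(payload, sort_keys=True).lower()
    suspects = set()
    for t in transactions:
        suspects.add(f"{t['amount']:.2f}")
        for field in FREE_TEXT_FIELDS:
            for tok in re.findall(r"[^\W\d_]{3,}", str(t[field]).lower()):
                if tok not in ALLOWED_CATEGORIES:
                    suspects.add(tok)
    return sorted(tok for tok in suspects if tok in serialised)


if __name__ == "__main__":
    payload = strip_for_checkup(SAMPLE_TRANSACTIONS)
    print(json.dumps(payload, indent=2))
    print("leaks:", find_leaks(payload, SAMPLE_TRANSACTIONS))
```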


6. PHONE NUMBER COLLECTION — V2.7 MANDATORY DISCLOSURE

Collected at Day 14 of trial only, for Elite unlock. Verbatim privacy policy section (per ANTI_ABUSE_SPEC §16.1):

PHONE NUMBER VERIFICATION

When you verify your phone number to unlock Elite trial features, we:

  • Send a one-time verification code via SMS to the number you provide (delivered via Twilio).
  • Create an irreversible cryptographic hash of your phone number (SHA-256 with a server-side salt).
  • Store ONLY the hash — we cannot recover or read your actual phone number.
  • Use the hash solely to prevent duplicate trial accounts on the same phone.
  • Never share, sell, or transmit your phone number to any third party.
  • Never use your phone number for marketing, SMS campaigns, or any purpose other than account verification.

You may use alaivOS without providing a phone number. Skipping phone verification limits your trial to the Starter tier immediately at Day 14. Your phone number hash is retained for the lifetime of your account and deleted upon account deletion.

6.1 Law Enforcement Page — Phone Hash Row (V2.7 MANDATORY)

Add row to the data-disclosure table on lawenforcement.html:

| Data type | Can we provide? | Notes |
|---|---|---|
| Phone number (hash) | Confirm-match only | We store SHA-256(phone + server-salt). We can confirm whether a given phone number hashes to a known account. We cannot recover the raw phone number from the hash. |
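The phone-number hash described in §3.2 rule 3, §6 and the law-enforcement row above, as an added Python example that is not part of the alaivOS code base: it computes sha256(phone + server_salt), answers the confirm-match question, and documents why the number cannot be read back from the store. The E.164-style normalisation step and the PHONE_HASH_SALT environment variable are assumptions of this example, not from the spec.

```python
import hashlib
import os
import re
from typing import Set

# The server-side salt is what makes the stored hash irreversible in practice:
# phone numbers have a small keyspace (roughly 10^10 per country code), so a
# leaked hash table together with a known salt could be enumerated. Keep the
# salt out of the database tables and out of the app binary. Reading it from an
# environment variable (with a constructed demo fallback) is an assumption here.
SERVER_SALT = os.environ.get("PHONE_HASH_SALT", "demo-salt-replace-in-production")


def normalize_phone(raw: str) -> str:
    """Canonicalise to '+' followed by digits (E.164-like form).

    The spec hashes sha256(phone + server_salt) but does not say how the number
    is canonicalised; this step is an assumption. Without it, "+52 33 1234 5678"
    and "+523312345678" would hash differently and the duplicate-trial check
    could be dodged simply by reformatting the same number.
    """
    digits = re.sub(r"\D", "", raw)
    if len(digits) < 7:
        raise ValueError("not a plausible phone number")
    return "+" + digits


def phone_hash(raw: str, salt: str = SERVER_SALT) -> str:
    """sha256(phone + server_salt), hex encoded. This is the only value persisted.

    One server-wide salt is deliberate: the hash must be deterministic so the
    same phone yields the same hash at every signup (duplicate-trial detection).
    A per-user random salt would defeat that purpose. HMAC-SHA256 keyed with the
    salt would be the textbook construction; the concatenation form is kept
    because it is what the spec states.
    """
    phone = normalize_phone(raw)
    return hashlib.sha256((phone + salt).encode("utf-8")).hexdigest()


def confirm_match(candidate: str, stored_hashes: Set[str], salt: str = SERVER_SALT) -> bool:
    """The only question the hash store can answer, for anti-abuse and for a
    law-enforcement request alike: does this given number map to a known
    account? There is no inverse; nothing here returns a phone number."""
    return phone_hash(candidate, salt) in stored_hashes


if __name__ == "__main__":
    # Constructed demo: one prior trial account, then a reformatted re-signup.
    known = {phone_hash("+52 33 1234 5678")}
    print("duplicate:", confirm_match("+52 (33) 1234-5678", known))
    print("new user :", confirm_match("+52 33 8765 4321", known))
```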

7. DEVICE FINGERPRINT DISCLOSURE

Collected silently at signup as part of the 7-layer anti-abuse system (see ANTI_ABUSE_SPEC.md). Components: platform, model, OS version, locale, timezone, screen dimensions, hardware identifiers (Android: ANDROID_ID-equivalent; iOS: IDFV). Hashed and stored in Supabase trial_devices keyed by signup. Purpose: prevent trial re-farming.

Privacy policy disclosure language:

Device Identifiers. At first launch, we collect device identifiers (platform, OS version, model, locale, timezone, screen size, and a hardware identifier provided by the operating system) and store a hashed fingerprint on our servers. We use this fingerprint solely to prevent trial abuse — specifically, to detect when the same device attempts to create multiple free-trial accounts. Device fingerprints are never used for advertising, analytics beyond fraud prevention, or profiling.

Data Safety disclosures (per ANTI_ABUSE_SPEC §16.3):

  • Google Play Data Safety: Device identifiers — Collected automatically, used for fraud prevention, not shared with third parties, deleted on account deletion.
  • Apple App Privacy (Nutrition Label): Device ID — Used for Analytics and App Functionality. Data not linked to identity (hashed). Data not used for tracking.


8. 6 ONBOARDING FIELDS (V2.7 REINSTALL RECOVERY)

Per V2.7 Alpha reinstall-persistence sprint, six onboarding fields are persisted to Supabase user_profiles so a user can reinstall on a new device and recover context without redoing onboarding:

  1. birthday (date)
  2. sex (enum)
  3. time_zone (IANA TZ string)
  4. country (ISO 3166-1 alpha-2)
  5. city (string)
  6. roadblock_summary (short free text — the single "what's in your way" answer from onboarding)

Privacy policy disclosure language:

Onboarding Profile. Six fields you provide during onboarding — birthday, sex, time zone, country, city, and a short free-text summary of your current priority — are stored on our servers in your user profile so that if you reinstall alaivOS on a new device, we can restore your context without making you redo onboarding. These fields are visible only to you, are never used for advertising or analytics, and are deleted when you delete your account.

All other onboarding answers (45-question progressive interview, 11 personality traits) remain on-device only.


9. TERMS OF SERVICE — V2.7 UPDATES

9.1 Verbatim trial section to replace §6 of current ToS

TRIAL CONDITIONS

All new users receive a 21-day free trial structured as 14 days at the Pro tier, followed by 7 days at the Elite tier. Access to the Elite trial period requires phone number verification at Day 14. Users who decline phone verification transition to the free Starter tier immediately at Day 14.

During the trial, the progressive onboarding interview (45 questions across Days 1-14) is mandatory — it cannot be skipped, cancelled, or dismissed, as it is required for Laiv personalization. Three Laiv Checkups are free during trial: a Day 0 baseline (planning-only), a Day 14 mid-trial, and a Day 28 full Checkup.

No credit card is required for the trial. After the 21-day trial expires, your account reverts to the Starter tier unless you subscribe.

Trial access is limited to one trial per person. Creating multiple accounts to obtain additional trial periods violates these Terms of Service and may result in trial access being denied. We use device identifiers and phone number hashes to enforce trial limits. Device identifiers are collected at first app launch. Phone number hashes are collected only if you choose to verify your phone at Day 14. See our Privacy Policy for details on how these are stored.

9.2 Subscription Tiers (authoritative, source of truth: PRICING_AND_TIERS.md)

  • Starter (Free): Basic features with manual data entry. Includes E2EE chat, interactive map with voice nav, motorcycle time.
  • Spark ($3.99/month): On-device AI, cloud sync, active sharing, traffic patterns.
  • Core ($7.99/month): Full AI capabilities, live traffic, smart alerts.
  • Pro ($14.99/month): All AI models, voice commands, advanced features, traffic coloring + multi-stop.
  • Elite ($23.99/month): All features plus bundled Ghost base allocation (50 Deferred + 20 Instant credits), 1 bank connection, unlimited DDG search.

Annual: pay for 10 months, get 12 (~16.7% savings). No other annual discount model. Billed via Apple App Store or Google Play Store.

Group Plans: 50% off per member, cap 6 total (creator + 5 additional), open to anyone — not just family.

9.3 Ghost Protocol (Credit Model — per-skill pricing is DEAD)

Ghost Protocol routes AI queries to our private Ghost server running open-source AI models (Gemma 4 E4B) in Helsinki. Credits are the ONLY gate — ALL Ghost capabilities (Brain Overnight, Brain Instant, Deep Search, Voice HD) are available at every Ghost tier. We do not log, store, or analyze your queries or the AI responses generated through Ghost Protocol. Standard Search (DuckDuckGo via anonymous Cloudflare Worker) is free for all tiers.

9.4 Billing Terms (billing-terms.html)

Update to reflect V2.7 trial terms and credit-model Ghost pricing. No per-skill pricing references. Annual Elite displays as $239.90 ($23.99 × 10).

9.5 Acceptable Use, Capsules, Referrals, Affiliate, IP, Termination, Governing Law (Wyoming), Limitation of Liability ($12 months paid cap), Disclaimer of Warranties

All retained verbatim from current ToS (see alaivOS_terms_of_service.md for full text). Arbitration under AAA rules in Wyoming.


10. HEALTH DISCLAIMER FRAMEWORK (ALL TIERS, MANDATORY)

Rule: alaivOS is NOT a medical device. Laiv is NOT a healthcare provider. No feature in the app provides medical advice, diagnosis, prognosis, or treatment recommendations. EVER.

Applies to: Senior Mode, Pregnancy Mode, New Parent Mode, Training Mode, Recovery Mode, Wellbeing Module, Sessions (medical/therapy), Kitchen/Nutrition, and any feature referencing health, body, medication, or mental state.

10.1 In-App Disclaimer Layers (7 total, all mandatory)

  1. Blocking first-time health disclaimer on first activation of any health-related mode/feature. Non-dismissable. Tap "I Understand" required. Stored in SharedPreferences (health_disclaimer_accepted).
  2. Persistent footer on every health screen: ℹ️ For informational purposes only. Not medical advice. (10dp, 50% opacity).
  3. Contextual inline disclaimers at high-risk touchpoints (abnormal readings, low kick count, missed pill, mood tracking, recovery score, pregnancy nutrition).
  4. Laiv language rules baked into system prompts: never diagnose, never recommend treatments, never interpret readings medically, always "consult your healthcare provider" for abnormal values. Framings allowed: "higher/lower than your usual range," "general guideline," "you might want to mention this to your doctor."
  5. Crisis response protocol. If Laiv detects suicidal ideation / self-harm / immediate danger language, surface regional crisis lines (988 US, Línea de la Vida MX, Samaritans UK, CVV BR, etc. — 9+ countries seeded in assets/data/emergency_lines.json, expandable). Immediate, non-optional.
  6. Settings toggle: "Health insights: Show / Hide" — user controls AI health suggestions.
  7. Privacy nuclear option: "Delete all health data" one-tap in Settings with confirmation.

10.2 ToS §8 — Health and Medical Disclaimer (verbatim retained)

alaivOS, including its AI assistant Laiv, is not a medical device, healthcare provider, or clinical tool. The application does not provide medical advice, diagnosis, prognosis, or treatment recommendations. Health-related features, including but not limited to medication reminders, health reading tracking, pregnancy tracking, baby care logging, mood tracking, nutrition information, fitness recovery estimates, and symptom tracking, are provided for personal organizational and informational purposes only.

You should not rely on alaivOS to make medical decisions. Always seek the advice of your physician, obstetrician/gynecologist, pediatrician, licensed mental health professional, or other qualified healthcare provider with any questions regarding a medical condition.

If you think you may have a medical emergency, call your doctor, go to the nearest emergency department, or call your local emergency number immediately. alaivOS does not provide emergency medical services.

Medication reminders are organizational tools to help you follow your healthcare provider's instructions. They do not constitute pharmaceutical advice. If you miss a dose or are unsure about your medication schedule, contact your prescribing healthcare provider.

Nutrition information, including calorie counts, macronutrient data, and dietary suggestions, is based on general databases (USDA FoodData Central) and is approximate. It does not account for individual medical conditions, allergies, drug interactions, or specific dietary needs. Consult a registered dietitian or your healthcare provider for personalized nutrition guidance.

Trusted contact alerts are informational notifications, not medical monitoring alerts. They do not replace professional medical monitoring systems.

By using health-related features in alaivOS, you acknowledge that the application is not a substitute for professional medical advice, diagnosis, or treatment.

10.3 Trusted Contacts Privacy Guarantees

  • Alerts carry only the alert message — never raw data (no readings, no finances, no messages, no location).
  • User can revoke trust instantly.
  • All alerts logged locally (audit trail).
  • Recovery scope alerts ALWAYS require per-alert user consent.
  • Delivery: in-app push if contact is an alaivOS user, else SMS (Twilio) or email (SendGrid).

Full verbatim health framework (15 sections, 9 crisis-line countries, i18n keys) preserved in alaivOS_health_disclaimer_framework.md — referenced from this canonical, not duplicated.


11. LAW ENFORCEMENT POSTURE

11.1 What Citerius CAN provide under valid US court order

  • Account email address
  • Account creation date
  • Last login timestamp
  • Subscription status and tier
  • Device fingerprint hash (for match confirmation)
  • Phone number hash — confirm-match only, cannot recover raw number (V2.7 new row)
  • 6 onboarding fields (birthday, sex, time_zone, country, city, roadblock_summary) — V2.7 new row
  • Supabase-synced encrypted blobs (Citerius cannot decrypt)
  • Group membership records (encrypted)

11.2 What Citerius CANNOT provide (ever, by design)

  • Health data (never synced)
  • Financial data (never synced)
  • Message content (E2EE)
  • AI conversations (on-device)
  • Photos, notes, on-device SQLite
  • Raw phone numbers (hash-only storage)
  • Decrypted sync blobs (we don't hold the keys)

11.3 Response Protocol

  1. Receive request.
  2. Verify legitimacy (valid court order, competent US jurisdiction).
  3. Scope assessment (do we even have it?).
  4. Challenge overly broad or invalid requests.
  5. Notify user if legally permitted.
  6. Provide only what we possess and are compelled to share.
  7. Document in transparency report.

Foreign requests require MLAT through US channels. Direct foreign police requests not honored.

11.4 Anti-Backdoor Commitment (verbatim)

"We have not built, will not build, and cannot technically implement any mechanism that would allow government access to encrypted user data. Such demands are technically impossible without fundamentally rebuilding the application."

If ordered: challenge in US federal court, seek stay, make position public.


12. WARRANT CANARY

  • File: canary.html (web) + canary.html.asc (detached PGP signature)
  • Cadence: re-signed quarterly. Next due: April 19, 2026 (6 days from today).
  • Content affirms NO: National Security Letters, FISA orders, gag orders, backdoor demands, compelled key disclosures, warrants served and concealed from users.
  • Removal rule: Absence = inference that a secret order was served. We will never deny an inference publicly.
  • Key: RSA 4096-bit, legal@alaivos.com, expires 2028-03-20. Fingerprint: 04AD B003 932B A565 9E60 E646 8B7C 27A2 7589 61E6.

13. PGP

  • Public key page: pgp.html — renders key + download link.
  • Public key file: citerius_public_key.asc (downloadable from site).
  • Private key file: citerius_private_key.asc. NEVER public, never on server, held by J only.
  • Purpose: Signs warrant canary, signs law-enforcement responses, verifies security disclosure emails.

14. DMCA DESIGNATED AGENT

  • Registration: copyright.gov DMCA Designated Agent Directory.
  • Status: Pending. Will register through Registered Agents Inc ($6 + 10 min) — J-task, before launch.
  • Takedown contact: legal@alaivos.com (once registered).
  • Scope: Capsules Marketplace (user-generated content).

15. REGIONAL COMPLIANCE

| Region | Law | Status | Mechanism |
|---|---|---|---|
| US (federal + 50 states) | CCPA, state privacy laws | ✅ Privacy Policy covers | Opt-out, deletion, data portability via app |
| US (Washington) | MHMD Act (My Health My Data) | ✅ Separate Health Data Privacy page | Consumer Health Data Policy, geofencing prohibition, no health data ever leaves device |
| EU | GDPR | ✅ Privacy Policy covers | Consent, right to erasure, DPA, legal basis = legitimate interest + consent |
| UK | Online Safety Act (Oct 2023 + phased duties through 2026) | ⚠ Research complete, Website ToU update pending | Content moderation policy, user reporting mechanism, age-assurance for Capsules |
| Mexico | LFPDPPP + Aviso de Privacidad + ARCO | ✅ Inline LFPDPPP notice in Privacy Policy | ARCO rights, SABG confirmed, Mexican-Spanish notice |
| Brazil | LGPD | ✅ Inline LGPD notice; DPO exempt | ANPD Resolution CD/ANPD Nº 2/2022 small-agent exemption (remove prior "DPO designated" claim before deploy) |
| California | CCPA + CPRA | ✅ Covered | Opt-out of "sale" (we don't sell), deletion, portability |
| Global | E2EE + zero-access | Core architecture | |

15.1 Age Restriction

Minimum age: 13 to create an account (COPPA floor). Under 18 requires parental/guardian consent. Older LEGAL_AND_WEBSITE.md states 16 — update to 13 for consistency with alaivOS_terms_of_service.md §2 and COPPA compliance. J to confirm final age gate before launch.

15.2 UK Online Safety Act

Research input: gemini_research_prompt_legal_framework.md. Required before UK user volume:

  • Content moderation policy for user-generated Capsules.
  • Reporting mechanism in-app.
  • Age-assurance for content surfaced to minors.
  • Designation of a UK contact (can be Citerius legal@alaivos.com).
  • Transparency reporting annually once user-volume thresholds cross.


The Learning module (Capsules / courses / books) pulls exclusively from curated legal sources. No piracy sites — Apple and Google would reject the app.

Allowed book sources: gutenberg.org, openlibrary.org, standardebooks.org, manybooks.net. Allowed course sources: classcentral.com, khanacademy.org, theodinproject.com, openculture.com, alison.com.

Blocklist (hard rule — never integrate): anna-archive, oceanofpdf, pdfdrive, libgen, z-library, sci-hub, any mirror/proxy thereof.


17. THIRD-PARTY DATA PROCESSORS (FULL LIST)

| Processor | Purpose | Data shared | Encryption |
|---|---|---|---|
| Supabase | Account + encrypted sync + signaling | Email, tier, encrypted blobs, device hash, phone hash, 6 onboarding fields | AES-256 at rest + TLS |
| Cloudflare | CDN (R2), Workers (Photon, DDG proxy, Checkup relay front), Pages (alaivos.com) | Search queries (not logged), CDN requests | TLS; CF Workers do not log |
| Hetzner | Ghost server (CX43 Helsinki), traffic/POI pipeline (cx23, cx23-b) | Anonymized Checkup payloads, Ghost queries | TLS |
| Anthropic | Laiv Checkup Batch API (V2.7 new) | Doubly-anonymized Checkup payloads only | TLS; Anthropic Batch retention per their DPA; org = Citerius Holdings LLC |
| Twilio | Day 14 phone verification SMS | Phone number (transient, not stored by us in raw form) | TLS |
| Firebase (FCM + Crashlytics) | Push notifications + crash reports | Device token, anonymous crash traces, no personal content | TLS; IP anonymization enabled |
| Apple App Store / Google Play | Subscriptions | Payment handled by stores — we never see card data | Store-managed |
| Stripe | Web billing portal (Bank Sync add-on only) | Payment handled by Stripe — we never see card data | Stripe-managed, PCI |
| Plaid / Belvo / TrueLayer | Bank Sync add-on | User enters credentials in provider's UI; we never see them; transactions stream to device | Provider-managed |
| SendGrid (if configured) | Email-delivery fallback for trusted contact alerts | Alert message, recipient email | TLS |
| TheSportsDB (Patreon $3/mo) | Sports data cache backing | No user data — server-side cache only | TLS |

Not used, ever: Google Cloud TTS, ElevenLabs in production (was reference-only for voice pipeline training on Bishop — never shipped to users), Foursquare, Yelp, data brokers, ad networks, analytics that sell/share.


18.1 Documents to deploy (Kappa)

  • privacy.html — V2.7 rewrite (phone, Checkup, 6 fields, encrypted-at-rest, third-party AI)
  • terms.html — V2.7 rewrite (trial terms, mandatory interview, Day 14 phone verify, credit-model Ghost pricing)
  • billing.html + billing-terms.html — V2.7 trial terms + credit-model pricing
  • lawenforcement.html — phone hash row + 6 onboarding fields row
  • health.html — already MHMD-compliant, deploy as-is
  • canary.html + canary.html.asc — re-signed by April 19
  • pgp.html + citerius_public_key.asc — public key pasted
  • Create Analytics & Telemetry Policy (missing)
  • Create Website Privacy Policy (missing)
  • Create Website Terms of Use (missing, include UK OSA content-moderation section)
  • Self-host Inter + JetBrains Mono fonts (no Google CDN — eliminates Google tracking)
  • Footer copyright on all pages: © 2026 Citerius Holdings LLC
  • Remove index- prefix from filenames at deploy

18.2 J-tasks (pre-revenue URGENT)

  • Cross-border tax counsel (MX founder + WY LLC + global revenue). Before first dollar.
  • Attorney review of Privacy Policy + Terms of Service. Before significant user volume.
  • DMCA designated agent registration (Registered Agents Inc, $6)
  • Warrant canary re-sign (April 19 — 6 days)
  • Twilio signup (for phone verify SMS)
  • Anthropic API account as Citerius Holdings LLC (for Checkup Batch API)

18.3 Post-launch

  • Madrid Protocol trademark filing once USPTO serial confirmed (Class 9 + 42).
  • Transfer Apple Developer + Google Play accounts from J personal to Citerius Holdings LLC.
  • UK OSA transparency reporting if/when user thresholds crossed.
  • Quarterly canary re-sign cadence (next: July 19, 2026).

19. CONTACTS

  • Privacy inquiries / deletion requests: privacy@alaivos.com (subject line "Data Deletion Request" for deletions)
  • Legal / LE / PGP-signed: legal@alaivos.com
  • Support: support@alaivos.com
  • Press: press@alaivos.com
  • Partnerships: partnerships@alaivos.com
  • Capsule creators: creators@alaivos.com

Entity: Citerius Holdings LLC, 30 N Gould St Ste R, Sheridan, WY 82801, USA. Website: alaivos.com.


Source files preserved on disk for verbatim text: alaivOS_privacy_policy.md, alaivOS_terms_of_service.md, alaivOS_health_disclaimer_framework.md, ANTI_ABUSE_SPEC.md §16. This canonical is authoritative for all Builder, Kappa, and Omega decisions as of April 13, 2026.