Privacy Policy
Effective date: 2026-06-09 · Version: 1.0
Lam is built private by default. This policy explains what data we process, why, who we share it with, how long we keep it, and your rights under the PDPD.
1. Data we process
- Account information: email, display name, handle, bio, avatar, language, timezone.
- Your content: entries, photos, comments, reactions, the spaces and channels you create, and your follow/block lists.
- Technical and log data: basic device information, IP address, and error logs to operate and secure the service.
- Payments: when paid features are available, order information is processed by the payment provider; we do not store full card/bank details.
2. Purposes and legal bases
| Purpose | Basis |
|---|---|
| Provide and maintain the service (journaling, display, search, notifications) | Performance of the service you request |
| Public entries and public-profile display | Your consent (opt-in, per entry) |
| Security, abuse prevention, handling reports | Legitimate interests & legal obligation |
| User support, product improvement | Legitimate interests |
| Legal compliance | Legal obligation |
We do not sell personal data and do not use your content for advertising. You can withdraw consent at any time (change settings, make an entry private, or delete content); withdrawal does not affect the lawfulness of prior processing.
3. Third parties that process data for us
We share only what is necessary to operate Lam. Each provider below acts under contract and only to provide its service to us:
- Supabase — authentication and database.
- Cloudflare (R2, Images, Workers) — image storage/processing and network.
- Resend — transactional email (sign-in codes, system notices).
- SePay/VietQR — payments (when available).
- Sentry — error reporting (optional).
4. Cross-border transfers
Some providers above process/store data outside Vietnam (e.g. Supabase infrastructure in South Asia and Cloudflare's global network). This is a cross-border transfer of personal data under the PDPD. We apply contractual safeguards with processors and prepare the required Transfer Impact Assessment dossier. By using Lam, you are informed of these transfers.
5. Public content (opt-in)
Entries are private by default. If you deliberately make an entry public (only possible in personal spaces), that entry and your public profile may be visible to others. You can revert to private at any time.
6. Security
All access to user data goes through our API with application-layer authorization. Private photos are served via short-lived, non-public links. Sign-in tokens are encrypted in transit. No system is perfectly secure, but we apply reasonable technical and organizational measures.
7. Your rights under the PDPD
You have the right to: be informed; consent / withdraw consent; access; rectify; erase; restrict processing; data portability (export); object; and to complain, denounce, and litigate as provided by law.
- Access & portability: download a full copy (journal + photos) in the app, in a usable format that does not require Lam.
- Rectification: update your profile and content anytime.
- Erasure: delete individual entries/photos, or delete your account (Section 9).
- For other rights, contact privacy@laminthecloud.com; we respond within the time limits required by law.
8. Children
Lam is for users aged 16 and over. For users under 16, processing requires the consent of a parent or legal guardian under the PDPD. If we learn we collected a child's data improperly, we will delete it.
9. Retention and account deletion
- We keep data while the account is active and for as long as needed to provide the service or to meet legal obligations.
- Account deletion: when you request deletion in the app, the account enters a 30-day pending-deletion state. During this window you can cancel (sign back in and choose to restore). After 30 days we permanently erase your personal data — profile, entries, photos (including original files in storage), comments, reactions, follow/block relationships, and the sign-in account — except where the law requires retention (e.g. transaction records). Technical backups are purged on their rotation cycle.
10. Data breaches
In the event of a personal-data breach involving risk, we will notify the competent authority (Ministry of Public Security – A05) and affected users within the time and in the manner required by the PDPD.
11. Changes to this policy
For material changes we will give reasonable notice and update the effective date.
12. Contact
- Privacy / personal data (data protection point of contact): privacy@laminthecloud.com
- General / legal: legal@laminthecloud.com