Privacy Policy
Last updated: March 2026
This privacy policy describes how Handover Engine Inc. operating as Lastday (“we”, “us”, “our”) collects, uses, and protects your information when you use lastdayops.com and the Lastday platform.
This document is under active legal review. The following reflects our operating principles and will be updated with formal legal language before general availability.
Data Ownership
Your data belongs to you. We are custodians, not owners. No provision of service transfers ownership of your data to us.
What We Collect
Account information (name, email, company), operational data you input into the platform, usage telemetry that does not expose client content or identity, and information submitted through our contact form.
How We Use Your Data
To provide and maintain the Lastday service, to secure the platform, to perform client-authorized workflows and AI interactions, to comply with lawful obligations, and to generate internal service telemetry that cannot expose one client's data to another.
What We Never Do
Sell your data. Share it across client environments. Use it to train AI models for other clients. Use it for advertising. Access it for non-service purposes.
Tenant Isolation
Every client environment is logically isolated. Your data is never visible to or accessible by other clients.
AI Data Handling
AI processing is traceable, bounded, and operates only within your client and role boundaries. External model providers may not retain or repurpose your data beyond the permitted service purpose.
Data Retention and Deletion
Your data is retained for as long as necessary to provide the service and comply with law. You may request export or deletion at any time, subject to lawful retention obligations.
Subprocessors
We use the following subprocessors to deliver the service: Vercel (hosting and deployment), Supabase (database infrastructure), Nango (integration infrastructure), Anthropic (AI model provider). All subprocessors are bound by contractual duties consistent with this policy.
Jurisdictional Compliance
Our primary compliance baseline is PIPEDA (Canada), with operational alignment toward CCPA/CPRA transparency and deletion controls, and GDPR-style access, export, and erasure standards.
Changes
We will update this policy as needed. Material changes will be communicated clearly.