Privacy Policy
Last updated: 22 February 2026
The short version
Lithium is built on a simple principle: your data is yours. Everything you write is encrypted on your device before it ever reaches our servers. We can’t read it. We don’t want to.
What we collect
Account information
When you create an account, we store your email address and a hashed version of your password. We need these so you can sign in. Your actual password never reaches our servers - only a cryptographic derivative used for authentication.
Encrypted content
Your notes, pages, blocks, and all content you create are end-to-end encrypted on your device using XChaCha20-Poly1305 before being transmitted. Our servers store this encrypted data to enable sync across your devices. We cannot decrypt or read this content - by design.
Google Calendar data (if connected)
If you choose to connect Google Calendar, we temporarily process your calendar events to display them in the app. Your Google OAuth tokens are encrypted with your personal encryption key before being stored. We request read-only access (calendar.readonly) and never modify your Google Calendar data. You can disconnect at any time from Settings.
Basic usage data
We collect minimal analytics to keep the service running: error reports, sync performance metrics, and basic feature usage. This data does not include the content of your notes or any decrypted information.
What we don’t collect
- The content of your notes (we literally can’t read them)
- Your encryption keys
- Your plaintext password
- Browsing history or tracking data
- Data from other apps on your device
How we use your information
- Email: Account authentication, critical service notifications (e.g., security alerts)
- Encrypted content: Stored and synced between your devices. That’s it.
- Google Calendar tokens: Fetch your calendar events for display in Lithium. Tokens are encrypted at rest with your personal key.
- Usage data: Diagnose errors, improve performance, understand which features matter
Data storage and security
Your encrypted data is stored on infrastructure hosted by Supabase. Even in the event of a data breach, your content remains encrypted and unreadable without your personal encryption key, which only exists on your devices.
We use Row-Level Security (RLS) at the database level to ensure users can only access their own data.
Third-party services
- Supabase: Database and authentication infrastructure
- Google Calendar API: Only if you explicitly connect it. Subject to Google’s Privacy Policy.
- Vercel: Hosting for the documentation site
We do not sell, rent, or share your data with advertisers or data brokers. Ever.
Data retention
Your data persists as long as you have an account. If you delete your account, your encrypted data is permanently removed from our servers. Since we can’t decrypt it anyway, there’s nothing useful for us to retain.
Your rights
You can:
- Export all your data at any time from within the app
- Delete your account and all associated data
- Disconnect third-party integrations (like Google Calendar) at any time
- Request information about what data we hold about you
Children’s privacy
Lithium is not directed at children under 13. We do not knowingly collect data from children under 13.
Changes to this policy
We may update this policy from time to time. Significant changes will be communicated via email or an in-app notice. The “last updated” date at the top will always reflect the current version.
Contact
Questions about privacy? Reach out at privacy@lithium.ac.