Privacy is structural. Not a setting.
LLIF's privacy protections aren't policies that future leadership can reverse. They're legal structures embedded in our 501(c)(3) nonprofit status. Here's exactly how they work — and why that matters for anyone building on or researching with LLIF.
Why nonprofit status is a technical choice
A for-profit company can promise not to sell user data. But business conditions change. Investors demand returns. Companies get acquired. Privacy promises that seem solid today evaporate under new ownership tomorrow.
LLIF solves this structurally. As a 501(c)(3) nonprofit, participant data is legally classified as a donor-restricted asset under IRS rules. This means:
This is not soft. This is law. And it's the reason developers and researchers can build on LLIF with a time horizon measured in decades, not product cycles.
The Participant Data Charter
Plain-language commitments to every participant. Enforced by board oversight, not just policy.
You own your data.
LLIF holds participant data in trust on behalf of each participant. Ownership never transfers to LLIF, to program organizers, or to any third party.
You can export it.
Full data exports are available at any time, in standard formats. No friction, no waiting period, no data locked behind a subscription.
You can delete it.
Deletion requests are processed within 30 days, subject to legal retention requirements. Deletion is permanent and confirmed.
It will never be sold.
Participant data is a donor-restricted asset. This cannot be changed by any future leadership — board, executive, or acquirer.
You will be notified of every access.
Every research or partner access to participant data is logged and visible in the participant's data access record. No silent data use.
Consent is yours to revoke.
Participants can modify or revoke consent to any program or research study at any time. Revocation is processed immediately and logged in the consent audit trail.
Consent architecture
Designed for IRB requirements. Built for participant trust.
Layered Consent
Participants consent at two levels: first to the LLIF data framework (what LLIF can hold and how), then to each program or study they join (what that organizer can access and for how long). These are separate, auditable consent events.
Consent Audit Trail
Every consent event is timestamped and immutable. Consent records are available to participants via their data dashboard and to researchers via the API with appropriate partner access. IRB reviewers can inspect the consent architecture before approving a study.
Granular Revocation
Participants can revoke consent to a specific program or study without affecting their data in other programs. Revocation triggers immediate access termination for that organizer and is logged with timestamp. Historical data collected under prior valid consent is retained per study protocol and participant agreement.
What this means if you're building on LLIF
You can't become adversarial to your users
When your app builds on LLIF, the data layer is governed by nonprofit constraints — not by your cap table. Your users' data cannot be weaponized against them if your company pivots, gets acquired, or faces investor pressure to monetize data assets.
Your users' trust is backed by structure
When users ask 'who owns my data?' you can point to a legal structure, not just a privacy policy. That's a material difference in a world where data privacy promises are routinely broken.
The infrastructure won't become adversarial to you
LLIF is a nonprofit with no incentive to extract value from developers. We cannot be acquired and pivoted to compete with you. We cannot revoke your API access to serve a competing product. The governance that protects participants also protects the developer ecosystem.
Compliance documentation is already done
IRB-compatible consent architecture, data access logging, and audit trails are built into the infrastructure. For developers building research-adjacent apps, this reduces the compliance burden significantly.
What this means if you're running a study
Participant data persists independently of any single grant cycle. If funding lapses, data is not lost. Longitudinal follow-up studies can access historical data with renewed participant consent — without re-enrollment.
The consent framework is designed to meet IRB requirements. Participants consent once to the LLIF framework, then separately to each study. Secondary analyses can be approved with a lighter IRB pathway because the primary consent architecture is already established.
Research institutions frequently lose longitudinal data when the software platform it was collected on shuts down, gets acquired, or changes its terms. LLIF's nonprofit structure eliminates this risk category entirely.
Governance isn't self-reported
An independent board holds authority over every material governance decision.
The LLIF board is structured to provide independent oversight of mission alignment. Board members serve fixed terms and are not employed by LLIF. The board holds exclusive authority over:
No single executive — including the founder — can unilaterally change how participant data is handled. Annual governance disclosures are published in LLIF's Form 990, which is publicly available.
Read the Governance documentation