How consent and agency work across the ecosystem
Consent isn't a one-time checkbox. Agency isn't a privacy policy. Here's how both work in practice — across LLIF, Best Life, and OpenLife Cloud — and why the design matters.
There are three entities in this ecosystem. Each has a different role, and understanding how they relate to each other is the key to understanding how consent and data protection actually work — rather than what the privacy page says.
This guide explains how they fit together, where consent happens in that structure, and how agency is preserved as an ongoing structural commitment — not just at the moment someone signs up.
Three entities. Three roles. One governance layer.
LLIF
Live Learn Innovate Foundation — 501(c)(3) nonprofit
The legal foundation for participant data — enforcing integrity, agency, privacy, and safety. LLIF does not build the app people use or the platform developers build on. It holds the legal framework that governs how participant data is protected across the ecosystem. Think of LLIF as the foundation the other two sit on — it sets the terms that neither entity can override.
Best Life
Consumer app — separate legal entity
The app that people use to track their health and lifestyle. Best Life is built by a separate company, Best Life Inc. It operates on OpenLife Cloud infrastructure and under a Data Partner Agreement with LLIF. Users interact with Best Life directly — but their data is governed by LLIF's framework, not just by Best Life's own policies.
OpenLife Cloud
Developer and research platform
The platform layer that other developers and researchers build on. It provides the technical infrastructure — APIs, data pipelines, program infrastructure — for apps and studies that want to work with LLIF-governed data. Organizations that access participant data through OpenLife Cloud do so under the same governance framework as anyone else.
How they relate
A person uses Best Life to track their sleep and mood. That app stores their data through OpenLife Cloud's infrastructure. But the rules governing what can happen to that data — who can access it, under what conditions, with what protections — are set by LLIF's governing documents and enforced by its board. Neither Best Life nor any developer on OpenLife Cloud can override those rules. They signed a Data Partner Agreement that legally binds them to the same standards.
How consent works — in layers
Consent in this ecosystem isn't a single event. It happens in two distinct layers, and both layers matter.
Consent to the LLIF data framework
When someone participates in the LLIF ecosystem for the first time — through Best Life or any other participating app — they consent to the overall framework that governs how LLIF holds and protects their data. This consent covers what LLIF can hold, what it can never do (sell, monetize, transfer commercially), and what rights the participant retains (export, delete, revoke at any time).
This layer is stable and doesn't change with each new program. It's the foundation under everything else.
Consent to a specific program or study
When a participant chooses to join a specific Program — a research study, a wellness challenge, a community tracking effort — they give a separate, specific consent that covers what that program organizer can access and for how long. This consent is scoped to that program and that organizer only.
Joining a sleep study does not give the sleep study organizer access to your nutrition data. Consenting to one program does not extend consent to other programs. Each is its own discrete consent event, logged in the participant's consent record.
Consent means something because the system stays aligned after you give it.
It's easy to get someone to click "I agree." The harder thing — and the thing that actually matters — is whether the organization holding their data remains structurally committed to those terms after the fact. That's what governance does. It makes consent durable, not just captured.
What participants can always do
These rights don't depend on which program you've joined or which app you use. They apply across the ecosystem, at all times, backed by LLIF's governing structure.
See every access to your data
Every time a researcher or partner accesses your data, it's logged and visible in your data access record. There is no silent data use.
Revoke consent for any program
You can withdraw from any specific program or study at any time. That revocation is processed immediately, logged, and terminates that organizer's access.
Export your full data
Full data exports are available at any time, in standard formats. No waiting period, no subscription required.
Delete your data
Deletion requests are processed within 30 days. Deletion is permanent and confirmed. Subject to legal retention requirements where they apply.
Understand what any program will access before you join
Program consent is specific. Before you join, you can see exactly what data types the program organizer will access and for how long.
Participate without being marketed to
Your data is never used to build advertising profiles or behavioral targeting — by LLIF, by any program organizer, or by any partner.
How agency is preserved in practice
Earlier drafts used "stewardship" as the framing word. Agency is the more accurate one — the user decides, and LLIF protects the perimeter that decision sits inside. In practice, that perimeter is enforced through ongoing, active responsibility for how participant data is held, accessed, and protected — not just at the moment of collection, but across the entire life of the data.
In practice, that means several concrete things:
Governance doesn't stop when data is collected
Data collected under LLIF's framework remains governed by that framework indefinitely. The protections don't expire at the end of a program. They don't lapse if a participant becomes inactive. The governance obligation is permanent.
Every partner is bound, not just LLIF
Every organization that accesses participant data — whether through the OpenLife Cloud API or as a program organizer — executes a Data Partner Agreement that binds them to the same standards LLIF holds itself to. LLIF retains audit rights and can terminate access immediately for violations. The governance layer extends to the edge of the ecosystem.
Transparency is ongoing, not annual
Data access is logged in real time and visible to participants continuously — not summarized once a year in a report. LLIF also publishes an Annual Transparency Report with financial statements, board meeting summaries, and governance activity. But the participant's own view of their data is always live.
The board maintains independent oversight
LLIF's independent board of directors holds exclusive authority over any change to how participant data is governed. Board members serve fixed terms and are not employed by LLIF. This separation isn't procedural — it's the mechanism that makes the governance real. One person cannot unwind what the organization committed to.
The charter can be read, not just referenced
The Participant Data Charter — LLIF's plain-language commitment to every participant — is a public document with six specific, numbered commitments that are enforced by board oversight. It doesn't require reading a 20-page privacy policy to understand what's protected. The commitments are findable, readable, and specific.
How everyone in the system depends on governance holding
The same data can support a person understanding their own health, a researcher studying population patterns, and a developer building a useful tool — but only if the governance layer holds. The moment trust breaks in one part of the system, it undermines the whole thing.
People contribute their most personal data — health events, symptoms, daily habits — on the assumption that the system governing it will stay aligned with their interests. If that assumption breaks, contribution stops. And without participants, nothing else in the ecosystem works.
A research study is only as good as the quality and integrity of its data. Researchers depend on LLIF's governance holding because it's the thing that makes their data ethically defensible — to IRBs, to journals, to the participants themselves. If the governance drifts, the research loses its foundation.
An app built on this infrastructure inherits its trust properties — or its trust problems. Developers who build on LLIF-governed data have a structural guarantee that the data layer won't become adversarial to their users. But that guarantee only exists while the governance holds. The builder's credibility is partly borrowed from the foundation under them.
Trust is not a UX feature
It's common for apps to describe trust as something they've designed into the experience — through clean interfaces, reassuring copy, and privacy settings that feel granular and empowering. Those things matter. But they're features. Features can be changed. Features can be removed. Features are what the product team decides to ship next quarter.
Structural trust is different. It comes from the legal architecture of the organization holding the data — from governing documents, board oversight, legal classification, and the specific things that require formal process to change. That kind of trust doesn't depend on a design decision. It doesn't ship in the next update.
That's what LLIF is building — not a better privacy interface, but a better foundation. One that the interface, the apps, and the research all rest on.
What to take from this
When you engage with the LLIF ecosystem — as a participant, a researcher, or a builder — you're entering a system that was designed with this governance structure deliberately. Not because it was easy (nonprofit governance is more constrained, not less), but because the constraints are the point.
You should understand the structure clearly — what consenting to the framework means, what the layered consent covers, what you can always do, and how the governance applies to everyone who touches your data. You shouldn't have to take any of this on faith.
If something here is unclear, we'd rather you ask than assume.