Privacy Policy

Effective April 16, 2026 · Last updated April 16, 2026

The short version

  • Your Vault contents are encrypted in your browser before they reach us. We store ciphertext we cannot decrypt.
  • We don't sell your data. We don't use it for advertising. We don't share it with data brokers.
  • You can export or delete your data at any time from Settings.
  • We do see: your email, name, IP address, and metadata about how you use the app. Details below.

This Privacy Policy describes how LegadoVault (“we,” “us,” or “our”) collects, uses, shares, and protects your personal information when you use our Service. By using the Service, you agree to this Privacy Policy.

1. Information We Collect

1.1 Information you provide to us

  • Account data — your name, email address, and password hash (we never see your plaintext password). If you sign in via Google or Facebook OAuth, we receive your name and email address from that provider.
  • Phone number (optional) — if you verify a phone number for SMS notifications, we store the E.164-formatted number and a verification timestamp.
  • Trustee information — names, emails, phone numbers, and relationships for the people you designate as Trustees or Executors. You are responsible for having a lawful basis to share this information with us.
  • Encrypted Vault content — the ciphertext produced by encrypting your Vault Items client-side. This includes encrypted letters, video messages, documents, and other items you choose to store. We cannot read any of this content.
  • Metadata about Vault Items — the category (e.g. “Bank Accounts,” “Insurance”), creation date, last-modified date, and which Trustees have permission to each item. This metadata is not encrypted because we need to query it to enforce access controls.
  • Dead-man's-switch configuration — your inactivity threshold, warning schedule, and last check-in timestamp.
  • Billing information — if/when you subscribe to a paid plan, billing is handled by Stripe. We receive only the last four digits of your card, its brand, and an internal customer identifier. We do not store full card numbers or CVVs.

1.2 Information we collect automatically

  • Log data — your IP address, browser user agent, device type, session timestamps, and the pages or actions you take within the Service. Used for security, debugging, and analytics in aggregate.
  • Cookies and local storage — we use essential cookies to keep you signed in and, if you enable “Remember on this device,” we store an encrypted copy of your unlock key in IndexedDB. We do not use third-party advertising or tracking cookies.
  • Activity log — records of significant events such as check-ins, warnings sent, trustee invitations, and Legacy Release triggers. This log is tied to your account and retained for audit purposes.

1.3 What we do NOT collect

  • Your Master Password. We never see it, and it never leaves your device in a form we could reconstruct.
  • Your Recovery Key. Ditto.
  • Your decrypted Vault contents. These are only ever decrypted in your browser after you enter your Master Password.
  • Your Trustee passphrases. These are shared out-of-band between you and the Trustee; the Service never touches them.
  • Data from other tabs, your browsing history, your location, your contacts, or anything else outside the Service.

2. How We Use Your Information

We use your information to:

  • Provide, maintain, and secure the Service.
  • Deliver transactional emails and SMS messages (account confirmations, password resets, Legacy Release notifications, check-in reminders, trustee invitations).
  • Detect, prevent, and investigate fraud, abuse, and security incidents.
  • Comply with legal obligations, respond to lawful requests from authorities, and enforce our Terms of Service.
  • Analyze usage patterns in aggregate to improve the product. We do not build profiles of individual users for advertising or resale.

We will not use your information for any purpose materially different from those listed above without notifying you first.

3. Sub-processors

We rely on a small number of third-party service providers to operate the Service. These providers process data on our behalf under contractual obligations. We do not authorize them to use your data for their own purposes.

| Provider | Purpose | Data shared | Region |
|---|---|---|---|
| Supabase | Authentication, database, file storage, serverless functions | Account info, encrypted Vault ciphertext, activity logs | United States |
| Vercel | Web hosting and content delivery | HTTP request metadata (IP, user agent, pages visited) | United States |
| Resend | Transactional email delivery | Email address, email subject/body | United States |
| Twilio | SMS delivery and phone verification | Phone number, SMS body, verification codes | United States |

We will update this list when our infrastructure changes. Material additions (new categories of data sharing) will be communicated to registered users via email at least 14 days in advance.

4. International Data Transfers

Our servers and our sub-processors' servers are located in the United States. If you access the Service from outside the United States, you consent to the transfer of your data to the United States for processing. We use standard contractual clauses and other legally recognized safeguards where required by applicable law.

5. How We Protect Your Data

Security is the core of what this product does. We implement industry-standard technical and organizational measures, including:

  • Client-side encryption using AES-256-GCM with keys derived from your Master Password via Argon2id. Details at legadovault.com/security.
  • Transport-layer security (TLS 1.3) for all connections between your browser and our servers.
  • Passwords are never stored in plaintext. Account passwords are hashed by Supabase Auth using industry-standard algorithms. Master passwords are never transmitted at all.
  • Row-Level Security (RLS) policies in the database that prevent one user's data from ever being visible to another user.
  • Access controls on internal systems limited to staff with a legitimate operational need, and audited through activity logs.

No system is perfectly secure. If we become aware of a breach that affects your personal information, we will notify you and the appropriate regulators in accordance with applicable law, typically within 72 hours of discovery.

6. Data Retention

  • Account and Vault data — retained for the lifetime of your account.
  • After account closure — we delete your encrypted Vault Items, Trustee records, and identifying account data within 30 days, except where we are required to retain specific records by law (for example, for tax or anti-fraud purposes).
  • Operational backups — encrypted backups may persist for up to 90 days after deletion before being rotated out.
  • Activity logs — retained for up to 24 months for security and audit purposes, then anonymized or deleted.
  • After a Legacy Release — we retain your account data and the encrypted Vault for at least 12 months after the release to give Trustees time to retrieve and decrypt what was left for them.

7. Your Rights

Depending on where you live, you may have the following rights under laws such as the European Union's GDPR, the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and similar statutes:

  • Access — request a copy of the personal information we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure (“right to be forgotten”) — ask us to delete your data. You can do this yourself from Settings at any time.
  • Portability — receive your data in a structured, machine-readable format. The encrypted Vault ciphertext can be exported from Settings; you remain responsible for decrypting it with your own keys.
  • Objection / restriction — object to certain types of processing.
  • Withdraw consent — where processing is based on consent, withdraw it at any time.
  • Non-discrimination — we will not discriminate against you for exercising any of these rights.
  • File a complaint — with your local data protection authority.

To exercise these rights, email privacy@legadovault.com. We will respond within 30 days (or the timeline required by applicable law, whichever is shorter).

Do-Not-Sell / Do-Not-Share (CCPA). We do not sell or share your personal information within the meaning of the CCPA and do not use it for cross-context behavioral advertising. The “Do Not Sell or Share My Personal Information” link is therefore not applicable, but you may still exercise all other CCPA rights by contacting us.

8. Privacy After Death

The Service is explicitly designed to share certain data with the Trustees and Executors you designate when a Legacy Release is triggered. That is the product. Outside of the Legacy Release mechanism:

  • A legal representative of your estate may request account closure or changes. They can reach us at support@legadovault.com. We will require reasonable documentation of their authority before acting.
  • We cannot provide a legal representative with access to the decrypted contents of your Vault. Without your Master Password or Recovery Key, the data is unreadable to us as well.
  • Where permitted by law, we will honor a validly executed power of attorney that survives incapacity and an order of a court with jurisdiction. Where legal and practical, we will preserve your configured Trustee designations and allow the Legacy Release to proceed as you intended.

9. Children

The Service is intended for adults 18 years of age or older. We do not knowingly collect personal information from children under 18. If we learn that we have collected such information, we will delete it. Parents or guardians who believe their child has provided us with personal information should contact us at privacy@legadovault.com.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced via email to registered users and by posting notice on the Service at least 14 days before the changes take effect. We will update the “Last updated” date at the top of this page.

11. Contact Us

Privacy questions, rights requests, or complaints: privacy@legadovault.com

General questions and support: support@legadovault.com