Privacy Policy
Plain-language summary. We collect what you give us, encrypt sensitive parts at rest, send memos to trustees only after a verified death and a grace period, and let you delete or download your data at any time.
Last updated: 22 April 2026.
1. What we collect
- Account data: username, email address, password (hashed, never stored in plaintext), first and last name, date of birth, country of residence, and an optional phone number as a second contact channel.
- Memos: the title, body, file uploads (for video/image memos) and trustee assignments you create. These include financial memos (bank, loan / credit card, mortgage, pension, investments, crypto, real estate, other financial) and personal memos (written, video / image, will, funeral wishes).
- Trustees: first and last name, email address, phone number for each person you nominate.
- Medical profile (optional): blood type, allergies, current medications, conditions, DNR / resuscitation status, organ-donor status, primary physician, medical power of attorney, insurance details, emergency contact, religious considerations and other notes. The profile is reachable through an unauthenticated wallet-card URL intended for emergency responders; access to that URL is rate-limited, and every successful read is recorded in an audit log visible to you.
- Operational data: session cookies, login attempt records (for brute-force protection), audit-log entries describing CRUD actions you take, IP address on login.
- Death notifications: name, contact details and uploaded death certificate of the person submitting a notification, plus the LGCYBox identifier of the named user.
The complete field-by-field breakdown — what each field is for, what we expect you to put in it, and what we ask you not to put in it — lives on the Data Dictionary.
2. How we store it
The sensitive memo content (titles, descriptions, trustee names and contact details, death-notification fields, medical profile fields) is stored AES-encrypted at rest using a key held separately from the database. Searchable hashes are computed with a per-field HMAC key, so we can perform exact-match equality lookups without decrypting the whole table. Uploaded files (video/image memos, death certificates) are stored in a private S3 bucket and served only via short-lived presigned URLs.
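The "searchable hash" pattern described above is usually called a blind index: a keyed HMAC of the normalised field value is stored next to the ciphertext, and a lookup hashes the query the same way and compares. The following is an added illustration written for this page, not LGCYBox's own code; it uses only the Python standard library, stands in for the AES ciphertext column with an opaque placeholder, and its table name, field names, key-derivation label and sample rows are all constructed for the example.

```python
"""
Blind-index (searchable HMAC) lookup beside an encrypted column.

Added example, not LGCYBox code.  The AES ciphertext column is stood in
for by a placeholder; what is demonstrated is how a per-field HMAC key
permits exact-match lookups without decrypting anything.
"""
import hashlib
import hmac
import unicodedata
from dataclasses import dataclass

# Constructed root key for the demo.  In a real deployment this lives in a
# secrets manager / KMS, separate from the database, never in the DB itself.
ROOT_INDEX_KEY = hashlib.sha256(b"constructed demo root key - not a real secret").digest()


def field_key(table: str, field: str) -> bytes:
    """Derive a per-field index key so equal values in different columns
    (e.g. users.email vs trustees.email) produce unrelated indexes.
    The label format is an assumption of this example."""
    label = f"blind-index:{table}.{field}".encode()
    return hmac.new(ROOT_INDEX_KEY, label, hashlib.sha256).digest()


def normalize(value: str) -> str:
    """Canonicalise before hashing so 'Alice@Example.com ' matches
    'alice@example.com'.  Real schemas choose rules per field."""
    return unicodedata.normalize("NFKC", value).strip().casefold()


def blind_index(table: str, field: str, value: str) -> str:
    """Keyed hash stored next to the ciphertext.  Without ROOT_INDEX_KEY it
    reveals only which rows hold equal values, not the values themselves."""
    return hmac.new(field_key(table, field), normalize(value).encode(),
                    hashlib.sha256).hexdigest()


@dataclass
class TrusteeRow:
    id: int
    email_ciphertext: bytes   # AES ciphertext in the real schema; placeholder here
    email_index: str          # HMAC blind index of the normalised email


def insert_trustee(rows: list[TrusteeRow], row_id: int, email: str) -> TrusteeRow:
    """Write both columns: the (placeholder) ciphertext and its blind index."""
    row = TrusteeRow(
        id=row_id,
        email_ciphertext=b"<aes-ciphertext-placeholder>",
        email_index=blind_index("trustees", "email", email),
    )
    rows.append(row)
    return row


def find_trustees_by_email(rows: list[TrusteeRow], email: str) -> list[TrusteeRow]:
    """Exact-match lookup: index the query and compare.  Nothing is decrypted,
    and prefix / LIKE queries are impossible by construction."""
    wanted = blind_index("trustees", "email", email)
    return [r for r in rows if hmac.compare_digest(r.email_index, wanted)]


def build_demo_table() -> list[TrusteeRow]:
    """Constructed sample rows for the demonstration."""
    rows: list[TrusteeRow] = []
    insert_trustee(rows, 1, "alice@example.com")
    insert_trustee(rows, 2, "bob@example.com")
    insert_trustee(rows, 3, "Alice@Example.com")  # same address, different casing
    return rows


if __name__ == "__main__":
    table = build_demo_table()
    hits = find_trustees_by_email(table, " ALICE@example.com ")
    print([r.id for r in hits])  # [1, 3]
    # Same value, different column: unrelated index values.
    print(blind_index("users", "email", "alice@example.com")
          == blind_index("trustees", "email", "alice@example.com"))  # False
```

Two caveats follow from the design. A blind index leaks equality, so rows 1 and 3 above are visibly the same address to anyone who can read the table; that is acceptable for email addresses but would be a poor choice for low-entropy fields such as blood type or organ-donor status, where an attacker holding the index key could enumerate every possible value. And because the index key is what makes the hash unguessable, it needs the same separation from the database as the AES key.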
3. What we use it for
- To run the service: authenticate you, render your memos and trustees, send the operational emails described in this policy.
- To deliver memos to your trustees after a verified, uncontested notification of your death.
- To serve your medical profile, if you have created one, from the unauthenticated wallet-card URL you print.
- To detect and block abuse (rate limiting, account lockouts after many failed logins).
- To produce an audit log of who changed what, so we can investigate misuse.
We do not sell your data. We do not show advertising. We do not share your data with third parties except the infrastructure providers listed below.
4. Who we share it with
- Your trustees: only after a verified, uncontested notification of your death, and only the memos you have addressed to that specific trustee.
- Amazon Web Services: hosts the database and private S3 bucket in the eu-west-2 (London) region, and the SES email gateway we use to send mail, which runs in a United States region (us-west-2). The body of any email we send is therefore processed in the United States — see the GDPR page for how that transfer is handled.
- Law enforcement, when legally compelled. We will tell you about any such request unless prohibited from doing so.
5. Outbound emails we send to you
- Account activation when you sign up.
- Password reset when you request one.
- “A trustee was added to your account” (toggleable in Notification preferences).
- “A trustee’s details changed” (toggleable).
- If a death notification naming you is approved by our team: a contest URL with at least 72 hours to dispute.
6. Outbound emails we send to your trustees
- An invite when you nominate them, asking them to confirm acceptance.
- An update if you change their details.
- A consolidated release email containing the memos you addressed to them — and, if you opted in, a copy of your medical profile — after a verified and uncontested notification of your death.
7. Your rights
- Access / portability: you can download a complete export of your account at Download my data. Memo contents are decrypted in the export.
- Correction: edit any of your data at any time.
- Erasure: delete individual memos and trustees at any time, subscription or not. For full account-level erasure, visit Delete my account — you re-enter your password, type a confirmation phrase, and we remove your User row, Profile, every memo (encrypted bodies and metadata), your trustees, notification preferences and any uploaded files in a single transaction.
- Restriction / objection: contact us at [email protected]. See the GDPR rights page for the full list of rights and how to exercise each one.
8. Retention
While your account is open, we keep everything you have entered. After your account is closed (whether by you or because the service shuts down), we delete account-scoped data within 30 days. Audit log entries naming you may be retained for up to 12 months for fraud-prevention purposes, then deleted.
9. Cookies
We set a session cookie when you log in (it expires after 12 hours or when you close the browser, whichever comes first), a CSRF cookie used by Django to prevent cross-site request forgery, and a cookie-consent cookie to remember your cookie preferences. We do not set advertising or analytics cookies.
10. Changes
If we change this policy in a material way, we will email you at the address on file.
11. Contact
Questions: [email protected].