Why you should trust us
Not a sales pitch. The reasons, plainly.
The short version. We built LGCYBox because we have each lost someone and watched the practical side of that loss swallow the people left behind. Account numbers no one could find. Passwords nobody had. Boxes of paperwork that might as well have been in a different language. We are not here to take your data, resell it, or sit on top of it. We are here to make sure that when the time comes, the right people reach the right information, and nothing more.
1. Why we built this
Every one of us has been on the receiving end of a loss where the practical chaos was almost as painful as the grief.
- A parent died suddenly and the family spent three months piecing together which bank held the current account, which lender held the mortgage, and which drawer contained the will.
- A spouse passed after a long illness and even with time to prepare, the cryptocurrency held in a self-custody wallet was almost lost forever because the seed phrase was written on a piece of paper no one thought to look for.
- A friend’s pension provider took nine months to release funds because nobody could find the original policy document, and the provider wouldn’t talk to a grieving partner without it.
- A relative was taken to A&E unconscious and the ambulance crew spent precious minutes trying to reach someone who knew her allergies, DNR wishes and medical power of attorney.
Each of us thought the same thing afterwards: surely there should be a tool for this. LGCYBox is that tool. We built it because we needed it.
2. What we promise
These aren’t marketing phrases. They’re choices baked into how the product works.
- We do not sell your data. Ever. Not to advertisers, not to insurers, not to data brokers, not to anyone. The business model is a subscription. That’s the whole story.
- We do not show advertising. No ad networks, no retargeting pixels, no behavioural tracking.
- We do not train models on your memos. Your letters to your children are not training data.
- We take only what we need. The full list of fields is on the Data Dictionary — every field explains why it exists. If a field isn’t there, we don’t have it.
- You can see everything we hold. Visit Download my data at any time and get a ZIP with every memo decrypted into plain JSON. That export is the ground truth — what you see is exactly what we store.
- You can delete everything in one step. Delete my account wipes your user row, your profile, every memo (encrypted bodies included), every trustee, every notification preference and any uploaded files in a single transaction. We keep audit-log entries naming you for up to 12 months for fraud prevention; then they go too.
3. How we protect what you give us
We designed the encryption so that a single leaked secret does not open the whole database.
- Everything sensitive is encrypted at rest with AES-256-GCM. Titles, bodies, trustee contacts, profile PII, death-notification fields — all ciphertext in the database.
- Keys are compartmentalised, not shared. Each data class reads from its own decryption key, so compromising one does not unlock the others. Specific numbers and layout are not published for obvious reasons — that detail lives only with the people who need it to operate the service.
- Two-person staff approval for releases. No single member of our team can push a death notification through to release. Two distinct approvers are required before the grace-period timer even starts.
- Append-only audit log. Every CRUD action is logged, and the log cannot be deleted from inside the application — not even by an administrator. A compromised account cannot cover its tracks.
- Private file storage. Video and image memos live in a private bucket and are only ever served via short-lived signed URLs tied to your account.
- Strict Content-Security-Policy. Nothing runs in your browser from outside a small allow-list. No analytics pixels, no third-party scripts, no inline JavaScript except where a per-request nonce is issued.
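A minimal sketch of the per-class key idea from the first two points above, added here as an illustration; it is not LGCYBox code and says nothing about the real key layout. The data-class names, the in-memory keyring and the class-and-row binding via AAD are assumptions, and the keys are random samples generated at start-up.

```javascript
// Added illustration, not LGCYBox code. Class names and key handling are assumptions.
const crypto = require("node:crypto");

// One independent random 256-bit key per data class (constructed sample keys;
// a real deployment would load each from its own secret-store entry).
const DATA_CLASSES = ["memo_body", "trustee_contact", "profile_pii"];
const keys = Object.fromEntries(DATA_CLASSES.map((c) => [c, crypto.randomBytes(32)]));

// Encrypt one field. The data class and row id are bound in as AAD, so a
// ciphertext copied to another column or row fails authentication.
function encryptField(dataClass, rowId, plaintext, keyring = keys) {
  const key = keyring[dataClass];
  if (!key) throw new Error(`no key for data class ${dataClass}`);
  const iv = crypto.randomBytes(12); // 96-bit nonce, fresh per encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(`${dataClass}:${rowId}`));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  // Stored layout (assumed): 12-byte IV | 16-byte tag | ciphertext, base64-encoded.
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

// Decrypt; returns null on any failure (wrong key, wrong class or row, tampering).
function decryptField(dataClass, rowId, blob, keyring = keys) {
  const raw = Buffer.from(blob, "base64");
  const key = keyring[dataClass];
  if (!key || raw.length < 28) return null;
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  decipher.setAAD(Buffer.from(`${dataClass}:${rowId}`));
  try {
    return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString("utf8");
  } catch {
    return null; // GCM tag check failed
  }
}

// Model a leak of exactly one class key: does it open a field of another class?
function leakedKeyOpens(leakedClass, targetClass, rowId, blob) {
  const leakedRing = { [targetClass]: keys[leakedClass] };
  return decryptField(targetClass, rowId, blob, leakedRing) !== null;
}
```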
4. What your memos actually become
Nothing is sent to anyone while you are alive. Full stop.
After a verified notification of your death — reviewed by two separate members of our team, with a contest window during which the named user can dispute — each trustee receives a single consolidated email containing only the memos you addressed to them. They do not see memos addressed to anyone else. If you contest during the grace period, nothing is sent.
The one exception to the “nothing is sent while you are alive” rule is the optional medical profile, which is deliberately reachable by emergency responders at a short URL you print on a wallet card or bracelet. It is an opt-in tool, capped by a rate limit, and every successful view is recorded in a log you can read. Once a death notification naming you is released, the URL stops resolving automatically.
5. What if something happens to us?
A legitimate question. The company might fold. The team might change. We might be acquired.
- Your data is portable. The export is a machine-readable ZIP — take it anywhere.
- We will give you notice. If we ever plan to wind down the service, we commit to emailing every user at the address on file with enough time to export and delete.
- We will not hand your data to an acquirer silently. Any acquirer inherits the Privacy Policy you signed up under; a material change gets your explicit re-consent, not a footnote in a terms update.
6. How to verify us
Don’t take our word for it. Check:
- The Privacy Policy lists every category of data we hold.
- The Data Dictionary lists every single field, why it exists, and what we ask you not to put in it.
- The GDPR rights page explains how to exercise each of your UK/EU rights — with direct links to the self-service buttons for access, rectification and erasure.
- The Terms of Service spells out the contract in plain English.
7. Contact us directly
A real person reads [email protected]. If something in this page doesn’t match what we do in practice, we want to know, and we’ll fix the reality or fix the page.
8. Services we may recommend in future
Over time we expect to introduce a small, curated set of optional add-ons for users who would find them useful. These will always follow the same rules:
- Opt-in only. We will never sign you up to anything automatically. If a suggestion appears, it is a link you can ignore.
- No silent data sharing. Your details are not passed to any partner without your explicit action. If you click through to a provider, we tell you exactly what leaves LGCYBox, and you choose whether to continue.
- A genuine fit, not a revenue farm. We will only list a service if we think a reasonable person in your situation might actually want it.
The first likely example: if you haven’t recorded a will memo and you’ve told us you don’t have one, we may suggest a short list of will-writing providers you can look at. You are never required to use them, and the suggestion never shares your details with the provider — it’s a link, not an introduction.
Same principle applies to anything we add later (trust services, probate help, funeral planning, etc.). If a future partnership ever changes how your data is handled at a material level, we’ll ask you first — not update a footnote.
9. A final thought
We built this because the alternative — leaving the people we love to piece together our lives from memory and paper — isn’t good enough. If we do this right, the people you nominate will open an email one day and find exactly what they need. Nothing more, nothing less. No account hunts. No missed pensions. No lost crypto. Just what you meant to leave them.
That is the only thing we are trying to do.