Version 1.0
Effective Date: January 1, 2025
We collect information you provide directly when creating an account and using the Service, including your email address, password (hashed), profile information, estate planning details, and uploaded documents. We also collect usage data such as IP addresses, browser type, device information, pages visited, and actions taken within the Service. For professional accounts, we collect business information including firm name, license information, and contact details.
We use your information to provide and maintain the Service, authenticate your identity, process vault sharing and member invitations, generate audit logs for security purposes, send transactional emails (account verification, password resets, invitations), improve the Service, and comply with legal obligations. We do not sell your personal information to third parties. We do not use your data for advertising purposes.
Your data is stored on secure servers provided by Supabase (backed by AWS infrastructure). Encryption of documents is optional; documents that are encrypted are encrypted client-side, before transmission, using XSalsa20-Poly1305 authenticated encryption. Encryption keys are generated and managed in your browser and are never transmitted to or stored on our servers. Unencrypted metadata (file names, sizes, timestamps) is stored to facilitate the Service. All data in transit is protected by TLS 1.2 or higher. Database access is controlled by Row Level Security (RLS) policies ensuring users can only access their own data and data explicitly shared with them.
We use the following third-party services to operate the platform:
Each third-party provider is contractually bound to protect your data and process it only as directed by us.
We retain your account data for as long as your account is active. Audit logs are retained for a minimum of 2 years for compliance purposes. Upon account deletion, we will remove your personal data within 90 days, except where retention is required by law. Encrypted files for which we do not hold keys are permanently inaccessible upon key deletion regardless of file retention status.
You have the right to access, correct, export, and delete your personal data. You may request a copy of all data we hold about you by contacting privacy@legacyready.co. You may delete your account and associated data at any time. You have the right to withdraw consent for optional data processing. You have the right to object to processing based on legitimate interests. You have the right to data portability in a machine-readable format.
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information promptly.
California residents have the right to know what personal information is collected, whether it is sold or disclosed, and to whom. You have the right to request deletion of your personal information. You have the right to opt out of the sale of personal information — we do not sell personal information. You have the right to non-discrimination for exercising your privacy rights. To exercise these rights, contact privacy@legacyready.co.
If you are located in the European Economic Area, you have additional rights under the General Data Protection Regulation including the right to access, rectification, erasure, restriction of processing, data portability, and the right to object. Our legal basis for processing your data is contractual necessity (providing the Service), consent (where applicable), and legitimate interests (security, fraud prevention). You may lodge a complaint with your local data protection authority. For GDPR-related inquiries, contact our Data Protection Officer at dpo@legacyready.co.
We use essential cookies for authentication and session management. These cookies are strictly necessary for the Service to function and cannot be disabled. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. Authentication tokens are stored securely in accordance with Supabase SSR best practices.
We may update this Privacy Policy from time to time. When we make material changes, we will update the version number and effective date and notify you through the Service. Continued use of the Service after changes constitutes acceptance of the updated policy.
For privacy-related questions or requests, contact us at privacy@legacyready.co.