Privacy Policy

Last Updated: December 6, 2025

1. Introduction

Ever Legacy ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our digital asset inheritance platform (the "Service").

This policy is designed to comply with:

  • The General Data Protection Regulation (GDPR) for users in the European Union
  • The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) for users in California

Important: This policy is not a substitute for professional legal advice. If you have questions about your privacy rights, please consult with a qualified attorney.

2. Data Controller

Company Name: [YOUR COMPANY NAME]
Address: [YOUR COMPANY ADDRESS]
Email: [YOUR CONTACT EMAIL]
Country: [YOUR COUNTRY]

Note: Please fill in the above information with your actual company details.

3. Data We Collect

3.1 Personal Data You Provide

  • Account Information: Email address, name (optional), password (stored as bcrypt hash)
  • Vault Content: Assets, beneficiaries, and other information you store in your encrypted vault
  • Beneficiary Information: Names, email addresses, phone numbers, and relationship information
  • Payment Information: Processed securely through Stripe (we do not store full payment card details)

3.2 Automatically Collected Data

  • Technical Data: IP addresses (for security and rate limiting), login timestamps
  • Usage Data: Activity logs (login attempts, password changes, etc.), which contain no sensitive content
  • Cookies: Essential session cookies for authentication (see Cookie Policy)

3.3 Data We Do NOT Collect

  • We do not use tracking cookies or analytics services (Google Analytics, Meta Pixel, etc.)
  • We do not collect browsing behavior or device fingerprints
  • We do not sell or share your data with third parties for marketing purposes

4. How We Use Your Data

We use your data solely to provide and improve our Service:

  • To create and manage your account
  • To store and encrypt your vault content (AES-256 encryption)
  • To send heartbeat reminders and service notifications (if you opt in)
  • To process payments through Stripe
  • To provide customer support
  • To ensure security and prevent fraud (rate limiting, login monitoring)
  • To comply with legal obligations

Marketing Emails: We only send marketing emails if you explicitly opt in. You can change your preferences at any time in your account settings.

5. Data Storage and Security

We implement industry-standard security measures to protect your data:

  • Encryption: All vault content is encrypted using AES-256. We cannot decrypt your data without your encryption key.
  • Password Security: Passwords are hashed using bcrypt (never stored in plaintext)
  • Secure Transmission: All data is transmitted over HTTPS/TLS
  • Access Controls: Strict access controls and authentication requirements
  • Regular Security Audits: We regularly review and update our security practices

Important: You are responsible for keeping your password and encryption key secure. We cannot recover your encrypted data if you lose your encryption key.

6. Data Sharing

We do not sell your personal data. We only share data in the following limited circumstances:

  • Service Providers: We use Stripe for payment processing. Stripe's privacy policy applies to payment data.
  • Legal Requirements: If required by law or to protect our rights and safety
  • With Your Consent: When you explicitly authorize sharing (e.g., sharing access with beneficiaries)

7. Your Rights (GDPR & CCPA)

7.1 Right of Access (GDPR Article 15, CCPA Right to Know)

You can download a copy of all your data at any time from your account settings. The export includes your profile, assets, beneficiaries, and activity logs. For security reasons, it does not include encryption keys.

7.2 Right to Rectification (GDPR Article 16)

You can update your account information (name, email preferences) at any time in your account settings.

7.3 Right to Erasure (GDPR Article 17, CCPA Right to Delete)

You can delete your account and all associated data at any time from your privacy settings. This action is permanent and cannot be undone.

7.4 Right to Object (GDPR Article 21)

You can opt out of marketing emails at any time. Essential service emails (security notifications, password resets) cannot be disabled as they are necessary for account security.

7.5 Right to Data Portability (GDPR Article 20)

You can export your data in machine-readable JSON format from your account settings.

7.6 CCPA-Specific Rights

  • Right to Know: See section 7.1 above
  • Right to Delete: See section 7.3 above
  • Right to Opt-Out: You can opt out of marketing emails in your account settings
  • Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise any of these rights, please use the self-service tools in your account settings or contact us at [YOUR CONTACT EMAIL].

8. Cookies

We use only essential cookies necessary for the Service to function:

  • Session Cookies: For authentication and security
  • Stripe Cookies: For payment processing (when using Stripe checkout)

We do not use tracking cookies, analytics cookies, or marketing cookies. For more details, see our Cookie Policy.

9. Data Retention

We retain your data for as long as your account is active. When you delete your account, we permanently delete all associated data within 30 days (or immediately for hard deletes, depending on your deletion request).

Some data may be retained longer if required by law (e.g., financial records for tax purposes).

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

  • Posting the updated policy on this page
  • Sending an email notification (if you have opted in to product updates)
  • Requiring you to accept the new policy version when you next log in

The "Last Updated" date at the top of this page indicates when the policy was last revised.

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:

Email: [YOUR CONTACT EMAIL]
Address: [YOUR COMPANY ADDRESS]

Note: Please fill in the above contact information with your actual details.