Privacy Policy

1. Introduction

Legacy Plans ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our end-of-life planning and legacy preservation platform at legacyplans.ai. Given the deeply sensitive and personal nature of the information you entrust to us, we take extraordinary measures to ensure its protection.

Our Commitment: We fundamentally believe that your personal data belongs to you. We will never sell your information, use it for advertising purposes, or share it with third parties for any reason other than providing you with the Legacy Plans service. Your trust is the foundation of our business, and we treat your data with the same care and respect you would expect for your most precious personal documents.

2. Information We Collect

Account Information

When you create an account, we collect:

• Full name and email address
• Phone number (optional, for SMS and WhatsApp notifications)
• WhatsApp number (optional, for WhatsApp notifications)
• Date of birth (optional)
• Location (optional)
• Profile photo (optional)
• Two-factor authentication settings and recovery codes

Trusted Contacts

When you add trusted contacts, we collect:

• Contact names, email addresses, and phone numbers
• Relationship descriptions
• Assigned roles (executor, beneficiary, guardian, medical proxy, witness)
• Verification contact status and priority
• Notes about each contact

Legacy Content

When using our services, you may provide:

• Goodbye Messages: Personal letters and messages for designated recipients, including subject lines, content, attachments, and delivery preferences
• Instructions: Step-by-step guidance for loved ones across categories including assets, wishes, medical, legal, and personal matters
• Documents: Uploaded files such as wills, trusts, powers of attorney, insurance policies, and other important documents with associated metadata
• Pet Care Plans: Pet information, care instructions, dietary requirements, medical conditions, medications, veterinarian details, and designated guardians
• Celebration of Life Plans: Ceremony preferences, burial preferences, music selections, readings, photo selections, dress codes, and special requests

Digital & Financial Assets

We collect information about your assets including:

• Digital Assets: Social accounts, subscriptions, domains, and other digital properties including platform names, usernames, access instructions, and estimated values
• Cryptocurrency: Wallet information, blockchain types, wallet addresses (partial), recovery instruction hints, and hardware device location hints (we never store actual private keys or seed phrases)
• NFT Collections: NFT names, collection details, blockchain information, marketplace URLs, and acquisition information
• Financial Accounts: Institution names, account types, last 4 digits of account numbers, approximate balances, beneficiary designations, and access instructions

Verification & Activity Data

• Check-in timestamps and activity logs
• Death verification requests and responses
• Notification delivery logs and status
• Device and browser information
• IP address and approximate location
• Pages visited and features used

3. How We Use Your Information

We use your information to:

• Provide, maintain, and improve our legacy planning services
• Securely store your messages, instructions, documents, and asset information
• Send check-in reminders via email, SMS, or WhatsApp based on your preferences
• Process death verification requests through your designated trusted contacts
• Deliver goodbye messages and grant portal access to recipients upon verified passing
• Provide trusted contacts with access to instructions and digital asset information you've designated for them
• Generate notification logs and delivery confirmations
• Enable two-factor authentication and account recovery
• Communicate with you about service updates, security alerts, and account changes
• Prevent fraud, detect abuse, and ensure platform security
• Comply with legal obligations and respond to lawful requests

4. Death Verification Process

Our platform includes a verification process to confirm passing before delivering your legacy content:

• Trusted contacts you designate can initiate verification if you become unresponsive to check-ins
• Multiple confirmations from your verification contacts are required (configurable by you)
• A waiting period (configurable by you) occurs before content delivery
• Verification responses and notes are logged for audit purposes
• You can cancel verification at any time by checking in to your account

5. Data Security

We implement comprehensive security measures to protect your sensitive information:

• Encryption at Rest: All stored data is encrypted using AES-256 encryption
• Encryption in Transit: All data transmission uses TLS 1.3
• Content Sanitization: User-generated content is sanitized to prevent injection attacks
• Row-Level Security: Database policies ensure users can only access their own data
• Two-Factor Authentication: Optional TOTP-based 2FA with backup recovery codes
• Secure Token Generation: Verification and portal access tokens are cryptographically generated
• Access Controls: Strict role-based access controls for our team
• Regular Audits: Periodic security assessments and vulnerability testing
• Secure Infrastructure: Hosted on enterprise-grade cloud infrastructure built on SOC 2 certified providers

6. Information Sharing — What We Will NEVER Do

Limited Sharing By Design (Only What You Authorize)

The only sharing that occurs is the sharing you explicitly configure as part of using Legacy Plans:

• Verification contacts you designate receive your name and verification requests during the death verification process
• Upon verified passing, recipients you designate receive your goodbye messages via email
• Trusted contacts you designate gain access to the contact portal containing instructions and digital asset information you've assigned to them
• Documents you've explicitly shared with specific contacts become accessible to them

Necessary Service Providers

We work with a minimal set of trusted service providers to operate our platform. These providers process data only on our behalf, under strict contracts, and only as necessary to deliver our service to you:

• Email Delivery: To send notifications, reminders, and your goodbye messages
• SMS/WhatsApp: To deliver check-in reminders and alerts via your preferred channels
• Cloud Infrastructure: To securely store your encrypted data
• Authentication: To verify your identity and protect your account

All service providers are bound by strict data processing agreements and confidentiality obligations. They cannot use your data for their own purposes, share it with others, or retain it beyond what is necessary to provide their service to us.

Payment Information

We use Stripe to process payments. Stripe collects payment card information, billing address, and email address. We do not store your full payment card details on our servers.

For more information, please review Stripe's Privacy Policy.

Legal Requirements

We may disclose information only if required by law, valid court order, or government request, or to protect our rights, property, safety, or the rights of others. In such cases, we will notify you to the extent legally permitted.

7. Your Rights and Choices

You have the right to:

• Access: View all your personal data through your account dashboard
• Correction: Update or correct any information in your profile and content
• Deletion: Delete individual items or request complete account deletion
• Export: Download your financial summary and other data in portable formats
• Notification Preferences: Control check-in reminder frequency and channels (email, SMS, WhatsApp)
• Pause Reminders: Temporarily pause check-in reminders
• Verification Settings: Configure required confirmations and waiting periods
• Withdraw Consent: Revoke permissions at any time

To exercise these rights, use your account settings or contact us at privacy@legacyplans.com.

8. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Your California Privacy Rights

• Right to Know: You can request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purposes for collecting it, and the categories of third parties with whom we share it.
• Right to Delete: You can request deletion of your personal information, subject to certain exceptions (such as legal obligations or completing transactions you initiated).
• Right to Correct: You can request correction of inaccurate personal information we maintain about you.
• Right to Opt-Out of Sale/Sharing: You have the right to opt out of the "sale" or "sharing" of your personal information. However, Legacy Plans does NOT sell or share your personal information for cross-context behavioral advertising. We never have and never will.
• Right to Limit Use of Sensitive Information: You can limit our use of sensitive personal information. We only use sensitive information to provide the services you requested.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. You will receive equal service and pricing.

Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information:

• Identifiers: Name, email address, phone number, IP address, account ID
• Personal Information (Cal. Civ. Code § 1798.80): Name, address, phone number
• Protected Classifications: Age (date of birth, optional)
• Commercial Information: Records of services purchased, subscription history
• Internet/Network Activity: Browsing history on our site, interactions with our services
• Geolocation Data: Approximate location based on IP address
• Sensitive Personal Information: Account login credentials; financial account information (last 4 digits only); contents of messages you create for legacy planning

Sale and Sharing of Personal Information

How to Exercise Your California Rights

To submit a request to know, delete, or correct your personal information:

• Email: privacy@legacyplans.com with subject line "California Privacy Request"
• Account Dashboard: Use the Data Export and Account Deletion features in Profile Settings

We will verify your identity before processing your request using information associated with your account. You may designate an authorized agent to make a request on your behalf by providing written authorization to privacy@legacyplans.com. We will respond to verifiable requests within 45 days.

California "Shine the Light" Law

California Civil Code Section 1798.83 permits California residents to request a list of third parties to whom we have disclosed personal information for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

Do Not Track Signals

Our website does not currently respond to "Do Not Track" browser signals. However, we do not engage in cross-site tracking or share data with third parties for behavioral advertising, so the practical effect is the same as honoring such signals.

9. Data Retention

We retain your information for as long as your account is active or as needed to provide services:

• Active Accounts: All data is retained indefinitely while your account is active
• After Delivery: Upon verified passing and successful content delivery, data is retained for 90 days for delivery confirmation before secure deletion
• Account Deletion: Upon your request, we delete your data within 30 days, except where retention is required by law
• Notification Logs: Delivery logs are retained for 1 year for troubleshooting and audit purposes
• Legal Holds: Data may be retained longer if required for legal proceedings or regulatory compliance

10. Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately and we will take steps to delete such information.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place, including standard contractual clauses and data processing agreements, to protect your data in accordance with this Privacy Policy and applicable laws including GDPR.

12. Cookies and Tracking

We use only essential cookies necessary for authentication, session management, and security. We do not use advertising, analytics, or third-party tracking cookies. You can control cookie settings through your browser, though disabling essential cookies may affect functionality.

13. White Label Services

Legacy Plans may be offered through partner organizations (white label clients). In these cases:

• The partner organization may have access to aggregated, anonymized usage statistics
• Your personal content remains private and is not shared with the partner
• The partner's own privacy policy may also apply to your use of their branded service
• This Privacy Policy governs our handling of your data regardless of how you access the service

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of any material changes by email and/or through a prominent notice on our platform. Your continued use after changes constitutes acceptance of the updated policy.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Privacy Team: