Privacy Policy
Effective Date: March 11, 2026
Last Updated: March 11, 2026
VaultLegacy ("we," "us," "our," or the "Company") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, store, and share information when you use our digital estate planning platform (the "Service").
By accessing or using VaultLegacy, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with this Policy, please do not use the Service.
1. Information We Collect
We collect the following categories of information when you use VaultLegacy:
1.1 Account Information
- Email address -- Required for account creation, authentication, and service communications
- Full name -- Used for account identification and personalization
- Location (country/region) -- Used to provide jurisdiction-relevant information and comply with local regulations
1.2 Digital Asset Metadata
When you use our vault features, we store metadata about your digital assets, such as:
- Account names and types (e.g., "Coinbase account," "Gmail account")
- Beneficiary designations and distribution instructions
- Notes and messages for your designated contacts
- Asset categories and organizational labels
Important: What We Do NOT Store
We do NOT store actual assets, private keys, passwords, seed phrases, or financial access credentials on our servers in decrypted form. All sensitive vault data is encrypted using AES-256 encryption before storage. We cannot access the decrypted contents of your vault.
1.3 Payment Information
Payment processing is handled entirely by Stripe, our third-party payment processor. We do not store your full credit card number, CVV, or banking details on our servers. We receive and store only:
- Transaction confirmation and payment status
- Last four digits of your payment method (for your reference)
- Billing country and postal code
- Stripe customer ID (for managing your account)
1.4 Automatically Collected Information
- Usage data: Pages visited, features used, actions taken within the Service
- Device information: Browser type, operating system, device type, screen resolution
- Log data: IP address, access times, referring URLs, error logs
2. How We Use Your Information
We use the information we collect for the following purposes:
2.1 To Provide and Maintain the Service
- Create and manage your account
- Store and encrypt your vault data
- Process your payments
- Enable beneficiary designations and trusted contact features
- Authenticate your identity and secure your account
2.2 To Improve the Platform
- Analyze usage patterns to improve features and user experience
- Identify and fix technical issues, bugs, and security vulnerabilities
- Develop new features based on aggregate usage data
- Monitor Service performance and reliability
2.3 To Communicate With You
- Send essential service emails (account verification, security alerts, payment confirmations)
- Notify you of changes to our Terms of Service or Privacy Policy
- Respond to your support requests and inquiries
- Send important product updates that affect your account functionality
We do not send promotional marketing emails without your explicit opt-in consent. You may opt out of non-essential communications at any time.
3. Data Storage & Security
Protecting your data is fundamental to our mission. We implement multiple layers of security:
AES-256 Encryption
All sensitive vault data is encrypted at rest using AES-256 encryption, the gold standard used by governments and financial institutions worldwide.
TLS 1.2+ in Transit
All data transmitted between your device and our servers is encrypted using Transport Layer Security (TLS) 1.2 or higher.
Secure Servers
Our infrastructure is hosted on secure, SOC 2-compliant cloud providers with physical security, redundancy, and disaster recovery measures.
Access Controls
Strict role-based access controls, multi-factor authentication for internal systems, and regular access reviews for all team members.
Additionally, we implement:
- Regular security audits and penetration testing
- Automated monitoring for suspicious activity and unauthorized access attempts
- Data backups with encrypted redundant storage
- Incident response procedures for rapid breach identification and mitigation
While we employ robust security measures, no system is perfectly secure. We cannot guarantee absolute security but are committed to protecting your information using industry best practices.
4. What We Don't Do
We believe transparency about our data practices is just as important as what we do with your data. Here is what we commit to never doing:
We DO NOT sell your data.
Your personal information and vault contents are never sold, rented, or leased to any third party, under any circumstances.
We DO NOT share your data with third parties for marketing purposes.
We never provide your information to advertisers, data brokers, or marketing companies. Your data is used solely to provide and improve the Service.
We DO NOT access your vault contents without legal obligation.
Your encrypted vault data is your own. We will not access, read, or decrypt your vault contents unless compelled to do so by a valid court order, subpoena, or other binding legal process. Even then, we will notify you (if legally permitted) and will challenge overly broad requests.
5. Third-Party Services
We use a limited number of third-party service providers to operate VaultLegacy. Each provider is selected for their security standards and data protection practices:
Stripe (Payment Processing)
Stripe processes all payments on our behalf. When you make a purchase, your payment information is transmitted directly to Stripe and is subject to Stripe's Privacy Policy. Stripe is PCI DSS Level 1 certified, the highest level of certification available in the payments industry.
We may also use:
- Cloud hosting providers for secure infrastructure and data storage
- Email delivery services for transactional emails (account verification, security alerts)
- Analytics tools for aggregated, anonymized usage statistics (no personal data shared)
All third-party providers are contractually obligated to protect your information and may only use it to perform services on our behalf. We do not allow them to use your personal information for their own purposes.
6. GDPR Compliance (European Union Users)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) and related data protection laws.
6.1 Legal Basis for Processing
We process your personal data under the following legal bases:
- Consent: Where you have given explicit consent for specific processing activities (e.g., marketing communications). You may withdraw consent at any time.
- Contract Performance: Processing necessary to fulfill our contractual obligations to you, including providing the Service, managing your account, and processing payments.
- Legitimate Interest: Processing necessary for our legitimate business interests, such as improving the Service, ensuring security, and preventing fraud, where these interests do not override your data protection rights.
- Legal Obligation: Processing required to comply with applicable laws and regulations.
6.2 Your Rights Under GDPR
As an EU/EEA user, you have the right to:
- Access -- Request a copy of the personal data we hold about you
- Rectification -- Request correction of inaccurate or incomplete personal data
- Erasure ("Right to Be Forgotten") -- Request deletion of your personal data, subject to legal retention requirements
- Restriction -- Request restriction of processing of your personal data in certain circumstances
- Data Portability -- Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller
- Object -- Object to processing based on legitimate interests or direct marketing
- Withdraw Consent -- Withdraw previously given consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
6.3 Data Protection Officer
To exercise any of your GDPR rights, or if you have questions about our data protection practices, please contact our Data Protection Officer:
Data Protection Officer
Email: privacy@vaultlegacy.com
We will respond to all GDPR requests within 30 days, as required by law. Complex requests may require an extension of up to 60 additional days, in which case we will notify you.
6.4 International Data Transfers
Your data may be transferred to and processed in countries outside the EEA. When such transfers occur, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally approved transfer mechanisms.
You also have the right to lodge a complaint with your local data protection supervisory authority if you believe your rights have been violated.
7. CCPA Compliance (California Users)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
7.1 Your Rights Under CCPA/CPRA
- Right to Know: You have the right to request that we disclose what personal information we have collected about you, the categories of sources from which it was collected, the business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You have the right to request the deletion of your personal information, subject to certain exceptions (e.g., legal compliance, completing transactions, security).
- Right to Opt-Out of Sale: You have the right to opt out of the "sale" of your personal information. However, VaultLegacy does not sell your personal information and has never sold personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. You will not receive different pricing, quality of service, or access levels for exercising your privacy rights.
- Right to Correct: You have the right to request correction of inaccurate personal information we hold about you.
- Right to Limit Use of Sensitive Information: You have the right to limit our use of sensitive personal information to purposes necessary to provide the Service.
"Do Not Sell My Personal Information"
VaultLegacy does not sell, rent, or trade your personal information to third parties for monetary or other valuable consideration. We do not participate in data broker activities. This applies to all users, not just California residents.
7.2 How to Exercise Your Rights
California residents may submit requests by:
- Emailing privacy@vaultlegacy.com with the subject line "CCPA Request"
- We will verify your identity before processing any request
- We will respond within 45 days, with a possible extension of 45 additional days for complex requests
7.3 Categories of Information Collected (Last 12 Months)
| Category | Collected | Sold |
|---|---|---|
| Identifiers (name, email) | Yes | No |
| Commercial information (purchase history) | Yes | No |
| Internet activity (usage data, logs) | Yes | No |
| Geolocation (country/region) | Yes | No |
8. Cookies & Tracking Technologies
VaultLegacy uses essential cookies only. We do not use advertising cookies, tracking pixels, or third-party marketing cookies.
8.1 Essential Cookies We Use
| Cookie | Purpose | Duration |
|---|---|---|
| session_id | Maintains your authenticated session | Session |
| auth_token | Keeps you logged in across visits | 7 days |
| cookie_consent | Remembers your cookie preferences | 1 year |
| theme_pref | Stores your dark/light mode preference | 1 year |
8.2 Cookie Consent
Because we use only essential cookies that are strictly necessary for the Service to function, they do not require consent under most privacy regulations. However, we provide transparency about all cookies used, and you can manage cookies through your browser settings.
Disabling essential cookies may prevent certain features of the Service from functioning properly, including authentication and session management.
9. Data Retention
Our data retention practices are designed to keep your data only as long as necessary:
9.1 Active Accounts
Your personal data and vault contents are retained for as long as your account remains active and in good standing. "Active" means you have not requested account closure or been terminated for Terms violations.
9.2 Account Closure
Upon receiving a valid account closure request:
- Vault data: Permanently deleted within 90 days of the closure request
- Account information: Anonymized or deleted within 90 days
- Transaction records: Retained for up to 7 years as required by tax and financial regulations
- Anonymized analytics data: May be retained indefinitely in aggregate form that cannot identify you
9.3 Legal Holds
If we are required to preserve data due to litigation, regulatory investigation, or legal obligation, we will retain the relevant data until the hold is lifted, after which standard deletion procedures apply.
10. Children's Privacy
VaultLegacy is not intended for use by individuals under the age of 18. We do not knowingly collect, use, or disclose personal information from anyone under 18 years of age.
If we become aware that we have collected personal information from a person under 18, we will take immediate steps to:
- Delete the personal information from our systems
- Terminate the associated account
- Notify the parent or guardian, if contact information is available
If you are a parent or guardian and believe your child under 18 has provided personal information to VaultLegacy, please contact us immediately at privacy@vaultlegacy.com so we can take appropriate action.
This policy complies with the Children's Online Privacy Protection Act (COPPA) and equivalent international regulations.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes:
- We will update the "Effective Date" and "Last Updated" date at the top of this page
- For material changes, we will provide notice via email to the address associated with your account at least 30 days before the changes take effect
- We will display a prominent notification on the Service
- Where required by law, we will obtain your consent before applying material changes
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
If you disagree with any changes, you may request account deletion by contacting us at privacy@vaultlegacy.com.
12. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
VaultLegacy Privacy Team
Email: privacy@vaultlegacy.com
For general support inquiries, please contact support@vaultlegacy.com.
For GDPR-specific inquiries, please direct your correspondence to our Data Protection Officer at privacy@vaultlegacy.com with the subject line "GDPR Inquiry."
We aim to respond to all privacy-related inquiries within five (5) business days, and to fulfill data rights requests within the timeframes required by applicable law.