Privacy Policy

Last Updated: 2 June 2026

Effective Date: 2 June 2026

At The Life File, we understand that you are trusting us with your most sensitive, personal, and valuable information. We believe that absolute transparency is the foundation of trust.

This Privacy Policy explains how we collect, use, fiercely protect, and ultimately delete your data. It also outlines your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

The Short Version: We do not — and will never — sell your personal data. We use zero-knowledge, end-to-end encryption to secure your Vault, meaning our team cannot view the passwords, financial details, personal details, or documents you store inside it. If you leave our platform, we permanently delete your data after 180 days.

1. Who We Are

For the purposes of the UK GDPR, the "Data Controller" (the company responsible for your personal data) is:

The Life File Ltd
Company Number: [Insert 8-digit Company Number]
ICO Registration Number: [Insert ICO Registration Number]
Registered Address: [Insert Full Registered Address, UK]
Email: [Insert Privacy Contact Email]

2. The Data We Collect

To provide you with a secure and functional platform, we collect information in three distinct categories:

A. Account & Operational Data (What we can see)

This is the limited information required to operate your account, process your subscription, and provide support:

Contact Data: Your email address (used to sign in and to send essential account communications).

Financial Data: Billing information, processed securely via our payment provider (Stripe). We do not store your full card numbers on our servers.

Account Metadata: Your subscription status, plan, trial dates, and account state. We can see that you are a subscriber, never the contents of your Vault.

Technical Data: Limited technical information such as IP address and browser type, used to operate and secure the platform.

B. Your "Vault" Data (What we CANNOT see)

This is the sensitive data you input into your secure Vault. Because of our zero-knowledge AES-256 encryption — performed on your own device with a key derived from your password — our staff and developers cannot access, read, or decrypt this information. It includes:

Your personal details, including your name, date of birth, and phone number (these are encrypted, not held as plain operational data).

Financial and banking details.

Digital legacy information (passcodes, passwords, logins).

Identity and health details.

Uploaded documents (e.g., Wills, property deeds, ID scans).

C. Third-Party Data (Invited Users & Executors)

When you invite family members or designate an Executor, you provide us with their email address. We use this solely to send them a secure invitation on your behalf and to manage their access to your Vault.

3. How We Use Your Data & Our Lawful Basis

Under UK GDPR, we must have a valid lawful basis to process your data:

To provide the Service (Contractual Necessity): Setting up your Vault, managing your 60-day trial, processing subscriptions, and facilitating Vault access for your invited users and Executors.

To secure the platform (Legitimate Interest): Monitoring for fraudulent activity, verifying logins, and ensuring the integrity of our encryption.

To communicate with you (Legitimate Interest / Consent): Sending essential service messages (trial expiration notices, security alerts, deletion warnings). We will only send marketing communications if you have explicitly opted in.

4. How We Protect Your Data

We treat your Vault data like a digital fortress.

Encryption: All sensitive Vault data and uploaded documents are encrypted on your device before they reach us, and remain encrypted at rest and in transit.

Zero-Knowledge Architecture: We do not hold the keys to decrypt your Vault entries. The decryption key is derived from your password, which never leaves your device.

Access Controls: Your Vault can only be decrypted and viewed by you, and by Executors you have explicitly designated — and only after a verified bereavement process.

5. Who We Share Your Data With

We will never sell, rent, or trade your personal information to data brokers, marketing agencies, or advertisers. We only share strictly necessary Operational Data with trusted infrastructure partners (Sub-processors) that make our service possible:

Hosting & Database: Vercel (application hosting) and Supabase (encrypted database and file storage).

Payment Processing: Stripe, to handle subscription billing.

Transactional Email: Resend, to send secure invitations and automated system alerts.

Note that because of our encryption, these providers store and transmit your Vault data only in its encrypted, unreadable form.

Legal Disclosure: We will only disclose your Operational Data to law enforcement or government authorities if strictly required to do so by a valid, legally binding UK court order. Even then, your Vault contents remain encrypted and unreadable to us.

6. Data Retention and the 180-Day Deletion Rule

We strictly adhere to data minimisation principles. You are in total control of your data's lifespan.

Active Accounts: We retain your data for as long as your Vault has an active subscription or is within its 60-day free trial.

The 180-Day Purge: If your trial expires without upgrading, or your subscription lapses, your Vault enters a "Frozen" state. If it remains Frozen for a continuous period of 180 days, we permanently and irreversibly delete your Vault, all entries, and all uploaded documents.

Manual Deletion: You may permanently delete your account at any time via your settings. Upon doing so, your Vault is immediately scrubbed from our systems.

7. Your Rights Under UK GDPR

You have robust rights regarding your personal data:

Right of Access: You can request a copy of the Operational Data we hold about you. (You already have full access to your Vault data via your dashboard.)

Right to Rectification: You can correct inaccurate Operational Data.

Right to Erasure ('Right to be Forgotten'): You can delete your account and all its data at any time from your settings.

Right to Restrict Processing: You can ask us to pause processing your data under certain conditions.

Right to Data Portability: You can download your uploaded documents from your Vault at any time, and may request a copy of your Operational Data.

Right to Object: You can object to our processing of your data for direct marketing.

How to exercise your rights: Please email us at [Insert Privacy Contact Email]. We will respond to all legitimate requests within 30 days.

8. Complaints to the ICO

If you believe we have not handled your data in accordance with the law, we kindly ask that you contact us first so we can resolve the issue. However, you have the absolute right to lodge a complaint with the UK's supervisory authority, the Information Commissioner's Office (ICO), at www.ico.org.uk.

9. Changes to This Policy

We may update this Privacy Policy periodically. If we make material changes (such as altering our retention periods or security protocols), we will notify you via the email address associated with your account before those changes take effect.

Contact Us About Data Protection

If you have any questions, concerns, or feedback regarding this Privacy Policy, please reach out to us at:

The Life File Ltd
Email: [Insert Privacy Contact Email]
Address: [Insert Full Registered Company Address, UK]