Privacy Policy

Last updated: April 28, 2026

What we collect

• Account info: email, name, password (hashed — we never store it in readable form)
• Plan data you enter: emergency contacts, medical info, account locations, wishes — whatever you put into your Emergency Card and Pro modules
• Sharing data: emails of people you grant Always-Access to
• Payment data: handled entirely by Stripe — we never see your card number
• Usage data: which pages you visit, when you log in, which features you use (analytics)

What we do with it

• Provide the service you signed up for
• Send you transactional emails (welcome, drips, cancellation confirmations, security alerts)
• Improve the product (aggregated analytics only — never tied to you specifically)
• Comply with legal obligations (e.g., respond to subpoenas)

What we don't do

• Sell your data to anyone
• Share with advertisers
• Use your data to train AI models
• Read your private content (sensitive fields are encrypted at the application level before storage)

Your rights (GDPR + CCPA)

• Access: Export your data anytime from account settings
• Correction: Edit any field anytime
• Deletion: One-click erase from account settings
• Portability: Excel export designed to be human-readable + re-importable
• Restriction: Pause processing by deactivating your account
• Objection: Email privacy@legacyready.co with specific objections

Response time: immediate for self-service rights, 30 days for human-handled requests.

Vendors who process your data

• Supabase — database hosting (US-based, SOC 2)
• Vercel — application hosting (US-based, SOC 2)
• Stripe — payment processing (PCI DSS)
• Resend — transactional email (US-based)

Each vendor is contractually bound to our privacy standards.

Cookies

We use the minimum cookies necessary to keep you logged in (session cookies). No tracking cookies. No advertising cookies.

Data retention

• Account data: retained until you delete your account
• Deleted account data: purged within 24 hours
• Backups: rotated and purged within 30 days
• Audit logs: retained 12 months for security purposes, then deleted

International transfers

Data is stored in the United States. If you're in the EU, the standard contractual clauses apply between you and our US-based vendors.

Children

Legacy Ready is not intended for users under 18. We do not knowingly collect data from children.

Changes to this policy

We'll email you 30 days before any material change.

Contact

Privacy questions: privacy@legacyready.co
Data Protection Officer: dpo@legacyready.co