Privacy Policy
This Privacy Policy explains how DIGITAL SPARKX LTD (incorporated in England & Wales with Company Number 11099716, and whose registered office is at 45a Westbourne Road, Southport, Merseyside, England, PR8 2HY, United Kingdom) (“we”, “us”, “our”) collects, uses, shares, transfers, and protects personal data when you use the Service or visit our websites.
1. Who we are
1.1 We are the controller of personal data processed in connection with the Service, except where we act as processor for a partner under a separate contract.
1.2 Our contact details are:
- 45a Westbourne Road, Southport, Merseyside, PR8 2HY
- privacy@mytreasurechest.net
- Angela Baines, Founder — privacy@mytreasurechest.net
2. Scope
2.1 This Privacy Policy applies to users, visitors, delegates, partner staff, and other individuals whose personal data we process in connection with the Service.
2.2 If you use the Service through a Partner, that Partner may also be a separate controller for some processing relating to its own relationship with you.
3. Personal Data we collect
3.1 We may collect the following categories of personal data from you:
- identity and contact details;
- account and login information;
- profile and preference data;
- subscription and billing data;
- device, browser, log, and usage data;
- communication and support records;
- vault metadata;
- documents and files you upload;
- AI input data, such as transcripts, prompts, images, or extracted text;
- delegate and estate-related information; and
- any other data you choose to provide to us.
3.2 Some data, such as financial records, identity documents, and estate documents, may be highly sensitive. We apply enhanced controls to such data.
3.3 Vault contents are encrypted at rest. We design the system so that we may not be able to read the content of your Vault.
4. How we use your Data
4.1 We process personal data for the following purposes:
- to create and manage Accounts;
- to provide the Service and related support;
- to process subscriptions and payments;
- to operate vault storage and delegation features;
- to verify estate activation requests;
- to provide and improve AI Features;
- to detect fraud, abuse, and security incidents;
- to comply with law and respond to requests from authorities;
- to maintain records, audits, and backups; and
- to send service and account communications.
4.2 The legal bases we rely on may include performance of a contract, compliance with legal obligations, legitimate interests, and consent (where required).
5. AI Processing
5.1 AI Features may involve voice transcripts, document photographs, extracted text, or similar inputs being sent to third-party AI providers, including ‘Anthropic’, for transient processing.
5.2 We do not intend to store voice transcripts after processing, and the data submitted to AI providers is limited to what is needed for the relevant feature.
5.3 We may rely on consent for certain AI processing, and where we do, you may withdraw consent by disabling the relevant feature or using manual input instead (where available).
5.4 We do not use AI to make solely automated decisions producing legal or similarly significant effects about you without human review and intervention.
6. Cookies and Similar Technologies
6.1 We use cookies and similar technologies as described in our Cookie Policy.
6.2 Essential cookies are necessary for security, login, and site functionality. Non-essential cookies are only used where permitted by law and, where required, with your consent.
7. Sharing your Data
7.1 We may share personal data with:
- ‘AWS’ and related infrastructure providers for hosting, storage, email, logging, and security;
- ‘Stripe’ or other payments providers for billing;
- ‘Anthropic’ or other AI providers for AI Features;
- ‘Vercel’ or similar frontend infrastructure providers where used;
- our professional advisers;
- law enforcement, regulators, courts, or other authorities where required or permitted by law; and
- service providers assisting with support, analytics, or communications.
7.2 We require our processors to process personal data only on our documented instructions and subject to appropriate contractual safeguards.
8. International Transfers
8.1 Some personal data may be processed outside the UK (or EEA), including where AI or cloud providers operate internationally.
8.2 Where required, we use a lawful transfer mechanism, which may include adequacy regulations, standard contractual clauses, the UK International Data Transfer Agreement or Addendum, or another lawful mechanism.
8.3 In relation to specific providers, the relevant transfer mechanism may depend on the service and the location of processing at the time of use.
9. Retention
9.1 We retain personal data only for as long as reasonably necessary for the purposes set out in this Policy and to comply with law.
9.2 In general:
- active account data is kept while the account remains active;
- deleted account data may be retained for up to 30 days before permanent deletion, unless we must keep it longer;
- audit logs may be retained for up to 7 years where required for security, compliance, or dispute purposes; and
- payment and accounting records may be retained for the period required by law.
10. Security
10.1 We use technical and organisational measures intended to protect personal data, including encryption, access controls, audit logging, network security, and periodic security reviews.
10.2 No online service is completely secure, but we work to reduce risk and respond promptly to incidents.
11. Your Rights
11.1 Depending on your location, you may have rights to access, correct, delete, restrict, object to, or port your personal data, and to withdraw consent where processing is based on consent.
11.2 To exercise your rights, you can use the in-app deletion or export tools where available or contact us using the details above.
12. Your Rights by Region
12.1 United Kingdom: You may have rights under the UK GDPR, including access, rectification, erasure, portability, restriction, objection, and complaint to the ICO.
12.2 EU/EEA: You may have similar rights under the EU GDPR, including the right to lodge a complaint with your local supervisory authority.
12.3 California: You may have rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of sale or sharing. We do not sell personal information, but where required we will provide a “Do Not Sell or Share My Personal Information” link.
12.4 Canada: You may have rights under PIPEDA, including access, correction, and withdrawal of consent, subject to legal limits.
12.5 Australia: You may have rights under the Australian Privacy Principles, including access, correction, and complaint to the OAIC.
12.6 Brazil: You may have rights under the LGPD, including confirmation, access, correction, anonymisation, deletion, and complaint to the ANPD, subject to legal limits.
12.7 Other Regions: We will seek to comply with all mandatory applicable laws.
13. Children
13.1 The Service is intended for adults aged 18 and over.
13.2 We do not knowingly collect personal data from children under 18. If we become aware that we have done so, we will take appropriate steps to delete it.
14. Data Breaches
14.1 If we become aware of a personal data breach, we will investigate and, where required, notify the relevant authority and affected individuals in accordance with applicable law.
14.2 In the UK, that may include notification to the ICO within 72 hours where required.
14.3 We may also notify users sooner where appropriate, including where a consumer privacy law requires expedient notice.
15. Complaints
15.1 If you have concerns, contact us first and we will try to resolve the matter.
15.2 If you are not satisfied, you may have the right to complain to the ICO, your local EU supervisory authority, the OAIC, the ANPD, or another competent authority depending on your location.
16. Changes to this Policy
16.1 We may update this Privacy Policy from time to time.
16.2 We will post the updated version and, where the change is material, may notify you by email or in-app notice.
17. Further Information
17.1 If you are interacting with a Partner through the Service, that Partner may also have its own privacy notices and data processing terms.
17.2 If there is any conflict between this Policy and mandatory applicable laws, the mandatory applicable laws prevail.