Privacy Policy

Effective Date: March 15, 2026 · Last Updated: March 15, 2026

1. Introduction

Keepacy (“we,” “us,” or “our”) operates the Keepacy platform at keepacy.com, including the web application, APIs, and related services (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.

Keepacy is the data controller for your personal information. Our contact details are listed in Section 17 of this policy.

By using Keepacy, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

  • Account information: email address, password (stored as a bcrypt hash), and optional display name. Your email address is used for account authentication, email-based multi-factor authentication, transactional notifications (verification, check-in alerts, beneficiary updates), and account recovery.
  • Documents: files you upload to your vault (wills, insurance policies, financial records, medical directives, identity documents, and similar). All documents are encrypted at rest using AES-256-GCM with per-user keys. We cannot access or read the plaintext contents of your encrypted documents.
  • Beneficiary information: names, email addresses, phone numbers, and relationship descriptions of individuals you designate as beneficiaries. Beneficiary email addresses are used solely to send vault access notifications if your check-in system triggers. Beneficiary phone numbers, if provided, are used solely for escalation notifications.
  • Phone number: if you opt in to SMS-based check-ins or SMS two-factor authentication, we collect your mobile phone number. Your phone number is used solely to deliver check-in prompts, escalation alerts, and MFA codes via SMS or voice call.
  • Payment information: if you subscribe to a paid plan, payment details are collected and processed by our third-party payment processor (Stripe). We do not store credit card numbers on our servers.

2.2 Information Collected Automatically

  • Usage data: timestamps of logins, check-in responses, and feature interactions.
  • Audit logs: records of security-relevant actions (login attempts, MFA events, document access, beneficiary modifications) for security and compliance purposes.
  • Device information: IP address, browser type, and operating system, collected via server access logs for security monitoring.

2.3 Cookies and Similar Technologies

Keepacy uses a minimal number of cookies, limited to those necessary for the Service to function:

  • Authentication cookies: we use a secure, HttpOnly cookie to store your session refresh token. This cookie is essential for keeping you logged in and cannot be accessed by JavaScript running in your browser. It is set with the SameSite attribute and is transmitted only over HTTPS.
  • Bot protection: Cloudflare Turnstile may set cookies on authentication pages to distinguish humans from automated bots.

We do not use advertising cookies, analytics cookies, or any third-party tracking cookies. We do not participate in cross-site tracking or interest-based advertising.

2.4 Information We Do Not Collect

  • We do not use third-party analytics trackers, advertising pixels, or behavioral profiling tools.
  • We do not collect biometric data.
  • We do not sell, share, or use personal information for targeted advertising.

2.5 Information About Beneficiaries

When you add a beneficiary, you provide us with their name, email address, and optionally their phone number. This information is provided by you, not directly by the beneficiary. We use this information solely to notify your beneficiaries if your check-in system triggers vault access, or to send them an initial invitation email on your behalf. Beneficiaries who wish to exercise their data rights may contact us at privacy@keepacy.com.

3. Lawful Basis for Processing

We process your personal information on the following legal bases:

  • Contractual necessity: processing required to provide the Service you have signed up for, including document storage, check-in monitoring, beneficiary notifications, and account management.
  • Consent: where you have opted in to specific features, such as SMS messaging or voice call check-ins. You may withdraw consent at any time.
  • Legitimate interests: fraud prevention, security monitoring, abuse detection, and improving the reliability of the Service, where these interests are not overridden by your rights.
  • Legal obligation: where we are required to process or retain data to comply with applicable laws.

4. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service, including document storage, check-in monitoring, and beneficiary notifications.
  • Authenticate your identity and protect your account (passwords, MFA, session management).
  • Send transactional communications: email verification, check-in prompts, MFA codes, beneficiary notifications, and account alerts.
  • Send SMS messages for check-in confirmations, two-factor authentication codes, and urgent escalation alerts when you have opted in to SMS communications.
  • Process payments and manage subscriptions.
  • Detect, investigate, and prevent security incidents and fraudulent activity.
  • Comply with legal obligations, including responding to lawful data requests.

We do not use your personal information for automated profiling, targeted advertising, or any purpose unrelated to the operation of the Service.

5. Automated Decision-Making

Keepacy's check-in system uses automated processing to monitor your activity and trigger escalation sequences. Specifically:

  • If you do not respond to check-in prompts within your configured inactivity window, the system automatically escalates notifications (SMS, email, voice call) and may ultimately grant your designated beneficiaries access to your shared documents.
  • This automated processing is a core function of the Service that you configure and control. You set the inactivity window, choose the escalation methods, and designate which beneficiaries receive access to which documents.
  • You can pause, modify, or disable the check-in system at any time from your account settings.
  • Responding to any check-in prompt at any stage of escalation immediately resets the system.

No other automated decision-making or profiling with legal or similarly significant effects is performed on your data.

6. SMS and Messaging

If you opt in to SMS-based features (check-in alerts, two-factor authentication, or escalation notifications), the following applies:

  • We collect your mobile phone number solely to deliver the SMS services you have opted in to.
  • We do not use your phone number, SMS opt-in data, or any data collected via SMS for marketing or advertising purposes.
  • No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. Phone numbers are shared only with our SMS delivery provider (Twilio) for the sole purpose of delivering messages to you.
  • SMS consent is not a condition of purchasing any goods or services from Keepacy.
  • You can opt out of SMS messages at any time by replying STOP to any message or by disabling SMS features in your account settings.
  • For help, reply HELP to any message or contact support@keepacy.com.

7. Data Sharing and Disclosure

We do not sell your personal information. We do not share your personal data with third parties for their marketing or advertising purposes.

We share information only in the following limited circumstances:

  • Service providers (sub-processors): we use third-party providers to operate the Service. These providers access only the minimum data necessary to perform their functions, are contractually obligated to protect it, and have Data Processing Agreements in place where required. See Section 13 for a full list.
  • Beneficiary access: when your check-in system triggers beneficiary notification (per your configuration), designated beneficiaries receive access to the documents and information you have chosen to share with them. This is a core function of the Service that you control.
  • Legal requirements: we may disclose information when required by law, court order, or governmental regulation, or when we believe disclosure is necessary to protect the rights, property, or safety of Keepacy, our users, or the public.
  • Business transfers: if Keepacy is acquired, merged, or sells substantially all of its assets, user data may be transferred as part of that transaction. We will notify users via email at least 30 days before any such transfer and update this Privacy Policy.

8. Data Security

We implement technical and organizational measures to protect your data:

  • All documents are encrypted at rest using AES-256-GCM with per-user encryption keys derived via PBKDF2. We operate a zero-knowledge architecture: the server never stores your plaintext documents or encryption keys.
  • All data in transit is encrypted using TLS 1.2 or higher.
  • Passwords are hashed using bcrypt with a work factor of 12.
  • Multi-factor authentication is required for all accounts.
  • MFA secrets, beneficiary data, and death certificates are each encrypted with dedicated, separate encryption keys.
  • Database backups are encrypted at rest.
  • Access to production systems is restricted to authorized personnel and logged.

While we strive to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

9. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify affected users by email within 72 hours of becoming aware of the breach.
  • Provide a description of the nature of the breach, the categories of data affected, and the measures taken or proposed to address it.
  • Report the breach to relevant supervisory authorities as required by applicable law (including GDPR Article 33 where applicable).
  • Maintain an internal record of all data breaches, regardless of whether notification is required.

10. Data Retention

We retain your data as follows:

  • Active account data: retained for the lifetime of your account.
  • Documents: retained until you delete them or delete your account.
  • Audit logs: retained for 3 years after account deletion (anonymized).
  • Beneficiary access logs: retained for 7 years after the access event (anonymized) for legal compliance.
  • Check-in event history: retained for 1 year.
  • Beneficiary contact information: retained until removed by the account holder, or until 30 days after account deletion.

When you delete your account, we initiate a 30-day grace period during which you may cancel the deletion. After 30 days, all personal data is permanently deleted from our systems, except for anonymized audit records retained per the schedule above.

11. International Data Transfers

Keepacy is based in the United States. All data is stored and processed on servers located in the United States (AWS US-East-1 region). If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and/or the UK International Data Transfer Agreement as the legal mechanism for transferring personal data to the United States. Our sub-processors (AWS, Twilio, Stripe, Cloudflare) each maintain their own SCCs and Data Processing Agreements.

12. Your Rights

12.1 All Users

You may:

  • Access and export all data we hold about you via your account settings.
  • Correct or update your personal information at any time.
  • Delete your account and all associated data.
  • Opt out of SMS communications at any time.

12.2 European Economic Area, United Kingdom, and Switzerland (GDPR)

If you are located in the EEA, UK, or Switzerland, you have the following additional rights under the General Data Protection Regulation:

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: request correction of inaccurate or incomplete data.
  • Right to erasure: request deletion of your personal data, subject to legal retention obligations.
  • Right to restrict processing: request that we limit how we use your data in certain circumstances.
  • Right to data portability: receive your personal data in a structured, commonly used, machine-readable format.
  • Right to object: object to processing based on legitimate interests.
  • Right to withdraw consent: where processing is based on consent (e.g., SMS opt-in), you may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right not to be subject to automated decision-making: you may request human review of any automated decision that significantly affects you. See Section 5 for details on our automated processing.
  • Right to lodge a complaint: you have the right to lodge a complaint with your local data protection supervisory authority.

We do not currently have a physical establishment in the EEA. If we determine that we are required to appoint an EU representative under GDPR Article 27, we will update this policy with their contact details.

12.3 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • Right to Know: you may request the categories and specific pieces of personal information we have collected about you, the sources, the business purpose, and the categories of third parties with whom we share it.
  • Right to Delete: you may request that we delete your personal information, subject to certain exceptions.
  • Right to Correct: you may request correction of inaccurate personal information.
  • Right to Non-Discrimination: we will not discriminate against you for exercising your privacy rights.
  • Do Not Sell or Share: we do not sell personal information and do not share personal information for cross-context behavioral advertising. No opt-out is necessary because no sale or sharing occurs.

12.4 Virginia, Colorado, Connecticut, and Other US States

If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), or another US state with a comprehensive consumer privacy law, you may have similar rights to access, correct, delete, and port your personal data, as well as the right to opt out of targeted advertising and the sale of personal data.

  • We do not sell personal data or use it for targeted advertising, so no opt-out action is required on your part.
  • We honor Global Privacy Control (GPC) and similar browser-based opt-out preference signals.
  • Right to appeal: if we deny a privacy rights request, you may appeal by contacting us at privacy@keepacy.com with the subject line “Privacy Rights Appeal.” We will respond within 60 days. If you are not satisfied with our response, you may contact your state's attorney general.

To exercise any of the rights described above, contact us at privacy@keepacy.com. We will respond to verified requests within 30 days (or within the timeframe required by applicable law).

13. Third-Party Services (Sub-Processors)

The Service integrates with the following third-party providers. We maintain Data Processing Agreements with each where required:

  • Amazon Web Services (AWS): cloud infrastructure, encrypted file storage, database hosting, and application logs. Data stored in the US-East-1 region.
  • SendGrid (Twilio): transactional email delivery. Receives email addresses and message content necessary to deliver check-in prompts, MFA codes, and beneficiary notifications.
  • Twilio: SMS delivery and voice calls. Receives phone numbers and message content necessary to deliver check-in prompts, MFA codes, and escalation alerts. Phone and SMS data shared with Twilio is not used for marketing.
  • Stripe: payment processing for subscriptions. Receives payment card data, billing address, and transaction details. Keepacy does not store payment card numbers.
  • Cloudflare: bot protection (Turnstile) on authentication forms. Processes IP addresses and browser metadata to distinguish humans from bots.

Each provider maintains its own privacy policy and security certifications. We share only the minimum data necessary for each provider to perform its function.

14. Do Not Track

Some browsers transmit a “Do Not Track” (DNT) signal. Because there is no industry-wide standard for DNT, we do not currently respond to DNT signals specifically. However, Keepacy does not engage in cross-site tracking, interest-based advertising, or any tracking that DNT is designed to prevent. We also honor Global Privacy Control (GPC) signals as an opt-out of the sale or sharing of personal data, though we do not sell or share personal data in any case.

15. Children's Privacy

Keepacy is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at privacy@keepacy.com.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the “Last Updated” date at the top of this page. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy. We encourage you to review this policy periodically.

17. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: