The Short Version
- We cannot read your files. They're encrypted before leaving your device.
- We don't know your username or password. We store only a one-way hash of your username and a hash of a login token derived from your password.
- We cannot link your payment to your vault (if you use anonymous payment).
- We keep minimal logs and delete them regularly.
- We will never sell data. We literally don't have data to sell.
- Upon your death, everything is permanently destroyed.
Contents
- 1. Our Privacy Philosophy
- 2. What We Collect
- 3. What We Cannot Access
- 4. How Our Encryption Works
- 5. Data Storage & Security
- 6. Third Parties
- 7. Law Enforcement & Legal Requests
- 8. Data Retention & Deletion
- 9. Your Rights
- 10. Cookies & Analytics
- 11. Children's Privacy
- 12. Changes to This Policy
- 13. Contact Us
1. Our Privacy Philosophy
Most privacy policies are lists of ways companies could use your data, hedged with promises that they won't. We think that's backwards.
Delete Upon Death is built on a different principle: we've engineered our systems so that we cannot access your data, even if we wanted to, even if we were compelled to.
This is called zero-knowledge architecture. Your files are encrypted on your device before they reach our servers. We never see the encryption keys. We never see your password. We store only encrypted blobs that are mathematically useless without your credentials.
Privacy isn't a policy for us. It's a technical constraint.
2. What We Collect
Here's an honest breakdown of every piece of data we handle:
| Data | Stored | Can We Read It? | Purpose |
|---|---|---|---|
| Account ID (hashed username) | Yes | No — irreversible hash | Identify your account |
| Authentication token (hashed) | Yes | No — irreversible hash | Verify login |
| Your username (plaintext) | No | No — never sent to us | N/A |
| Your password (plaintext) | No | No — never sent to us | N/A |
| Encrypted files | Yes | No — encrypted client-side | Store your data |
| Encrypted filenames | Yes | No — encrypted client-side | Organize your vault |
| File sizes | Yes | Yes | Storage quota tracking |
| Timestamps (upload, access) | Yes | Yes | Dead man's switch, display |
| Notification address (email/Signal) | Optional | Minimal — for sending only | Check-in reminders |
| Trusted contact addresses | Hashed + encrypted | No — encrypted with your key | Death verification |
| Payment information | No — processor handles | No | Process payment |
| IP address | Temporarily | Yes — for rate limiting | Abuse prevention |
3. What We Cannot Access
This is the important part. Because of our zero-knowledge architecture, the following are cryptographically infeasible for us to access:
- The contents of your files — encrypted with keys we never see
- The names of your files — also encrypted
- Your username — we store only a one-way hash; we cannot recover a username from it, although anyone who already suspects a particular username could check it against the hash
- Your password — never transmitted to our servers
- Your encryption keys — derived from your password client-side
If our database were stolen tomorrow, the attacker would get encrypted blobs and hashed identifiers. Without your password, this data is useless. One caveat every user should understand: the protection is exactly as strong as your password. An attacker holding the database can try password guesses offline (Argon2id makes each guess slow and expensive, but not impossible), so a long, unique passphrase is what keeps your vault sealed.
What this means: If you lose your password, we cannot help you recover your account. This isn't us being difficult — it's proof that the system works. We genuinely cannot access your data.
4. How Our Encryption Works
For transparency, here's how data flows through our system:
```text
// On your device (client-side):
1. You enter username + password
2. Username → hashed (Argon2id) → becomes account_id
3. Password → derived (Argon2id) → becomes master_key
4. Password → derived differently → becomes auth_token
5. Your files → encrypted with master_key (AES-256-GCM)

// Sent to our server:
account_id      ← we store this (can't reverse to username)
auth_token      ← we store a hash of this
encrypted_files ← we store this (can't decrypt)

// Never sent to our server:
username   ← stays on your device
password   ← stays on your device
master_key ← stays on your device
```
For full technical details, see our Security Whitepaper.
5. Data Storage & Security
Where Data Is Stored
Your encrypted data is stored on servers located in [jurisdiction]. If you purchase the Geographic Redundancy add-on, a second encrypted copy is stored in [second jurisdiction].
Security Measures
- Encryption at rest: Server-side encryption on all storage (in addition to your client-side encryption)
- Encryption in transit: TLS 1.3 for all connections
- Access controls: Only a minimal number of employees have server access, and every access is logged
- Infrastructure: Hardened servers, regular security updates, DDoS protection
- Audits: Annual third-party security audits
Breach Notification
In the unlikely event of a security breach, we will notify affected users within 72 hours via any notification address on file and post a notice on our website. Remember: even in a breach, your encrypted data remains encrypted.
6. Third Parties
Service Providers We Use
| Service | Purpose | Data Shared |
|---|---|---|
| Cloud hosting provider | Server infrastructure | Encrypted blobs only |
| Payment processor | Handle payments | Payment info (not linked to vault) |
| Email delivery service | Send check-in reminders | Notification address only |
What We Don't Do
- We do not sell your data to anyone
- We do not share data with advertisers
- We do not use third-party analytics that track you
- We do not allow third-party cookies
7. Law Enforcement & Legal Requests
We respect the rule of law. We also designed our system to protect you even if we're compelled to cooperate with legal requests.
What We Can Provide If Legally Compelled
- Confirmation that a hashed account_id exists (or doesn't)
- Encrypted file blobs (useless without your password)
- Timestamps (when account was created, last access)
- File sizes
- Notification address (if one is on file)
What We Cannot Provide (Even If Compelled)
- Decrypted file contents — we can't decrypt them
- Your username — we hold only a one-way hash; it can confirm a username a requester already suspects, but it cannot reveal one
- Your password — we never had it
- Link between payment and vault — not recorded (for anonymous payments)
Warrant Canary
We maintain a warrant canary — a signed statement updated monthly confirming we have not received any secret court orders or national security letters. If this statement stops being updated, assume we have received such an order and act accordingly.
Legal Request Transparency
We publish an annual transparency report detailing the number of legal requests received and how we responded. We will always push back on overly broad requests.
8. Data Retention & Deletion
While You're Alive
- Vault data: Retained as long as your account is active
- Access logs: Deleted after 30 days
- IP addresses: Deleted after 7 days
Upon Confirmed Death
When our death detection system confirms your passing (through missed check-ins, trusted contact reports, or death registry matches) and the grace period expires:
- All encrypted files are permanently deleted
- All metadata (encrypted filenames, folder structure) is deleted
- All trusted contact information is deleted
- Your account record is deleted
- Only an anonymized log entry remains (timestamp, file count, bytes deleted)
This deletion is irreversible. That's the point.
If You Delete Your Account
You can delete your account at any time from your vault settings. The deletion process is the same as death-triggered deletion: complete and permanent.
If We Shut Down
If Delete Upon Death ever ceases operations, we will provide at least 12 months notice and open-source our client software so you can export your encrypted data.
9. Your Rights
Depending on your jurisdiction, you may have the following rights:
Access
You can access all your data by logging into your vault. We cannot provide a readable copy on request, because we cannot decrypt it; only your own client, with your password, can.
Rectification
You can modify your vault contents at any time.
Erasure
You can delete individual files or your entire account at any time. Deletion is permanent and immediate.
Portability
You can download all your files from your vault in their original format.
Objection
We don't process your data for marketing or profiling, so there's nothing to object to.
GDPR, CCPA, and Other Regulations
Our zero-knowledge architecture means we comply with the spirit of privacy regulations by default. We collect minimal data, can't access what we store, and delete everything upon request or death.
10. Cookies & Analytics
Cookies We Use
| Cookie | Purpose | Duration |
|---|---|---|
| session_id | Keep you logged in | Session (until logout/close) |
| csrf_token | Security (prevent cross-site attacks) | Session |
Cookies We Don't Use
- No advertising cookies
- No third-party tracking cookies
- No social media cookies
- No Google Analytics or similar
Analytics
We collect minimal, anonymized analytics (page views, general geographic region) using a self-hosted, privacy-respecting solution. This data cannot be linked to individual users.
11. Children's Privacy
Delete Upon Death is not intended for use by anyone under the age of 18. We do not knowingly collect information from children. If you believe a child has created an account, please contact us.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we do:
- We'll update the "Last updated" date at the top
- For significant changes, we'll notify you via your notification address (if on file) or a prominent notice on our website
- We'll maintain an archive of previous versions
Continued use of the service after changes constitutes acceptance of the updated policy.
13. Contact Us
Questions about this Privacy Policy or our privacy practices?