Privacy Policy

Last Updated: March 1, 2026

1. Introduction

At Legacy, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our secure file transfer and beneficiary management platform.

We are committed to protecting your personal information and your right to privacy. By using Legacy, you agree to the collection and use of information in accordance with this policy.

If you have any questions or concerns about our policy or our practices regarding your personal information, please contact us at legal@legggacy.com.

2. Information We Collect

Personal Information You Provide:

  • Account Information: Name, email address, password, phone number (optional)
  • Profile Information: Profile photo, timezone, preferences
  • Payment Information: Credit card details, billing address (processed by Stripe)
  • Beneficiary Information: Names and email addresses of designated beneficiaries
  • Communications: Messages sent through our platform, support requests

Files and Content:

  • Files you upload to our Service
  • File metadata (names, sizes, upload dates)
  • Messages to beneficiaries

Automatically Collected Information:

  • Usage Data: Pages visited, features used, time spent on the Service
  • Device Information: IP address, browser type, operating system, device identifiers
  • Log Data: Access times, error logs, referral URLs
  • Cookies: Session cookies, preference cookies (see Cookie Policy)

Information from Third Parties:

  • Payment processing information from Stripe
  • Authentication data from Supabase

3. How We Use Your Information

We use your information to:

Provide and Maintain the Service:

  • Create and manage your account
  • Store and secure your files
  • Process file uploads and downloads
  • Manage beneficiary designations and access requests
  • Send access codes and notifications

Improve and Personalize the Service:

  • Understand how users interact with our Service
  • Develop new features and functionality
  • Personalize your experience
  • Analyze usage trends and patterns

Communicate with You:

  • Send transactional emails (access codes, approvals, notifications)
  • Respond to your inquiries and support requests
  • Send service updates and security alerts
  • Send marketing communications (with your consent)

Process Payments:

  • Process subscription payments
  • Manage billing and invoices
  • Prevent fraud and unauthorized transactions

Ensure Security and Compliance:

  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations
  • Enforce our Terms of Service
  • Protect our rights and property

4. Information Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

With Designated Beneficiaries:

  • When you designate beneficiaries, we share their nomination status
  • Upon approval, beneficiaries receive access to designated files
  • Beneficiaries can see file names, sizes, and your messages

With Service Providers:

  • AWS (Amazon Web Services): File storage and hosting
  • Supabase: Authentication and database services
  • Stripe: Payment processing
  • SendGrid: Email delivery
  • Vercel: Application hosting

These service providers are contractually obligated to protect your information and use it only for the purposes we specify.

For Legal Reasons:

  • To comply with legal obligations, court orders, or government requests
  • To enforce our Terms of Service
  • To protect our rights, property, and safety
  • To investigate fraud or security issues

Business Transfers:

If Legacy is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.

With Your Consent:

We may share your information for any other purpose with your explicit consent.

5. Data Storage and Security

Where We Store Your Data:

  • Files are stored on Amazon S3 servers in eu-north-1 (Stockholm, Sweden)
  • Database information is stored on Supabase servers
  • All data is encrypted at rest and in transit

Security Measures:

  • Encryption: AES-256 encryption for files, TLS/SSL for data transmission
  • Access Controls: Role-based access, least privilege principle
  • Authentication: Secure password hashing, optional two-factor authentication
  • Monitoring: 24/7 security monitoring and logging
  • Regular Audits: Security assessments and penetration testing
  • Compliance: SOC 2 compliant infrastructure

Your Responsibility:

While we implement robust security measures, you are responsible for maintaining the confidentiality of your account credentials and for any activity under your account.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

6. Data Retention

Files: We retain your files according to the expiry period you select (1, 3, 6, 12 months, or lifetime depending on your plan). Files are automatically deleted after expiration unless you renew them.

Account Information: We retain your account information while your account is active and for 90 days after account deletion, except where longer retention is required by law.

Activity Logs: We retain activity logs for 12 months for security and compliance purposes.

Backups: Backup copies of deleted data may persist for up to 90 days before permanent deletion.

Legal Holds: We may retain information longer if required for legal, regulatory, or security purposes.

7. Your Privacy Rights

Depending on your location, you may have the following rights:

Access and Portability:

  • Request a copy of your personal information
  • Export your data in a machine-readable format

Correction:

  • Update inaccurate or incomplete information
  • Correct errors in your profile

Deletion:

  • Request deletion of your account and personal information
  • Delete individual files at any time

Restriction and Objection:

  • Restrict processing of your information
  • Object to certain uses of your data

Withdraw Consent:

  • Withdraw consent for marketing communications
  • Opt out of optional data collection

How to Exercise Your Rights:

You can exercise most rights through your account settings. For other requests, contact us at legal@legggacy.com. We will respond within 30 days.

GDPR Rights (EU/EEA Users):

If you are in the European Economic Area, you have additional rights under GDPR, including the right to lodge a complaint with your local data protection authority.

CCPA Rights (California Users):

California residents have specific rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect and the right to opt out of the sale of personal information (we do not sell personal information).

8. Cookies and Tracking

We use cookies and similar tracking technologies to track activity on our Service and store certain information. For detailed information about the cookies we use and your choices, please see our Cookie Policy.

Types of Cookies We Use:

  • Essential Cookies: Required for the Service to function
  • Preference Cookies: Remember your settings and preferences
  • Analytics Cookies: Help us understand how users interact with the Service
  • Security Cookies: Authenticate users and prevent fraud

You can control cookies through your browser settings. Note that disabling cookies may affect the functionality of the Service.

9. Children's Privacy

Our Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. We will take steps to delete such information from our systems.

10. International Data Transfers

Your information may be transferred to and maintained on servers located outside your state, province, country, or other governmental jurisdiction where data protection laws may differ.

If you are located outside the European Economic Area (EEA) and choose to use our Service, your information will be transferred to the European Economic Area (EEA) and processed there.

We take steps to ensure that your data is treated securely and in accordance with this Privacy Policy. For EU/EEA users, we use Standard Contractual Clauses approved by the European Commission for international data transfers.

11. Changes to Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last Updated" date
  • Sending you an email notification
  • Displaying a prominent notice on the Service

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Legacy Privacy Team

Email: legal@legggacy.com

Address: Address available upon request. Contact: support@legggacy.com

Data Protection Officer: Support Team (legal@legggacy.com)

We will respond to your inquiry within 30 days. For urgent privacy concerns, please mark your email as "URGENT - Privacy Matter."