Privacy Policy

My Asset Safe ("we", "us", "our") is a secure digital estate vault service operated in the United Kingdom. We are committed to protecting your personal data and respecting your privacy. This policy explains what personal data we collect, how we use it, and the rights you have under the UK GDPR and the Data Protection Act 2018.

We are in the process of registering with the Information Commissioner's Office as a data controller in respect of personal data collected through our service. Our ICO registration reference will be published here once the application has completed. Until then, this registration is shown as pending and is not to be interpreted as evidence of registration for the purposes of UK GDPR Article 36.

We collect the following categories of data:

• Account data: email address, full name, date of birth, phone number, and authentication details (hashed passwords, TOTP seed).
• Vault content: encrypted records of your financial assets, liabilities, documents, passwords, and beneficiaries. This data is encrypted client-side with a key we cannot access during normal operation.
• Beneficiary and contact data: names, email addresses, relationships and identity verification status for people you nominate.
• Billing data: payment records held by our payment processor (Stripe). We do not store full card numbers.
• Usage and device data: IP address, browser type, session timestamps, pages visited, and security events.
• Death verification data: identity verification results, uploaded death certificates, and administrator decision records when a death claim is raised.

We process your data for the following purposes:

• Providing the core vault service and fulfilling our contract with you.
• Authenticating you and your nominated beneficiaries at time of access.
• Processing death claims through our multi-step verification workflow.
• Preventing fraud, unauthorised access, and abuse of the service.
• Complying with legal and regulatory obligations, including AML and safeguarding.
• Sending service, security, and billing communications.
• Improving the product through aggregated and anonymised analytics.

Our lawful bases for processing your personal data are:

• Contract: processing necessary to provide the vault and death claim services you have subscribed to.
• Legal obligation: where we are required to retain or disclose data by law.
• Legitimate interests: for fraud prevention, security, and service improvement, where those interests are not overridden by your rights.
• Consent: for optional communications and any processing outside the above bases.

We retain your account and vault data for as long as your subscription is active. On cancellation we retain a minimal record for 90 days for reversal and audit, after which your vault content is permanently purged.

Death claim records, including uploaded death certificates, are retained for seven years to comply with legal and regulatory obligations. Audit logs of administrator activity are retained for the same period.

Under UK GDPR you have the following rights:

• Right of access to your personal data.
• Right to rectify inaccurate or incomplete data.
• Right to erasure ("right to be forgotten") where applicable.
• Right to restrict or object to processing.
• Right to data portability.
• Right to withdraw consent where processing is based on consent.
• Right to lodge a complaint with the Information Commissioner's Office.

To exercise any of these rights, email us at the address in Section 11. We will respond within one month.

We work with the following categories of trusted sub-processors:

• Amazon Web Services (AWS): cloud hosting and storage, located in the London (eu-west-2) region.
• Stripe: payment processing for subscription billing.
• Onfido: identity verification during the death claim process.
• TrueLayer: Open Banking connections for asset balance refresh.
• GRO (General Register Office): death register lookups for automated claim triggers.

All sub-processors are bound by data processing agreements compliant with UK GDPR.

Your data is stored and processed within the United Kingdom. If any of our sub-processors transfer data outside the UK, we ensure such transfers are protected by Standard Contractual Clauses, adequacy decisions, or equivalent safeguards as required by UK GDPR.

My Asset Safe uses client-side envelope encryption: your vault master key is generated in your browser and never leaves it in plaintext. A KMS-escrowed copy of your key is held for the sole purpose of death unlock, and the escrow key policy explicitly denies decryption to all principals except the controlled death-unlock workflow role. All traffic is protected by TLS 1.2 or higher, all databases are encrypted at rest with customer-managed keys, and all access to production systems is audited.

We use strictly necessary cookies for authentication and session management. We do not use advertising or tracking cookies. Analytics cookies, where used, are anonymised and respect Do Not Track signals. See our Cookie Policy for full details and how to change your choice.

For privacy questions, data subject access requests, or complaints, contact our Data Protection Officer at privacy@myassetsafe.com.

You also have the right to complain to the Information Commissioner's Office: ico.org.uk.

We will notify you of material changes to this policy by email and post a notice on this page. The "Last updated" date above will always show the current version.