Privacy Policy

Privacy Policy – AfterWords Legacy Ltd

AfterWords Legacy Ltd ("we," "us," "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, store, and delete your personal data in connection with the AfterWords mobile and web application ("Service").

We comply with the UK General Data Protection Regulation (UK GDPR), EU GDPR, Data Protection Act 2018, California Consumer Privacy Act (CCPA), and other applicable laws. Our core mission is to help you preserve and share your memories securely — especially for end-of-life legacy purposes.

1. Who We Are

• Data Controller: AfterWords Legacy Ltd, a UK-registered limited company

• Contact: support@afterwords.world

• ICO Registration: Yes

We are the "data controller" for your personal data, except where explicitly stated that we act as a "data processor" (e.g., in limited infrastructure provider contexts).

2. Data We Collect

We collect and process the following categories of personal data:

a. Account Data

• Name, email address, password (hashed), or OAuth credentials

b. Legacy Data

• Text, images, videos, and voice recordings uploaded by yo

• Metadata (e.g., timestamps, file types)

• Shared via unique PINs (e.g., "ROSE1234")
  
  

c. Special Category & Biometric Data

• Legacy content may inadvertently contain special category personal data under Article 9 GDPR (health information, religious beliefs, ethnic origin, political opinions)

• Voice recordings may constitute biometric data where voice patterns are processed for identification purposes

• Processing is based on explicit consent (Article 9(2)(a)) or substantial public interest in preserving family heritage (Article 9(2)(j)) where applicable

d. AI Chat Data

• Prompts and AI-generated responses during interactive sessions (e.g., Grandma Rose or custom legacy chats), processed through Retrieval-Augmented Generation (RAG) models

• You provide explicit consent for AI analysis of your legacy content to enable chat functionality

• You may withdraw this consent at any time, though this will disable AI chat features while preserving your stored content

e. Device & Usage Data

• IP address, device type, OS version, app events (e.g., uploads, chat use), app version

• Firebase Analytics pseudonymized metrics

f. Payment Data

• Billing information (e.g., transaction ID, purchase history) processed by:

  • Apple App Store

  • Google Play

• We do not store credit card numbers

g. User Feedback

• Surveys, emails, community discussions (e.g., WhatsApp, X Community)

3. How We Use Your Data (Lawful Basis)

Your data is processed under the following legal bases:

• Account setup and access: Contract (Art. 6(1)(b))

• Legacy creation, PIN sharing: Contract

• AI chat functionality: Contract

• Performance & analytics: Legitimate Interests (Art. 6(1)(f))

• Optional features (e.g., Memory Wall): Consent (Art. 6(1)(a))

• Compliance (e.g., tax): Legal Obligation (Art. 6(1)(c))

Specific Purposes:

• Hosting your legacies securely (Firebase Cloud Storage – Google Cloud)

• Processing chat data via Railway, Docker, Chroma, and OpenAI APIs

• Sending onboarding and operational emails (no marketing without consent)

• Processing payments via third-party providers

• Analyzing usage trends to improve performance

• Responding to support requests or legal obligations

4. Data Storage and Security

We use robust technical and organizational measures to safeguard your data.

a. Hosting & Processing

• Storage: Firebase Cloud Storage (Google Cloud – US)

• Processing: Railway, Docker, and OpenAI (US-based RAG pipelines)

• Security:

  • Data encrypted at rest (AES-256) and in transit (TLS 1.2/1.3)

  • Authenticated access enforced by Firebase rules

  • Minimal container access and secure credential handling

b. International Transfers

• Data may be processed outside the UK/EU (e.g., US servers via OpenAI, Railway)

• We use Standard Contractual Clauses (SCCs) and additional safeguards to ensure GDPR-compliant transfers

5. Data Retention and Deletion

a. Testing Users

• Data from testers (August 14, 2025) will be deleted by September 30, 2025, unless you explicitly opt in to retention

• You can export legacies anytime via the "Export Legacy" button (ZIP format)

b. Public Users

• We retain your data as long as your account is active

• Upon account deletion, we erase your personal data within 30 days, unless retention is required by law (e.g., HMRC requires 7-year payment records)

c. Inactive Account Policy

• Accounts with no usage activity for 12 consecutive months will be considered inactive

• Inactive accounts will be automatically closed and all associated data permanently destroyed

• Email notifications will be sent at 10 and 11 months of inactivity to provide opportunity to reactivate your account

• Once data is destroyed, it cannot be recovered

6. Your Rights (UK/EU GDPR)

You have the following rights:

• Access: Get a copy of your personal data

• Rectification: Correct inaccurate or outdated data

• Erasure ("Right to be Forgotten"): Request deletion of your data

• Restriction: Ask us to limit processing in specific cases

• Portability: Receive your data in a machine-readable format

• Objection: Object to certain processing (e.g., analytics)

• Withdraw Consent: Withdraw optional consents at any time

• Complaint: Contact ICO or your local EU authority

To exercise any of these rights, contact support@afterwords.world. We respond within 30 days, free of charge unless requests are manifestly excessive or unfounded.

7. Data Breaches

In the event of a personal data breach:

• We notify the ICO within 72 hours if there is a risk to your rights or freedoms

• We notify affected users without undue delay via email and social media

• We promptly secure affected infrastructure and log the event
  
  

8. Data Sharing, PINs & Analytics

• Third-Party Sharing: Limited to providers above (Firebase, OpenAI, etc.). No unnecessary sharing or sale

• PIN Sharing: You control who accesses legacies via unique PINs. We do not access PIN-protected content unless legally required

• Analytics: We may use anonymized and aggregated usage data to improve functionality. Opt-out is available upon request

9. Global and Regional Compliance

• UK GDPR / DPA 2018: Primary compliance framework

• EU GDPR: Applies to EU users; equivalent safeguards ensured

• CCPA (California): California users may request access/deletion of their personal data. We do not sell data

• Other Regions: We aim to comply with local laws where our users reside, to the extent feasible
  
  

10. Children's Data

The Service is not intended for children under 16. We do not knowingly collect data from minors. If you believe we hold data from a child, please contact us for immediate removal.

11. Cookies and Tracking

We use minimal, privacy-friendly cookies for performance analytics (Firebase only).

• No ad-tracking or behavioral profiling

• You can opt out via app settings or by contacting us
  
  

12. Changes to This Policy

We may update this Privacy Policy from time to time. If material changes occur, we will notify you via:

• Email

• In-app notifications

• 30 days prior to changes taking effect

Continued use of the Service after the notice period constitutes acceptance.

13. Contact Us

For questions, requests, or complaints:

• Email: support@afterwords.world

• ICO (UK): ico.org.uk / 0303 123 1113

• EU Users: Contact your local data protection authority (e.g., CNIL – France)