Privacy Policy

Effective Date: March 15, 2026 · Last Updated: March 15, 2026

1. Introduction

Keepacy (“we,” “us,” or “our”) operates the Keepacy platform at keepacy.com, including the web application, APIs, and related services (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.

By using Keepacy, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

  • Account information: email address, password (stored as a bcrypt hash), and optional display name.
  • Documents: files you upload to your vault (wills, insurance policies, financial records, medical directives, identity documents, and similar). All documents are encrypted at rest using AES-256-GCM with per-user keys.
  • Beneficiary information: names, email addresses, phone numbers, and relationship descriptions of individuals you designate as beneficiaries.
  • Phone number: if you opt in to SMS-based check-ins or SMS two-factor authentication, we collect your mobile phone number.
  • Payment information: if you subscribe to a paid plan, payment details are collected and processed by our third-party payment processor (Stripe). We do not store credit card numbers on our servers.

2.2 Information Collected Automatically

  • Usage data: timestamps of logins, check-in responses, and feature interactions.
  • Audit logs: records of security-relevant actions (login attempts, MFA events, document access, beneficiary modifications) for security and compliance purposes.
  • Device information: IP address, browser type, and operating system, collected via server access logs for security monitoring.

2.3 Information We Do Not Collect

  • We do not use third-party analytics trackers, advertising pixels, or behavioral profiling tools.
  • We do not place third-party cookies on your device.
  • We do not collect biometric data.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service, including document storage, check-in monitoring, and beneficiary notifications.
  • Authenticate your identity and protect your account (passwords, MFA, session management).
  • Send transactional communications: email verification, check-in prompts, MFA codes, beneficiary notifications, and account alerts.
  • Send SMS messages for check-in confirmations, two-factor authentication codes, and urgent escalation alerts when you have opted in to SMS communications.
  • Process payments and manage subscriptions.
  • Detect, investigate, and prevent security incidents and fraudulent activity.
  • Comply with legal obligations, including responding to lawful data requests.

4. SMS and Messaging

If you opt in to SMS-based features (check-in alerts, two-factor authentication, or escalation notifications), the following applies:

  • We collect your mobile phone number solely to deliver the SMS services you have opted in to.
  • We do not use your phone number, SMS opt-in data, or any data collected via SMS for marketing or advertising purposes.
  • We do not sell, rent, loan, trade, lease, or otherwise share your phone number or SMS data with third parties for their marketing purposes. Phone numbers are shared only with our SMS delivery provider (Twilio) for the sole purpose of delivering messages to you.
  • SMS consent is not a condition of purchasing any goods or services from Keepacy.
  • You can opt out of SMS messages at any time by replying STOP to any message or by disabling SMS features in your account settings.

5. Data Sharing and Disclosure

We do not sell your personal information. We do not share your personal data with third parties for their marketing purposes.

We share information only in the following limited circumstances:

  • Service providers: we use third-party providers to operate the Service, including cloud hosting (AWS), email delivery (SendGrid), SMS delivery (Twilio), and payment processing (Stripe). These providers access only the minimum data necessary to perform their functions and are contractually obligated to protect it.
  • Beneficiary access: when your check-in system triggers beneficiary notification (per your configuration), designated beneficiaries receive access to the documents and information you have chosen to share with them. This is a core function of the Service that you control.
  • Legal requirements: we may disclose information when required by law, court order, or governmental regulation, or when we believe disclosure is necessary to protect the rights, property, or safety of Keepacy, our users, or the public.
  • Business transfers: if Keepacy is acquired, merged, or sells substantially all of its assets, user data may be transferred as part of that transaction. We will notify users of any such change via email and update this Privacy Policy.

6. Data Security

We implement technical and organizational measures to protect your data:

  • All documents are encrypted at rest using AES-256-GCM with per-user encryption keys derived via PBKDF2.
  • All data in transit is encrypted using TLS 1.2 or higher.
  • Passwords are hashed using bcrypt with a work factor of 12.
  • Multi-factor authentication is required for all accounts.
  • Database backups are encrypted and stored in a separate AWS region.
  • Access to production systems is restricted and logged.

While we strive to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your data as follows:

  • Active account data: retained for the lifetime of your account.
  • Documents: retained until you delete them or delete your account.
  • Audit logs: retained for 3 years after account deletion (anonymized).
  • Beneficiary access logs: retained for 7 years after the access event (anonymized) for legal compliance.
  • Check-in event history: retained for 1 year.

When you delete your account, we initiate a 30-day grace period during which you may cancel the deletion. After 30 days, all personal data is permanently deleted from our systems, except for anonymized audit records retained per the schedule above.

8. Your Rights

8.1 All Users

You may:

  • Access and export all data we hold about you via your account settings.
  • Correct or update your personal information at any time.
  • Delete your account and all associated data.
  • Opt out of SMS communications at any time.

8.2 California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

  • Right to Know: you may request the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: you may request that we delete your personal information, subject to certain exceptions.
  • Right to Non-Discrimination: we will not discriminate against you for exercising your CCPA rights.
  • Do Not Sell My Personal Information: we do not sell personal information. No opt-out is necessary because no sale occurs.

To exercise any of these rights, contact us at privacy@keepacy.com.

9. Children's Privacy

Keepacy is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at privacy@keepacy.com.

10. Third-Party Services

The Service integrates with the following third-party providers:

  • Amazon Web Services (AWS): cloud infrastructure, file storage, and database hosting.
  • SendGrid (Twilio): transactional email delivery.
  • Twilio: SMS delivery and voice calls for check-in and MFA features.
  • Stripe: payment processing for subscriptions.
  • Cloudflare Turnstile: bot protection on authentication forms.

Each provider has its own privacy policy. We encourage you to review them. We share only the minimum data necessary for each provider to perform its function.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the “Last Updated” date at the top of this page. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: