Last updated: 1 March 2025
Memoari holds some of the most personal information you will ever store anywhere. We take that responsibility seriously. This policy explains clearly what we collect, how we use it, and the rights you have over it.
When you create a Memoari account, we collect:
Account data: Your name, email address, date of birth, and hashed password. We never store your password in plain text.
Vault contents: Documents, digital asset details, financial asset information, and personal messages that you voluntarily add to your vault. These are encrypted with AES-256 before storage.
Usage data: Pages visited, features used, and session duration — collected in aggregate and used only to improve the service. We do not sell usage data.
Payment data: If you upgrade to a paid plan, payment is processed by Lemon Squeezy. We do not store your card number or CVV on our servers.
Device data: Browser type, operating system, and IP address, retained for security and fraud prevention purposes only.
We use your data exclusively to:
- Provide the Memoari service (vault storage, will generation, message delivery)
- Authenticate your identity and protect your account from unauthorised access
- Process subscription payments
- Send you transactional emails (account confirmations, check-in reminders, beneficiary notifications)
- Comply with legal obligations under UK law
- Improve the product (aggregate, anonymised analytics only)
We do not use your data for advertising. We do not sell your data to third parties. We do not share your vault contents with anyone — except the contacts you explicitly designate, and only after the unlock conditions you set have been met.
Vault contents: All files, messages, and digital asset details you store are encrypted using AES-256 (Advanced Encryption Standard with 256-bit keys) before being written to our database.
Passwords you store: When you add a password or account credential to your digital asset vault, it is encrypted client-side before transmission. This means only the encrypted value leaves your device — we receive only ciphertext and never have access to the plaintext password. This is a zero-knowledge approach: we cannot recover your stored passwords, even if compelled to do so.
Your Memoari account password: Hashed using bcrypt with a work factor of 12. Not recoverable by Memoari staff.
Data in transit: All connections between your browser and our servers use TLS 1.2 or higher (HTTPS). We enforce HTTPS everywhere and use HSTS headers.
Key management: Encryption keys are managed using Supabase's encryption infrastructure, which stores key material separately from encrypted data.
Active accounts: Your data is retained for as long as your account is active.
Deleted accounts: When you delete your account, your personal data and vault contents are scheduled for permanent deletion within 90 days. This delay exists to allow you to recover your account if deletion was accidental.
Cancelled paid subscriptions: Your account reverts to Free tier with all data intact for 90 days. After that, if the account remains inactive and on Free tier, vault contents beyond Free plan limits are archived (not deleted) for a further 12 months.
Beneficiary access logs: Logs of vault access by beneficiaries are retained for 7 years for legal and audit purposes. These logs record who accessed what and when — not the contents accessed.
Legal hold: In the event of a legal dispute or regulatory investigation, we may be required to retain data beyond standard retention periods.
Under the UK General Data Protection Regulation (UK GDPR), you have the following rights:
Right to access: You can request a copy of all personal data we hold about you. We will provide this within 30 days.
Right to rectification: If any of your data is inaccurate, you can correct it directly in your account settings, or contact us to request correction.
Right to erasure ('right to be forgotten'): You can request deletion of your account and all associated data. Requests are processed within 90 days, subject to any legal retention obligations.
Right to portability: You can export your vault data in machine-readable format (JSON and PDF) from your account settings at any time.
Right to restrict processing: You can request that we stop processing your data for specific purposes while a dispute is resolved.
Right to object: You can object to processing based on legitimate interests, including any profiling.
Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
To exercise any of these rights, contact us at: privacy@memoari.org
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
We use a small number of trusted third-party services to operate Memoari:
- Supabase (supabase.com) — database, file storage, and authentication. Data is processed in the EU/UK under GDPR-compliant terms.
- Lemon Squeezy (lemonsqueezy.com) — payment processing. Lemon Squeezy is PCI-DSS Level 1 certified and acts as the Merchant of Record for all transactions.
- Resend (resend.com) — transactional email delivery. Used only for account and vault-related emails.
- Vercel / Netlify — web hosting and CDN. Our web application is served from these platforms.
We maintain Data Processing Agreements (DPAs) with each of these providers. We do not use advertising or analytics platforms that receive personal data.
Data controller: Memoari Ltd (registration number: [pending])
Registered address: [To be confirmed upon company registration]
Data protection enquiries: privacy@memoari.org
General contact: hello@memoari.co.uk
Response time: We aim to respond to all data protection enquiries within 5 business days and to fulfil formal data subject requests within 30 calendar days.