Privacy Policy

We collect only what is necessary to operate Life Vault and honor your wishes:

• Account information. Your name, email address, password (stored as a salted hash), and authentication identifiers when you sign up or sign in with a third-party provider (such as Google).
• Subscription and billing data. Your plan tier (Free or Pro), billing cycle, and the limited transaction metadata returned by our payment processor. We do not store full payment card numbers on our servers.
• Vault content you create. Titles, categories, descriptions, and notes you enter into your vault.
• Beneficiary and emergency-contact details that you choose to provide (see dedicated sections below).
• Heartbeat and audit metadata. Timestamps of your check-ins, stage transitions, email events, and other actions necessary to run the legacy release process.
• Technical data. IP address, browser type, device identifiers, and basic log information collected automatically when you interact with the Service, used for security and abuse prevention.

Pro subscribers may upload files (the “Attachments”) to a private storage bucket associated with their account. Attachments are:

• Stored in a non-public bucket and accessible only via short-lived, signed URLs;
• Encrypted in transit (TLS) and at rest using the underlying storage provider’s encryption;
• Subject to a hard 10 GB per-account quota and category-based file-type limits enforced at upload time;
• Released to your designated beneficiary only after your configured heartbeat workflow has fully escalated and the mandatory 14-day cancellation window has elapsed without a check-in or block, and only for the limited 30-day legacy access window. Life Vault does not independently verify death, incapacity, or legal authority before initiating the configured release workflow.

Kholagi Enterprise LLC does not routinely review the contents of your Attachments. We may access them only when strictly required to operate the Service, respond to a verified legal request, investigate a security incident, or enforce our Terms of Service.

You may designate one primary beneficiary. We collect the beneficiary’s name, email address, and relationship to you solely so that we can:

• Contact them on your behalf if you fail to respond to heartbeat reminders;
• Issue them a unique, single-purpose link to request and later access your legacy materials; and
• Maintain an audit log of legacy-release events for your protection.

We never sell beneficiary data, do not market other products to them, and remove their record from active use if you delete them or close your account.

You may add up to five emergency contacts. For each contact we store the name, email address, and relationship. Emergency contacts are notified only after your heartbeat cycle has fully escalated and the legacy release process has begun. They receive a one-time, tokenized email allowing them to acknowledge the notification or report incorrect information. We never share their details with the beneficiary or with each other.

We send three categories of email:

• Transactional & safety emails — heartbeat reminders, final reminders, beneficiary and emergency-contact notifications, password resets, and receipts. These are essential to the Service and cannot be unsubscribed from while your account is active.
• Account notices — security alerts, plan changes, and grace-period notices for cancellations or deletion.
• Optional product updates — only sent if you opt in. Every such message includes an unsubscribe link, and we honor opt-outs promptly.

We use a reputable third-party email delivery provider. Bounces and spam complaints are recorded so we can stop emailing addresses that should not receive further mail.

• To create and secure your account and authenticate your sessions;
• To operate the heartbeat, legacy release, and emergency contact workflows;
• To process subscription payments and manage Free and Pro plans;
• To send transactional and safety emails;
• To detect, prevent, and respond to fraud, abuse, and security incidents;
• To comply with applicable legal obligations.

We do not sell your personal information and we do not use your vault content, beneficiary data, or emergency-contact data to train machine-learning models.

• Active accounts. We retain your account, vault content, beneficiary, and emergency contact data for as long as your account remains active.
• Cancellation grace period. When you cancel, your subscription enters a 30-day grace period during which you may reverse the cancellation. After the grace period ends, your account is downgraded to Free and uploaded files are scheduled for deletion through our automated cleanup process. Residual copies may persist in encrypted backups for up to 35 days as described below.
• Legacy release. Once a beneficiary’s access window expires (30 days after release) for Free-plan accounts, the released materials are permanently deleted. Pro-plan accounts receive an extended 12-month legacy protection window before deletion.
• Audit logs. We retain a minimal audit log of heartbeat events, email events, and security events for up to 24 months for fraud prevention and dispute resolution.
• Backups. Residual copies may persist in encrypted backups for up to 35 days before being overwritten.

• TLS 1.2+ in transit and provider-managed encryption at rest;
• Row-level security policies that scope every database read and write to the owning user;
• Single-use, time-limited tokens for check-ins, beneficiary access, and emergency contact responses;
• Passwords stored only as salted hashes — never in plaintext;
• Principle of least privilege for staff and service accounts, with access logged;
• Automated monitoring and rate-limiting on authentication and webhook endpoints.

No system is perfectly secure. If we become aware of a breach affecting your data, we will notify you without undue delay as required by applicable law.

Depending on where you live, you may have the right to:

• Access the personal information we hold about you;
• Correct inaccurate information;
• Delete your account and associated personal data, subject to the retention rules above;
• Export your vault content in a portable format;
• Opt out of optional marketing emails;
• Lodge a complaint with your local data protection authority (residents of the EEA, UK, and similar jurisdictions).

To exercise any of these rights, email us at the address below. We may need to verify your identity before acting on a request.

Life Vault is not directed to children under 18 and we do not knowingly collect personal information from them. If you believe a minor has provided us information, contact us and we will delete it.

Life Vault is operated from the United States. If you access the Service from outside the U.S., you understand that your information will be transferred to, stored, and processed in the United States, which may not have the same data-protection laws as your country.

We may update this Privacy Policy from time to time. Material changes will be announced by email or via an in-app notice at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

Kholagi Enterprise LLC
Attn: Life Vault Privacy
State of Maryland, USA
Email: privacy@lifevaultapp.app
Website: https://lifevaultapp.app