Privacy Notice
Last updated: July 3, 2026
1. Who we are
HeirLock is operated by Devin R Young ("we", "us", "our"), acting as the data controller for personal data processed through the HeirLock service (the "Service"). You can reach us through the in-app support chat.
2. Personal data we collect
- Account data: name, email address, hashed password, authentication tokens, two-factor delivery email.
- Vault content: encrypted files, notes, credentials, and messages you upload; beneficiary names and email addresses; check-in schedule and status.
- Support messages: conversations with our in-app support assistant.
- Usage & device data: IP address, browser and device identifiers, log events, error reports.
- Billing metadata: subscription status, plan, renewal dates. Payment card and billing address data is collected and stored by Paddle, not by us.
3. Purposes and legal bases
- Provide the Service (contract): create your account, store your vault, run check-ins, and release designated items to your beneficiaries.
- Security and fraud prevention (legitimate interests / legal obligation): two-factor authentication, abuse detection, audit logging.
- Support (contract / legitimate interests): respond to your questions.
- Service improvement (legitimate interests): diagnose errors and improve reliability.
- Legal compliance (legal obligation): respond to lawful requests and enforce our terms.
4. Who we share data with
- Paddle.com Market Ltd — our Merchant of Record for subscription sale, payment processing, tax compliance, and invoicing.
- Hosting & infrastructure providers — for application hosting, database storage, and email delivery.
- Professional advisers — legal and accounting, where necessary.
- Authorities — where required by law.
- Your beneficiaries — the individuals you designate receive the specific vault items you assigned to them, once a release is triggered.
We do not sell your personal data.
5. Data retention
We retain account and vault data for as long as your account is active. If you close your account, we delete or anonymize your personal data within 90 days, except where retention is required for legal, tax, or fraud-prevention purposes. Encrypted backups may persist for a short period before rotation.
6. Security
We use industry-standard technical and organizational measures, including TLS in transit, encryption at rest, access controls, optional two-factor authentication, and audit logging. No system is perfectly secure; you are responsible for keeping your credentials safe.
7. Your rights
Subject to applicable law, you may request access to, correction, deletion, restriction, or portability of your personal data, and object to certain processing. To exercise these rights, contact us through the in-app support chat. You may also lodge a complaint with your local data protection authority.
8. International transfers
Your data may be processed in countries outside your own, including the United States. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses.
9. Cookies
We use strictly necessary cookies and local storage for authentication and session management. We do not use advertising cookies.
10. Changes
We may update this notice. Material changes will be announced in-app or by email. Continued use of the Service after an update constitutes acceptance.
11. Contact
Devin R Young — reach us through the in-app support chat.