Last updated: May 2026
Privacy Policy
Passed Plan is built on a simple principle: your private information should stay private. This policy explains what we collect, why we collect it, and how we protect it.
1. Who We Are
Passed Plan, Inc. ("Passed Plan," "we," "us," or "our") operates the Passed Plan digital estate planning service available at passedplan.com and through our mobile applications (collectively, the "Service"). Our registered address and contact information are available on request from support@passedplan.com.
2. Information We Collect
2.1 Account Information
When you register, we collect:
- Name and email address
- Password (stored as a salted hash — we never store your plaintext password)
- Date of birth (to verify you are 18 or older)
- Phone number (optional, for account recovery)
- Billing address and payment method details (processed by Stripe; we store only a tokenised reference)
2.2 Vault Data
The core of Passed Plan is your encrypted vault. All vault contents — documents, notes, media, beneficiary designations, last messages, and any other material you upload — are encrypted on your device before transmission using AES-256-GCM with a key derived from your vault passphrase via PBKDF2. We receive and store only ciphertext. We have no technical ability to read, search, or access your vault contents. See Section 5 for more detail on our zero-knowledge architecture.
2.3 Identity Verification Data
To comply with our death-verification obligations and prevent fraud, we may collect government-issued identity documents and biometric photographs through our identity partner, Persona. This data is processed and stored by Persona subject to their own privacy policy and is not retained on our servers beyond the verification transaction.
2.4 Usage and Technical Data
We automatically collect limited technical data including:
- IP address and approximate geolocation (country/region level)
- Browser type, operating system, and device identifiers
- Pages visited, features used, and session duration (via PostHog analytics)
- Error logs and performance metrics
- Check-in timestamps and I'm Alive confirmations
We configure PostHog in privacy-first mode: personally identifiable information is masked, IP addresses are anonymised before storage, and data does not leave our designated EU/US processing regions.
2.5 Communications
If you contact us for support or send us feedback, we retain those communications to respond to you and improve the Service.
3. How We Use Your Information
We use the information we collect to:
- Create and manage your account and subscription
- Deliver the Service, including storing and serving encrypted vault data
- Process payments through Stripe
- Send transactional emails (account notices, check-in reminders, death-event alerts) via Resend
- Send SMS notifications where you have opted in, via Twilio
- Verify identity during the trusted-contact access flow, via Persona and VitalChek
- Generate AI-assisted estate planning guidance via Anthropic's Claude API (prompts contain no vault ciphertext)
- Host and serve video Last Goodbyes via Mux and store encrypted media files via Backblaze B2
- Detect fraud, abuse, and security threats
- Comply with legal obligations
- Improve and develop the Service using aggregated, de-identified analytics
We do not sell your personal information to third parties. We do not use your data for advertising.
4. Third-Party Service Providers
We share data with the following categories of processors only to the extent necessary to deliver the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database and authentication infrastructure (SOC 2 Type II) | Account data, encrypted vault blobs, audit logs |
| Stripe | Payment processing | Email, billing address, payment token |
| Anthropic | AI estate planning guidance | User prompts only (no vault contents) |
| Twilio | SMS notifications | Phone number, message content |
| Resend | Transactional email delivery | Email address, message content |
| Mux | Video encoding and delivery | Encrypted video files |
| Backblaze B2 | Encrypted object storage | Encrypted vault files |
| Persona | Identity verification | Government ID, selfie photograph |
| VitalChek | Death certificate verification | Deceased's name, date of birth |
| Vercel | Application hosting and edge network | Request logs, IP addresses |
| PostHog | Privacy-first product analytics | Anonymised usage events |
Each provider is bound by data processing agreements that restrict them from using your data for purposes beyond the services they provide to us.
5. Zero-Knowledge Encryption
Passed Plan is designed so that we are technically incapable of reading your vault contents. Your vault passphrase never leaves your device. All encryption and decryption occur locally in your browser or application before any data is sent to our servers. The keys we store are encrypted with your passphrase; without it, they are useless.
Practical implications:
- We cannot recover your vault passphrase if you forget it.
- We cannot comply with government requests to disclose vault contents because we do not have the plaintext.
- We cannot search, index, or train AI models on your vault data.
- If you lose your passphrase and have no recovery keys configured, your vault data is permanently inaccessible.
6. Posthumous Access by Trusted Contacts
You may designate one or more trusted contacts who are authorised to access your vault after your death. When a trusted contact initiates an access request, the following process applies:
- The trusted contact submits a death certificate for verification via VitalChek.
- The trusted contact completes identity verification via Persona.
- A 72-hour fraud window begins, during which you (if alive) can halt access using the I'm Alive function.
- After 72 hours with no halt, the trusted contact is granted access to the decryption keys you have pre-authorised for them.
This process involves sharing your name and date of birth with VitalChek and the trusted contact's identity documents with Persona. We retain verification records as part of our immutable audit log.
7. Data Retention
- Active accounts: We retain all account and vault data for as long as your subscription remains active.
- After cancellation: We retain your data for 90 days following the end of your subscription to allow reactivation. After 90 days, all vault data is permanently and irreversibly deleted from our systems and backups.
- After death and vault access: Data is retained for 12 months following successful trusted-contact access, then permanently deleted unless the estate requests earlier deletion.
- Audit logs: Immutable audit records are retained for 7 years for fraud prevention and legal compliance.
- Backups: Encrypted backups cycle on a 30-day rolling window and are subject to the same retention schedule.
8. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal data we hold about you (excluding encrypted vault contents, which only you can decrypt).
- Correction: Ask us to correct inaccurate account information.
- Deletion: Request deletion of your account and all associated data. Note the 90-day retention window described above.
- Export: Request a machine-readable export of your account metadata. Vault data is always available for export through the application itself because only you hold the decryption key.
- Objection: Object to certain processing activities.
- Restriction: Request that we restrict processing in certain circumstances.
To exercise any of these rights, email support@passedplan.com. We will respond within 30 days. We may need to verify your identity before processing your request. Note that export requests are subject to a 90-day waiting period from subscription start to prevent fraudulent data harvesting.
9. California Residents — CCPA Rights
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
- Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to Opt Out of Sale: We do not sell personal information. No opt-out is necessary.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
- Right to Correct: You may request correction of inaccurate personal information.
To submit a CCPA request, contact us at support@passedplan.com with the subject line "CCPA Request." You may also designate an authorised agent to make a request on your behalf; the agent must provide written authorisation.
10. Children
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from a person under 18, we will delete it promptly. If you believe we may have collected such information, please contact us at support@passedplan.com.
11. International Transfers
Our services are operated primarily from the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States and other countries where our service providers operate. We rely on Standard Contractual Clauses and other lawful transfer mechanisms for transfers from the European Economic Area and United Kingdom.
12. Security
We employ technical and organisational measures to protect your data, including TLS in transit, AES-256-GCM encryption at rest, multi-factor authentication for administrative access, and immutable audit logging. For a detailed description of our security practices, see our Security Overview.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and by posting a notice in the application at least 30 days before the changes take effect. Your continued use of the Service after the effective date of the revised policy constitutes acceptance of the changes. The date at the top of this page reflects the most recent revision.
14. Contact Us
For privacy-related questions, requests, or concerns, please contact our privacy team:
Email: support@passedplan.com
Mail: Passed Plan, Inc., Attn: Privacy, [Address on file]