Privacy Policy

SafeKept Ltd – safekept.co.uk

Version 1.0 – March 2026

Effective Date: 2 May 2026

Introduction

This Privacy Policy describes how SafeKept Ltd ("SafeKept", "we", "us", or "our") collects, uses, stores, protects, and shares your personal information when you use our Services, including when you:

  • Visit our website at https://safekept.co.uk or any website of ours that links to this Privacy Policy.
  • Download and use our mobile application (SafeKept) or any other application of ours that links to this Privacy Policy.
  • Use our digital estate management and bereavement notification platform. SafeKept enables individuals to store financial accounts, documents, and digital assets in an encrypted vault, and enables executors and professional partners to notify financial institutions, government bodies, and other organisations following the death of an account holder.
  • Engage with us in other related ways, including any marketing or events.

Questions or concerns? Contact us at legal@safekept.co.uk.

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the data controller is:

SafeKept Ltd
Company No. 17227517 (registered in England and Wales)
ICO Registration: ZC151459
SafeKept, 124 City Road, London EC1V 2NX
legal@safekept.co.uk

Summary of Key Points

  • What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us, the choices you make, and the features you use.
  • Do we process any sensitive personal information? We may process sensitive personal information including financial data, government identifiers, health data where contained in estate documents, and cryptocurrency wallet credentials. We do so only when necessary with your consent or as otherwise permitted by applicable law.
  • Do we collect information from third parties? We may collect limited information from partner organisations who refer clients to us, public records, and our payment processor Stripe.
  • How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We process your information only when we have a valid legal reason to do so.
  • With whom do we share personal information? We share information only in specific situations – with institutions you instruct us to notify, with carefully selected service providers under Data Processing Agreements, and with regulatory authorities where required by law. We never sell your personal data.
  • How do we keep your information safe? We use AES-256-GCM application-layer encryption for all vault data, TLS encryption for all data in transit, bcrypt password hashing, and row-level database security policies.
  • What are your rights? You may have rights including access, rectification, erasure, restriction, data portability, and the right to object. Contact legal@safekept.co.uk to exercise any of these rights.

Table of Contents

  1. What Information Do We Collect?
  2. How Do We Process Your Information?
  3. What Legal Bases Do We Rely On?
  4. When and With Whom Do We Share Your Personal Information?
  5. Is Your Information Transferred Internationally?
  6. How Long Do We Keep Your Information?
  7. How Do We Keep Your Information Safe?
  8. Do We Collect Information From Minors?
  9. What Are Your Privacy Rights?
  10. Controls for Do-Not-Track Features
  11. Vault Data Access Restriction
  12. Deceased Person Data Handling
  13. No Sale of Personal Data
  14. SMS Text Messaging
  15. Cookies
  16. Do We Make Updates to This Policy?
  17. How Can You Contact Us?
  18. How Can You Review, Update, or Delete Your Data?

1. What Information Do We Collect?

Personal Information You Disclose to Us

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

The personal information we collect may include:

  • Names, phone numbers, email addresses, mailing addresses, usernames
  • Passwords (stored as hashed values – never in plain text)
  • Contact preferences, billing addresses
  • Debit/credit card numbers (held by Stripe – not stored by SafeKept)
  • Job titles (for partner account contacts)
  • Date of birth, National Insurance number
  • Financial account numbers, sort codes, and IBANs
  • Financial account usernames and passwords (encrypted at application layer before storage)
  • Cryptocurrency wallet addresses, seed phrases, and private keys (encrypted at application layer before storage)
  • Insurance policy details and pension scheme information
  • Death certificate details and reference numbers
  • Information about deceased persons including name, date of death, and last known address
  • Uploaded documents including wills, identity documents, and financial certificates
  • Executor identity and legal authority documentation
  • Organisation name, type, and registration details (for partner accounts)
  • Two-factor authentication codes and backup codes

Sensitive Information

When necessary, with your consent or as otherwise permitted by applicable law, we process the following categories of sensitive information:

  • Financial data
  • Social security numbers or other government identifiers (National Insurance numbers)
  • Health data (where contained in estate documents uploaded by users)
  • Cryptocurrency wallet credentials including seed phrases and private keys
  • Death certificates and estate documents which may contain sensitive personal information about deceased persons

Payment Data

We may collect data necessary to process your payment if you choose to make purchases. All payment data is handled and stored by Stripe. You may find Stripe's privacy notice at stripe.com/gb/privacy. SafeKept accepts online payments through Stripe for consumer subscription plans (Guardian and Estate Pro), the one-off executor access fee, law firm per-case fees, and accountancy firm monthly subscriptions.

Information Collected Automatically

We automatically collect certain information when you visit, use, or navigate the Services. This may include:

  • Log and Usage Data: IP address, browser type, operating system, referring URLs, pages visited, date and time stamps, search terms, error reports, and other actions you take.
  • Device Data: Device manufacturer and model, operating system, IP address, browser type and version, and system configuration information.
  • Location Data: We collect location data such as information about your device's location based on your IP address.
  • Encrypted Vault Data: Financial account details, credentials, cryptocurrency information, and uploaded documents stored at the user's direction. This data is encrypted at the application layer using AES-256-GCM before storage and is not accessible to SafeKept staff in plain text.

2. How Do We Process Your Information?

We process your personal information for the following purposes:

  • To facilitate account creation and authentication and otherwise manage user accounts.
  • To deliver and facilitate delivery of services to the user, including vault storage, estate notification, and partner portal access.
  • To respond to user enquiries and offer support to users.
  • To send administrative information to you including details about products, services, and policy changes.
  • To fulfil and manage your orders, payments, and subscriptions.
  • To enable user-to-user communications between consumers and their invited executors, and between partners and linked estate cases.
  • To protect our Services from fraud and security threats.
  • To verify the identity of executors and personal representatives before activating estate cases and granting access to deceased users' vault data.
  • To generate, format, and dispatch formal bereavement notification letters to financial institutions, government bodies, and other organisations on behalf of executors.
  • To maintain an audit trail of estate notifications sent, responses received, and estate case progress.
  • To maintain records for audit, legal, and compliance purposes.
  • To improve the quality and accuracy of our institution database using aggregated and anonymised data.

3. What Legal Bases Do We Rely On?

UK GDPR requires us to explain the valid legal bases we rely on in order to process your personal information.

3.1 Consent. We may process your information if you have given us permission for a specific purpose. You can withdraw consent at any time.
3.2 Performance of a Contract. We process your personal data where it is necessary to fulfil our contractual obligations to you, including providing our Services, account creation, vault storage, estate case processing, and payment processing.
3.3 Legitimate Interests. We process your information when we believe it is reasonably necessary to achieve our legitimate business interests, including to analyse how our Services are used, to diagnose problems and prevent fraudulent activities, to protect the platform and users' encrypted vault data, and to ensure only lawfully authorised individuals can access deceased persons' vault data.
3.4 Legal Obligations. We process your information where necessary for compliance with our legal obligations, including cooperating with law enforcement, regulatory agencies, and in respect of litigation.
3.5 Vital Interests. We may process your information where necessary to protect your vital interests or the vital interests of a third party.

4. When and With Whom Do We Share Your Personal Information?

We have contracts in place with all third-party processors which are designed to safeguard your personal information. They cannot do anything with your personal information unless we have instructed them to do it.

4.1 Institutions. When an Executor instructs SafeKept to send a notification to a financial institution, government body, or other organisation, we share the relevant personal data about the Deceased with that Institution. This is done only with the Executor's explicit instruction.
4.2 Third-Party Service Providers. We share your data with the following carefully selected service providers who process data on our behalf:
  • Invoice and Billing: Stripe
  • Transactional Email Delivery: Resend
  • SMS and Two-Factor Authentication: Twilio
  • Application Hosting: Railway
  • Postal Notification Letter Printing and Dispatch: Docmail / CFH Docmail Ltd
  • Product Analytics: PostHog
  • Database Hosting: Supabase
4.3 Business Transfers. We may share or transfer your information in connection with any merger, sale, financing, or acquisition of all or a portion of our business. We will notify you before personal data becomes subject to a different privacy policy.
4.4 Business Partners. Where a Partner (such as a solicitor or accountancy firm) is linked to an estate case, relevant estate data is shared with that Partner to enable them to assist with estate administration. This sharing is authorised by the Executor when they link the Partner to their case.
4.5 Government and Regulatory Authorities. We may share personal data with government or public authorities including HMRC, the DWP, the DVLA, courts, regulatory bodies, the Information Commissioner's Office, and law enforcement agencies where required by law.

5. Is Your Information Transferred Internationally?

Our servers are located in the United States. If you are a resident in the United Kingdom, your information may be transferred to, stored by, and processed by us in our facilities and in the facilities of the third parties with whom we may share your personal information, including facilities in the United Kingdom and United States.

We have implemented Standard Contractual Clauses for transfers of personal information between us and our third-party providers. These clauses require all recipients to protect all personal information originating from the UK in accordance with UK data protection laws and regulations. Our Standard Contractual Clauses can be provided upon request.

6. How Long Do We Keep Your Information?

We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Policy, unless a longer retention period is required or permitted by law. No purpose in this policy will require us to keep your personal information for longer than seventy-two (72) months past the termination of the user's account.

  • Active accounts: Personal data is retained for as long as your account is active.
  • Closed accounts: Following account deletion, we retain data for 6 years (72 months) to comply with our legal obligations.
  • Estate cases: Estate case data is retained for 6 years from the completion of the estate case.
  • Payment records: Transaction records are retained for 7 years in accordance with HMRC requirements.
  • Sensitive personal data: Retained for no longer than is necessary and in any event for no longer than 6 years unless required by law.

7. How Do We Keep Your Information Safe?

We have implemented appropriate and reasonable technical and organisational security measures designed to protect the security of any personal information we process, including:

  • AES-256-GCM application-layer encryption for all sensitive vault data before it reaches our database.
  • TLS 1.2 or higher (HTTPS) for all data in transit.
  • Bcrypt password hashing – passwords are never stored in plain text.
  • JWT authentication with refresh token rotation for user sessions.
  • Row-level database security policies ensuring users can only access their own data.
  • Two-factor authentication required for all administrative access.
  • Regular security scanning and vulnerability monitoring.
  • Automated backups to prevent data loss.
  • Data Processing Agreements with all third-party service providers.

However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach and will notify you directly without undue delay where the breach is likely to result in a high risk to your rights and freedoms.

8. Do We Collect Information From Minors?

We do not knowingly collect, solicit data from, or market to children under 18 years of age. By using the Services, you represent that you are at least 18 years of age. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data. If you become aware of any data we may have collected from children under age 18, please contact us at support@safekept.co.uk.

9. What Are Your Privacy Rights?

In the UK and EEA, you have certain rights under applicable data protection laws. These may include:

  • Right of access: the right to request access to and obtain a copy of your personal information.
  • Right to rectification: the right to request that we correct inaccurate or incomplete personal data.
  • Right to erasure: the right to request deletion of your personal data in certain circumstances.
  • Right to restrict processing: the right to request that we suspend our use of your personal data in certain circumstances.
  • Right to data portability: the right to receive your personal data in a structured, commonly used, and machine-readable format. You can download your data in JSON format from your account Settings under Privacy and Data.
  • Right to object: the right to object to our processing of your personal data where we rely on legitimate interests as our legal basis.

You can make such a request by contacting us at legal@safekept.co.uk.

If you are located in the UK and believe we are unlawfully processing your personal information, you have the right to complain to the UK data protection authority at ico.org.uk.

You can unsubscribe from marketing communications at any time via your account Settings, by clicking unsubscribe in any email, by texting STOP in response to any marketing SMS, or by contacting support@safekept.co.uk.

10. Controls for Do-Not-Track Features

Most web browsers and some mobile operating systems include a Do-Not-Track (DNT) feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognising and implementing DNT signals has been finalised. As such, we do not currently respond to DNT browser signals. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this Privacy Policy.

11. Vault Data Access Restriction

SafeKept stores all vault data including financial account credentials, passwords, cryptocurrency seed phrases, and private keys in encrypted form using AES-256-GCM encryption applied at the application layer before the data reaches our database. SafeKept staff cannot access, read, or view the contents of any user's vault in plain text at any time. Vault data is decrypted only at the point of delivery to the authenticated account holder or their authorised executor. No SafeKept employee or contractor has the ability to retrieve unencrypted vault data.

12. Deceased Person Data Handling

Personal data relating to deceased persons is not protected by UK GDPR. However, SafeKept applies the same technical security standards, access controls, and data retention policies to information about deceased persons as it does to information about living individuals.

Estate case data including the deceased's name, date of birth, National Insurance number, date of death, and financial account details is processed solely for the purpose of enabling the authorised executor to send bereavement notifications to institutions. This data is not used for any other purpose, is not shared with any third party except as necessary to send the requested notification, and is retained in accordance with our standard retention policy of six years from the completion of the estate case.

13. No Sale of Personal Data

SafeKept does not sell, rent, trade, or otherwise transfer any personal data to third parties for commercial purposes. SafeKept does not allow third-party advertisers to access user data. SafeKept does not use personal data stored in users' vaults for advertising, profiling, or any commercial purpose beyond the provision of the Services described in this Privacy Policy. This commitment applies to all categories of personal data including vault data, estate case data, and user account data.

14. SMS Text Messaging

By opting into SMS text messaging on the SafeKept Platform, you expressly consent to receive text messages to your mobile number. SafeKept SMS messages may include account alerts, security verification codes (two-factor authentication), and estate case status notifications.

You may opt out of SMS messages at any time via the Settings section of your account under notification preferences, or by replying STOP to any SMS message. Please be aware that message and data rates may apply.

15. Cookies

We use cookies and similar tracking technologies to collect and store information. Specific information about how we use such technologies and how you can refuse certain cookies is set out in our Cookie Policy.

Strictly Necessary Cookies: Essential for the Services to function. Required for user authentication, maintaining your session, and keeping your account secure. You cannot opt out of these cookies as the Services cannot function without them.
Functionality Cookies: These cookies remember your preferences such as language settings, dark mode preference, and notification settings.
Security Cookies: Used to help identify and prevent potential security risks, including detecting unusual login activity.
Analytics and Performance Cookies: Collect information about how you use the Services. We use PostHog for privacy-first analytics. Analytics cookies are only set with your consent.

16. Do We Make Updates to This Policy?

Yes, we will update this policy as necessary to stay compliant with relevant laws and to reflect changes in our business activities or data processing practices. If we make material changes, we may notify you either by prominently posting a notice or by directly sending you a notification to the email address registered to your account. We encourage you to review this Privacy Policy frequently.

17. How Can You Contact Us About This Policy?

If you have questions or comments about this notice, you may contact us at:

SafeKept Ltd
Company No. 17227517 (registered in England and Wales)
SafeKept, 124 City Road, London EC1V 2NX
England, United Kingdom

We will respond to all data protection enquiries within one month of receipt.

If you believe we are unlawfully processing your personal information, you also have the right to complain to the Information Commissioner's Office (ICO):
Website: www.ico.org.uk · Telephone: 0303 123 1113

18. How Can You Review, Update, or Delete Your Data?

Based on the applicable laws of your country, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. To request to review, update, or delete your personal information, please contact us at legal@safekept.co.uk.

You can also update most of your account information directly from your account Settings, and download your data in JSON format from the Privacy and Data section of Settings.