AY
AfterYou
Menu

Privacy Policy

Last updated: January 13, 2026

1. Introduction

At AfterYou ("Company," "we," "our," or "us"), we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our digital legacy planning service. In this policy, "Vault" refers to the encrypted storage area within AfterYou where you store your passwords, documents, assets, notes, and other sensitive information.

By using AfterYou, you consent to the data practices described in this policy. If you do not agree with our policies, please do not use our Service. This Privacy Policy should be read together with our Terms of Use.

2. Information We Collect

2.1 Account Information

  • Personal Details: Name, email address, phone number
  • Profile Information: Profile picture, display preferences, account settings
  • Authentication Data: Login credentials, security settings, two-factor authentication configuration

2.2 Nominee Data

  • Names, email addresses, and phone numbers of nominees
  • Relationship to you (as you designate)
  • Verification data (OTP records, identity verification status)
  • Access logs and handover records

2.3 Encrypted Vault Data

Your vault contents (passwords, assets, documents, notes) are encrypted using your master password with zero-knowledge architecture. We do not access, read, or process your decrypted vault data. This data is stored in encrypted form and can only be decrypted with your master password.

2.4 Heartbeat & Activity Data

  • Login times and session activity
  • Heartbeat check-in responses
  • Activity status (active, inactive, unhealthy)
  • Notification acknowledgments

2.5 Automatically Collected Information

  • Device Information: Browser type, operating system, device type
  • Usage Data: Pages visited, features used, timestamps, session duration
  • IP Address: For security, fraud prevention, and approximate location
  • Cookies: For authentication and preferences (see Section 9)

2.6 Communication Records

  • Support requests and correspondence
  • Feedback and suggestions
  • Notification delivery records (email, SMS, WhatsApp)

2.7 Social Media & Integration Data

If you choose to connect social media accounts or other third-party services for enhanced Heartbeat monitoring, we may collect:

  • OAuth tokens necessary to maintain the connection
  • Activity status or timestamps (e.g., last active, recent login)
  • Basic account identifiers to verify the connection

We do not access your messages, posts, contacts, or private content on connected platforms. Integration is entirely optional, and you may disconnect accounts at any time.

YouTube / Google Integration

When you connect your YouTube account, we access the YouTube Data API v3 activities endpoint (GET /youtube/v3/activities) to check for recent activity as proof-of-life.

Data we access:

  • Activity timestamps to detect recent engagement
  • Activity type (e.g., like, subscription, comment) for display purposes
  • Activity count

Data we do NOT access or store:

  • Video content, titles, or descriptions
  • Watch history or viewing preferences
  • Playlist contents or channel details
  • Comment text or subscription lists
  • Any YouTube content beyond activity metadata

Google user data obtained through the YouTube Data API is used solely to provide the heartbeat wellness check feature. We store only: a boolean indicating whether recent activity was detected, the timestamp of the most recent activity, and the activity type for user display.

Prohibited uses: AfterYou's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for:

  • Advertising (targeted, personalized, retargeted, or interest-based)
  • Selling data to third parties or data brokers
  • Training AI or machine learning models
  • Determining creditworthiness or for lending purposes
  • Any purpose unrelated to the core heartbeat service functionality

3. How We Use Your Information

We use your information for the following purposes:

Core Service Operations

  • Provide, maintain, and improve our Service
  • Process account registration and authentication
  • Store and manage your encrypted vault data
  • Operate the Heartbeat Monitor system
  • Manage nominee designations and access conditions
  • Execute data handover to nominees when conditions are met

Communications

  • Send service-related notifications (account alerts, heartbeat reminders, security notices)
  • Respond to your requests and provide customer support
  • Contact you and your nominees as part of the handover process

Security & Fraud Prevention

  • Detect, prevent, and address security threats
  • Monitor for suspicious or unauthorized activity
  • Protect against fraud and abuse

Analytics & Improvement

  • Understand how users interact with our Service
  • Identify and fix issues
  • Develop new features and improve existing ones
  • Generate aggregated, anonymized statistics

Legal Compliance

  • Comply with applicable laws and regulations
  • Respond to legal requests and prevent harm
  • Enforce our Terms of Use

Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), we process your personal data based on the following legal grounds:

  • Contract: Processing necessary to perform our contract with you (providing the Service)
  • Consent: Where you have given explicit consent (e.g., marketing communications)
  • Legitimate Interests: For security, fraud prevention, service improvement, and analytics
  • Legal Obligation: Where we are required to process data by law

4. Zero-Knowledge Architecture

AfterYou is built on a zero-knowledge security model:

  • Your vault data is encrypted on your device before reaching our servers
  • Your master password is not stored or transmitted in readable form
  • We store only encrypted data that we do not decrypt and access
  • Even in the event of a data breach, your encrypted vault data remains protected

Recovery Options

Limited administrative recovery options may be available upon your request in certain circumstances. This allows us to help you regain access if you forget your credentials. However, recovery is not guaranteed, and we do not use this capability to access your vault contents for any other purpose.

5. Information Sharing

We do not sell your personal information. We may share information in the following circumstances:

With Your Nominees

When the access conditions you configured are met (e.g., Heartbeat inactivity threshold reached), your designated nominees will receive access to the data you have assigned to them. This is the core function of our Service.

Service Providers

We use trusted third-party services to help operate our platform:

  • Hosting: Amazon Web Services (AWS)
  • Analytics: Posthog, Rybbit (privacy-focused)
  • Error Tracking: Sentry
  • Payment Processing: Dodopayments, Razorpay (depending on your location and payment method). Dodopayments may act as the Merchant of Record for certain transactions.
  • Communications: Email, SMS, and WhatsApp service providers

Service providers receive only the minimum data necessary to perform their services and are bound by data processing agreements.

Legal Requirements

We may disclose information when required by law, court order, or governmental authority, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others. However, due to our zero-knowledge encryption, your encrypted vault data cannot be accessed or disclosed — we can only provide unencrypted account information (such as your name, email, and activity logs).

Business Transfers

In connection with a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

With Your Consent

We may share information when you explicitly authorize us to do so.

6. Data Location & Transfers

AfterYou is operated by a partnership firm registered in Uttarakhand, India.

Your vault data (passwords, documents, assets) is encrypted on your device before being transmitted to our servers — we store only the encrypted version. Account information, profile data, and nominee details are stored in unencrypted form to enable service functionality. Our servers are located in:

  • AWS Mumbai, India
  • AWS US East-1 (Virginia, USA)

Your information may be transferred to and processed in countries other than your own. By using our Service, you consent to the transfer of your information to facilities located outside your country, which may have different data protection laws. We implement appropriate safeguards for international data transfers.

7. Data Retention

We retain your information as follows:

  • Active accounts: Data is retained while your account is active
  • Account deletion by you: Data is permanently deleted within 45 days
  • Subscription lapsed: Data is retained for 45 days, then permanently deleted
  • Heartbeat unhealthy (unclear status): Data is retained until your status is resolved through check-in or handover
  • User deceased (pending handover): Data is retained for up to 365 days to complete nominee handover
  • Backups: Backup copies may persist for up to 30 days after deletion from active systems

We may retain certain information longer as required for legal compliance, dispute resolution, or enforcement of our Terms.

8. Data Security

We implement industry-standard security measures to protect your data:

  • Client-side encryption — your vault data is encrypted on your device before reaching our servers
  • AES-256 encryption for vault data
  • TLS encryption for all data in transit
  • Two-factor authentication option
  • Secure infrastructure with access controls (AWS)
  • Regular security monitoring

However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, though we strive to protect your information using commercially reasonable measures.

9. Cookies & Analytics

We use cookies and similar technologies to:

  • Keep you signed in to your account
  • Remember your preferences
  • Understand how you use our Service
  • Improve our Service and user experience

Analytics Tools

We use privacy-focused analytics tools including Posthog and Rybbit to understand how users interact with our Service. These tools help us improve the user experience while respecting your privacy. We may also use Sentry for error tracking and debugging.

You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of our Service.

10. Communications

By using AfterYou, you consent to receive communications from us via:

  • Email: Account alerts, heartbeat reminders, security notices, handover notifications
  • SMS: Urgent notifications, verification codes
  • WhatsApp: Notifications as configured by you
  • Phone calls: Heartbeat check-ins as configured by you

Service-related communications are essential to the functioning of our platform and cannot be opted out of while using the Service. You may configure notification preferences and channels within your account settings.

Marketing Communications

We may occasionally send promotional communications. You may opt out at any time by clicking "unsubscribe" in any marketing email or adjusting your preferences in account settings. Opting out will not affect essential service notifications.

11. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate information
  • Deletion: Request deletion of your account and data
  • Portability: Export your data in a portable format
  • Objection: Object to certain processing activities
  • Withdrawal: Withdraw consent where applicable

To exercise these rights, please contact us at [email protected]. We will respond within a reasonable timeframe (typically within 30 days).

California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act. We do not sell your personal information. We will not discriminate against you for exercising any of your privacy rights.

12. Children's Privacy

AfterYou is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at [email protected] and we will promptly delete such information.

13. Data Breach Notification

In the unlikely event of a data breach that affects your personal information, we will:

  • Investigate and contain the breach promptly
  • Assess the risk to affected users
  • Notify affected users within 72 hours when required by law
  • Report to relevant regulatory authorities as required
  • Provide guidance on protective actions you can take

Note that because your vault data is encrypted with your master password, encrypted data remains protected even if our servers were to be compromised.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on our website, sending you an email, or through in-app notifications. We will provide at least 30 days' notice for significant changes.

Your continued use of the Service after changes constitutes acceptance of the updated policy. If you do not agree to the changes, you may terminate your account.

15. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us: