Skip to content

FinalVault Privacy Statement & GDPR Compliance

Last Updated: 04 Aug 2025
Effective Date: 04 Aug 2025

Your Privacy is Our Foundation

At FinalVault, protecting your family's most sensitive information is not just our business—it's our sacred responsibility. This Privacy Statement explains how we collect, use, protect, and share your personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Zero-Knowledge Security: FinalVault operates with client-side encryption, meaning we cannot access your vault contents under normal circumstances. Your documents and sensitive information are encrypted on your device before being stored, ensuring that only you and your designated beneficiaries can access your family's private information.

1. Who We Are

Data Controller: FinalVault Limited
Company Registration:  SC856871
Registered Address: Third Floor 3 Hill Street, Edinburgh, EH2 3JP
Contact Email: privacy@finalvault.co.uk
Phone: 0131 381 7956

FinalVault is a UK-based digital inheritance service that helps families securely store, organise, and share important documents and digital asset information for estate planning purposes.

2. Information We Collect

2.1 Account Information

When you create a FinalVault account, we collect:

  • Personal Details: Name, email address, phone number, date of birth
  • Billing Information: Payment method details, billing address
  • Authentication Data: Password (encrypted), security questions, two-factor authentication details
  • Emergency Contact Information: Details of designated beneficiaries and emergency contacts

2.2 Documents and Digital Assets

  • Uploaded Documents: Wills, insurance policies, financial documents, personal records
  • Digital Asset Information: Account details, passwords, access credentials for online services
  • Personal Notes: Messages, instructions, and guidance for beneficiaries
  • Media Files: Photos, videos, audio recordings uploaded to your vault

2.3 Technical Information

  • Device Data: IP address, browser type, operating system, device identifiers
  • Usage Analytics: How you interact with our platform, features used, time spent (processed through HubSpot CRM)
  • Security Logs: Login attempts, access patterns, security events
  • Communication Records: Support tickets and email correspondence (managed through HubSpot)
  • Payment Data: Transaction information processed securely through Stripe (FinalVault never stores card details)

2.4 Information from Third Parties

  • Professional Advisors: Data shared by solicitors, financial advisors, or accountants with your consent
  • Stripe Payment Data: Transaction confirmations and payment status updates (no card details stored)
  • Identity Verification: Information from identity verification services when required
  • HubSpot Analytics: Aggregated usage patterns for customer support optimisation (no vault content data)

3. How We Use Your Information

3.1 Primary Service Delivery

  • Secure Storage: Maintaining your encrypted digital vault through Wasabi cloud infrastructure
  • Access Management: Controlling who can access your information and when (without FinalVault being able to view contents)
  • Inheritance Planning: Facilitating the transfer of vault access to designated beneficiaries
  • Account Management: Processing payments through Stripe, managing subscriptions, providing customer support through HubSpot
  • Zero-Knowledge Operations: All vault operations performed without FinalVault accessing your encrypted content

3.2 Security and Fraud Prevention

  • Identity Verification: Confirming your identity and that of authorized users
  • Threat Detection: Monitoring for suspicious activity and potential security breaches (system-level monitoring only)
  • Compliance Monitoring: Ensuring adherence to legal and regulatory requirements
  • Audit Trails: Maintaining records of access and changes for security purposes (metadata only, not vault contents)
  • Payment Security: Fraud prevention through Stripe's advanced security systems

3.3 Service Improvement

  • Platform Enhancement: Improving our features based on usage patterns
  • Customer Support: Providing personalized assistance and resolving issues
  • Product Development: Developing new features that better serve our users' needs
  • Quality Assurance: Testing and maintaining platform reliability and performance

3.4 Legal Obligations

  • Regulatory Compliance: Meeting UK financial services and data protection requirements
  • Court Orders: Responding to lawful requests from authorities
  • Estate Administration: Facilitating legitimate inheritance processes
  • Professional Standards: Working with regulated professionals in accordance with their obligations

4. Legal Basis for Processing

We process your personal data under the following legal bases:

4.1 Contract Performance

  • Providing the FinalVault service as outlined in our Terms of Service
  • Processing payments and managing your subscription
  • Delivering customer support and technical assistance

4.2 Legitimate Interests

  • Security: Protecting your account and data from unauthorized access
  • Service Improvement: Enhancing our platform based on user feedback and usage data
  • Business Operations: Managing our business efficiently and effectively
  • Fraud Prevention: Detecting and preventing fraudulent activities

4.3 Legal Obligation

  • Regulatory Compliance: Meeting requirements under UK financial services regulations
  • Law Enforcement: Responding to lawful requests from authorities
  • Professional Standards: Complying with standards for working with regulated professionals

4.4 Vital Interests

  • Emergency Situations: Facilitating access to critical information in genuine emergencies
  • Health and Safety: Protecting the physical safety of you or others when necessary

4.5 Consent

  • Marketing Communications: Sending promotional emails and updates (with your explicit consent)
  • Optional Features: Providing enhanced services that require additional data processing
  • Third-Party Integrations: Connecting with external services you choose to link

5. Data Sharing and Disclosure

5.1 Designated Beneficiaries

  • Information is shared with your chosen beneficiaries only after proper verification and according to your specific instructions
  • Access is granted in accordance with the inheritance triggers you have configured
  • All beneficiary access is logged and monitored for security purposes

5.2 Professional Partners

  • Solicitors and Legal Advisors: When you engage their services through our platform
  • Financial Advisors: When facilitating estate planning services with your consent
  • Accountants: For tax planning and business succession purposes with your authorization

5.3 Service Providers

  • Cloud Storage: Secure, encrypted cloud storage infrastructure for your vault data
  • Stripe Payment Processing: PCI DSS compliant payment processing for billing and subscription management
  • HubSpot CRM: Customer relationship management for support tickets and communication tracking
  • Technical Support: Carefully vetted technology partners who assist with platform maintenance

5.4 Legal Requirements

  • Court Orders: When compelled by lawful court orders requiring vault access
  • Power of Attorney: When requested by registered power of attorney holders with proper legal documentation
  • Regulatory Authorities: When required by UK financial services or data protection regulators
  • Law Enforcement: In response to legitimate law enforcement requests with proper legal authorization

Important Note: FinalVault operates with zero-knowledge encryption. We cannot access your vault contents under normal circumstances. Access is only possible when legally compelled by court order or legitimate power of attorney requests, and requires specific technical procedures to decrypt vault contents.

5.5 Business Transitions

  • In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity
  • You will be notified of any such transfer with details about the new data controller
  • Your rights under this Privacy Statement will continue to apply

6. International Data Transfers

6.1 Data Storage Architecture

  • Cloud Storage: Primary data storage utilises Wasabi's secure cloud infrastructure
  • Encryption at Rest: All vault data is encrypted before transmission to cloud storage
  • Geographic Distribution: Data stored across multiple secure data centers for redundancy
  • Access Controls: Zero-knowledge architecture prevents FinalVault staff from accessing vault contents

6.2 Limited International Transfers

When international transfers are necessary:

  • Adequacy Decisions: Transfers only to countries with adequate data protection standards
  • Standard Contractual Clauses: Using EU/UK-approved contract terms for data protection
  • Explicit Consent: Obtaining your specific consent for any transfers outside adequate jurisdictions
  • Necessary Transfers: Only when essential for service delivery or legal compliance

6.3 Security Measures

  • All international transfers use end-to-end encryption
  • Data is pseudonymized or anonymized whenever possible
  • Access controls ensure only authorized personnel can access transferred data
  • Regular audits confirm the security of all transfer arrangements

7. Data Security Measures

7.1 Technical Safeguards

  • Zero-Knowledge Encryption: Client-side AES-256 encryption ensuring FinalVault cannot access your vault contents
  • Cloud Secure Storage: Enterprise-grade cloud storage with multiple redundancy and security layers
  • TLS 1.3: Secure transmission for all data in transit
  • Multi-Factor Authentication: Required for all account access
  • Stripe Security: PCI DSS Level 1 compliant payment processing with tokenization
  • Regular Security Audits: Quarterly penetration testing and vulnerability assessments

7.2 Organizational Measures

  • Staff Training: Regular data protection and security training for all employees
  • Access Controls: Strict role-based access to systems and data
  • Background Checks: Comprehensive screening for all personnel with data access
  • Incident Response: 24/7 monitoring and rapid response procedures
  • Secure Development: Security-by-design in all platform development

7.3 Physical Security

  • Data Centers: ISO 27001 certified facilities with biometric access controls
  • 24/7 Monitoring: Continuous surveillance and security personnel
  • Environmental Controls: Fire suppression, climate control, and power backup systems
  • Asset Management: Secure disposal of hardware and storage media

7.4 Business Continuity

  • Data Backups: Multiple, encrypted backups stored in geographically diverse locations
  • Disaster Recovery: Comprehensive plans for service continuity in emergencies
  • Redundancy: Multiple systems and fail-safes to prevent data loss
  • Testing: Regular testing of all backup and recovery procedures

8. Your Data Protection Rights

Under UK GDPR, you have the following rights regarding your personal data:

8.1 Right of Access

  • Data Portability: Download your data in a common, machine-readable format
  • Access Requests: Receive a copy of all personal data we hold about you
  • Processing Information: Understand how and why we process your data
  • Response Time: We respond to access requests within one month

8.2 Right to Rectification

  • Correction: Update or correct inaccurate personal information
  • Completion: Add missing information to your profile
  • Real-Time Updates: Make changes to your account information at any time
  • Verification: We may require verification for significant changes

8.3 Right to Erasure ("Right to be Forgotten")

  • Account Deletion: Permanently delete your account and associated data
  • Selective Deletion: Remove specific documents or information from your vault
  • Limitations: Some data may be retained for legal obligations or legitimate interests
  • Confirmation: We provide confirmation when erasure is complete

8.4 Right to Restrict Processing

  • Temporary Suspension: Limit how we process your data in specific circumstances
  • Dispute Resolution: Suspend processing while resolving accuracy disputes
  • Objection Pending: Restrict processing while considering objections
  • Status Updates: Regular updates on the status of processing restrictions

8.5 Right to Data Portability

  • Standard Formats: Export your data in JSON, CSV, or PDF formats
  • Direct Transfer: Where technically feasible, transfer data directly to another service
  • Complete Records: Include all documents, notes, and account information
  • Secure Transfer: All exports are encrypted and securely transmitted

8.6 Right to Object

  • Marketing: Opt out of marketing communications at any time
  • Legitimate Interests: Object to processing based on our legitimate interests
  • Profiling: Object to automated decision-making or profiling
  • Balancing Test: We assess your objection against our legitimate interests

8.7 Rights Related to Automated Decision-Making

  • Human Review: Request human review of any automated decisions
  • Explanation: Understand the logic behind automated processing
  • Challenge: Contest decisions made solely by automated systems
  • Alternative Processing: Request manual processing where appropriate

9. Data Retention

9.1 Active Account Data

  • Account Information: Retained while your account is active
  • Documents: Stored until you delete them or close your account
  • Usage Data: Aggregated analytics retained for service improvement
  • Communication Records: Support tickets retained for quality assurance

9.2 Closed Account Data

  • Grace Period: 90-day period to reactivate closed accounts
  • Beneficiary Access: Data retained according to your inheritance instructions
  • Legal Requirements: Some data retained for regulatory compliance (typically 7 years)
  • Anonymised Analytics: Non-personal usage patterns for service improvement

9.3 Inheritance Scenarios

  • Beneficiary Instructions: Data retained and transferred according to your specifications
  • Verification Period: Temporary retention while verifying beneficiary identity
  • Legal Processes: Extended retention if required for estate administration
  • Final Transfer: Secure transfer to verified beneficiaries or estate representatives

9.4 Legal and Regulatory Retention

  • Financial Records: 7 years for tax and regulatory purposes
  • Security Logs: 12 months for incident investigation and response
  • Compliance Documents: As required by relevant regulations
  • Court Orders: As specified in legal proceedings

10. Children's Privacy

10.1 Age Restrictions

  • Minimum Age: FinalVault is not intended for children under 18

10.2 Family Information

  • Children as Beneficiaries: Children under 18 cannot be included as a beneficiary keyholder

10.3 Special Protections

  • Limited Processing: Minimal data collection related to children

11. Marketing and Communications

11.1 Consent-Based Marketing

  • Opt-In Required: Explicit consent for all marketing communications
  • Clear Choices: Granular options for different types of communications
  • Easy Unsubscribe: One-click unsubscribe from all marketing emails
  • Preference Center: Manage your communication preferences online

11.2 Service Communications

  • Account Notifications: Important updates about your account or service
  • Security Alerts: Notifications about security events or required actions
  • Legal Updates: Changes to terms, privacy policies, or legal requirements
  • Billing Information: Payment confirmations, renewal notices, and billing issues

11.3 Educational Content

  • Estate Planning Guides: Helpful information about digital inheritance
  • Security Best Practices: Tips for protecting your digital assets
  • Product Updates: Information about new features and improvements
  • Industry News: Relevant updates about digital estate planning

11.4 Partner Communications

  • Professional Referrals: Information from trusted professional partners (with consent)
  • Joint Services: Communications about collaborative services
  • Educational Webinars: Invitations to educational events and seminars
  • Industry Updates: Relevant professional and regulatory updates

12. Cookies and Tracking Technologies

12.1 Essential Cookies

  • Authentication: Remembering your login status and session information
  • Security: Protecting against fraud and unauthorized access
  • Preferences: Storing your language and accessibility preferences
  • Functionality: Enabling core platform features and navigation

12.2 Analytics Cookies

  • Usage Statistics: Understanding how visitors use our website and platform
  • Performance Monitoring: Identifying technical issues and areas for improvement
  • Feature Usage: Analyzing which features are most valuable to users
  • Conversion Tracking: Measuring the effectiveness of our marketing efforts

12.3 Marketing Cookies

  • Advertising: Delivering relevant advertisements on third-party websites
  • Retargeting: Showing relevant content to previous visitors
  • Social Media: Enabling social media sharing and integration features
  • Partner Integration: Supporting partnerships with professional service providers

12.4 Cookie Management

  • Consent Banner: Clear choices about cookie usage upon first visit
  • Cookie Settings: Granular control over different types of cookies
  • Browser Controls: Instructions for managing cookies through browser settings
  • Regular Review: Periodic assessment and cleanup of unnecessary cookies

13. Data Breach Notification

13.1 Detection and Response

  • 24/7 Monitoring: Continuous monitoring for potential security incidents
  • Rapid Response: Immediate containment and investigation of any breaches
  • Expert Team: Dedicated cybersecurity professionals and incident response specialists
  • External Support: Relationships with leading cybersecurity firms for additional expertise

13.2 Regulatory Notification

  • 72-Hour Rule: Notification to the ICO within 72 hours of breach discovery
  • Risk Assessment: Detailed analysis of potential impact on individuals
  • Mitigation Measures: Immediate steps taken to contain and resolve the breach
  • Follow-Up Reports: Ongoing updates to regulators as investigation progresses

13.3 Individual Notification

  • High Risk Threshold: Direct notification if breach poses high risk to your rights and freedoms
  • Clear Communication: Plain English explanation of what happened and what it means
  • Immediate Actions: Specific steps you should take to protect yourself
  • Ongoing Support: Dedicated support team to answer questions and provide assistance

13.4 Prevention and Learning

  • Root Cause Analysis: Thorough investigation to prevent similar incidents
  • System Improvements: Implementation of additional safeguards based on lessons learned
  • Staff Training: Enhanced training programs based on incident findings
  • Transparency Reports: Annual reports on security incidents and improvements

14. Third-Party Services

14.1 Key Service Providers

Wasabi Technologies (Cloud Storage)

  • Service: Secure cloud storage infrastructure for encrypted vault data
  • Security: Enterprise-grade security with 99.999999999% (11 9's) durability
  • Compliance: SOC 2 Type II, ISO 27001 certified facilities
  • Data Protection: Your data is encrypted before transmission; Wasabi cannot decrypt vault contents

Stripe (Payment Processing)

  • Service: Secure payment processing and billing management
  • Compliance: PCI DSS Level 1 certified, highest level of payment security
  • Data Minimization: Only payment-related information is shared
  • Tokenization: Card details are tokenized and never stored by FinalVault

HubSpot (Customer Relationship Management)

  • Service: Customer support ticket management and communication tracking
  • Data Shared: Contact information, support interactions, account status (non-vault data only)
  • Privacy: GDPR compliant with EU-US Data Privacy Framework certification
  • Access Control: Support staff can only access customer service data, never vault contents

14.2 Due Diligence Process

  • Security Assessment: Comprehensive evaluation of third-party security practices
  • Privacy Compliance: Verification of GDPR compliance and data protection standards
  • Contractual Protections: Strong data processing agreements with all partners
  • Regular Audits: Ongoing monitoring of third-party compliance and performance

14.3 Data Sharing Controls

  • Minimal Data: Only sharing information necessary for specific services
  • Purpose Limitation: Clear restrictions on how partners can use your data
  • Access Controls: Technical and organizational measures to limit access
  • Deletion Requirements: Mandatory deletion of data when services are complete

14.4 Partner Accountability

  • Performance Monitoring: Regular assessment of partner service quality
  • Compliance Verification: Ongoing verification of privacy and security compliance
  • Incident Response: Clear procedures for addressing partner-related security incidents
  • Contract Enforcement: Strong legal remedies for partner non-compliance

15. Updates and Changes

15.1 Policy Updates

  • Advance Notice: 30 days notice for any material changes to this Privacy Statement
  • Clear Explanation: Plain English summary of changes and their impact
  • Continued Consent: Opportunity to review and accept updated terms
  • Historical Versions: Access to previous versions of our Privacy Statement

15.2 Service Changes

  • Feature Updates: Notification of new features that may affect data processing
  • Integration Changes: Updates about new third-party integrations or partnerships
  • Security Enhancements: Information about improvements to security measures
  • Regulatory Changes: Updates related to changes in applicable laws or regulations

15.3 Communication Methods

  • Email Notification: Direct email to your registered address
  • Platform Notification: In-app notifications when you log in
  • Website Updates: Prominent notices on our website
  • Social Media: Updates through our official social media channels

15.4 Your Options

  • Accept Changes: Continue using the service under updated terms
  • Object to Changes: Exercise your right to object to specific processing activities
  • Account Closure: Close your account if you disagree with material changes
  • Data Export: Download your data before any changes take effect

16. Contact Information and Complaints

16.1 Data Protection Enquiries

Primary Contact:

  • Email: privacy@finalvault.co.uk
  • Phone: 0131 381 7956
  • Address: Third Floor, 3 Hill Street, Edinburgh, EH2 3JP
  • Response Time: Within 5 business days for initial response

16.2 Complaint Process

Internal Process:

  1. Initial Contact: Submit your complaint via email or phone
  2. Acknowledgment: Written acknowledgment within 2 business days
  3. Investigation: Thorough investigation within 30 days
  4. Resolution: Written response with our findings and any remedial action
  5. Appeal: Right to appeal our decision to senior management

External Options:

  • ICO Complaint: Right to complain to the Information Commissioner's Office
  • ICO Contact: ico.org.uk or 0303 123 1113
  • Legal Advice: Right to seek independent legal advice
  • Compensation: Right to claim compensation for material or non-material damage

16.3 Emergency Contacts

Security Incidents:

  • 24/7 Hotline: 0131 381 7956
  • Email: security@finalvault.co.uk
  • Incident Response: Immediate response for security emergencies

Urgent Access Requests:

  • Family Emergency Line: 0131 381 7956
  • Verification Process: Streamlined process for genuine emergencies
  • Documentation Required: Death certificates, legal authorisation

16.4 Professional Support

Legal Professionals:

  • Dedicated Support: Specialised assistance for solicitors and legal advisors
  • Professional Line: 0131 381 7956
  • Partnership Queries: hello@finalvault.co.uk

Technical Integration:

  • API Support: Technical support for professional service integrations
  • Developer Resources: Documentation and support for technical implementations
  • System Integration: Assistance with connecting to existing professional systems

17. Definitions and Interpretation

17.1 Key Terms

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data, including collection, storage, and use
  • Data Controller: FinalVault Limited, which determines the purposes and means of processing
  • Data Processor: Third parties who process personal data on behalf of FinalVault
  • Data Subject: You, as the individual to whom personal data relates

17.2 Service-Specific Terms

  • Digital Vault: Your secure online storage area within the FinalVault platform
  • Beneficiary: Individuals designated to receive access to your vault after specified triggers
  • Emergency Access: Streamlined access procedures for genuine family emergencies
  • Inheritance Trigger: Events that activate beneficiary access to your vault
  • Professional Partner: Vetted legal, financial, or estate planning professionals

17.3 Technical Terms

  • Encryption: Mathematical algorithms that protect data by making it unreadable without a key
  • Zero-Knowledge: System design where FinalVault cannot access your encrypted data
  • Multi-Factor Authentication: Security process requiring multiple forms of identity verification
  • End-to-End Encryption: Protection of data throughout its entire journey from sender to recipient

17.4 Legal Terms

  • UK GDPR: United Kingdom General Data Protection Regulation
  • Data Protection Act 2018: UK legislation implementing and supplementing GDPR
  • ICO: Information Commissioner's Office, the UK's data protection regulator
  • Legitimate Interest: Legal basis for processing when there is a genuine and justified need

18. Effective Date and Governing Law

18.1 Effective Date

This Privacy Statement is effective from 04 August 2025 and applies to all data processing activities from that date forward. Previous versions of our Privacy Statement governed data processing activities before this date.

18.2 Governing Law

This Privacy Statement is governed by and interpreted in accordance with the laws ode to the UK. Any disputes arising from this Privacy Statement will be subject to the exclusive jurisdiction of the courts of the UK.

18.3 Severability

If any provision of this Privacy Statement is found to be invalid or unenforceable, the remaining provisions will continue to be valid and enforceable to the fullest extent permitted by law.

18.4 Language

This Privacy Statement is written in English. If translated into other languages, the English version will take precedence in case of any discrepancies.

Questions or Concerns?

We're committed to transparency and protecting your privacy. If you have any questions about this Privacy Statement or how we handle your personal data, please don't hesitate to contact us at privacy@finalvault.co.uk or call 0131 381 7956.

Your trust is the foundation of our service, and we're here to ensure you feel confident about how your family's most important information is protected.

This Privacy Statement was last updated on 04 August 2025. We recommend reviewing this statement periodically to stay informed about how we protect your privacy.