Legal

Privacy Policy

Effective date18 March 2026

Last updated28 March 2026

Applies toAfter Me iOS app & myafterme.co.uk

Governing lawUK GDPR · Data (Use and Access) Act 2025

Plain English summary

This is the full legal document. Here is what it says in plain English:

Your documents never leave your phone. We cannot see them. We do not store them. They are encrypted on your device using AES-256 GCM and we have no access to the keys.
We collect very little about you. When you download the app, we do not create an account for you. The only personal data we may collect is your email address if you join our waitlist, and anonymous crash reports if you opt in.
We do not sell your data. Ever. To anyone. We do not use your data for advertising.
We do not use third-party analytics inside the app. No Google Analytics, no Facebook Pixel, no tracking SDKs inside After Me.
The website uses minimal cookies for basic functionality only. No tracking cookies without your consent.
You have full rights over any personal data we hold — access, correction, deletion, portability. Contact us any time.
If you use cloud backup (optional), your vault is encrypted before it leaves your device. Neither Apple, Google, nor After Me can read it.

Contents

1. Who we are
2. Scope of this policy
3. What personal data we collect and why
4. Your documents and vault contents
5. Our legal basis for processing
6. Third parties and data sharing
7. Cloud backup
8. Cookies and website tracking
9. How long we keep your data
10. Security
11. Your rights
12. California residents (CCPA / CPRA)
13. Children
14. International data transfers
15. Complaints
16. Changes to this policy
17. Contact us

1. Who we are

The After Me app and website are operated by TITADE Ltd, a company registered in England and Wales (company number 17106008). Our registered office address is shown on the Companies House public register.

For the purposes of UK data protection law — including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025 — TITADE Ltd is the data controller of any personal data we collect from you.

TITADE Ltd is registered with the Information Commissioner's Office (ICO) as a data controller under reference ZC109721. You can verify our registration at ico.org.uk.

We can be reached at privacy@myafterme.co.uk for all privacy-related enquiries.

2. Scope of this policy

This privacy policy applies to:

The After Me iOS application (the "App")
The After Me website at myafterme.co.uk (the "Website")
Any communications between you and us, including email and support requests

This policy does not apply to third-party websites or services that we may link to. We encourage you to review the privacy policies of any third-party services you use.

This policy should be read alongside our Terms of Service.

3. What personal data we collect and why

After Me is designed around a principle of minimal data collection. The App's core function — storing and encrypting your documents — requires no personal data to reach us at all. Below is a complete account of everything we do and do not collect.

3.1 Data we collect when you use the App

Data type	Why we collect it	Where it is stored
In-app purchase receipt Confirmation of your payment	To unlock premium features. Handled entirely by Apple's StoreKit — we receive only a confirmation token, not your payment details.	Apple's servers and your device. We hold only an anonymised purchase confirmation.
Crash reports (opt-in only) Anonymous technical error data	To fix bugs and improve stability. Contains device type, iOS version, and error stack trace. PII is scrubbed before transmission. Never contains document content, names, or identifying information.	Sentry (see Section 6). Retained for 90 days then deleted automatically.
iCloud vault backup (opt-in only) Your encrypted vault file	To protect your vault if your device is lost or damaged. The vault is encrypted on your device before upload. See Section 7.	Your personal iCloud account. We have no access to it.

Important: The App does not collect your name, email address, location, contacts, or any biometric data. Face ID and Touch ID authentication is handled entirely by Apple's LocalAuthentication framework on your device. We never receive or store any biometric data.

3.2 Data we collect on the Website

Data type	Why we collect it	Retention
Email address Provided voluntarily via waitlist form	To notify you when After Me launches and send you early access information. We will only send you what you signed up for.	Until you unsubscribe, or 24 months from collection, whichever is sooner.
Support enquiries Email content and address when you contact us	To respond to your question or complaint and maintain a record of support interactions.	3 years from last contact, then deleted.
Server logs IP address, browser type, pages visited, timestamp	Standard web server logs for security monitoring and diagnosing technical issues.	30 days, then automatically deleted.

3.3 Data we do NOT collect

For complete clarity, we do not collect, process, or have access to:

The documents, images, or files you store in your vault
Your vault encryption keys
Your biometric data (Face ID or Touch ID)
Your contacts, calendar, or location
Your browsing history or behaviour within the App
Any data for advertising or profiling purposes
Data from your Family Kit QR code or the documents it contains

4. Your documents and vault contents

This section is important. Please read it carefully.

All documents, images, personal messages, and metadata you store within the After Me vault are encrypted on your device using AES-256 GCM encryption before they are stored. The encryption keys are generated on your device and held in Apple's Secure Enclave. We do not hold, transmit, receive, or have any means of accessing your encryption keys.

This means:

We cannot read your documents under any circumstances
We cannot comply with a request to provide your documents to third parties, because we do not have them
If you are locked out of your vault, we cannot recover your data — this is a deliberate feature of the zero-knowledge architecture
If your device is destroyed and you have not created a Family Kit or enabled cloud backup, your vault data cannot be recovered by anyone

The .afterme file format is an open, documented standard. The specification and a reference decoder are published at myafterme.co.uk/format-spec. This means your family can access your vault documents using any compatible tool, not just our App.

Because your vault contents never reach our systems, we are not a data controller or data processor in relation to the documents you store. You are the sole controller of your vault contents.

5. Our legal basis for processing

Under UK GDPR and the Data (Use and Access) Act 2025, we must have a valid legal basis for each processing activity. Our legal bases are as follows:

Processing activity	Legal basis
Processing your in-app purchase and providing premium features	Contract — necessary to fulfil our agreement with you when you purchase the App.
Sending you waitlist emails and launch notifications	Consent — you provided your email address and agreed to receive these communications. You can withdraw consent at any time by unsubscribing.
Responding to support requests	Legitimate interests — we have a legitimate interest in resolving your queries and maintaining a record of support interactions. This does not override your rights.
Processing anonymous crash reports (if you opt in)	Consent — you choose whether to share crash data when first using the App. You can change this in Settings at any time.
Website server security logs	Legitimate interests — we have a legitimate interest in maintaining the security and integrity of our website infrastructure.

6. Third parties and data sharing

We do not sell, rent, or trade your personal data to any third party.

We may share limited personal data with the following categories of third party, only to the extent necessary:

6.1 Apple Inc.

The App is distributed through the Apple App Store. Apple processes transaction data when you make a purchase and may collect device identifiers and usage data in accordance with Apple's Privacy Policy. We receive only a purchase confirmation token — not your payment card details.

6.2 Sentry (Functional Software, Inc.)

If you opt in to crash reporting, anonymous technical error data (device model, iOS version, stack traces) is processed by Sentry, our crash reporting service. Personally identifiable information and all document content are excluded via SDK-level PII scrubbing before transmission. Data may be processed in the EU or US. See Sentry's Privacy Policy.

6.3 Vercel Inc. (web hosting)

Our website is hosted by Vercel. Standard server log data (see Section 3.2) is processed on Vercel's infrastructure. We have a data processing agreement in place. See Vercel's Privacy Policy.

6.4 Email service provider

We use a third-party email service to manage our waitlist and send launch notifications. Your email address is stored on their servers solely for the purpose of sending emails on our behalf. We have a data processing agreement in place with this provider prohibiting any other use of your data.

6.5 Legal requirements

We may disclose personal data if required to do so by law, court order, or at the request of a regulatory authority. We will notify you of any such requirement where we are legally permitted to do so.

6.6 Business transfer

If After Me is acquired by or merged with another company, your personal data may be transferred to the new owners. We will notify you before your data is transferred and becomes subject to a different privacy policy.

What we will never do: Share your data with advertisers, sell your data to data brokers, use your data to build advertising profiles, or provide your data to social media platforms for targeting purposes.

7. Cloud backup

After Me offers an entirely optional encrypted cloud backup feature. On iOS, backups are stored in iCloud; on Android, in Google Drive. It can be enabled or disabled in Settings at any time.

When cloud backup is enabled:

Your vault is encrypted on your device using AES-256 GCM before being uploaded to iCloud
The encryption key remains in your device's Secure Enclave — it is not uploaded to iCloud
Apple cannot read the contents of your backed-up vault
We cannot read the contents of your backed-up vault
The backup is stored in your personal iCloud (iOS) or Google Drive (Android) account, subject to Apple's Privacy Policy and your iCloud storage limits

Cloud backup is governed by the terms of your cloud provider (Apple for iCloud, Google for Google Drive). We have no contractual relationship with these providers in relation to your cloud storage — this is a service between you and your provider.

8. Cookies and website tracking

The After Me App does not use cookies.

The After Me Website (myafterme.co.uk) uses a small number of cookies. Under UK GDPR and PECR as amended by the Data (Use and Access) Act 2025, we are required to obtain your consent before placing non-essential cookies on your device.

The data controller for personal data processed through the website (including via cookies) is TITADE Ltd (ICO registration ZC109721). See Who we are above.

8.1 Strictly necessary cookies

These cookies are required for the website to function and cannot be disabled. They do not collect personal data for marketing purposes.

Cookie name	Purpose	Duration
session	Maintains your session state	Session
csrf_token	Security: prevents cross-site request forgery	Session

8.2 Analytics cookies

We do not currently use analytics cookies. If we introduce them in future, we will request your consent via a cookie banner before placing them.

8.3 Managing cookies

You can control and delete cookies through your browser settings: Chrome · Safari · Firefox

9. How long we keep your data

We keep personal data only for as long as necessary for the purpose it was collected, and no longer than required by law.

Data type	Retention period
Your vault contents	Not held by us — stored locally on your device only
Waitlist email address	Until you unsubscribe, or 24 months from collection, whichever is sooner
Purchase confirmation	7 years (required for VAT and tax purposes under UK law)
Support correspondence	3 years from last contact
Crash reports	90 days, then automatically deleted
Website server logs	30 days, then automatically deleted

When retention periods expire, data is permanently deleted or anonymised so it can no longer be associated with you.

10. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction.

App-level: AES-256 GCM encryption of all vault contents; keys stored in Apple's Secure Enclave; biometric authentication required for vault access; zero-knowledge architecture
Website-level: HTTPS enforced across all pages; minimal data collection to reduce attack surface
Organisational: Access to personal data is restricted to team members who require it. All team members are trained in data protection obligations.

In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and notify you without undue delay as required by UK GDPR Articles 33 and 34.

The security of your vault also depends on keeping your device passcode and Family Kit QR card secure. We recommend storing your Family Kit in a physically secure location.

11. Your rights

Under UK GDPR and the Data (Use and Access) Act 2025, you have the following rights in relation to the personal data we hold about you. These rights apply to data we hold — they do not apply to your vault contents, which we cannot access.

Right of access

Request a copy of the personal data we hold about you (a Subject Access Request). We must respond within one month.

Right to rectification

Ask us to correct inaccurate or incomplete personal data we hold about you.

Right to erasure

Ask us to delete your personal data ("the right to be forgotten"). Some exceptions apply where we are required to keep records by law.

Right to restrict processing

Ask us to pause processing your personal data in certain circumstances, for example while you contest its accuracy.

Right to data portability

Receive a copy of your personal data in a structured, machine-readable format, and transfer it to another organisation.

Right to object

Object to processing based on legitimate interests. We must stop unless we can demonstrate compelling legitimate grounds.

Right to withdraw consent

Where processing is based on your consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

Automated decisions

We do not make automated decisions about you with legal or similarly significant effects. This right is not currently applicable.

To exercise any of these rights, contact us at privacy@myafterme.co.uk. We will respond within one month. We may need to verify your identity before processing your request. Exercising your rights is free of charge.

12. California residents (CCPA / CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act and California Privacy Rights Act.

We do not sell your personal information. We have never sold personal information and have no intention of doing so. Because we do not sell or share personal information for cross-context behavioural advertising, there is no sale to opt out of.

Right to Know: The only personal data we process is anonymised crash metadata (device model, OS version, stack traces). We do not collect your name, email, location, or any identifying information within the App.

Right to Delete: Delete your data at any time by removing documents in-app or deleting the app entirely. To request deletion of any data held on our servers, email privacy@myafterme.co.uk.

Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

13. Children

After Me is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. The App's subject matter — end-of-life planning and estate management — is intended for adults only.

If you believe we have inadvertently collected personal data from a child under 18, please contact us at privacy@myafterme.co.uk and we will delete it promptly.

In accordance with our obligations under the Data (Use and Access) Act 2025 regarding children's higher protection matters, we have implemented age-appropriate design measures appropriate to the nature of our service.

14. International data transfers

Your documents never leave your device, so there are no international transfers of vault content.

Some of our third-party service providers may process data on servers located outside the UK or EEA. Where this occurs, we ensure appropriate safeguards are in place, including:

Adequacy decisions made by the UK Secretary of State
International data transfer agreements (IDTAs) incorporating the ICO's standard contractual clauses

Specifically, Sentry may process anonymised crash data on infrastructure in the EU or United States under applicable data transfer frameworks. No document content is ever transferred.

You can obtain more information about any international transfers by contacting us at privacy@myafterme.co.uk.

15. Complaints

If you have a concern about how we handle your personal data, please:

Contact us first at privacy@myafterme.co.uk. We will acknowledge your complaint within 5 working days and aim to resolve it within 28 days.
If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection matters.

Information Commissioner's Office

Websiteico.org.uk

Helpline0303 123 1113

AddressWycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

You also have the right to seek a judicial remedy through the courts, separate from and in addition to your right to complain to the ICO.

16. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices, the services we offer, or legal requirements. We will notify you of significant changes by:

Updating the "Last updated" date at the top of this document
Displaying a notice in the App on your next login, for material changes affecting App users
Sending an email to waitlist subscribers, for material changes affecting website users who have provided their email address

Where a change requires your consent under UK GDPR, we will seek that consent before the new processing begins. Previous versions of this policy are available on request.

17. Contact us

For privacy-related questions, data subject requests, or to opt out of crash reporting, please contact us:

After Me — Data Controller

CompanyTITADE Ltd

Company no.17106008 (England and Wales)

Registered officeAs shown on the Companies House register

Emailprivacy@myafterme.co.uk

Supportsupport@myafterme.co.uk

ICOZC109721

We aim to respond to all privacy-related enquiries within 5 working days and to resolve them within one month.

After Me Privacy Policy · Version 2.1 · Effective 18 March 2026 · Last updated 28 March 2026 (controller: TITADE Ltd, ICO ZC109721)

Governing law: UK GDPR · Data Protection Act 2018 · Data (Use and Access) Act 2025