The short version: your vault is encrypted so that we cannot read it, we never sell your data, we share it only at your direction or where the law requires, and you can see, correct, or permanently delete your information at any time. The full detail follows.
By accessing or using the Services, you agree to the practices described in this Policy. If you do not agree, please discontinue use of the Services.
1.Information we collect
1.1 Information you provide directly
- Registration information — name, email address, phone number, and authentication credentials.
- Personal planning information — end-of-life wishes, planning documents, designated Successors and Keyholders, and preferences regarding funeral, medical, legal, and digital matters.
- Sensitive uploaded content — wills, directives, identity documents, passwords or access credentials, insurance policies, account numbers, digital asset lists, and other materials you voluntarily store within your encrypted vault.
- Payment information — processed exclusively by the Apple App Store. FinalKey does not retain payment card details.
1.2 Information collected automatically
- Device identifiers, IP address, operating system type and version, performance metrics, in-app behavior, crash logs, and related analytics.
1.3 Information from third parties
- Identity verification partners
- Death-event verification and certificate-validation services
- Analytics providers
- Cloud hosting platforms (AWS, Render.com)
- AWS S3 — encrypted document storage
- HashiCorp Vault — secure credential storage
- OpenAI — AI-powered features (anonymized queries only)
2.Purposes for which we use information
We use information only for legitimate, disclosed, and user-authorized purposes, including:
- Delivering, maintaining, and improving the Services.
- Securing and encrypting user content in storage and in transit.
- Authenticating users and enforcing access controls.
- Enabling Successor and Keyholder workflows following a verified end-of-life event.
- Processing transactions and managing subscriptions.
- Conducting analytics and operational performance analysis.
- Preventing, detecting, and responding to fraud, security incidents, and misuse.
- Complying with contractual, legal, regulatory, and law-enforcement obligations.
FinalKey does not sell personal data — under any circumstance.
3.Data security, encryption & HIPAA-aligned safeguards
Although FinalKey is not a "covered entity" or "business associate" under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), we voluntarily implement administrative, physical, and technical safeguards that align with HIPAA-grade security principles. This does not constitute a representation of HIPAA applicability or certification.
3.1 Encryption standards
- Data in transit — TLS 1.2 or higher.
- Data at rest — AES-256 or equivalent encryption.
- User-specific vault content is encrypted such that FinalKey personnel cannot access decrypted content ("zero-knowledge architecture," where applicable).
3.2 Cloud infrastructure security
Amazon Web Services (AWS)
- Virtual Private Cloud (VPC) isolation
- Encrypted Amazon RDS databases
- Role-based IAM access restrictions
- RDS Proxy connection pooling
- Automated backups and disaster recovery
Render.com
- Encrypted data at rest and in transit
- Isolated deployment environments
- Automatic patching and continuous monitoring
- Strict role-based and credential-scoped access
3.3 Access controls
- Multi-factor authentication (MFA) where required
- Strict internal role-based permissions
- Comprehensive logging of administrative activity
- Rate limiting and intrusion detection mechanisms
3.4 Incident response
We maintain an incident response protocol for detection, containment, investigation, remediation, and — where required — user notification.
5.Data retention and deletion
We retain personal information only for as long as necessary to:
- Provide and support the Services
- Maintain accurate logs and backups
- Comply with legal and regulatory obligations
- Support Successor and Keyholder transitions
Upon user-initiated deletion:
- Encrypted vault contents are permanently and irreversibly destroyed.
- Residual encrypted backups are purged in accordance with our backup retention schedule.
- Minimal identifying metadata may be retained solely for legal, accounting, or security-related purposes.
You can delete your data or your entire account yourself, at any time, right in the app — see our step-by-step deletion guide.
6.International data transfers
Your information may be processed in the United States or other jurisdictions where our service providers operate. Where legally required, FinalKey employs recognized data-transfer mechanisms, such as Standard Contractual Clauses, to safeguard personal information.
7.Your rights
Subject to applicable law, you may have the right to:
- Access your personal information
- Request corrections
- Request deletion
- Request portability
- Restrict or object to certain processing
- Opt out of non-essential tracking technologies
We may require verification of your identity before fulfilling a request. To exercise any of these rights, contact our support team.
8.SMS messaging
FinalKey sends transactional SMS messages only to phone numbers that have been designated as Secret Code Recipients by a primary FinalKey user and that have confirmed their designation by replying YES to a one-time opt-in message.
What we send
- Opt-in confirmation requests when a primary user first designates a phone as a Secret Code Recipient.
- One-time passcodes sent after a Successor has filed a death-verification request that has passed document-authenticity and database-match checks.
- Administrative messages, such as HELP responses and STOP confirmations.
What we never send
FinalKey does not send marketing, promotional, or recurring campaign messages via SMS, and does not share phone numbers with third parties for marketing.
Opting out
Reply STOP to any message to opt out. Reply HELP for assistance, or contact support@myfinalkey.com. Standard message and data rates may apply.
Data retention
Phone numbers of Secret Code Recipients are retained for as long as the primary user keeps the recipient designation active. Opt-out status is retained indefinitely to honor the opt-out.
Carrier
SMS is delivered via Twilio. By opting in, you consent to FinalKey and Twilio processing your phone number for the purpose of delivering the messages described above.
9.Children's privacy
The Services are intended solely for individuals 18 years of age or older. We do not knowingly collect personal information from children. If such information is identified, it will be deleted promptly.
10.Third-party websites and links
The Services may include links to external websites or applications. FinalKey is not responsible for the privacy practices or content of such third parties. We encourage you to review their respective privacy policies.
11.Policy updates
We may modify this Policy from time to time. Revised versions become effective upon posting within the Services. For material changes, we will provide additional notice as required. Your continued use of the Services constitutes acceptance of the updated Policy.
12.Contact information
My FinalKey, LLC
Email: support@myfinalkey.com
Address: Dallas, TX
For questions regarding this Policy or your privacy rights, you can also use our support form.