Our commitment to you
Legacy Vault Kit stores some of the most sensitive personal information you have — financial details, legal documents, health information, and family memories. We take that responsibility very seriously.
We are committed to the principles of UK GDPR: lawfulness, fairness, transparency, data minimisation, accuracy, storage limitation, integrity, and accountability. In plain English: we only collect what we need, we keep it secure, we tell you what we do with it, and we give you full control.
Your six rights under UK GDPR
Right of Access
You can request a copy of all personal data we hold about you at any time. We will respond within 30 days.
Right to Rectification
If any personal data we hold about you is inaccurate or incomplete, you can ask us to correct it.
Right to Erasure
You can ask us to delete your personal data. We will do so unless we are required by law to retain it.
Right to Portability
You can request your vault data in a machine-readable format so you can transfer it to another service.
Right to Restriction
You can ask us to restrict how we process your data in certain circumstances — for example, while a dispute is being resolved.
Right to Object
You can object to us processing your data for legitimate interests. You can also withdraw consent for marketing emails at any time.
How to exercise your rights
To exercise any of your rights, please contact us with your request. We will respond within 30 days. In some cases, we may need to verify your identity before we can process your request.
There is no charge for exercising your rights, unless a request is clearly unfounded or excessive.
How we protect your data
- All data is encrypted at rest and in transit using TLS encryption.
- Vault files are stored in encrypted Amazon S3 buckets in the European Union.
- Access to your vault is protected by your account credentials.
- We do not share your data with third parties for marketing purposes.
- We do not sell your data.
- Staff access to user data is restricted to what is necessary to provide support.
Data retention
We retain your personal data for as long as your account is active. If you cancel your subscription, your data is retained for 90 days to allow you to export it. After 90 days, it is permanently deleted.
Financial records (payment history) are retained for 7 years as required by UK law.
International data transfers
Your vault data is stored in the European Union (Amazon S3, EU region). We do not transfer your personal data outside the UK or EU/EEA without appropriate safeguards in place.
Our payment processor, Stripe, is certified under the EU-US Data Privacy Framework.
Data breach notification
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify you and the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, as required by UK GDPR.
The Information Commissioner's Office
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the ICO — the UK's data protection regulator.
Contact our Data Controller
For any data protection queries, please contact us. We aim to respond to all data protection queries within 5 working days.