Privacy Policy

Last updated: 2026-04-20

This Privacy Policy explains how Digital Testament ("we", "us", "our") collects, uses, and protects personal data when you use our service. It also describes your rights under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and how to exercise them.

1. Introduction

This policy covers all personal data processed in connection with the Digital Testament service, including our website, account area, and testament-storage features. It applies to Testators, Beneficiaries, prospective users (e.g. lead sign-ups), and visitors.

2. Data Controller & Contact

The data controller is Digital Testament, based in the Republic of Poland.

All privacy enquiries and data-subject requests: info@digitaltestament.eu.

3. What Data We Collect

  • Account data: email address, hashed password, preferred language, and profile fields (display name, bio, website, visibility).
  • Testament data: encrypted passwords, domains, TOTP seeds, phone numbers, selected crypto-wallet addresses, beneficiary emails and relationships, release-trigger configuration, and grace-period settings.
  • Attached files: documents, images, or other files you upload to a testament entry. All attachments are stored in the European Economic Area (DigitalOcean FRA1 — Paris, France).
  • Payment data: subscription status and a Stripe customer identifier. Card numbers are handled exclusively by Stripe and never reach our servers.
  • Technical data: IP address, user agent, reCAPTCHA risk score, and request/access logs.
  • Marketing data (optional): email address provided to the landing-page lead form, with subscription preference.

4. How We Collect It

  • Directly from you when you register, fill forms, or configure a testament.
  • Automatically via server logs and essential cookies when you use the site.
  • From Stripe for payment and subscription status.
  • From Google reCAPTCHA for bot-risk scoring on forms.

5. Legal Basis (GDPR Art. 6)

  • Art. 6(1)(b) — performance of a contract: running your account, storing Testament Data, and executing Release Triggers.
  • Art. 6(1)(f) — legitimate interests: preventing abuse (reCAPTCHA, rate limiting), security logs, product improvement in aggregate.
  • Art. 6(1)(a) — consent: marketing emails and non-essential communications, which you can withdraw at any time.
  • Art. 6(1)(c) — legal obligation: tax and accounting records for paid subscriptions.

6. Purpose of Processing

We process personal data to: create and secure your Account; store and encrypt Testament Data; verify Release Triggers and deliver Testament Data to Beneficiaries per your instructions; handle billing; reply to support and GDPR requests; comply with legal obligations; and defend against fraud and abuse.

7. Data Retention

  • Account and Testament Data: retained while your Account is active, plus a short grace window (typically 30 days) after deletion, then purged.
  • Payment and invoice records: 5 years, as required by Polish accounting law.
  • Server and security logs: up to 90 days, unless a longer period is needed to investigate a security incident.
  • Lead-form entries: until you unsubscribe or request deletion.

8. Your GDPR Rights

Under the GDPR you have the right to:

  • Access your personal data (Art. 15).
  • Rectify inaccurate or incomplete data (Art. 16).
  • Have your personal data erased (right to be forgotten) (Art. 17).
  • Obtain restriction of processing (Art. 18).
  • Receive your data in a machine-readable format (data portability) (Art. 20).
  • Object to processing based on legitimate interests (Art. 21).
  • Withdraw consent at any time without affecting prior lawful processing (Art. 7(3)).
  • Lodge a complaint with a supervisory authority, in particular the Polish DPA — Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl.

To exercise any of these rights, email info@digitaltestament.eu with the subject line "GDPR request". We will respond within 30 days; this period may be extended by up to two further months for complex requests, in which case we will inform you.

9. Data Sharing & Third Parties

We share personal data only with processors and recipients strictly necessary to run the Service:

  • Stripe — payment processing (EU / US, covered by Standard Contractual Clauses where applicable).
  • Google reCAPTCHA — bot and abuse detection on forms.
  • DigitalOcean — infrastructure, database, attached-file storage, and transactional email delivery. All user data, including uploaded files and Testament Data, is stored in DigitalOcean's FRA1 datacenter (Paris, France). DigitalOcean is a US-headquartered provider; any administrative access from outside the EEA is covered by Standard Contractual Clauses.
  • Beneficiaries — receive the encrypted Testament Data you addressed to them, only after a verified Release Trigger.
  • Authorities — if required by a lawful, binding request under Polish or EU law.

10. International Transfers

Your Account data, Testament Data, and uploaded files are stored in the European Economic Area — specifically DigitalOcean's FRA1 datacenter in Paris, France. Where a processor is headquartered outside the EEA (e.g. DigitalOcean, Stripe, Google reCAPTCHA) and any administrative or support access to personal data may occur from outside the EEA, such transfers are covered by the European Commission's Standard Contractual Clauses (SCCs) or another valid transfer mechanism under Chapter V of the GDPR.

11. Security

We apply appropriate technical and organisational measures: encryption at rest for Testament Data using a token-derived release-encryption scheme, TLS in transit, hashed passwords, reCAPTCHA on sensitive forms, principle of least privilege, and access logging. Security of your master key and the accuracy of your Release Trigger configuration remain your responsibility.

12. Cookies

We use only strictly necessary cookies to run the site:

  • csrftoken — CSRF protection.
  • sessionid — keeps you signed in.
  • django_language — remembers your language preference.
  • reCAPTCHA cookies set by Google on forms for bot detection.

We do not currently use analytics or marketing cookies. If this changes, we will publish a cookie banner and obtain consent where required.

13. Children

The Service is not intended for persons under 18. We do not knowingly process personal data of children. If we become aware that we have, we will delete the data promptly.

14. Automated Decision-Making

We do not make decisions producing legal or similarly significant effects on you based solely on automated processing (GDPR Art. 22). reCAPTCHA scores may gate specific actions, but human review is available on request via our contact email.

15. Changes to this Policy

We may update this Privacy Policy from time to time. For material changes we will notify you by email at least 30 days before the changes take effect and update the "Last updated" date above.

16. Contact

Privacy or GDPR questions? Email info@digitaltestament.eu.