Effective Date: March 2, 2026 | Last Updated: March 2, 2026
This Privacy Policy describes how The Forever Vault ("we," "us," or "our") collects, uses, stores, and protects your personal information when you use our website and services (collectively, the "Service"). By using the Service, you consent to the practices described in this Privacy Policy.
1.1 Information You Provide Directly
When you create an account and use the Service, we collect the following categories of information: account information, including your name, email address, and password (or Google authentication credentials); Capsule content, including text messages, uploaded images, audio files, video files, and other attachments; Recipient information, including names, email addresses, and phone numbers of individuals you designate to receive Capsules; Trusted Contact information, including names, email addresses, and relationship descriptions of individuals you designate for legacy release verification; payment information processed through Stripe, including billing address and payment method details (we do not directly store credit card numbers); and scavenger hunt data, including clue content, GPS coordinates, answers, and codes.
1.2 Information Collected Automatically
We automatically collect certain information when you use the Service, including: login timestamps and last active date; device and browser information; IP addresses associated with account access; and actions performed within the Service as recorded in our audit logs.
We use the information we collect for the following purposes: to provide, maintain, and improve the Service; to store and deliver your Capsules to designated Recipients at the scheduled time or upon legacy release conditions; to process payments and manage your subscription; to verify User inactivity and facilitate the legacy release process through Trusted Contact confirmation; to send you transactional emails, including delivery confirmations, inactivity notifications, and account alerts; to maintain audit logs for security and accountability purposes; to enforce our Terms of Service and protect the rights, safety, and property of our Users and the public; and to comply with applicable legal obligations. We do not sell, rent, or trade your personal information to third parties for marketing purposes.
We take the security of your data seriously and implement the following measures: Capsule content (including message text and attachment references) is encrypted at rest using AES-256 encryption; all data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security); access to your data is restricted by Firebase Authentication and Firestore Security Rules that enforce per-user authorization; audit logs are maintained for all significant account actions and are immutable (they cannot be edited or deleted); and file attachments are stored in Firebase Storage with per-user access controls. Despite these measures, no system is completely secure. We cannot guarantee that unauthorized third parties will never be able to defeat our security measures or misuse any personal information. You acknowledge that you provide your personal information at your own risk.
Capsule content is treated as private and confidential. Only you can view your Capsule content while it is stored in your vault. Recipients can access Capsule content only after delivery has been triggered (either by scheduled date or legacy release). Our administrative staff do not have the ability to read encrypted Capsule content during normal operations. In the event of a valid legal order, subpoena, or court order, we may be required to provide access to or disclose Capsule content to law enforcement or governmental authorities. We will make reasonable efforts to notify you of such requests unless prohibited by law.
We use the following third-party services to operate the Service. Each provider has its own privacy policy governing its use of your data: Firebase by Google (authentication, database, and file storage) — see Google Cloud Privacy Policy; Stripe (payment processing) — see Stripe Privacy Policy; and email delivery services (for Capsule delivery, notifications, and transactional emails). We share only the minimum information necessary for each third-party provider to perform its function. We do not share your Capsule content with any third-party provider except as strictly necessary for storage and delivery.
When a User adds Recipients or Trusted Contacts, we collect and store their name and email address (and optionally their phone number and relationship to the User). This information is used solely for the purpose of delivering Capsules and facilitating legacy release verification. We do not create accounts for Recipients or Trusted Contacts unless they independently register. Recipients and Trusted Contacts who wish to have their information removed from our system may contact us at the email address provided below.
We retain your data for as long as your account is active or as needed to provide the Service. Capsule data that has been delivered to Recipients may remain accessible to those Recipients indefinitely, unless the Recipient requests deletion. Upon account deletion, we will permanently remove all personal data, Capsules, attachments, Recipient records, Trusted Contact records, and audit logs associated with your account within thirty (30) days. Certain anonymized or aggregated data that cannot be used to identify you may be retained for analytical and operational purposes. Backup copies of data may persist in our backup systems for up to ninety (90) days following deletion before being permanently purged.
In the event of a data breach that compromises the security, confidentiality, or integrity of your personal information, we will notify affected Users within seventy-two (72) hours of confirming the breach. Notification will be sent via the email address associated with your account and, where appropriate, posted on our website. We will provide information about the nature of the breach, the types of data affected, the steps we are taking to address the breach, and recommended actions you can take to protect yourself. We will also notify applicable regulatory authorities as required by law.
You have the following rights regarding your personal data: the right to access and review all personal information we hold about you; the right to correct inaccurate or incomplete personal information; the right to export your data in a portable format; the right to delete your account and all associated personal data; and the right to withdraw consent for data processing at any time by deleting your account. To exercise any of these rights, you may use the account settings within the Service or contact us at the email address provided below. We will respond to data rights requests within thirty (30) days.
We use only essential cookies required for authentication and session management through Firebase. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not engage in cross-site tracking or behavioral advertising.
The Service is not intended for individuals under the age of eighteen (18). We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe a child under 18 has provided us with personal information, please contact us immediately.
Your data is stored and processed in the United States using Google Cloud infrastructure (Firebase). If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you consent to such transfer.
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect and how it is used, the right to request deletion of your personal information, and the right not to be discriminated against for exercising your privacy rights. We do not sell personal information as defined under the CCPA.
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. We will notify you of material changes by sending an email to the address associated with your account and by posting the updated policy on this page with a revised "Last Updated" date. Your continued use of the Service after such changes constitutes your acceptance of the updated Privacy Policy.
For questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at: privacy@theforevervault.com