Privacy Policy

Last updated: 13 May 2026

Who we are

Aftercare ("we", "us") is operated by [CONTROLLER_NAME], registered at [CONTROLLER_ADDRESS]. For any privacy question, contact us at [CONTACT_EMAIL].

We are the data controller for the personal data described in this policy. We are committed to handling data about you — and about the people you administer estates for — with the seriousness this situation requires.

What we collect, and why

Information you provide

  • Your account: email address (for sign-in and notifications), optional full name.
  • Case data about the deceased: name, dates of birth and death, last address, national identification number (NI / PPS / BSN / SSN), place of birth, marital and working status, the type of assets and liabilities held (property, pension, bank accounts, etc.).
  • Tasks & notes: what you've marked done, snoozed, or written down.
  • Documents you upload: death certificates, wills, identity documents.
  • Letters you generate or edit: the formal letters drafted by our AI on your behalf, including any reference numbers and statuses you record.
  • Family members you invite: their email addresses.

Information we collect automatically

  • Essential cookies: a sign-in cookie set by Supabase Auth and a language-preference cookie. We do not use advertising or tracking cookies.
  • AI usage logs: for every letter our AI generates, we record token counts and cost. This is used to enforce plan limits and to investigate billing questions. We do not store the prompt or letter body in the AI usage log — only the metadata.

Information from third parties

  • Lemon Squeezy (our payment processor, acting as merchant of record) shares your customer ID, subscription/order status, and renewal dates so we can apply your plan. They — not us — hold your card and billing-address details.

Legal bases (UK GDPR / EU GDPR)

We rely on the following legal bases under Article 6 GDPR:

  • Performance of a contract — for everything needed to provide the service you signed up for.
  • Legitimate interests — for service security, fraud prevention, AI cost monitoring, and product improvement (you can object at any time).
  • Consent — for any non-essential cookies (currently none).
  • Legal obligation — to retain transaction records for the period required by tax law.

Information about deceased persons is generally not personal data under GDPR (GDPR applies to living individuals). We still treat it with the same care.

Who we share data with

We share only what is required to provide the service. We never sell personal data, and we never share it for advertising.

  • Supabase — our database and authentication provider (data hosted in the EU).
  • Anthropic — the AI provider that drafts letters from the case data you supply. Prompts and outputs are processed transiently and are not used to train models for other customers.
  • Vercel — our hosting provider.
  • Lemon Squeezy — payment processing and VAT remittance (merchant of record).
  • Resend — transactional email (sign-in links, invitations).
  • Sentry — error tracking. We exclude personal data from error reports.
  • PostHog — product analytics. Aggregate events only (e.g. "letter generated"), no letter content.

Each of these vendors is bound by a Data Processing Agreement and either operates in the EU/UK or is covered by Standard Contractual Clauses for international transfers.

How long we keep data

  • Account & case data — for as long as your account is open. Deleting your account erases everything (see "Your rights").
  • Documents you upload — same lifecycle as the case they belong to.
  • Billing records — at least 7 years where tax law requires it, even after account deletion.
  • Error and access logs — 90 days.

Your rights

Under UK and EU GDPR you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data — you can edit most fields yourself in the app; for the rest, email us.
  • Erase your account and all associated data — use the Delete my account button on the Billing page. We retain billing records as required by tax law.
  • Restrict or object to processing — email us.
  • Portability — request an export of your case data.
  • Withdraw consent — where processing is based on consent.
  • Lodge a complaint with your data-protection authority — for the UK, the Information Commissioner's Office (ico.org.uk); for Ireland, the Data Protection Commission (dataprotection.ie); for the Netherlands, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

Security

All data is encrypted in transit (TLS) and at rest. Row-Level Security is enabled on every database table so users can only read their own cases. Documents uploaded to our storage are scoped to the case they belong to. Webhook payloads are HMAC-signed and verified before any account changes. We do not store payment card details — those are handled by Lemon Squeezy.

AI and automated processing

We use AI (Anthropic Claude) to draft formal letters from the case details you supply. The AI is a drafting tool — every letter is reviewed and sent by you. We do not make significant decisions about you using automated processing alone.

Not legal advice

Aftercare is a self-help organisational tool. Nothing on this site constitutes legal, tax, or financial advice. The checklists, templates, and AI-drafted letters are general guidance only. Always consult a qualified solicitor or accountant for advice specific to your circumstances.

Changes to this policy

We will email account holders before any material change. The "Last updated" date at the top reflects the most recent revision.

Questions? Email [CONTACT_EMAIL].