Privacy Policy
Last updated: March 20, 2026
1. Introduction
HeirVault Pte. Ltd. ("HeirVault", "we", "us", "our"), a company incorporated in the Republic of Singapore, respects your privacy. This Privacy Policy explains how we collect, use, store, share, and protect information when you use our digital asset inheritance platform at heirvault.xyz and heirvault.com (the "Service"). This policy is designed to comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Singapore's Personal Data Protection Act (PDPA), and other applicable data protection laws.
2. Data Controller
The data controller responsible for your personal data is:
HeirVault Pte. Ltd.
Singapore
Data Protection Officer: dpo@heirvault.xyz
3. Information We Collect
3.1 Blockchain Data (Public)
When you connect your wallet and interact with our smart contracts, we process publicly available blockchain data including wallet addresses, transaction hashes, vault contract addresses, and on-chain vault state. This data is inherently public on the blockchain and cannot be deleted.
3.2 Authentication Data
We use Sign-In with Ethereum (SIWE) and equivalent authentication methods for other supported chains. We store your wallet address and ENS name (if available), and generate session tokens (JWT). We do not collect passwords, seed phrases, or private keys.
3.3 Notification Data (Optional)
If you opt in to notifications, we collect and store your email address and/or Telegram ID. This data is encrypted at rest using Fernet symmetric encryption. You can disable notifications and request deletion of this data at any time through notification settings.
3.4 KYC/AML Data (Conditional)
Where legally required or enabled for a risk review, we may collect identity verification data including: government-issued ID, selfie photograph, name, date of birth, and nationality. This data is collected through our third-party identity verification provider, encrypted at rest using industry-standard encryption, and retained only for the minimum period required by applicable AML regulations.
3.5 Contact Form Data
When you submit our contact form, we collect your name, email address, and message content. This data is used solely to respond to your inquiry.
3.6 Technical Data
We collect standard server logs including IP addresses, browser type, device type, operating system, referrer URL, and request timestamps for security monitoring and error diagnosis. We use Sentry for error tracking, which may collect anonymized technical data including stack traces, browser metadata, and session replay data (without personal identifiers). If you accept optional analytics cookies, Google Analytics receives aggregate usage events with vault, wallet, transaction, invite, and recovery identifiers redacted before custom events are sent.
4. Legal Basis for Processing (GDPR)
Under the GDPR, we process your personal data on the following legal bases:
| Data Type | Legal Basis | GDPR Article |
|---|---|---|
| Authentication (wallet address, JWT) | Contract performance | Art. 6(1)(b) |
| Notifications (email, Telegram) | Consent | Art. 6(1)(a) |
| KYC/AML identity data | Legal obligation | Art. 6(1)(c) |
| Server logs, error tracking | Legitimate interest (security) | Art. 6(1)(f) |
| Optional analytics | Consent | Art. 6(1)(a) |
| Contact form submissions | Consent / Legitimate interest | Art. 6(1)(a) / (f) |
5. How We Use Your Information
- To provide and maintain the Service, including vault state indexing, event monitoring, and notifications.
- To send you notifications about vault events (check-in reminders, claims, deposits) when you opt in.
- To fulfill legal obligations including AML/KYC screening, sanctions compliance, and suspicious activity monitoring.
- To respond to your support inquiries submitted through the contact form.
- To detect and prevent security threats, fraud, and abuse.
- To monitor system health, diagnose errors, and improve Service reliability.
- To generate aggregate analytics about Service usage when you consent to optional analytics cookies.
6. Data Storage and Security
- Personal data (email addresses, Telegram IDs) is encrypted at rest using Fernet symmetric encryption with unique keys.
- KYC data is encrypted at rest and access-controlled with audit logging.
- Database connections use TLS encryption in transit.
- API access is authenticated with RS256 (asymmetric) signed JWTs, using 15-minute access tokens and rotating 3-day refresh tokens.
- We implement rate limiting (slowapi), CORS restrictions, Content Security Policy (CSP) headers, and HTTPS-only connections.
- Infrastructure is hosted on dedicated servers with restricted access. We do not use shared hosting environments.
- We do not store private keys, seed phrases, or wallet credentials at any time.
7. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data. We may share data with the following categories of third parties, solely for the purposes described:
| Provider | Purpose | Data Shared |
|---|---|---|
| Resend | Transactional email delivery | Email address only |
| Telegram Bot API | Push notifications | Telegram ID (when opted in) |
| Sentry | Error tracking & monitoring | Anonymized technical data |
| Blockchain RPC providers | On-chain data reading | Public blockchain data, IP address |
| Chainalysis | AML/sanctions screening | Wallet addresses |
| Google Analytics | Optional aggregate product analytics | Redacted event metadata after consent |
| KYC provider (Sumsub / Onfido) | Identity verification | ID document, selfie (when required) |
We may disclose information if required by law, court order, subpoena, or regulatory request, or to protect the rights, safety, and security of our users and the Service.
8. Cookies and Local Storage
For details on cookies and similar technologies, please see our Cookie Policy. We use minimal browser storage for authentication, wallet connections, preferences, and cookie consent. Optional analytics is disabled unless you accept it.
9. Data Retention
| Data Type | Retention Period | Basis |
|---|---|---|
| Account data (wallet address) | Duration of account activity | Contract performance |
| Notification data (email, Telegram) | Until disabled by user | Consent |
| Notification history and queues | Generally 90 days for operational notification records | Legitimate interest / security |
| KYC/AML data | Minimum period required by applicable AML rules when collected | Legal obligation (AML regulations) |
| Audit and security records | At least 2 years; audit log entries are append-only and may be retained longer for evidence | Legal obligation / legitimate interest |
| Server logs | Configured monitoring retention; generally 14-90 days unless needed for incident investigation | Legitimate interest |
| Contact form submissions | 12 months | Consent |
| Blockchain data | Permanent (immutable on-chain) | Public data, not erasable |
10. Your Rights Under GDPR (EEA Residents)
If you are a resident of the European Economic Area (EEA), you have the following rights under the GDPR:
- Right of Access (Art. 15) — Request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16) — Request correction of inaccurate or incomplete data.
- Right to Erasure (Art. 17) — Request deletion of your personal data, subject to legal retention requirements (e.g., AML data must be retained for 5 years). Note: blockchain data is public and immutable and cannot be erased.
- Right to Restriction (Art. 18) — Request restriction of processing in certain circumstances.
- Right to Data Portability (Art. 20) — Receive your data in a structured, machine-readable format. Your vault data is publicly available on-chain and can be accessed independently.
- Right to Object (Art. 21) — Object to processing based on legitimate interest.
- Right to Withdraw Consent (Art. 7(3)) — Withdraw consent at any time (e.g., disable notifications) without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint — File a complaint with your local Data Protection Authority (DPA).
To exercise these rights, contact our DPO at dpo@heirvault.xyz. We will respond within 30 days.
11. Your Rights Under CCPA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know — Request disclosure of the categories and specific pieces of personal information we have collected, the sources, business purposes, and third parties with whom we share it.
- Right to Delete — Request deletion of your personal information, subject to legal exceptions.
- Right to Correct — Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing — We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary.
- Right to Non-Discrimination — We will not discriminate against you for exercising your CCPA rights.
Categories of personal information collected in the last 12 months: Identifiers (wallet address, email, Telegram ID), internet activity (server logs, browser type), geolocation data (IP-derived country/region for compliance). We do not collect sensitive personal information as defined by the CCPA beyond what is necessary for KYC/AML compliance.
To submit a verifiable consumer request, contact us at privacy@heirvault.xyz.
12. Your Rights Under PDPA (Singapore Residents)
Under Singapore's Personal Data Protection Act (PDPA), you have the right to:
- Access — Request access to your personal data held by us and information about how it has been used or disclosed in the past year.
- Correction — Request correction of errors or omissions in your personal data.
- Withdrawal of Consent — Withdraw consent for the collection, use, or disclosure of your personal data, subject to legal and contractual restrictions.
- Data Portability — Request your data in a commonly used machine-readable format (where applicable under the Data Portability Obligation).
Contact our DPO at dpo@heirvault.xyz to exercise these rights. We will respond within 30 business days.
13. International Data Transfers
Your data may be processed in jurisdictions outside your own, including Singapore and other countries where our infrastructure providers operate. For transfers of personal data from the EEA to countries not covered by an EU adequacy decision, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) with our data processors.
- Data Processing Agreements (DPAs) with all third-party providers that process personal data on our behalf.
- Additional safeguards including encryption in transit and at rest, access controls, and contractual obligations on sub-processors.
You may request a copy of the applicable SCCs by contacting our DPO.
14. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will: (a) notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Art. 33); (b) notify affected individuals without undue delay if the breach is likely to result in high risk (GDPR Art. 34); and (c) comply with Singapore PDPA notification obligations (within 3 calendar days of assessment). We maintain an incident response plan and conduct regular security assessments.
15. Children's Privacy
HeirVault is not intended for use by individuals under 18 years of age (or the age of digital consent in your jurisdiction, e.g., 16 under GDPR). We do not knowingly collect personal information from children. If we discover that we have inadvertently collected data from a child, we will delete it promptly.
16. Automated Decision-Making
We use automated systems for AML/sanctions screening of wallet addresses. These automated checks may result in restricted access to the Service where screening returns a sanctions hit. Some chain/address formats may require manual review when automated screening is unavailable. You have the right to request human review of any automated decision that significantly affects you by contacting our DPO.
17. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated at least 30 days in advance through the Service and/or via email (if provided). The "Last updated" date at the top reflects the most recent revision. Continued use after the effective date constitutes acceptance.
18. Contact
For privacy-related inquiries:
- Data Protection Officer: dpo@heirvault.xyz
- General privacy inquiries: privacy@heirvault.xyz
- CCPA requests: privacy@heirvault.xyz (subject line: "CCPA Request")
- Or use our contact form.
HeirVault Pte. Ltd.
Singapore