How Aftr Limited collects, uses, and protects your personal information. Includes CCPA rights for California residents.
Aftr Limited (“Aftr”, “we”, “our”) is a New Zealand company (NZBN 9429120) that operates the Aftr service at app.aftr.co.nz, accessible globally at useaftr.com. We provide a digital estate planning tool for individuals.
This policy explains what personal information we collect, why we collect it, who we share it with, and your rights. It also includes a specific section for California residents explaining your rights under the California Consumer Privacy Act (CCPA / CPRA).
This policy is governed by New Zealand law and applies to users accessing Aftr from anywhere in the world.
When you register, we collect your name, email address, and a bcrypt hash of your password. Your password is never stored in readable form. We also store an optional date of birth if you provide one.
Your Vault stores credentials, identity documents, notes, files, Bookshelf entries, Letters, and Life Story content. All Vault content is encrypted with AES-256-GCM before it reaches our servers using a key derived from your password on your device. We cannot read your Vault contents.
If you use the Life Story feature, we collect voice recordings, photos, scrapbook entries, and text entries you create. These are sent to OpenAI for transcription or story generation (see below), then encrypted and stored on our servers.
When you add a guardian or executor, we store their name and email address to send invitations and notifications.
For family members you add, we collect names, relationships, and optionally email addresses and dates of birth.
Payments are processed by Stripe. We do not store card numbers or full payment details. We store only a Stripe customer ID and subscription ID.
If you submit your email address on our website via the interest capture form, we store your email address to send you product updates. You can unsubscribe at any time.
We log IP addresses, browser/device type, and actions taken in the app for security and compliance. Anonymised audit log entries are retained for 7 years. Raw IP address and device data is retained for 90 days, then anonymised.
We may derive inferences about your preferences from your use of the service (for example, feature engagement patterns). These are used only for product improvement via PostHog analytics and are not used for profiling or advertising.
Aftr uses a zero-knowledge architecture for your Vault and Life Story content. Your encryption key is derived from your master password on your own device. This key is never transmitted to our servers.
This has an important consequence: if you forget your master password, your Vault and Life Story content is permanently inaccessible. We cannot decrypt your data even if compelled by a court order.
The Life Story feature uses OpenAI for voice transcription and AI story generation. When you use these features, your voice recordings and transcript content leave our servers and are processed by OpenAI in the United States.
You can use written Life Story entries without any data being sent to OpenAI.
We use Meta Pixel on our marketing website, including the sign-up and registration pages. Meta Pixel collects information about your visit and actions and sends it to Meta to help us measure the effectiveness of our advertising and show our ads to relevant audiences on Facebook and Instagram.
We also use Meta Conversions API (CAPI), which sends server-side event data to Meta. We send:
Meta Pixel does not fire on authenticated dashboard pages inside the app.
California residents: This constitutes “sharing” of personal information under CCPA/CPRA for cross-context behavioural advertising purposes. You may opt out via Global Privacy Control (GPC) in your browser. See “Global Privacy Control” below.
You can also opt out of Meta interest-based advertising at facebook.com/help or via optout.aboutads.info.
We use PostHog (US Cloud) for product analytics on our website and app. PostHog uses cookies and local storage to track sessions and page interactions. We use a reverse proxy at /ingest/* for analytics traffic. We also use PostHog feature flags to manage which features are visible to which users.
We use Sentry for error monitoring. Sentry may capture browser type, page URL, and error context.
We use Betterstack for uptime monitoring. Betterstack does not receive personal data.
If you submit your email address via the interest capture form, we will add it to our mailing list via Resend and send a short series of product update emails (currently three emails over approximately 14 days). Each email includes a one-click unsubscribe. You can unsubscribe at any time.
You cannot unsubscribe from transactional emails (account verification, guardian invitations, attestation notifications, password reset), as they are essential to service delivery.
We use the personal information we collect to:
We do not sell personal information to third parties for their own marketing purposes.
When 3 or more of your guardians attest to your death, the service enters a 72-hour dispute window. After this window, your designated executor receives a single-use access token by email. The executor does not need an Aftr account.
Access via the executor token is logged. The Bookshelf ON_DEATH auto-release feature is currently disabled and will not be activated without a further update to this policy.
Subscription lapse does not trigger deletion. Your data is preserved unless you explicitly delete your account. See the Terms of Service for the 30-day recovery window.
If you join before 1 September 2026, your account is flagged as a Founding Member. This flag is stored in your account record to determine your pricing entitlement. No additional personal data is collected for this program.
You have the right to:
To exercise these rights, email us at privacy@aftr.co.nz. We will respond within 45 days.
We collect the above categories for the purposes described in “How we use your data” above: service delivery, billing, security, analytics, and advertising measurement.
No. Aftr does not sell personal information to third parties.
Yes, in a limited way. We use Meta Pixel and Meta Conversions API on our marketing pages to measure advertising effectiveness. Under CCPA/CPRA, sharing personal information with Meta for cross-context behavioural advertising purposes may constitute “sharing” even if no payment changes hands.
You may opt out of this sharing by:
Submit a request by emailing privacy@aftr.co.nz with “California Privacy Request” in the subject line. For logged-in users, the data export and account deletion tools in your account settings are the most direct way to exercise your right to know and right to delete. We will respond within 45 days. We may extend this by an additional 45 days where reasonably necessary.
We will verify your identity before processing requests. Logged-in users can verify identity via their account. For non-account requests, we may ask you to confirm the email address associated with any inquiry we have from you.
We detect and honour Global Privacy Control (GPC) signals. GPC is a browser-level signal that indicates you do not want your personal information shared or sold for advertising purposes.
When a GPC signal is detected on our marketing website, Meta Pixel will not fire for that session. This is the recommended method to opt out of our Meta Pixel sharing for California residents.
GPC detection is client-side. It applies to the current browser session and any future sessions in the same browser where GPC remains enabled.
All Aftr application data is hosted in AWS ap-southeast-6 (Auckland, New Zealand). Sub-processors with US-based processing are Stripe, Resend, OpenAI, Meta, PostHog, Sentry, and Langfuse. By using Aftr, you acknowledge that your data may be transferred to and processed in countries outside your country of residence, including New Zealand and the United States.
Our security measures include AES-256-GCM encryption for vault content (client-side, zero-knowledge), bcrypt password hashing, TLS in transit, passkey-first authentication (WebAuthn), and AWS encryption at rest. If we confirm a notifiable privacy breach, we will notify affected users by email within 72 hours.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the effective date above.