Privacy policy

Last updated: [DATE — placeholder]

This copy is a draft scaffold. The canonical privacy policy is being prepared with our legal team and will replace this text before production launch.

Data controller

Octopus Legacy Ltd (registered in England and Wales, company number [NUMBER], registered office [ADDRESS]) is the data controller for personal data processed through this service. You can contact our Data Protection Officer at privacy@octopuslegacy.com.

Data we collect

We collect the minimum personal data needed to deliver estate planning, bereavement and probate services: account identifiers (Legacy ID, last name), interactions with our services, and technical telemetry (approximate location, device category, session identifiers).

Lawful bases

We rely on three lawful bases under UK GDPR: consent (for optional analytics and marketing cookies), contract (to deliver the services your employer has arranged for you), and legitimate interest (security, fraud-prevention and service improvement).

Third parties

We share data only with processors that support the service: AWS (hosting, logging, data storage), Amazon Cognito (authentication), Vercel (frontend delivery), and our email provider for transactional notifications. All processors are bound by data-processing agreements.

Retention

Account and interaction data is retained for the duration of the employer contract plus six years (UK statutory limitation). Telemetry and analytics data is retained for 26 months.

Your rights

You can request access, correction, deletion, restriction, portability, or objection at any time by emailing privacy@octopuslegacy.com. You also have the right to complain to the UK Information Commissioner’s Office (ico.org.uk).

Updates

When we make material changes to this policy we bump the version in cookie_consent_v1 so that returning visitors are re-prompted to review their consent.