1. Scope
This policy applies to personal information processed by Heirloom in connection with the Services. It does not apply to services operated by third parties that we do not control.
2. Information We Collect
We collect information you provide, information generated as you use the Services, and information we receive from integrated providers.
- Account and identity data: name, email, password hash, passkey metadata, and OAuth identifiers (including the Google account ID, email, name, and profile image we receive when you sign in with Google).
- Household and family data: household records, family member names and relationships, birthdates, invited user roles, and minor family members entered by the adult account holder.
- Planning and financial data: net worth items, beneficiary records (including last four digits of accounts you enter), charitable giving, distribution allocations, spending plans, and monthly income.
- Connected financial account data: when you choose to connect a bank, credit card, brokerage, or loan through Plaid, we receive and store the institution name, account names, types, and last four digits, current and available balances, transaction history for accounts that produce it (depository and credit-card accounts), and an encrypted Plaid access token. Bank login credentials are entered directly into Plaid Link and are never seen or stored by Heirloom. Plaid also notifies us via webhook when new transactions are available, when a connection needs reauthentication, or when new accounts appear at your institution.
- Values and narrative content: money stories, values, wishes, private notes, and values vault media.
- Legal document data: will drafts, healthcare proxy and power of attorney status, guardian designations, and uploaded PDFs or related documents.
- AI feature data: the prompts you submit to AI features are processed by our AI subprocessors. In our own database we retain only a SHA-256 hash of each prompt along with a redaction flag, rather than the original plaintext.
- Product analytics data: screen and section views and onboarding or subscription lifecycle events, identified only by an internal application user ID. See Section 6.
- Device and technical data: user agent, route path, application version, and IP address.
- Error and diagnostic data: stack traces, component stacks, and the route where an error occurred.
- Support data: support ticket category, subject, description, and any screenshots you attach.
- Third-party contacts you enter: contact details you record for your attorney, CPA, financial advisor, or similar professionals. You represent that you have authority to enter this information.
You are responsible for having appropriate permissions before submitting personal information about other people, including minor family members.
3. How We Use Information
- Operate and secure the Services.
- Provide collaboration features, invitations, and role-based access control.
- Generate the planning and educational outputs you request.
- Connect financial accounts you authorize and keep balance information current.
- Maintain service reliability, provide support, and troubleshoot issues.
- Measure aggregate product usage when you have product analytics enabled.
- Diagnose errors and improve reliability using technical logs.
- Detect, prevent, and investigate fraud, abuse, and security incidents.
- Comply with legal obligations and enforce our Terms.
4. Legal Basis for Processing (EU and UK Users)
For users in the European Economic Area, the United Kingdom, and Switzerland, we process personal data under the following lawful bases:
- Contract: to provide the Services you request.
- Legitimate interests: to secure the Services, prevent fraud, and measure aggregate product usage, where those interests are not overridden by your rights and freedoms. You can object to processing based on legitimate interests at any time, including by turning off product analytics in Settings → Security.
- Consent: for any processing that requires consent under applicable law. You may withdraw consent at any time.
- Legal obligation: where we must retain or disclose information to comply with law.
6. Analytics
We use analytics in two distinct places:
Marketing website analytics. On our marketing website we use Vercel Web Analytics and Google Analytics to understand traffic and site usage. Vercel Web Analytics is cookie-less and provides aggregated page-view and performance metrics. Google Analytics uses cookies or similar identifiers to measure page views, traffic sources, approximate geography, device/browser information, and engagement trends on the marketing website.
Product analytics in the application. Inside the logged-in application we use PostHog for product analytics to understand which parts of the application are working and where people get stuck. Product analytics is on by default for authenticated users and you can turn it off at any time in Settings → Security.
What PostHog collects when product analytics is enabled:
- Event types: screen views, dashboard section views, onboarding start and step events, checkout start, subscription activation, and reveal viewed.
- Event properties: screen or section identifier, app surface, app version, and step or subscription state.
- User identifier: an internal application user ID only. We do not send your name or email address to PostHog.
What PostHog does not collect:
- Your entries, notes, stories, wishes, or messages.
- Financial amounts, budgets, assets, or account numbers.
- Family details, beneficiary information, or guardian designations.
- Uploaded documents, images, or avatars.
- Passwords, tokens, or authentication secrets.
- Your name or email address.
PostHog is configured with autocapture disabled, automatic pageview capture disabled, session recording disabled, and feature flag collection disabled. When you turn product analytics off, the PostHog SDK is reset, any buffered events are cleared, and a no-op adapter is used for all subsequent events until you turn it back on.
7. AI Processing
Some features use AI model providers to extract structured data from text you write and to draft educational outputs. Prompt text is routed to our AI subprocessor (OpenRouter) and the underlying model provider (for example, OpenAI).
In our own database we retain only a SHA-256 hash of each prompt, along with a redaction flag and the model used. We do not store the original prompt plaintext.
When you use AI features you are interacting with an automated system. AI outputs may be incomplete or inaccurate; you are responsible for review, and you should use licensed professionals for legal, tax, and investment decisions. Do not submit data you are not authorized to share.
We do not use AI to make automated decisions about you that produce legal or similarly significant effects. Final decisions about your plan remain solely yours.
9. Sensitive Personal Information
Financial account information you record in Heirloom and the encrypted Plaid access tokens we hold are Sensitive Personal Information under the California Privacy Rights Act (CPRA) and similar state laws. We do not hold your bank login credentials. We use Sensitive Personal Information only for the purposes permitted under CCPA Regulation §7027(m) — to provide the Services you have requested. We do not use Sensitive Personal Information to infer characteristics about you.
10. Health Information (Washington MHMDA)
The healthcare wishes, directives, and proxy designations you store in Heirloom are voluntary disclosures you make as part of the planning service you have requested. Heirloom is not a covered entity or business associate under HIPAA.
For Washington residents and any data subject to the Washington My Health My Data Act, we treat this information as consumer health data. We collect it only at your direction to provide the planning features you use, and we do not share it with third parties except as needed to provide the Services and as described in this policy. You can remove health-related entries from within the application at any time, and you can request deletion of health data by emailing hello@planheirloom.com with "Health Data Request" in the subject line.
11. Financial Institution Status (GLBA)
Heirloom is not a financial institution under the Gramm-Leach-Bliley Act. We do not provide financial advice, extend credit, or broker transactions. Financial information you record in Heirloom is treated as Sensitive Personal Information under applicable state privacy law (see Section 9).
12. Biometric Data
We do not collect, store, or transmit biometric identifiers. Any device-level biometric authentication you use (for example, Face ID or Touch ID with a passkey) takes place entirely on your device. The biometric data itself is never transmitted to Heirloom's servers; as with any WebAuthn passkey, Heirloom receives only the passkey's public key at registration and a signed assertion at each sign-in.
13. Access After Death or Incapacity
Access to your account after your death or during incapacity is handled consistent with the Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA) and applicable state law. We do not currently offer an in-product Legacy Contact designation, so requests follow the default statutory process.
- Your personal representative or court-appointed fiduciary may request access by providing a written request, a certified copy of your death certificate, and letters testamentary, letters of administration, or a small-estate affidavit where available.
- Access during incapacity requires proof of appointment of a fiduciary by a court of competent jurisdiction.
- We will disclose the content of electronic communications and other digital assets only to the extent permitted by RUFADAA and applicable state law.
Requests should be sent to hello@planheirloom.com with "Fiduciary Access Request" in the subject line.
14. Data Retention
We retain data for as long as needed to provide the Services, to maintain security, to satisfy legal obligations, and to resolve disputes.
- Active account data is retained while your account is open.
- Financial connections (Plaid): balances, transactions, and the encrypted access token are retained while the connection is active so we can show your accounts and ongoing activity. When you disconnect an institution from Settings → Connections, we always call Plaid's /item/remove endpoint to revoke our access at the bank, and you choose what happens to the data we already hold: (a) Keep history retains the past balances and transactions with the live balance set to zero, so you can still review historical activity for closed accounts or paid-off debt for your own records, and the connection is marked disconnected; (b) Delete everything permanently removes the accounts, balance history, and transactions for that institution. All connection data is removed when you delete your account (Section 15).
- When you delete your account, your account data and associated planning records, including locally stored Plaid connection rows, are removed from production systems as part of the deletion flow described in Section 15. Residual copies may remain in routine encrypted backups until those backups rotate out under our standard schedule, after which they are no longer recoverable.
- Audit logs and security event records may be retained for a longer period to support compliance, security investigations, and dispute resolution.
- AI prompt hashes are retained to support deduplication and abuse prevention.
- Product analytics events are retained according to the retention configured with our analytics subprocessor.
- We may retain information longer where required by law (for example, tax, accounting, or legal hold obligations).
15. Account Deletion
You can delete your account from Settings → Security → Delete Account. To confirm, you will be asked to type "DELETE" and, if your account uses password sign-in, re-enter your password. Accounts that sign in only with a passkey or a linked OAuth provider do not require a password to delete. Deletion is immediate on confirmation; there is no separate email confirmation step beforehand.
If you hold an heir account and are under 18, your deletion request is sent to an adult family member in your workspace for review before the account is removed.
- On confirmation, your account, personal planning data, uploaded documents, and related records are removed as described in Section 14.
- If you have connected a financial institution through Plaid, account deletion calls Plaid's /item/remove endpoint for each connection and removes the stored Plaid connection data from production systems.
- Any active or trialing subscription is automatically canceled as part of deletion.
- A goodbye confirmation email is sent to your account email address after deletion completes.
- Aggregated, de-identified, or retention-obligated records (such as audit logs and tax records) may be retained as required by law.
16. Security
We maintain an information security program designed to protect the personal information you entrust to us, including encrypted transport, access controls, session protections, audit logging, and monitoring.
- A designated security coordinator oversees our security program.
- We require subprocessors to protect your information through contractual obligations (see Section 5).
- Plaid access tokens are encrypted at rest using AES-GCM before storage and are never exposed to the browser.
- We provide security and privacy training to personnel with access to production systems.
- We maintain an incident response process for security events.
- Passkey and WebAuthn authentication are supported. Active sessions can be revoked from Settings → Security.
If a security incident affects your personal information, we will notify you in the most expedient time possible and without unreasonable delay, consistent with California Civil Code §1798.82 and other applicable law. As a company commitment, we aim to notify affected individuals within 30 calendar days of discovery unless a shorter window is required by law or a longer window is permitted to support law enforcement or restore system integrity. No security program can guarantee absolute security.
17. Shared Households and Invited Members
Heirloom is designed for households and families. When you invite other people into your workspace, they can access, modify, or delete workspace data according to the role and permissions you assign, regardless of other privacy settings.
- By entering information about another person, including minor children, you represent that you have authority to do so and, where required by law, appropriate consent.
- Invited members who create or sign in to a Heirloom account are, like all users, bound by our Terms and this Privacy Policy when they use the Services.
- Heirloom is not responsible for disputes between household members over access, edits, or content.
18. Your Privacy Rights
Depending on where you live, you may have the following rights. Submit a request by emailing hello@planheirloom.com with "Privacy Request" in the subject line. We may need to verify your identity before completing a request and will respond within the timelines required by applicable law (typically 30 to 45 days).
18a. All users. Access, correction, deletion, portability, and the ability to appeal a denial.
18b. California residents (CCPA/CPRA). Right to know, delete, correct, opt out of sale or sharing (we do neither), limit use of Sensitive Personal Information (see Section 9), non-discrimination, and the right to use an authorized agent.
18c. EU, UK, and Swiss residents (GDPR / UK GDPR). Access, rectification, erasure, restriction, portability, objection, the right to withdraw consent, and the right to lodge a complaint with your local supervisory authority. Heirloom acts as the data controller for information processed under this policy. We will publish contact information for our EU representative, if one is required, as soon as it is appointed.
18d. Canadian residents. Rights under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and, for Quebec residents, Quebec Law 25. Requests can be directed to our Privacy Officer at hello@planheirloom.com.
18e. Other U.S. state residents. Residents of Virginia, Colorado, Connecticut, Utah, Texas, Iowa, Indiana, Montana, Oregon, Delaware, New Hampshire, New Jersey, Maryland, Minnesota, Tennessee, Rhode Island, Kentucky, Nebraska, and Nevada have consumer privacy rights under their state laws, including access, deletion, correction, portability, and opt-out of sale or targeted advertising (we do neither). Nevada residents may opt out of sale under SB 220 by contacting us using the process above.
19. Children and Family Members Who Are Minors
Heirloom uses a three-tier account model for minors and adults:
- Under 13: children under 13 cannot be invited to create a Heirloom account. Adult account holders may record information about a child under 13 as family data, but that child does not have their own account, sign-in, or direct interaction with the Services. We do not knowingly collect personal information directly from children under 13.
- Ages 13 to 17 (heir accounts): a minor aged 13 to 17 may have a Heirloom heir account when invited by an adult family member with appropriate authority (for example, a parent or legal guardian). Heir accounts have limited scope appropriate to their role. Deletion requests by an heir under 18 are routed to an adult family member for review.
- 18 and older: workspace owners, partners, and advisors must be at least 18 years old. Only an adult can create a Heirloom workspace or invite others.
Adult account holders are responsible for ensuring they have appropriate authority and, where required, consent to invite a minor family member or to enter information about other people.
If you believe a child under 13 has provided us with personal information directly, please contact hello@planheirloom.com and we will take appropriate steps to remove it.
20. International Data Transfers
We operate in and from the United States. If you use the Services from outside the United States, your information may be processed in the United States and in other jurisdictions where our subprocessors operate. Where required for transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses or equivalent safeguards.
21. Accessibility
We strive to conform to the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA. If you encounter an accessibility barrier, please contact us at hello@planheirloom.com so we can work with you to resolve it.
22. Security Vulnerability Disclosure
If you believe you have discovered a security vulnerability in Heirloom, please report it to security@planheirloom.com. We will not pursue legal action against researchers who report vulnerabilities in good faith, avoid privacy violations, refrain from exfiltrating data beyond what is necessary to demonstrate the issue, and give us a reasonable opportunity to remediate before public disclosure.
23. Changes to This Policy
We may update this policy over time. We will update the "Last Updated" date and, for material changes, provide at least 20 days' advance notice by email or in-app notice before the changes take effect, except where applicable law requires shorter or different notice.