Privacy Policy

Last updated: April 6, 2026

What We Collect

We collect the information you provide when creating your legacy plan: your name, email address, passphrase (stored only as a bcrypt hash — we cannot read it), and the content you choose to preserve (letters, wishes, documents, and personal milestones). We also collect payment information through our payment processor, Authorize.net, which receives card details directly — Last Wish never sees or stores your card number.

How We Use Your Data

Your data is used solely to provide the Last Wish service — storing your legacy plan, enabling delivery of sealed letters according to your instructions, and communicating with you about your account. We do not sell, share, rent, or monetize your personal data in any form.

Encryption & Storage

All data is encrypted in transit (TLS 1.2+). Your passphrase is hashed with bcrypt and never stored in plain text. Your vault content is stored in our managed PostgreSQL database (Railway), which encrypts data at rest at the infrastructure level. We use httpOnly secure cookies for session management, CSRF tokens for form protection, and rate limiting on authentication endpoints. We do not currently perform client-side or zero-knowledge encryption — this is on our roadmap and we will update this policy when it ships.

Third-Party Services

We use the following services to operate Last Wish:

• Railway — application hosting and managed PostgreSQL database (us-west2)
• Resend — transactional email delivery (welcome emails, password reset)
• Authorize.net — payment processing (PCI-DSS compliant)

Each service processes only the minimum data necessary and is bound by their own privacy policies. We do not use advertising networks, analytics trackers, or session recording tools.

Your Rights

You have the right to access, export, correct, and delete your data at any time:

• Access & export: download your entire legacy plan as a structured file from Settings
• Correction: edit any letter, wish, or personal detail directly in the vault
• Deletion: permanently remove your account from Settings (see retention below)
• Portability: the export is a structured JSON file you can import into other tools

These rights apply to all users, not just those in GDPR or CCPA jurisdictions. To exercise any right, email privacy@solivana.ai.

Cookies

We use two essential cookies: auth_token (your session) and csrf_token (form protection). Both are httpOnly, secure, and cannot be accessed by JavaScript. We do not use analytics, tracking, or advertising cookies.

Data Retention & Deletion

Your data is retained as long as your account is active. When you delete your account, it enters a 30-day grace period during which it can be restored by contacting support — this exists to protect irreplaceable legacy content from accidental deletion. After 30 days, all associated data is permanently and irrevocably removed from our systems, including backups. Cancelled paid accounts retain data for 90 days before being moved into the deletion grace period.

Delivery of Your Messages

Automated delivery (date-triggered release, executor verification, and post-passing delivery) is under active development. Today, letters and wishes are preserved in your private vault. You or your named executor can trigger delivery manually by exporting your plan at any time. We will notify every user by email before enabling any automated release mechanism so you can review and approve the process.

Children

Last Wish is not intended for users under 18 years of age.

Contact

For privacy-related questions, contact us at privacy@solivana.ai.