Privacy Policy

Last updated: January 2025

Who we are

AfterLoss is a service that helps you manage the practical tasks that follow a bereavement. We are the data controller for the personal information you provide when using our service.

For privacy enquiries, contact us at support@afterloss.uk

What data we collect

We collect the following categories of personal data:

Category	Examples
Account data	Email address, password, name
Case data	Deceased person's name, date of death, jurisdiction
Task data	Completed steps, notes, progress
Documents	Files you upload (certificates, wills, correspondence)
Contacts	Names, relationships, and contact details of professionals and family
Communications	Records of your interactions with organisations
Whereabouts	Locations of important items and documents
Digital accounts	Online account information for the deceased
Usage data	How you interact with the service

Why we collect it

We process your data under two legal bases:

Contract: Processing necessary to provide the service you signed up for. This covers account data, case data, tasks, documents, contacts, communications, whereabouts, and digital accounts.
Legitimate interests: Processing to improve and secure the service. This covers usage data and analytics.

Some information you provide may indirectly reveal sensitive details such as religious beliefs (funeral arrangements) or health conditions. We process this only as necessary to provide the service, with your explicit consent through your use of these features.

How we use your data

To provide and maintain the AfterLoss service
To track your progress through bereavement administration tasks
To store and organise your documents and records
To enable collaboration with family members or professionals you invite
To generate summaries and exports of your case information
To improve the service based on how it is used
To ensure the security and integrity of your data

Who we share data with

We do not sell your personal data. We share it only with:

Recipient	Purpose	Safeguards
Supabase Inc. (US)	Database hosting and authentication	Standard Contractual Clauses, SOC 2 certified

International transfers: Supabase stores data in the United States. We rely on Standard Contractual Clauses (SCCs) as the lawful transfer mechanism under UK GDPR.

We may add additional service providers in the future. This policy will be updated to reflect any changes.

How long we keep your data

Situation	Retention period
Active account	For the life of your account
After account closure	2 years, then permanently deleted

After the 2-year grace period following account closure, all your personal data is permanently deleted. You can request earlier deletion at any time.

Your rights

Under UK GDPR, you have the right to:

Access – Request a copy of your personal data
Rectification – Correct inaccurate or incomplete data
Erasure – Request deletion of your data
Restriction – Limit how we process your data
Portability – Receive your data in a portable format
Object – Object to processing based on legitimate interests
Withdraw consent – Where consent is the legal basis

To exercise any of these rights, email support@afterloss.uk. We will respond within one month.

If you are unhappy with how we handle your data, you can complain to the Information Commissioner's Office (ICO).

Security

We protect your data with:

Encryption in transit (TLS) and at rest
Row-level security ensuring you only see your own data
Secure authentication with password and magic link options
Access controls limiting who can access production systems

Children

AfterLoss is not intended for users under 18. We do not knowingly collect personal data from children.

Changes to this policy

We may update this policy from time to time. We will notify you of significant changes by email or through the service.

Contact

For any questions about this privacy policy or your personal data, contact us at support@afterloss.uk