Privacy Policy.

“Afterward,” “we,” and “us” mean [FLAG: legal entity name, registered address, and registration number to be confirmed by counsel], the company that operates the Afterward service at afterward.care and app.afterward.care.

This policy explains what personal information we collect, how we use it, who we share it with, and the rights you have over it. It applies to the marketing site, the web application, and the mobile applications we publish.

Account information. Your email address, a password hash (we never store your password itself), and the basics needed to authenticate you. If you sign in with a third-party identity provider, we receive the identifiers that provider returns.

Billing information. If you subscribe to the Family plan, our payment processor [FLAG: payment processor name to be confirmed — likely Stripe — counsel to confirm processor list and addendum] handles your card details directly. We receive a token, the last four digits, the card brand, and the billing country. We do not store full card numbers.

Binder content. The text and files you place in your binder are encrypted on your device before they reach us. We store the encrypted form. We do not have, and cannot derive, the keys to read it.

Recipient details. The names, email addresses, and phone numbers of the people you choose as recipients, so we can deliver the read-link if and when you ask us to. Recipients do not need an Afterward account.

Operational telemetry. Aggregate usage data — page loads, error rates, performance metrics — and the timestamps we need to run the courtesy interval (the date you last opened the application). We do not inspect the contents of any binder to produce this telemetry.

Communications with us. If you write to us, we keep a record of that conversation so we can follow up.

The contents of your binder. Including everything you mark as a sealed envelope. The architecture is end-to-end encrypted; we hold an unreadable copy.

Behavioural profiles for advertising. Afterward does not run advertising and is not built to support it. We do not build a profile of you to sell, share, or rent.

Data brokered from third parties. We do not buy lists or augment your account with information acquired from data brokers.

Training data for artificial intelligence. We do not use your binder content to train, fine-tune, or evaluate machine-learning models, and we do not provide it to third parties for those purposes.

We use what we collect to:

• Operate the Afterward service — store your encrypted binder, deliver read-links to the recipients you named, and run the courtesy interval that allows the binder to do its job if you cannot reach for it yourself.
• Communicate with you about your account, billing, and the courtesy-interval check-ins.
• Provide support when you write to us.
• Improve the product based on aggregate usage patterns and the technical telemetry described above. We do not inspect binder content to do this.
• Comply with legal obligations and enforce our terms.

[FLAG: identify lawful bases under GDPR per processing purpose — counsel to draft the legal-bases table and confirm whether contract, legitimate interest, or consent applies in each case]

You. You can see, edit, export, and erase everything in your account.

The recipients you name. They see the parts of the binder you have shared with them, on the schedule you set. They do not need to install an application or create an account; they read in a browser through a single-use sign-in link.

Service providers we contract with. Cloud infrastructure, email delivery, payment processing, error monitoring, and customer-support tooling, each under a written agreement that limits what they can do with the information they handle on our behalf. [FLAG: full list of subprocessors and their roles to be published as a separate page; counsel to confirm contractual addendum requirements per jurisdiction]

Legal authorities. If we receive a valid legal request — a subpoena, court order, or equivalent — we evaluate it carefully and respond as the law requires. What we are able to provide is the encrypted form of your binder, which is unreadable without the keys you and your recipients hold. We do not have the keys, and we will not engineer a way to obtain them. Where the law allows, we will notify you before complying.

Acquirers. If Afterward is acquired or its assets are transferred, your information may transfer with it, subject to this policy and any successor policy that gives you at least equivalent protection.

No one else. We do not sell personal information. We do not rent it. We do not share it with advertising networks or data brokers.

We use a small number of cookies to keep you signed in, remember the basics of how you have set up the application, and measure aggregate usage in a privacy-respecting way. [FLAG: full cookie inventory and durations to be drafted by counsel and surfaced on a dedicated cookie page; confirm whether a consent banner is required per visitor jurisdiction]

We do not use third-party advertising cookies. We do not use cross-site tracking. The marketing site loads fonts from Google Fonts; the application loads no third-party fonts.

We keep your binder for as long as your account is active, plus a short window after you close it so an export can be retrieved. [FLAG: specific post-closure retention window to be confirmed by counsel — recommend a number that is short and stated]

Operational logs and telemetry are retained for [FLAG: log retention duration to be confirmed by counsel — recommend a short, fixed window with deletion documented].

Communications with our support team are retained for as long as we may need them to provide you continuity of service, and no longer.

You can ask us to erase your account at any time. The contents are deleted from our active systems and from backups within [FLAG: backup-deletion window to be confirmed by counsel — typically 30 to 90 days for rolling backups].

Afterward is built on an end-to-end encrypted architecture. Your binder is encrypted on your device using a data key that is wrapped by two parallel paths — one based on a passkey on your device, and one based on a recovery passphrase you set up at signup. Either path can unwrap the data key; both are required to exist so you have a working backup if a device is lost. We hold the encrypted forms; we do not hold the keys.

We use industry-standard transport encryption between your devices and our servers, restrict employee access to systems that hold customer data, log administrative access, and run regular security reviews. [FLAG: specific certifications (SOC 2 Type II, ISO 27001, etc.) and audit cadence to be confirmed by counsel and the security team — do not claim certifications we have not earned]

A detailed plain-language description of the architecture, including the precise cryptographic primitives, lives on the security page.

No security architecture is absolute. If we discover a breach affecting your information, we will notify you as the law requires and as quickly as we reasonably can.

Depending on where you live, you may have rights to access, correct, port, restrict, or erase the personal information we hold about you, to object to certain kinds of processing, and to lodge a complaint with a supervisory authority. [FLAG: enumerate jurisdiction-specific rights for GDPR (EEA / UK), CCPA / CPRA (California), Quebec Law 25, and other applicable frameworks; counsel to confirm the canonical list and the response timelines]

You can exercise the rights that apply to you by writing to privacy@afterward.care. We will respond within the timeframes the law requires and will ask for verification before acting on requests that could expose your account to a third party.

Many of these rights you can also exercise yourself, directly, from inside the application — export your data, edit any field, change recipients, or close the account.

Afterward stores data on servers located in [FLAG: list of regions / data centres to be confirmed by counsel and the infrastructure team — typically named per processor]. If you are using Afterward from outside those regions, your information will be transferred and processed in them, under safeguards intended to provide equivalent protection.

For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on [FLAG: identify transfer mechanism — Standard Contractual Clauses, UK IDTA, adequacy decisions where applicable; counsel to confirm and link to the executed instruments].

Afterward is for adults. The service is not directed to children under [FLAG: minimum-age threshold to be confirmed by counsel per jurisdiction — typically 13 in the US (COPPA), 16 in the EU absent a lower national age], and we do not knowingly collect personal information from children. If you believe a child has signed up, write to us and we will erase the account.

We will update this policy from time to time. When the changes are material, we will tell you in the application and by email at least [FLAG: notice period for material changes to be confirmed by counsel — recommend at least 30 days where the change reduces your rights] before they take effect, and we will keep the previous version archived so you can compare them.

Non-material changes — clarifying language, fixing a typo, updating an address — take effect when posted, and the “Last updated” date at the top of this page changes accordingly.

For privacy questions, write to privacy@afterward.care. For everything else, write to hello@afterward.care. A real person reads both.

For postal mail, or for matters that require a registered Data Protection Officer or EU/UK representative, see [FLAG: postal address, DPO contact, EU representative (Art. 27 GDPR), and UK representative to be confirmed by counsel and added here before publication].