Privacy Policy

Last updated: February 2026

The short version: We collect only what's necessary to make Afterpass work. We don't sell your data. We don't use advertising trackers. Your vault contents are encrypted in transit and at rest. You can delete your account and all associated data at any time.

Afterpass is built by Cloudstacker Group LLC. We created this app to help people protect the information their loved ones would need most — and that means earning your trust with how we handle your data.

This policy covers the Afterpass mobile application and the Afterpass website (collectively, the "Service"). It explains what we collect, why we collect it, how we protect it, and what control you have over your information.

1. Information We Collect

Information You Provide

When you create an account and use Afterpass, you provide us with the following:

Account information: Your full name and email address, used for authentication and communication.
Vault contents: Item names, notes, credentials, and any content you store in your vault. Vault content is protected by server-side Row Level Security (RLS) and encrypted at rest using AES-256 encryption.
File attachments: Photos, PDFs, and documents you upload to vault items.
Pass details: Recipient names, email addresses, phone numbers, relationships, trigger events, and return dates associated with your passes.
Trusted contacts: Names, email addresses, and relationships of people you designate as verifiers.
Preparation Guide responses: Your answers to guided walkthroughs, which are saved as vault items.

Information Collected Automatically

When you use the app, we automatically collect a limited amount of technical information:

Push notification tokens: Used to deliver notifications about pass activity, verifier requests, and account updates. Managed through our push notification service provider.
Subscription status: Your current plan (Free or Pro) and purchase history, managed through our subscription management provider.
Activity logs: Timestamped records of actions within the app (such as "vault item created," "pass shared," or "verifier invited"). These help us maintain the integrity of your account and support troubleshooting.
In-app notification history: Records of notifications delivered within the app.

Biometric Authentication

Afterpass supports Face ID and Touch ID for app lock. No biometric data is collected, transmitted, or stored by Afterpass. Authentication is handled entirely by your device's operating system. We store only a boolean preference ("biometric lock enabled") locally on your device.

What We Do Not Collect

We want to be explicit about what we don't do:

We do not use analytics or tracking SDKs (no Amplitude, Mixpanel, Firebase Analytics, or similar tools).
We do not collect or use advertising identifiers.
We do not perform device fingerprinting.
We do not collect location data.
We do not sell, rent, or share your data with advertisers or data brokers.

2. How We Use Your Information

We use the information we collect for the following purposes:

To provide the Service: Storing vault items, creating and delivering passes, managing shared vaults, and facilitating the verification process.
To communicate with you: Sending transactional emails related to your account, pass notifications, verifier invitations, and critical product updates.
To manage your subscription: Processing payments, managing plan status, and enforcing plan limits.
To maintain security and integrity: Logging activity to detect unauthorized access, support troubleshooting, and maintain audit trails for pass delivery.
To improve the Service: Understanding how features are used in aggregate to improve the product. We do this through internal analysis of activity logs, not through third-party analytics tools.

3. How We Protect Your Information

You're trusting Afterpass with some of the most sensitive information in your life. We take that seriously.

Encryption in transit: All data transmitted between your device and our servers is protected by TLS/HTTPS encryption.
Encryption at rest: All data stored on our servers is encrypted at rest using AES-256 encryption.
Row Level Security: Database access is governed by Row Level Security policies, ensuring users can only access their own data.
Row Level Security: Vault content created in version 1.1 and later is protected by server-side Row Level Security, ensuring that database queries can only return data belonging to the authenticated user.
Zero-access sharing: Pass recipients cannot view vault contents until verification conditions are met.
Multi-party verification: Permanent passes require multiple independent verifiers to confirm a trigger event before access is granted.

4. Third-Party Services

We use a small number of trusted infrastructure providers to operate Afterpass. Each is bound by their own privacy commitments and data processing agreements.

Service Type	Purpose	Data Shared
Cloud database provider	Database, authentication, file storage, server-side functions	All user data (vault content, profiles, passes, activity logs)
Subscription management provider	In-app purchase and subscription management	User ID, purchase and subscription status
Push notification provider	Notification delivery and app build service	Push notification tokens, project ID
Transactional email provider	Email delivery for account and pass notifications	Recipient and verifier email addresses, notification content

No data is sold or shared with advertisers, data brokers, or any parties beyond those listed above.

5. Data Retention

We retain your data as follows:

Vault items and file attachments: Retained for as long as your account is active. Deleted immediately when you remove them or delete your account.
Passes: Active passes are retained for as long as your account is active. Deactivated or revoked passes are retained in a deactivated state for 90 days, then permanently deleted.
Activity logs: Retained for 2 years from the date of the activity, then automatically purged.
In-app notifications: Retained for 1 year, then automatically purged.
Expired vault shares: Automatically revoked and removed by a scheduled process.
Waitlist data: If you signed up for early access, your name and email are retained until you request removal or your account is created.

6. Your Rights and Account Deletion

You have the right to access, correct, and delete your personal information at any time.

Account deletion: You can delete your account directly within the app under Settings. When you delete your account, we permanently remove your authentication record, profile, all vault items and file attachments, all passes (and associated recipient/verifier records), trusted contacts, vault collaborators, activity logs, notifications, subscription records, and Preparation Guide drafts.

Data export: You can export your account data in JSON format from the Settings screen within the app.

If you have questions about your data or need assistance, contact us at [email protected].

7. Children's Privacy

Afterpass is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete that information promptly.

8. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons. If we make material changes, we will notify you through the app or by email before the changes take effect. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

9. Contact Us

If you have any questions about this Privacy Policy or how we handle your data, we'd love to hear from you.

Email: [email protected]
Company: Cloudstacker Group LLC