1 Who we are
AngelPass is a trading name of [Company full legal name], a company registered in England and Wales under company number [XXXXXXX], with a registered address at [Registered address].
We are the data controller for personal data collected through our website and services. We are registered with the Information Commissioner's Office (ICO) under registration number [XXXXXXX].
Our designated Data Protection lead can be contacted at privacy@angelpass.co.uk or by writing to us at our registered address.
2 What personal data we collect
We collect different categories of data depending on how you interact with us.
2.1 Account holders (customers)
| Category | Data collected | Source |
|---|---|---|
| Identity | Full name, date of birth | Provided by you at sign-up |
| Contact | Email address, postal address, telephone number | Provided by you at sign-up |
| Account | Subscription plan, account status, authentication code record, USB drive serial number | Generated by us at setup |
| Financial | Payment method type, last four digits of card, billing address | Via our payment processor (Stripe). We never see or store full card numbers. |
| Escrow | One encrypted password (held by us in AWS) and one encrypted Authentication Code (held by our solicitor partner) | Generated by us at setup |
| Communications | Records of your correspondence with us, support requests | Created when you contact us |
| Technical | IP address, browser type, pages visited, access timestamps | Automatically via our website |
2.2 Nominated persons
With your consent, we collect and store the following details about the person(s) you nominate:
- Full name
- Email address
- Postal address
- Telephone number
- Relationship to you
We use this information solely to identify and contact your nominated person when a death claim is made. We do not use it for any other purpose and we do not contact your nominated person at any other time without your instruction.
2.3 Death claim claimants
When a death claim is submitted, we collect additional data from the claimant to verify their identity. This is processed under our special category data framework (see Section 4) and includes:
- Government-issued photo ID (passport or driving licence)
- Certified copy of the death certificate
- Proof of address (utility bill or bank statement)
- Biometric verification data (processed by Thirdfort or similar company, on our behalf)
2.4 Website visitors and enquirers
If you contact us via our website without creating an account, we collect the details you provide in the contact form (name, email, message content) and standard technical data about your visit. We do not use cookies that require your consent beyond essential functional cookies — see Section 9.
3 How we use your data
| Purpose | Data used | Lawful basis |
|---|---|---|
| Providing the escrow service — holding your USB password and releasing it on verified death | Identity, account, escrow data, nominated person details | Contract performance |
| Fulfilling and delivering your USB drive | Identity, contact, account data | Contract performance |
| Processing payments and managing subscriptions | Financial data (via Stripe) | Contract performance |
| Verifying identity on death claims | Photo ID, death certificate, biometric data | Legal obligation & vital interests |
| Communicating with you about your account | Contact data, account data | Contract performance |
| Sending subscription renewal reminders | Contact data, account data | Contract performance & legitimate interests |
| Responding to enquiries and support requests | Identity, contact, communications data | Legitimate interests |
| Complying with legal and regulatory obligations (ICO, GDPR, AML) | All categories as required | Legal obligation |
| Preventing fraud and ensuring security | Technical data, account data, identity data | Legitimate interests & legal obligation |
| Improving our website and services (aggregated, anonymised analytics only) | Technical data (anonymised) | Legitimate interests |
4 Lawful bases for processing
Under UK GDPR, we must have a lawful basis for processing personal data. We rely on the following:
4.1 Contract performance
The majority of our data processing is necessary to provide the service you have contracted with us for — holding your password in escrow and releasing it on verified death. Without this processing, we cannot provide the service.
4.2 Legal obligation
We process some data because we are legally required to — for example, verifying the identity of death claim applicants to prevent fraud, complying with anti-money laundering regulations, and cooperating with the ICO if required.
4.3 Legitimate interests
We process some data on the basis of our legitimate interests (and those of our customers) where these are not overridden by your interests or fundamental rights. This includes security monitoring, fraud prevention, and improving our service. We have conducted a Legitimate Interests Assessment for each processing activity relying on this basis.
4.4 Vital interests
In processing death claim documentation — which may include special category data such as health information appearing on a death certificate — we rely on the vital interests basis, as this processing is necessary to protect the fundamental interests of the deceased person's estate and their family.
4.5 Special category data
Death certificates and identity documents submitted during a death claim may contain special category data (health information). We process this data only to the minimum extent necessary to verify the claim, we do not retain it beyond the verified claim period (see Section 7), and we apply enhanced security controls to its handling.
5 Who we share your data with
We share your personal data only where strictly necessary and only with parties bound by appropriate data protection obligations.
5.1 Our solicitor partner firm
Our partner solicitor firm receives and holds the Authenication Code as part of the split-custody security model. They are a data processor acting on our instructions under a formal Data Processing Agreement, and an SRA-regulated firm bound by professional obligations. They do not use your data for any purpose other than holding their half of the password and participating in the death claim authorisation process.
5.2 AWS (Amazon Web Services)
The first half of your encrypted password is stored in AWS Secrets Manager. AWS processes this data as a data processor on our behalf under a Data Processing Agreement compliant with UK GDPR. Data is stored in the UK or EU. AWS does not have access to the unencrypted content of what is stored.
5.3 Stripe
Payment processing is handled by Stripe, Inc. Stripe acts as an independent data controller for payment data. You can review Stripe's privacy policy at stripe.com/gb/privacy. We receive only a payment confirmation and a partial card reference — we never see or store your full card details.
5.4 Thirdfort
Identity verification for death claims is processed by Thirdfort Limited. Thirdfort acts as a data processor on our behalf and processes identity documents and biometric data under a Data Processing Agreement. Their privacy policy is available at thirdfort.com/privacy.
5.5 Regulatory and legal authorities
We may disclose personal data to the Information Commissioner's Office, HMRC, the police, or other regulatory or law enforcement authorities where we are legally required to do so, or where we reasonably believe disclosure is necessary to prevent or detect crime.
5.6 Business successors
In the event of a business sale, merger, or transfer, personal data may transfer to the acquiring entity. Any such transfer will be conducted under appropriate contractual protections and we will notify affected customers in advance. See also our business continuity commitments in our FAQ.
6 How we protect your data
The security of your data — and your family's trust in us — is the foundation our business is built on. We apply the following measures:
- Encryption at rest: All escrow password data is encrypted using AES-256 via AWS KMS (Key Management Service).
- Encryption in transit: All data transmitted between your browser and our servers uses TLS 1.3.
- Split custody: Your USB password and authentication Code is never stored together in any single system. The split-custody model means that compromising one custodian alone cannot expose your password.
- Access controls: Access to personal data within our organisation is limited to those who need it to perform their role, with multi-factor authentication required for all system access.
- Audit logging: All access to escrow data is logged and auditable. Unauthorised access attempts trigger immediate alerts.
- Cyber Essentials certification: We hold UK government-backed Cyber Essentials certification, independently assessed.
- Third-party assessment: We conduct regular security reviews and penetration testing.
- Staff training: All staff with access to personal data receive GDPR and data security training.
6.1 Data breaches
In the event of a personal data breach, we will notify the ICO within 72 hours of becoming aware of it, where the breach is likely to result in a risk to individuals' rights and freedoms. Where the breach is likely to result in a high risk to those rights and freedoms, we will also notify affected individuals without undue delay.
We will always be transparent about security incidents. Our current security status is available on our Security page.
7 How long we keep your data
| Data category | Retention period | Reason |
|---|---|---|
| Account and identity data (active customer) | Duration of subscription + 12 months | Grace period for lapsed subscriptions; pending claims |
| Escrow password halves | Duration of subscription + 12 months, then securely destroyed | As above; we notify you before destruction |
| Financial transaction records | 7 years from transaction date | HMRC legal obligation |
| Death claim documents (death certificate, ID) | 6 years from date of claim completion | Legal limitation period for potential disputes |
| General correspondence and support records | 3 years from last contact | Legitimate interests (dispute resolution) |
| Website analytics (anonymised) | 26 months | Industry standard for anonymised analytics |
| Nominated person details (unused — account holder still living) | Duration of customer's subscription | Required for service delivery |
When data reaches the end of its retention period, it is securely and permanently deleted or anonymised. We do not retain personal data beyond what is necessary for its stated purpose.
8 Your rights
Under UK GDPR, you have the following rights in relation to your personal data. These rights apply to AngelPass as the data controller. To exercise any right, contact us at privacy@angelpass.co.uk or via our contact page.
Right of access
You can request a copy of all personal data we hold about you (a Subject Access Request). We will respond within 30 days.
Right to rectification
If any data we hold about you is inaccurate or incomplete, you can ask us to correct it. We will do so promptly.
Right to erasure
You can ask us to delete your personal data where it is no longer necessary, you withdraw consent (where applicable), or you object and we have no overriding legitimate interest.
Right to restrict processing
You can ask us to restrict how we use your data in certain circumstances — for example, while you contest its accuracy.
Right to data portability
Where we process your data by automated means on the basis of your consent or a contract, you can ask for it in a structured, machine-readable format.
Right to object
You can object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds that override your interests.
Automated decision-making
We do not make any decisions about you solely by automated means that produce legal or similarly significant effects.
Right to complain
If you are unhappy with how we handle your data, you have the right to complain to the ICO. See Section 12 for details.
8.1 Identity verification before fulfilling requests
To protect your privacy, we will verify your identity before fulfilling any data rights request. We may ask for proof of identity such as a government-issued ID document. This is a security measure, not an obstacle — we want to ensure personal data is only disclosed to the person it belongs to.
9 Cookies
Our website uses a minimal set of cookies.
9.1 Essential cookies (no consent required)
These cookies are strictly necessary for the website to function. They cannot be disabled.
- Session cookie: Maintains your session while you use the site. Expires when you close your browser.
- Security cookie: Protects against cross-site request forgery attacks. Expires after 24 hours.
- Cookie consent cookie: Remembers your cookie preferences. Expires after 12 months.
9.2 Analytics cookies (consent required)
We use anonymised analytics to understand how visitors use our website and improve it. We do not use Google Analytics. Our analytics tool processes no personally identifiable information and does not use cross-site tracking. If you decline analytics cookies, your visit will not be tracked and the experience of our website will be unaffected.
9.3 No advertising or social media cookies
We do not use advertising cookies, retargeting pixels, social media tracking buttons, or any cookies that share your data with third-party advertisers. None. We mean this.
You can manage your cookie preferences at any time using our cookie preference centre [LINK — add when implemented], or by adjusting your browser settings.
10 Children
AngelPass is intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently collected data from a person under 18, please contact us immediately at privacy@angelpass.co.uk and we will delete it promptly.
The nominated person named on an AngelPass account may be over or under 18, but the account holder — who enters into a contract with us — must be 18 or over.
11 Changes to this policy
We may update this privacy policy from time to time. Where we make material changes, we will notify you by email at least 30 days before the changes take effect, and update the version history below.
The most current version of this policy is always available at angelpass.co.uk/privacy.
| Version | Date | Summary of changes |
|---|---|---|
| 1.0 | 01 June 2026 | Initial publication |
12 Contact & complaints
12.1 Data protection enquiries
For any question about this policy or how we handle your personal data, contact our Data Protection lead:
- Email: privacy@angelpass.co.uk
- Post: AngelPass, Data Protection, 124 City Road, London EC1V 2NX
12.2 Subject Access Requests
To request a copy of your personal data, please use our account contact form and select "Request my data (Subject Access Request)" from the dropdown. We will attempt to acknowledge within 5 working days and respond in full within 30 days.
12.3 Complaints
If you are not satisfied with how we have handled your personal data or responded to your data rights request, you have the right to complain to the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would always prefer the opportunity to address any concern directly before you contact the ICO — please do reach out to us first and we will do our best to resolve the matter promptly.