How it works Security Pricing About Contact
Legal

Privacy Policy

We have written this policy in plain English. We believe you have a right to understand exactly what we do with your data — not just that we comply with the law.

📋 Version: 1.0
📅 Effective: 01 June 2026
🔄 Last reviewed: 01.06.2026
🏛️ ICO Reg: [XXXXXXX]

1 Who we are

AngelPass is a trading name of [Company full legal name], a company registered in England and Wales under company number [XXXXXXX], with a registered address at [Registered address].

We are the data controller for personal data collected through our website and services. We are registered with the Information Commissioner's Office (ICO) under registration number [XXXXXXX].

Our designated Data Protection lead can be contacted at privacy@angelpass.co.uk or by writing to us at our registered address.

What AngelPass does — and doesn't — hold We hold your personal and account details, your nominated person's contact details, and the encrypted password of your USB drive . We do not hold, see, or have any access to the documents you store on your USB drive. Those remain entirely in your home.

2 What personal data we collect

We collect different categories of data depending on how you interact with us.

2.1 Account holders (customers)

Category Data collected Source
Identity Full name, date of birth Provided by you at sign-up
Contact Email address, postal address, telephone number Provided by you at sign-up
Account Subscription plan, account status, authentication code record, USB drive serial number Generated by us at setup
Financial Payment method type, last four digits of card, billing address Via our payment processor (Stripe). We never see or store full card numbers.
Escrow One encrypted password (held by us in AWS) and one encrypted Authentication Code (held by our solicitor partner) Generated by us at setup
Communications Records of your correspondence with us, support requests Created when you contact us
Technical IP address, browser type, pages visited, access timestamps Automatically via our website

2.2 Nominated persons

With your consent, we collect and store the following details about the person(s) you nominate:

  • Full name
  • Email address
  • Postal address
  • Telephone number
  • Relationship to you

We use this information solely to identify and contact your nominated person when a death claim is made. We do not use it for any other purpose and we do not contact your nominated person at any other time without your instruction.

2.3 Death claim claimants

When a death claim is submitted, we collect additional data from the claimant to verify their identity. This is processed under our special category data framework (see Section 4) and includes:

  • Government-issued photo ID (passport or driving licence)
  • Certified copy of the death certificate
  • Proof of address (utility bill or bank statement)
  • Biometric verification data (processed by Thirdfort or similar company, on our behalf)

2.4 Website visitors and enquirers

If you contact us via our website without creating an account, we collect the details you provide in the contact form (name, email, message content) and standard technical data about your visit. We do not use cookies that require your consent beyond essential functional cookies — see Section 9.

What we do not collect We never collect, receive, or store the documents saved on your USB drive. We have no access to your will, bank details, insurance policies, or any other files you choose to store. This is a fundamental design principle, not just a policy commitment.

3 How we use your data

Purpose Data used Lawful basis
Providing the escrow service — holding your USB password and releasing it on verified death Identity, account, escrow data, nominated person details Contract performance
Fulfilling and delivering your USB drive Identity, contact, account data Contract performance
Processing payments and managing subscriptions Financial data (via Stripe) Contract performance
Verifying identity on death claims Photo ID, death certificate, biometric data Legal obligation & vital interests
Communicating with you about your account Contact data, account data Contract performance
Sending subscription renewal reminders Contact data, account data Contract performance & legitimate interests
Responding to enquiries and support requests Identity, contact, communications data Legitimate interests
Complying with legal and regulatory obligations (ICO, GDPR, AML) All categories as required Legal obligation
Preventing fraud and ensuring security Technical data, account data, identity data Legitimate interests & legal obligation
Improving our website and services (aggregated, anonymised analytics only) Technical data (anonymised) Legitimate interests
We do not use your data for marketing We do not send promotional emails, share your data with advertisers, or use your data for any purpose beyond providing and improving the AngelPass service. We will never sell your personal data.

4 Lawful bases for processing

Under UK GDPR, we must have a lawful basis for processing personal data. We rely on the following:

4.1 Contract performance

The majority of our data processing is necessary to provide the service you have contracted with us for — holding your password in escrow and releasing it on verified death. Without this processing, we cannot provide the service.

4.2 Legal obligation

We process some data because we are legally required to — for example, verifying the identity of death claim applicants to prevent fraud, complying with anti-money laundering regulations, and cooperating with the ICO if required.

4.3 Legitimate interests

We process some data on the basis of our legitimate interests (and those of our customers) where these are not overridden by your interests or fundamental rights. This includes security monitoring, fraud prevention, and improving our service. We have conducted a Legitimate Interests Assessment for each processing activity relying on this basis.

4.4 Vital interests

In processing death claim documentation — which may include special category data such as health information appearing on a death certificate — we rely on the vital interests basis, as this processing is necessary to protect the fundamental interests of the deceased person's estate and their family.

4.5 Special category data

Death certificates and identity documents submitted during a death claim may contain special category data (health information). We process this data only to the minimum extent necessary to verify the claim, we do not retain it beyond the verified claim period (see Section 7), and we apply enhanced security controls to its handling.

5 Who we share your data with

We share your personal data only where strictly necessary and only with parties bound by appropriate data protection obligations.

5.1 Our solicitor partner firm

Our partner solicitor firm receives and holds the Authenication Code as part of the split-custody security model. They are a data processor acting on our instructions under a formal Data Processing Agreement, and an SRA-regulated firm bound by professional obligations. They do not use your data for any purpose other than holding their half of the password and participating in the death claim authorisation process.

5.2 AWS (Amazon Web Services)

The first half of your encrypted password is stored in AWS Secrets Manager. AWS processes this data as a data processor on our behalf under a Data Processing Agreement compliant with UK GDPR. Data is stored in the UK or EU. AWS does not have access to the unencrypted content of what is stored.

5.3 Stripe

Payment processing is handled by Stripe, Inc. Stripe acts as an independent data controller for payment data. You can review Stripe's privacy policy at stripe.com/gb/privacy. We receive only a payment confirmation and a partial card reference — we never see or store your full card details.

5.4 Thirdfort

Identity verification for death claims is processed by Thirdfort Limited. Thirdfort acts as a data processor on our behalf and processes identity documents and biometric data under a Data Processing Agreement. Their privacy policy is available at thirdfort.com/privacy.

5.5 Regulatory and legal authorities

We may disclose personal data to the Information Commissioner's Office, HMRC, the police, or other regulatory or law enforcement authorities where we are legally required to do so, or where we reasonably believe disclosure is necessary to prevent or detect crime.

5.6 Business successors

In the event of a business sale, merger, or transfer, personal data may transfer to the acquiring entity. Any such transfer will be conducted under appropriate contractual protections and we will notify affected customers in advance. See also our business continuity commitments in our FAQ.

We do not share your data with Advertisers, data brokers, social media platforms, marketing companies, or any other third party for commercial purposes. Your data is never sold.

6 How we protect your data

The security of your data — and your family's trust in us — is the foundation our business is built on. We apply the following measures:

  • Encryption at rest: All escrow password data is encrypted using AES-256 via AWS KMS (Key Management Service).
  • Encryption in transit: All data transmitted between your browser and our servers uses TLS 1.3.
  • Split custody: Your USB password and authentication Code is never stored together in any single system. The split-custody model means that compromising one custodian alone cannot expose your password.
  • Access controls: Access to personal data within our organisation is limited to those who need it to perform their role, with multi-factor authentication required for all system access.
  • Audit logging: All access to escrow data is logged and auditable. Unauthorised access attempts trigger immediate alerts.
  • Cyber Essentials certification: We hold UK government-backed Cyber Essentials certification, independently assessed.
  • Third-party assessment: We conduct regular security reviews and penetration testing.
  • Staff training: All staff with access to personal data receive GDPR and data security training.

6.1 Data breaches

In the event of a personal data breach, we will notify the ICO within 72 hours of becoming aware of it, where the breach is likely to result in a risk to individuals' rights and freedoms. Where the breach is likely to result in a high risk to those rights and freedoms, we will also notify affected individuals without undue delay.

We will always be transparent about security incidents. Our current security status is available on our Security page.

7 How long we keep your data

Data category Retention period Reason
Account and identity data (active customer) Duration of subscription + 12 months Grace period for lapsed subscriptions; pending claims
Escrow password halves Duration of subscription + 12 months, then securely destroyed As above; we notify you before destruction
Financial transaction records 7 years from transaction date HMRC legal obligation
Death claim documents (death certificate, ID) 6 years from date of claim completion Legal limitation period for potential disputes
General correspondence and support records 3 years from last contact Legitimate interests (dispute resolution)
Website analytics (anonymised) 26 months Industry standard for anonymised analytics
Nominated person details (unused — account holder still living) Duration of customer's subscription Required for service delivery

When data reaches the end of its retention period, it is securely and permanently deleted or anonymised. We do not retain personal data beyond what is necessary for its stated purpose.

8 Your rights

Under UK GDPR, you have the following rights in relation to your personal data. These rights apply to AngelPass as the data controller. To exercise any right, contact us at privacy@angelpass.co.uk or via our contact page.

👁️ Right of access

You can request a copy of all personal data we hold about you (a Subject Access Request). We will respond within 30 days.

✏️ Right to rectification

If any data we hold about you is inaccurate or incomplete, you can ask us to correct it. We will do so promptly.

🗑️ Right to erasure

You can ask us to delete your personal data where it is no longer necessary, you withdraw consent (where applicable), or you object and we have no overriding legitimate interest.

⏸️ Right to restrict processing

You can ask us to restrict how we use your data in certain circumstances — for example, while you contest its accuracy.

📦 Right to data portability

Where we process your data by automated means on the basis of your consent or a contract, you can ask for it in a structured, machine-readable format.

🚫 Right to object

You can object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds that override your interests.

🤖 Automated decision-making

We do not make any decisions about you solely by automated means that produce legal or similarly significant effects.

📋 Right to complain

If you are unhappy with how we handle your data, you have the right to complain to the ICO. See Section 12 for details.

Response timeframes We will acknowledge your request within 5 working days and provide a full response within 30 days. If we need to extend this (for complex requests), we will let you know within the initial 30-day period and explain why.

8.1 Identity verification before fulfilling requests

To protect your privacy, we will verify your identity before fulfilling any data rights request. We may ask for proof of identity such as a government-issued ID document. This is a security measure, not an obstacle — we want to ensure personal data is only disclosed to the person it belongs to.

9 Cookies

Our website uses a minimal set of cookies.

9.1 Essential cookies (no consent required)

These cookies are strictly necessary for the website to function. They cannot be disabled.

  • Session cookie: Maintains your session while you use the site. Expires when you close your browser.
  • Security cookie: Protects against cross-site request forgery attacks. Expires after 24 hours.
  • Cookie consent cookie: Remembers your cookie preferences. Expires after 12 months.

9.2 Analytics cookies (consent required)

We use anonymised analytics to understand how visitors use our website and improve it. We do not use Google Analytics. Our analytics tool processes no personally identifiable information and does not use cross-site tracking. If you decline analytics cookies, your visit will not be tracked and the experience of our website will be unaffected.

9.3 No advertising or social media cookies

We do not use advertising cookies, retargeting pixels, social media tracking buttons, or any cookies that share your data with third-party advertisers. None. We mean this.

You can manage your cookie preferences at any time using our cookie preference centre [LINK — add when implemented], or by adjusting your browser settings.

10 Children

AngelPass is intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently collected data from a person under 18, please contact us immediately at privacy@angelpass.co.uk and we will delete it promptly.

The nominated person named on an AngelPass account may be over or under 18, but the account holder — who enters into a contract with us — must be 18 or over.

11 Changes to this policy

We may update this privacy policy from time to time. Where we make material changes, we will notify you by email at least 30 days before the changes take effect, and update the version history below.

The most current version of this policy is always available at angelpass.co.uk/privacy.

Version Date Summary of changes
1.0 01 June 2026 Initial publication

12 Contact & complaints

12.1 Data protection enquiries

For any question about this policy or how we handle your personal data, contact our Data Protection lead:

12.2 Subject Access Requests

To request a copy of your personal data, please use our account contact form and select "Request my data (Subject Access Request)" from the dropdown. We will attempt to acknowledge within 5 working days and respond in full within 30 days.

12.3 Complaints

If you are not satisfied with how we have handled your personal data or responded to your data rights request, you have the right to complain to the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would always prefer the opportunity to address any concern directly before you contact the ICO — please do reach out to us first and we will do our best to resolve the matter promptly.

Our commitment We take every data rights request and complaint seriously. We will never make exercising your rights difficult, and we will never penalise you for doing so.