Consumer Privacy Policy.

How Fyldit collects, uses, shares, stores and protects personal data — written to be clear for users while preserving our operational, security and commercial flexibility.

This Privacy Policy explains how Fyldit collects, uses, shares, stores and protects personal data. It is written to be clear for users while preserving the company's operational, security and commercial flexibility. Read alongside our Terms & Conditions, Acceptable Use Policy, Security Overview, Cookie Policy and Pricing & Refund Policy at fyldit.com/legal.

1. Who we are

Fyldit is a secure digital vault service provided by Funerals & Tech Limited (“we”, “us” or “our”).

ItemDetails
Legal entityFunerals & Tech Limited
Registered jurisdiction[insert DIFC / UAE free zone / UAE mainland details]
Registered number[insert registered number]
Registered office[insert registered office]
Privacy contactprivacy@fyldit.com

For the purposes of applicable data protection law, Funerals & Tech Limited acts as the controller of personal data processed through Fyldit because we determine the purposes and essential means of operating the Service, securing accounts, managing subscriptions, complying with law and administering our platform.

Unless otherwise stated in this policy or a separate notice, Funerals & Tech Limited acts as the controller of personal data collected and processed through Fyldit.

Some features are user-directed. For example, when you upload vault content, organise it, share a document externally, invite a trusted contact, request support or configure legacy access settings, we process the relevant personal data to provide the Service you have chosen and in accordance with your instructions and our Terms of Use. This does not mean we control what external recipients do with a document after they receive or access it.

Where we provide separate partner dashboards, employer programmes, supplier portals, funeral booking, repatriation services or other Funerals & services, our role may differ and a separate privacy notice, agreement or data processing agreement may apply.

2. What this policy covers

This policy applies to the Fyldit consumer digital vault, including fyldit.com, the Fyldit web application, mobile web application and related account services.

It does not apply to separate partner dashboards, employer programmes, supplier portals, funeral booking, repatriation services or other services where a separate privacy notice is provided.

3. Personal data we collect

We collect only the personal data we need to provide, secure, improve and administer Fyldit.

CategoryExamplesWhy we use it
Account dataEmail address, display name, login details, account settingsTo create, authenticate and manage your account.
Subscription and billing dataPlan type, billing status, invoices, payment processor referencesTo manage subscriptions, payments, refunds, renewals, accounting records and tax records.
Security dataIP address, device/browser information, login timestamps, access logs, activity logs, security alertsTo protect accounts, investigate misuse, detect fraud, maintain audit trails and support incident response.
Vault dataFiles, notes, documents, document labels, storage usage and related vault metadataTo store, organise, retrieve, preview, share and deliver the vault features you choose to use.
Trusted and legacy contact dataName, email address, phone number, relationship, status and verification informationTo support sharing, recovery, emergency access, unlock-on-death and unlock-on-incapacity features you choose to enable.
Support dataMessages you send us, attachments, issue details and correspondenceTo respond to support, legal, billing, privacy or security enquiries.
Referral attribution dataPartner code, referral link, registration date, general region, conversion status, commission eligibilityTo administer partner referral programmes, prevent misuse and maintain payment and audit records.
Cookie and analytics dataCookie choices, consent records, public website usage data where allowedTo operate the website, remember choices, manage consent and understand public website performance.

You control what you upload to your vault. We do not require you to upload any specific document type.

4. Sensitive documents and data about other people

You may choose to upload documents that contain sensitive personal data, such as identity documents, bank documents, health information, insurance documents, family records, wills, funeral wishes, religious preferences or information about other people.

You are responsible for deciding what to upload. If you upload, store or share personal data about someone else, you must make sure you have the right or permission to do so and that your use of Fyldit is lawful.

5. Vault protection and encryption

Fyldit is designed as a privacy-first encrypted vault. Your vault content is encrypted and protected. We use industry-standard encryption to secure your data at rest and in transit. We do not review, read or use your vault content for our own company purposes.

Some operational data remains visible to us because it is needed to run and secure the Service. This may include account details, billing status, storage usage, access permissions, timestamps, activity logs, consent records, security logs and support communications.

There are limited cases where Fyldit may technically process selected vault content to complete an action you request. For example, if you choose to preview, download, share, transmit or otherwise make a document available through a feature, we may need to decrypt, render, package, transmit or temporarily process that selected document for the limited purpose of completing your instruction. This is feature-specific processing and is not a general right for Fyldit to access or use vault content for unrelated purposes.

Internal access to vault-related systems is restricted and controlled. Where access to operational systems is necessary for security, support, troubleshooting, legal compliance or incident response, access should be limited, authorised, proportionate and, where applicable, logged.

We do not publish detailed security architecture in this policy because doing so could increase security and commercial risk. We use appropriate technical and organisational safeguards, including encryption, access controls, audit logging, security monitoring and restricted internal access.

6. External document sharing

Fyldit may allow you to share a selected document outside the vault, for example by sending it to an external email address such as a bank, solicitor, adviser, government department, family member or other recipient who does not have a Fyldit account.

When you use an external sharing feature, you instruct and authorise us to process the selected document for the limited purpose of completing your sharing request. Depending on the feature used, this may involve temporarily decrypting, preparing, transmitting, attaching, linking to, rendering or making the selected document available to the recipient.

You are responsible for checking the recipient details before sharing. If you send a document to the wrong recipient, provide an incorrect email address, choose the wrong document, share with an unsuitable recipient or ask us to send a document through a channel that is outside the vault, the consequences may be outside Fyldit's control.

Once a recipient receives or accesses a document, the recipient may store, forward, print, copy, download, screenshot, photograph, upload, retain or otherwise use the document. Fyldit cannot guarantee that an external recipient will handle, delete, secure or not further share a document after receiving or accessing it. External recipients may be independent controllers or independent recipients under applicable privacy laws.

Where available, Fyldit may provide safer sharing options such as secure links, expiry dates, access controls, download controls or activity logs. These controls reduce risk but do not eliminate it. Download restrictions may not prevent screenshots, photographs or onward sharing by a recipient.

Subject to applicable law and our Terms of Use, Fyldit is not responsible for a recipient's handling of a document after it has been sent or made available in accordance with your instruction. This does not limit any responsibility Fyldit may have for its own security, processing or legal obligations.

7. Trusted contacts, legacy contacts and unlock-on-death and incapacity features

If you add a trusted contact or legacy contact, you confirm that it is appropriate for us to process their contact details for the features you enable. We may contact them to invite them to participate, verify their role, send recovery-related information, manage sharing or support unlock-on-death or incapacity workflows.

Unlock-on-death, unlock-on-incapacity and emergency access features may involve sensitive information. We may process account status, contact information, verification records, activity logs and selected vault access settings to operate these features. We may require evidence, checks or manual review before granting access where the product requires it.

Fyldit does not decide inheritance rights, probate rights, executor authority, next-of-kin status or family disputes. The Service operates according to the settings you choose, the evidence submitted, the product rules, our Terms of Use and applicable law.

If we become aware of a dispute, suspected misuse, conflicting evidence, fraud risk, court order, regulator request or legal uncertainty, we may pause, restrict, delay or refuse access while the matter is reviewed. We may require additional evidence or direct the parties to resolve the matter through appropriate legal channels.

Trusted contacts and legacy contacts can contact us about their own personal data, subject to the rights of the account holder, legal requirements, the integrity of the Service and the operation of the relevant feature.

8. Partner referral attribution

If you register for Fyldit using a partner code, affiliate code, referral code or referral link, we may process limited referral attribution data so that we can identify which partner referred you, administer the referral programme, assess whether a commission or reward is payable, prevent misuse and maintain payment and audit records.

Referral attribution data may include the partner code or referral link used, registration date and time, country or general region, sign-up status, trial status, trial-to-paid conversion status, subscription status, cancellation or refund status and commission eligibility.

Partners may see limited aggregated or pseudonymised (key-coded so it cannot directly identify you) dashboard information relating to their referral activity, such as geographic information, sign-up counts, conversion status, trial-to-paid status and commission eligibility.

We do not share your full name, email address, phone number, postal address, payment card details, vault contents, uploaded documents, trusted contact information, legacy contact information, private account information or support communications with the partner.

Partners are not permitted to use referral dashboard information to identify, contact or market to you unless they have a separate lawful basis to do so.

9. How we use personal data and our typical legal basis

The table below explains the main reasons we use personal data and the typical legal basis we expect to rely on. The legal basis may vary depending on your location, the specific feature used and applicable law.

PurposeWhat this meansTypical legal basis
Provide Fyldit account servicesCreate accounts, authenticate users, operate account settings and provide core vault functionality.Contract; legitimate interest for service administration and platform integrity.
Store and organise vault contentStore, retrieve, organise, preview and display vault content according to the actions and settings you choose.Contract; user instruction; legitimate interest for secure service operation.
External sharing and document transmissionProcess selected documents only where you instruct us to share, send, link, download, render or otherwise make them available.Contract; user instruction; legitimate interest for logs, proof of transmission and security.
Trusted contacts and unlock-on-death featuresInvite contacts, verify status, process access settings, record evidence and operate emergency or legacy workflows.Contract; legitimate interest; legal obligation where applicable; consent where required for optional participation.
Billing and subscriptionsProcess payments, invoices, refunds, renewals, plan changes, tax and accounting records.Contract; legal obligation.
Security and fraud preventionProtect accounts, detect misuse, investigate suspicious activity, monitor systems and maintain audit logs.Legitimate interest; legal obligation where applicable.
Service communications and supportSend service emails, account notices, security alerts, payment notices and support replies.Contract; legitimate interest.
Referral attributionIdentify partner referral source, prevent referral misuse, validate conversion status and maintain commission records.Legitimate interest; contract where relevant; legal obligation for accounting records.
Cookies, analytics and marketingOperate essential cookies, manage consent and use optional analytics or marketing tools where permitted.Consent where required; legitimate interest for strictly necessary service operation.
Legal and complianceRespond to lawful requests, enforce terms, defend claims, support audits and meet regulatory requirements.Legal obligation; legitimate interest; establishment, exercise or defence of legal claims.
Service improvementUse aggregated, anonymised or de-identified information to understand performance and improve the Service.Legitimate interest; consent where required.

Where consent is required, you may withdraw consent at any time. Withdrawal does not affect processing that already took place lawfully.

10. Cookies, analytics and tracking

We use cookies and similar technologies to operate Fyldit, keep accounts secure, remember choices, process payments, measure public website performance and manage consent.

Strictly necessary cookies are used to provide the website and account services. Optional analytics or tracking technologies are used only where permitted by law and, where required, only after you give consent.

Where analytics tools such as Microsoft Clarity are deployed, their use is restricted to selected public website pages. Analytics tools are not permitted to record vault content, document upload screens, document previews, recovery workflows, trusted contact workflows, payment pages or any other sensitive or authenticated areas of the Service.

You can manage cookie choices through the cookie banner or cookie settings link where available. More information is provided in our separate Cookie Policy.

11. Who we share personal data with

We share personal data only where it is necessary to provide Fyldit, to comply with applicable law, to protect our legal rights, to process payments, to operate security controls, or to deliver features that you choose to use.

Where we use service providers to process personal data on our behalf, we require appropriate contractual protections, including data processing agreements where required. These providers must process personal data only for authorised purposes and apply appropriate security and data-protection standards.

Some third parties, such as payment processors, authentication providers, external document recipients, legal advisers, regulators or other independent organisations, may act as separate controllers or independent recipients for their own processing activities.

Recipient typeWhat may be sharedRole / safeguard
Hosting and infrastructure providersEncrypted vault storage, databases, application hosting, email delivery, backups, monitoring and security operations.Usually processors acting under contract and data processing terms.
Payment processorsPayment and subscription data. We do not store full card numbers.May act as independent controllers or processors depending on the service.
Authentication providersLogin information if you choose a third-party sign-in option.May act as independent controllers for their own account services.
Email and communication providersTransactional emails, support communications and external document sharing where you instruct us to send documents.Processors for platform communications; external recipients may be independent recipients.
Analytics and cookie providersPublic website usage and consent-based analytics where enabled.Processors or independent controllers depending on provider configuration.
Trusted or legacy contactsInformation required for sharing, recovery or unlock-on-death features you choose to enable.Recipients under user-enabled features.
Partners in referral programmesLimited aggregated or pseudonymised referral dashboard information only, as described above.Recipients under referral programme controls.
Professional advisers and authoritiesInformation required for legal, accounting, compliance, dispute resolution, fraud prevention or lawful requests.Independent controllers or authorised recipients.
Business transfer recipientsLimited information if we are involved in a merger, acquisition, investment, reorganisation or sale of business assets, subject to appropriate safeguards.Recipients subject to confidentiality and transaction safeguards.

Our key service providers may include Amazon Web Services, Stripe, Google sign-in services, Microsoft Clarity and other providers used to operate, secure and support Fyldit. Provider use may change over time. We require service providers to apply appropriate security and data-protection standards.

12. International transfers

Fyldit operates using third-party infrastructure and service providers located in various countries. Personal data may be processed in, accessed from or transferred to countries outside the country where you are located, including for purposes such as hosting, payments, authentication, analytics, security, support, email delivery, backups, logs and business administration.

Where personal data is transferred internationally, we use appropriate safeguards where required by applicable law. These may include data processing agreements, DIFC Standard Contractual Clauses, EU or UK Standard Contractual Clauses where applicable, adequacy arrangements, transfer risk assessments, access controls, encryption, anonymisation, data minimisation and other lawful transfer mechanisms.

The safeguards used will depend on the country, provider, data type, processing purpose and applicable legal framework. We aim to limit international transfers to what is necessary for the relevant service, security, support, payment or business purpose.

13. How long we keep data

We keep personal data only for as long as reasonably necessary for the purposes described in this policy, unless a longer period is required or permitted by law. Retention periods must align with actual product behaviour, system logs, backup rotation, sharing records, tax records and legal requirements.

Data typeRetention approach
Account dataFor as long as your account is active, then normally up to 12 months after closure or plan expiry unless a longer period is required.
Encrypted vault contentUntil you delete it, close your account or the deletion period after plan expiry ends. We currently expect deletion after 30 days from plan expiry unless legally or technically required otherwise.
External sharing recordsNormally up to 24 months, or longer where needed for security, dispute resolution, legal claims, audit or evidence of user instruction.
Activity and security logsNormally up to 24 months, or longer where needed for security, fraud prevention, legal claims, regulatory purposes or incident response.
Billing and invoice recordsNormally 7 years, or longer if required by tax, accounting or commercial law.
Trusted and legacy contact dataUntil removed by you, your account is deleted, or the data is no longer needed for the relevant feature, subject to legal and operational requirements.
Referral and commission recordsNormally up to 7 years where needed for accounting, audit, tax, commission or dispute records.
Support communicationsNormally up to 24 months after closure of the support issue, or longer where needed for legal, security or operational reasons.
Consent and cookie recordsFor the period required to evidence consent and manage preferences.
BackupsDeleted or overwritten through normal backup rotation, normally within 90 days, unless a longer period is required for security, continuity or legal reasons.

Deletion may not be immediate from all systems because information may remain temporarily in backups, security logs, audit records, payment records or legal holds. We may retain data for longer where required to comply with law, resolve disputes, prevent fraud, enforce our terms, protect users, maintain security or defend legal claims.

14. Security and data breach response

We use appropriate technical and organisational measures designed to protect personal data. These may include encryption, restricted access, account security controls, audit logs, monitoring, backups, staff access controls, incident response procedures and supplier due diligence.

If we become aware of a suspected or actual personal data breach, we will assess it, take appropriate containment and remediation steps, and notify relevant regulators and affected individuals where required by applicable law. We may also notify users where we believe this is appropriate to help them protect their account or information.

No online service, storage system, email system or transmission method is completely secure. You are responsible for keeping your login details safe, using strong authentication where available, keeping recovery information secure and sharing documents only with trusted recipients.

15. Your rights

Depending on where you live and which laws apply, you may have rights to:

  • access personal data we hold about you;
  • correct inaccurate personal data;
  • delete personal data;
  • restrict or object to certain processing;
  • receive certain data in a portable format;
  • withdraw consent where processing is based on consent;
  • complain to a relevant data protection authority.

To exercise rights, contact privacy@fyldit.com. We may need to verify your identity before responding. We aim to respond within 30 days, or within the period required by applicable law.

These rights are not absolute. We may not be able to comply with a request where an exemption applies, where we must retain data for legal, tax, accounting, security or dispute purposes, where disclosure would affect another person's rights, where the request is manifestly unfounded or excessive, or where the requested data is no longer technically available in readable form.

Because vault content is encrypted, we will not be able to provide a readable copy from our systems. Where available, you can export your vault content directly from your account.

If you have shared data with an external recipient, deleting it from Fyldit may not delete copies held by that recipient. You may need to contact the recipient directly about their handling of the information.

16. Children

Fyldit accounts are intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we learn that a person under 18 has registered for a Fyldit account, we will take appropriate steps to delete their personal data or close the account.

Where a Fyldit account holder includes a child as part of their family circle or trusted contact arrangement, the account holder is responsible for ensuring that any personal data relating to that child is shared or processed lawfully and with appropriate authority. We do not create Fyldit accounts for children in this context. Where an account holder nominates a trusted or legacy contact who holds an email address provided by a third-party platform that permits users below the age of 18, we rely on the account holder to confirm that the individual has authority to act in that capacity and that any relevant parental or guardian consents have been obtained.

17. Legal requests and protection of rights

We may disclose personal data where we believe disclosure is required by law, court order, regulator, law enforcement request, legal process, fraud investigation, security incident response, dispute resolution or to protect the rights, safety and property of Fyldit, users or others.

Where vault content is encrypted and we do not have access to the readable content, we may only be able to provide encrypted content or operational information available to us. Where you have used features that involve external sharing or transmission, records or copies may exist outside the normal encrypted vault environment depending on the feature used and the recipient's handling.

18. Changes to this policy

We may update this policy from time to time. We will publish the updated version with a new effective date. If changes are material, we will take reasonable steps to notify you, such as by email, in-app notice or website notice.

19. Contact

Contact typeEmail
Privacyprivacy@fyldit.com
Supportsupport@fyldit.com
Legallegal@fyldit.com

This policy is governed by the laws applicable to Funerals & Tech Limited in its place of incorporation and operation. Nothing in this policy limits any mandatory privacy rights you may have under laws that apply in your country or region.