Privacy Policy
Last updated: May 5, 2026
The short version: Your family's memories are yours. We don't sell them, share them, or use them for advertising. Not in a clever-loophole way. Not at all.
What we collect
When you create an account, we collect your name, email address, and a hashed version of your password (we never see the plain text). When you subscribe, payment information is collected and processed by Stripe — we never store credit card numbers ourselves.
When you use Capsulated, we store the content you upload — photos, videos, voice recordings, written stories, memoirs, life-story answers, family tree information, time capsules, and any private documents you choose to add. We also keep operational logs (sign-in times, device fingerprints used for security) and minimal usage counts (storage consumed, item counts) so the product can function.
We do not track your behaviour across other websites. We do not use advertising cookies. We do not build advertising profiles. There is no marketing pixel on any page of this product.
How we use your data
The short version: we use your data to operate your vault and nothing else.
Specifically, we use your information to:
- Show you the contents of your own vault and the vaults you've been invited into.
- Send you account-related notifications you've opted into.
- Deliver time capsules and posthumous content on the schedule you set.
- Detect unauthorised access and protect your account.
- Process subscription payments through Stripe.
- Generate features you explicitly use — AI Living Biography, AI Interview transcripts, voice-to-text on your recordings — using third-party processors that operate as our subprocessors and are bound by confidentiality.
We do not use your content to train AI models. We do not sell or rent your data. We do not analyse your content to serve you targeted messaging or upsells. Not in a clever-loophole way. Not at all.
Where your data is stored
Your account data and metadata are stored in a managed Postgres database hosted by Supabase, with row-level security policies enforcing per-user access at the database layer.
Photos, voice recordings, written content, and uploaded documents are stored in Cloudflare R2 object storage. Video recordings (including AI Interviews and memorial videos) are stored in Cloudflare Stream.
All data is encrypted in transit (TLS 1.2+) and encrypted at rest using the underlying providers' standard server-side encryption. Private documents you mark as legal/financial (wills, letters of wishes, posthumous letters) are stored under additional access controls and are never readable by AI features.
Third-party services we use
Capsulated relies on a small number of vetted third parties to operate. Each one only sees the data it needs for its function. We do not authorise any of them to use your data for their own purposes.
- Supabase — managed Postgres database and authentication. Sees: your account record, vault metadata, encrypted password hash.
- Cloudflare R2 & Stream — file and video storage / delivery. Sees: encrypted file blobs and video frames. Does not parse or analyse content.
- Stripe — payment processing. Sees: your name, email, billing address, card details (Stripe stores card numbers, not us). Subject to Stripe's privacy policy.
- Resend — transactional email delivery (sign-up confirmations, password resets, time-capsule unlocks, posthumous-delivery notifications). Sees: your email address and the message body.
- Anthropic API (Claude) — powers the AI Living Biography and AI Interview features. Receives: the specific vault content you choose to feed each feature (memories, life-story answers, memoirs, timeline). Anthropic's commercial API does not train on customer data. Does not receive your private documents or sealed time capsules.
- ElevenLabs — text-to-speech for the AI Interview voice. Receives: the interview's question text only. Does not receive any of your personal content.
- Deepgram — speech-to-text transcription for voice memories and AI Interview recordings. Receives: the audio content you choose to transcribe.
- Vercel — application hosting. Sees: HTTP request metadata only (no application data persists at Vercel beyond the running runtime).
We do not engage advertising networks, marketing-attribution services, behavioural analytics platforms, or data brokers. Ever.
How long we keep your data
Your content lives in your vault for as long as your account is active. If you cancel a subscription, you have 30 days to export everything before deletion. After 30 days, your vault content is permanently deleted from our primary databases and queued for removal from backups according to provider retention schedules (typically 30–90 days).
One important exception: memorial profiles.
When a vault transitions into a memorial after the owner's passing, that memorial — and all the content the owner chose to make part of it — becomes permanent. Memorial profiles cannot be deleted by anyone, including the original creator (now deceased), their Trusted Guardians, family members, or Capsulated itself, except where required by valid legal order. This permanence is the central promise of Capsulated and we disclose it prominently.
Your rights
Depending on where you live, you have legal rights over your personal data. We honour all of these rights regardless of your location:
- Right to access — request a copy of all data we hold about you.
- Right to rectification — correct anything that's inaccurate.
- Right to deletion — request deletion of your account and all associated data, subject to the memorial-profile exception above.
- Right to portability — export your vault contents in standard formats (photos as their original files, voice and video as their original media files, written content as Markdown or plain text, structured data as JSON).
- Right to opt out of non-essential processing — including AI features. Opting out of AI features does not affect any other vault functionality.
These rights are granted by the EU General Data Protection Regulation (GDPR), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and the California Consumer Privacy Act (CCPA), among others. To exercise any right, email privacy@capsulated.app. We respond within 30 days.
Posthumous data handling
Capsulated treats your vault as part of your digital estate. The Death Activation system is the legal and operational core of how we handle data after a user's passing.
Death Activation can be triggered in three ways, all of which you configure during your lifetime:
- Trusted Guardian confirmation — two of your designated Trusted Guardians independently confirm your passing, after which a 48–72 hour grace period begins before posthumous content is delivered.
- Death certificate upload — a Trusted Guardian uploads a death certificate, which Capsulated verifies and processes without the inactivity grace period.
- Inactivity timer — extended account inactivity (durations you configure, typically 12–24 months) triggers a multi-stage Trusted Guardian confirmation flow.
When Death Activation completes, your vault transitions into a memorial. The recipients you designated receive the specific letters, voice notes, videos, time capsules, and private documents you addressed to them — exactly as you configured during your lifetime. Capsulated does not modify, summarise, or interpret your posthumous content. We deliver what you set up.
Trusted Guardians have legally limited authority. They can confirm your passing and trigger the activation flow. They cannot read your private documents, access content not addressed to them, edit or delete any memorial content, or override deceased-owner decisions about who receives what.
Memorial profiles, once created, are permanent. See “How long we keep your data” above for details.
Children and Parental Admin
We do not knowingly collect personal data from children under 13 without verified parental consent. Account creation requires you to be at least 18 years old.
For families with minor children, the Parental Admin system allows a parent (the account owner) to add a child to their family tree and gate that child's outside connections. When an Inner Circle invitation is directed at a minor, it routes to the parent for approval before any contact is established. Family-tree connections to blood relatives the parent has already added are not gated.
Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify you by email at least 30 days before they take effect. The current version is always available at capsulated.app/privacy.
Contact
For privacy-related questions, data access requests, deletion requests, or any other concerns covered by this policy, email privacy@capsulated.app. For general support, email support@capsulated.app.