Zero-Knowledge Encryption for Your Vault Content

Privacy Policy

UK GDPR, Data Protection Act 2018, and Data (Use and Access) Act 2025 Compliant

Last Updated: May 2026

Brianni Ltd. ("Brianni", "we", "us", or "our"), registered in the United Kingdom, provides a digital legacy management service. We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use our services.

Legal Framework

This policy complies with UK GDPR, Data Protection Act 2018, and Data (Use and Access) Act 2025.

For information about cookies and similar technologies, please see our Cookie Policy.

1. Data Controller

Brianni Ltd. (Companies House number 16744009; ICO Data Protection registration ZC132748; registered office: 167-169 Great Portland Street, London, W1W 5PF) is the data controller of your personal information.

Brianni has appointed a Data Protection Officer (Mr Zee Mudia), as recorded with the Information Commissioner's Office. The DPO can be contacted at privacy@brianni.ai (the email address listed on our ICO registration).

For general privacy questions, contact us at: privacy@brianni.co

2. Information We Collect

We collect and process the following categories of information:

Account Information

Name, email address, phone number, login credentials.

Phone Number

Your phone number is collected to send you SMS notifications including account verification codes, security alerts, death verification notifications to executors, and package delivery notifications to recipients. You consent to receiving these SMS messages when you provide your phone number and agree to our Terms of Service.

Authentication Data

Passkey credentials and authentication tokens (biometric authentication occurs locally on your device and is never transmitted to our servers).

Vault Content (Encrypted)

The substance of what you store — files, documents, the body of personal messages, and other payloads inside vault items and packages — is encrypted on your device using AES-256-GCM with zero-knowledge architecture. We cannot decrypt this content; neither could a court order, a subpoena, or a server breach.

Metadata (Plaintext but Access-Controlled)

Some information about your vault items, packages, and recipients is stored in plaintext on our servers to enable search, organisation, and delivery. This metadata is access-controlled — only you (and, where applicable, firm administrators when you are a client of a Brianni for Advisors firm) can see it through your account — but we acknowledge it is not encrypted and would be visible to us under a valid legal process.

Specifically, the following are stored in plaintext:

  • Vault item titles, descriptions, and tags
  • Package names and descriptions
  • Recipient names, email addresses, phone numbers, relationships, and any notes you add
  • Executor names and contact details

We treat this metadata as personal data subject to UK GDPR and the rest of this policy.

Executor and Recipient Information

Contact details provided by you to enable legacy package delivery.

Subscription & Payment Information

Billing details processed securely by our payment provider.

Device & Technical Data

Device type, operating system, browser type and version, IP address, approximate location (derived from IP), access times, referring URLs, and session identifiers. This data is collected for service functionality, security monitoring, and fraud prevention.

Security Verification Data

We use Google reCAPTCHA Enterprise for bot protection and fraud prevention. This service may collect your IP address, browser type, operating system, mouse movements, and other behavioural data. This data is processed by Google LLC in accordance with Google's Privacy Policy. See Section 5 (Sharing) and Section 6 (International Transfers) for details.

Error Monitoring Data

We use Sentry (Functional Software, Inc.) for application error monitoring and performance tracking. This service may collect your IP address, browser information, device type, and technical error details to help us identify and fix issues. No vault content or encrypted data is ever sent to Sentry.

Communications

Support requests, feedback, or other messages you send us.

Children's Data

Our services are intended for users aged 18 and over. We do not knowingly collect or process personal data from anyone under 18 years of age. If we become aware that we have collected personal data from a person under 18, we will take steps to delete that information promptly.

3. How We Use Your Information

We process your information for the following purposes:

  • To provide and maintain your account.
  • To enable secure authentication through passkeys and device-based security features.
  • To store your vault content using end-to-end encryption (we cannot access this encrypted data).
  • To process metadata for search, organization, and service functionality.
  • To enable executor verification and recipient access.
  • To deliver communications related to your account and service.
  • To send SMS notifications including verification codes (OTP), security alerts, death verification notifications to executors, and package delivery notifications to recipients. Message and data rates may apply.
  • To process payments and manage subscriptions.
  • To detect and prevent fraud, security breaches, or misuse.
  • To comply with legal obligations.
  • With your consent, to send you optional service updates or marketing.

See Section 4 below for the legal basis that applies to each processing purpose.

4. Legal Bases for Processing (UK GDPR / EU GDPR)

We rely on the following legal bases:

Contract (Art. 6(1)(b))

Processing necessary to perform our contract with you, including providing your account, storing vault content, managing subscriptions, processing payments, enabling executor verification and recipient access, and sending transactional communications.

Legal Obligation (Art. 6(1)(c))

Processing necessary to comply with legal requirements, including maintaining financial and tax records (typically 7 years under UK tax law), responding to lawful requests from regulators, and complying with data protection legislation.

Legitimate Interests

Specifically:

  • Account security and fraud prevention
  • Service improvement and system maintenance
  • Processing metadata for search and organizational functionality
  • Prevention of unauthorized access
  • Secure authentication and access control

Consent

For optional marketing communications (where applicable).

5. Sharing of Information

We only share your information with trusted service providers who help us operate our service:

  • Payment Processor: Stripe (billing and subscriptions).
  • Cloud Hosting & Storage: Amazon Web Services (AWS) for hosting and encrypted data storage.
  • Email Delivery (SMTP): IONOS SE for transactional email delivery, including account notifications, security alerts, and executor/recipient communications.
  • Email & SMS Delivery: AWS Simple Email Service (SES) and Simple Notification Service (SNS).
  • Bot Protection and Security: Google LLC (reCAPTCHA Enterprise) for automated abuse detection and fraud prevention. Google may process your IP address, browser information, and behavioural data in accordance with Google's Privacy Policy.
  • Error Monitoring: Sentry (Functional Software, Inc.) for application error tracking and performance monitoring. Sentry may process your IP address, browser information, and technical error data. No encrypted vault content is shared with Sentry.
  • Product Analytics (consent-based): PostHog (PostHog Inc.), hosted in PostHog's EU region (eu.i.posthog.com). PostHog is loaded only after you explicitly consent to analytics via our cookie banner. When loaded, PostHog processes IP address, page URL, and basic browser/device information to produce anonymous product-usage analytics. Persistence is in-memory only (no cookies set, no data written to your browser's local storage). If you revoke consent, we instruct PostHog to opt out of further capture.

Important

  • Your vault content is protected by end-to-end encryption with zero-knowledge architecture - neither we nor our service providers can access or decrypt your files, documents, or personal data.
  • Authentication credentials are processed securely and biometric data (Face ID/Touch ID) never leaves your device.
  • Only account information, metadata, and billing data may be processed by our service providers as necessary for service delivery.

We do not sell your personal data.

6. International Transfers

Your information may be transferred to and processed in countries outside the United Kingdom and European Economic Area, including the United States and the European Union. We ensure that all international transfers are protected by appropriate safeguards:

  • United Kingdom (IONOS UK): Our application VPS is hosted in the United Kingdom by IONOS Cloud Limited. No cross-border transfer occurs for application hosting itself.
  • European Union (PostHog, IONOS SE for transactional email): Where personal data is processed in the EU (e.g. PostHog's EU region for consent-based product analytics, or IONOS SE for some transactional email infrastructure), the EU has been granted adequacy status by the UK under UK GDPR Article 45 — your data receives equivalent protection.
  • United States (AWS, Stripe, Google, Sentry): Transfers to the US are protected by the UK-US Data Bridge (UK Extension to the EU-US Data Privacy Framework) where the recipient is certified, and/or by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses. Note that encrypted vault content is stored in AWS S3 in the eu-west-1 (London) region; metadata, billing, and operational data may be processed in AWS US regions.

You may request a copy of the relevant transfer safeguards by contacting us at privacy@brianni.co.

7. Data Retention

We keep your information only as long as necessary:

  • Account data: For as long as your account is active.
  • Authentication credentials: Stored securely until you remove them or delete your account.
  • Vault content: End-to-end encrypted data retained until account deletion (we cannot access this content).
  • Metadata: Retained to enable search and organization functionality until account deletion.
  • Executor/recipient contact details: Until legacy package delivery is complete or account is deleted.
  • Payment data: As required by law (typically 7 years for financial records).
  • Communications: As long as needed to respond to support or inquiries (typically 2 years maximum).
  • Post-death retention: Following verified passing of an account holder, vault content and legacy packages are retained for a period sufficient to complete all package deliveries to designated recipients (typically 30-90 days). After all deliveries are complete or delivery windows expire, encrypted vault content is securely deleted within 30 days. Account metadata and audit logs relating to the death verification and delivery process are retained for 2 years.

When data is no longer required, it is securely deleted.

8. Your Rights

Under UK and EU data protection law, you have the right to:

  • Access your personal data.
  • Request correction of inaccurate data.
  • Request deletion ("right to be forgotten").
  • Request restriction of processing.
  • Object to processing in certain circumstances.
  • Request data portability. For unencrypted data (account information, metadata), we will provide an export in a standard format (e.g., JSON or CSV). For encrypted vault content, we provide in-app tools for you to download your content directly, as our zero-knowledge architecture means we cannot decrypt it on your behalf.
  • Withdraw consent where processing is based on consent.

Making a Complaint

If you have concerns about how we handle your personal data, you can:

  • Contact us directly using our electronic complaint form at complaints@brianni.co
  • We will acknowledge your complaint within 30 days and respond without undue delay
  • You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection. Website: ico.org.uk | Telephone: 0303 123 1113 | Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. We would appreciate the opportunity to address your concerns before you contact the ICO.

Automated Decision-Making

We do not make any decisions based solely on automated processing that produce legal or similarly significant effects on you. Where we use automated tools (such as fraud detection or spam filtering), these are used to assist human decision-making, not to replace it. You have the right not to be subject to a decision based solely on automated processing under UK GDPR Article 22.

9. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption at rest: Vault content is encrypted using AES-256 with zero-knowledge architecture (client-side encryption — we never hold your keys)
  • Encryption in transit: All data transmitted between your device and our servers is protected by TLS 1.3
  • Authentication security: Passkey-based authentication using FIDO2/WebAuthn standards; biometric data is processed locally on your device
  • Infrastructure security: Hosting on ISO 27001-certified cloud infrastructure with regular security assessments
  • Access controls: Role-based access controls, audit logging, and principle of least privilege

No system is 100% secure. While we take extensive measures to protect your data, we cannot guarantee absolute security. In the event of a personal data breach likely to result in a risk to your rights, we will notify the ICO within 72 hours and notify you without undue delay where required.

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) under UK GDPR Article 35 for processing activities that are likely to result in a high risk to individuals, including our death verification and executor identity verification processes. These assessments evaluate the necessity and proportionality of the processing, identify risks to data subjects, and establish measures to mitigate those risks. DPIAs are reviewed and updated when there are significant changes to our processing activities.

10. Updates to This Policy

We may update this Privacy Policy from time to time. Significant changes will be communicated to you by email or through the service at least 30 days in advance.

11. Contact

If you have questions about this Privacy Policy or how your information is handled, please contact us at:

Brianni Ltd.

Registered Office: 167-169 Great Portland Street, London, W1W 5PF

Email: privacy@brianni.co

For data protection matters specifically, you may also contact our Data Protection Officer at: privacy@brianni.ai

Have Privacy Questions? We're Here to Help

Our privacy team is dedicated to protecting your digital legacy and ensuring your data rights are respected.

Response Time: We respond to all privacy inquiries within 72 hours

Complaint Acknowledgement: Within 30 days