Your privacy is at the heart of everything we do. This policy explains, in plain language, what data we collect, why, and how we protect it, in accordance with the General Data Protection Regulation (GDPR) and applicable Luxembourg and EU law.
Last updated: February 7, 2026
Your memories are encrypted with AES-256 and a unique per-user key
We never sell, rent, or trade your personal information
Access, export, rectify, or delete your data at any time
Built with privacy by design and by default (Art. 25 GDPR)
The data controller responsible for processing your personal data is:
Hailoom S.à r.l.
Luxembourg
Contact: support@hailoom.com or via our contact form on the Support page
Data Protection Officer: available via the contact form
We collect different categories of personal data depending on your use of the platform. We apply the principle of data minimisation (Art. 5(1)(c) GDPR): we only collect data that is strictly necessary for each purpose.
When you create and use your Hailoom account:
Content you voluntarily create in your memory vaults:
Important: Your vault entries may contain sensitive personal data (Art. 9 GDPR) such as health information, religious beliefs, or deeply personal reflections. This content is processed on the legal basis of your explicit consent and is encrypted at all times.
When you designate beneficiaries to receive your legacy content, we collect about them:
In accordance with Art. 14 GDPR, beneficiaries are informed within one month that their data has been collected, the purpose of the processing, and their rights. They may exercise their rights independently by contacting us.
To ensure security and improve the service:
When you subscribe to a paid plan, processed via Stripe:
Under Art. 6 GDPR, every processing activity must have a legal basis. We use one legal basis per purpose; they are never combined. The table below maps each processing activity to its legal basis.
| Processing Activity | Legal Basis (Art. 6 GDPR) | Purpose |
|---|---|---|
| Account creation & profile management | Contract (Art. 6(1)(b)) | Necessary to provide the Hailoom service |
| Vault entry storage & encryption | Contract (Art. 6(1)(b)) | Core service: storing and protecting your memories |
| Beneficiary designation & management | Contract (user) / Legitimate interest (beneficiary) | Executing the user's digital legacy instructions |
| Post-mortem content delivery | Contract (user) / Legitimate interest (beneficiary) | Delivering content to designated beneficiaries |
| Death notification & verification | Legitimate interest (Art. 6(1)(f)) | Preventing fraudulent claims, protecting users' legacies |
| Subscription & payment processing | Contract (Art. 6(1)(b)) | Managing paid subscriptions via Stripe |
| AI writing assistance | Consent (Art. 6(1)(a)) | Optional feature activated by user choice |
| Transactional emails | Contract (Art. 6(1)(b)) | Service-related notifications (security, delivery, billing) |
| Analytics (Google Analytics) | Consent (Art. 6(1)(a)) | Understanding anonymised usage patterns to improve the service |
| Security logging & error tracking | Legitimate interest (Art. 6(1)(f)) | Detecting and preventing fraud, maintaining system integrity |
For vault content that may contain sensitive data (Art. 9 GDPR), the additional legal basis is your explicit consent (Art. 9(2)(a)). You may withdraw this consent at any time by deleting the relevant content or your account.
We process your personal data exclusively for the following purposes:
We will never:
Hailoom offers optional AI writing assistance to help you compose your memories. When you use this feature:
AI assistance is entirely optional. You can write all your entries without ever using this feature. The legal basis for this processing is your consent (Art. 6(1)(a) GDPR), which you give by actively choosing to use the AI coach.
We share personal data with the following sub-processors, each bound by a Data Processing Agreement (Art. 28 GDPR):
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase (PostgreSQL) | Database hosting, authentication, storage | All user data (encrypted at rest) | EU (Frankfurt, Germany) |
| Stripe | Payment processing, subscriptions | Customer ID, subscription data, billing info | USA (EU SCCs in place) |
| Resend | Transactional email delivery | Recipient email, name, email content | USA (EU SCCs in place) |
| Anthropic (Claude) | AI writing assistance (premium users) | Text prompts, memory type, content context | USA (EU SCCs in place) |
| OpenAI | AI writing assistance (free-tier users) | Text prompts, memory type, content context | USA (EU SCCs in place) |
| Google Analytics | Anonymised usage analytics (consent-based) | Anonymised IP, page views, device type | USA (EU SCCs in place) |
| Sentry | Error tracking and monitoring | Error logs, stack traces (anonymised where possible) | USA (EU SCCs in place) |
Each sub-processor is contractually bound to process data only on our instructions, maintain appropriate security measures, and assist us in fulfilling your rights. We regularly review their compliance.
Some of our sub-processors are located outside the European Economic Area (EEA). When personal data is transferred outside the EEA, we ensure appropriate safeguards are in place:
You may request a copy of the applicable transfer safeguards by contacting our Data Protection Officer via the contact form on our Support page.
All vault content is encrypted using AES-256 encryption with a unique per-user encryption salt generated at account creation. Your encryption keys are derived from your credentials and are never stored in plain text on our servers. Data is encrypted both in transit (TLS 1.3) and at rest.
We maintain strict internal access controls following the principle of least privilege. Administrative access is limited to authorised personnel, all access is logged, and we use role-based permissions (user/admin) enforced at the database level.
In the event of a personal data breach, we will notify the relevant supervisory authority (CNPD) within 72 hours (Art. 33 GDPR). If the breach is likely to result in a high risk to your rights and freedoms, we will notify you within 30 days of discovering the breach (Art. 34 GDPR), with details of the breach and recommended protective measures. This timeline also satisfies applicable US state breach notification laws.
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected (Art. 5(1)(e) GDPR). The following table specifies our retention periods:
| Data Category | Retention Period | Justification |
|---|---|---|
| Account & profile data | Duration of account + 30 days after deletion | Necessary for service provision; deleted on account closure |
| Vault content (memories) | Duration of account + post-mortem delivery completion | Core purpose: legacy preservation and delivery to beneficiaries |
| Beneficiary data | While designating user's account is active + delivery window | Needed to execute legacy instructions |
| Payment & invoice data | 5 years after last transaction | Legal obligation: Luxembourg tax and commercial law |
| Authentication logs & sessions | 7 days (session tokens) | Security: detect unauthorised access |
| Security reports & error logs | 12 months | Legitimate interest: security monitoring and incident response |
| Email queue records | 30 days after successful delivery | Operational: troubleshooting delivery issues |
| Cookie consent preferences | 13 months (CNIL recommendation) | Compliance: record of consent, re-consent cycle |
When you delete your account, all personal data and vault content is permanently erased within 30 days via cascading database deletion. Backups containing your data are purged within 90 days. Data required for legal compliance (e.g., invoices) is moved to restricted archival storage.
We follow the CNIL's three-phase data lifecycle: active database (operational use), intermediate archival (restricted access for legal obligations), and final deletion or anonymisation.
Hailoom's core purpose is digital legacy management. This involves unique data processing when a user passes away. We are transparent about the full data lifecycle.
During the verification process, we collect the reporter's name, email, phone, place of death, and IP address (for fraud prevention). Supporting documents are analysed for authenticity. If funeral home information is provided, we may contact the funeral home to independently verify the passing. This data is processed on the legal basis of legitimate interest (Art. 6(1)(f) GDPR), specifically the prevention of fraudulent death claims and the protection of our users' digital legacy.
Beneficiaries who are designated by users have independent rights under GDPR. They may contact us to: access the data we hold about them, request rectification or deletion of their personal data (name, email, relationship), or object to their designation. However, the vault content itself belongs to the creator and is delivered according to the creator's instructions; beneficiaries cannot modify the creator's content.
When a reporter provides funeral home information (name, phone number, address, contact person), we process this data under GDPR Article 6(1)(f), legitimate interest in verifying death claims and preventing fraud. This data is: used solely for verification purposes, shared only with authorized verification staff, retained for 7 years for legal compliance, and securely deleted after the retention period. Funeral homes contacted for verification are informed of the purpose and are not provided with any vault content or beneficiary information.
Under the GDPR and Luxembourg law, you have the following rights regarding your personal data:
To exercise your rights, use the self-service options in your account settings (data export, profile editing, account deletion) or contact us via the contact form on our Support page. We may need to verify your identity before processing your request.
We will respond to your request within one month (Art. 12(3) GDPR). If your request is complex, we may extend this period by two additional months, in which case we will inform you within the first month.
Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Commission Nationale pour la Protection des Données (CNPD), the Luxembourg supervisory authority, or with the supervisory authority in your country of residence. CNPD: 15, Boulevard du Jazz, L-4370 Belvaux, Luxembourg, www.cnpd.lu
We use cookies and similar technologies on our platform. In accordance with the CNIL's recommendations and Art. 5(3) of the ePrivacy Directive, we obtain your consent before setting any non-essential cookies.
| Cookie Name | Category | Purpose | Duration |
|---|---|---|---|
| sb-*-auth-token | Essential | Supabase authentication session | 7 days |
| hailoom_theme | Functional (consent required) | Remember your theme preference | 1 year |
| hailoom_language | Functional (consent required) | Remember your language preference | 1 year |
| hailoom_timezone | Functional (consent required) | Remember your timezone setting | 1 year |
| hailoom_preferences | Functional (consent required) | General UI preferences | 1 year |
| _ga, _gid | Analytics (consent required) | Google Analytics: distinguish users, sessions | _ga: 2 years, _gid: 24h |
| _ga_* | Analytics (consent required) | Google Analytics: property-specific tracking | 2 years |
When you first visit Hailoom, a consent banner allows you to accept all cookies, reject all non-essential cookies, or customise your preferences by category. Your consent choice is stored locally and you can change it at any time via the Cookie Settings link in the footer.
Essential cookies cannot be disabled as they are strictly necessary for the platform to function. All other cookies require your prior consent. You can also manage cookies through your browser settings. The site is fully functional with only essential cookies; rejecting optional cookies does not limit your access to any Hailoom features.
Hailoom is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16 (Art. 8 GDPR). If you are under 16, you may not create an account. If we discover that we have inadvertently collected data from a child under 16, we will promptly delete that data and the associated account. If you believe a child has provided us with personal data, please contact us via the contact form on our Support page.
If you are a resident of certain US states, you may have additional privacy rights under state privacy laws including the California Consumer Privacy Act (CCPA/CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), and Connecticut Data Privacy Act (CTDPA).
Hailoom does not sell your personal information. We do not share your personal information for cross-context behavioural advertising. We do not use or disclose sensitive personal information for purposes other than providing the Service.
To exercise your rights, use the self-service options in your account settings or contact us at support@hailoom.com. We will verify your identity before processing your request and respond within 45 days (extendable by an additional 45 days for complex requests).
California residents may designate an authorised agent to submit requests on their behalf. The agent must provide proof of authorisation.
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or for other operational reasons. The 'Last updated' date at the top of this page indicates when it was last revised.
For material changes that affect how we process your personal data, we will notify you by email and/or through a prominent notice on the platform at least 30 days before the changes take effect. Where required by law, we will obtain your consent to material changes. If our cookie consent policy version changes, you will be asked to re-consent.
If you have questions about this Privacy Policy, wish to exercise your rights, or have concerns about our privacy practices, contact us at support@hailoom.com or use our contact form:
For all privacy-related questions, data subject requests, or general enquiries, email support@hailoom.com or use our contact form.
Our Data Protection Officer can be reached via the contact form. Please select 'Privacy / GDPR' as the subject category to ensure your request is routed to the DPO.
Commission Nationale pour la Protection des Données (CNPD), 15, Boulevard du Jazz, L-4370 Belvaux, Luxembourg, www.cnpd.lu. You may also contact the supervisory authority in your country of residence.