How we respond when someone asks us for your data.

MyVaultedLife is operated by MyVaultedLife LLC, a U.S. company organized in Rhode Island. We disclose user information only when we are legally compelled by valid U.S. legal process, or in the narrow emergency circumstances described below.

What we expect, at a minimum:

• Subpoena for basic account record information (the limited metadata described under “What we can produce”).
• Court order or search warrant for anything beyond basic account records, to the extent such data exists in a form we can produce.
• Proper service. Requests must identify the specific account (typically by the exact email address on file), identify the requesting agency and officer, and be served through the channel described under “How to serve us.”

We review each request for legal validity and scope. We narrow or object to requests that are overbroad, vague, facially deficient, or that ask for data we do not hold. A request for “all of a user's data” will not produce vault contents, because those contents are encrypted with keys we do not possess (see below).

Most of what you keep in MyVaultedLife is end-to-end encrypted. Your vault is encrypted in your browser, with a key derived from your password (Argon2id) that we never receive, before any data reaches us. We store only ciphertext, and we hold no key that can open it. As a result, in response to legal process we cannot provide the plaintext of:

• Vault field values. Everything you enter across your medical, financial, identity, home, digital, and people sections.
• Custom fields and your responses to prompts.
• Uploaded documents and files. Stored as ciphertext encrypted under per-section keys we cannot read.

This is a property of the system's design, not a policy choice we can waive: we could not decrypt this data for ourselves either. If compelled, we can produce only the encrypted ciphertext, which is not usable without the user's key. We will state this in response rather than create the impression that more is available.

Some information is necessarily readable on our side in order to operate the service. In response to valid legal process, the categories we may be able to provide include:

• Basic account records. The email address and display name on the account, and account creation date.
• Subscription and plan status. Whether an account is free, Personal, or Family, and its current standing.
• Sign-in and activity timestamps and associated technical log data (such as IP addresses captured in server or error logs), to the extent retained.
• Structural vault metadata. Which sections exist and how complete they are. This never includes the contents of any field.
• Personal “final” messages. Messages you leave to be delivered to loved ones are, by necessity, encrypted under a key we hold rather than end-to-end (we have to be able to deliver them on your behalf, often to people who hold no key). That means they are within the set of data we could be compelled to produce. We disclose this deliberately, and we say it elsewhere too: do not put secrets in a message; put them in your vault.

Payment data. We never store full card numbers. Payments are processed by Stripe, which holds the payment records. Requests for billing or payment-instrument details should be directed to Stripe.

Our policy is to notify a user before disclosing their information in response to legal process, so that they have an opportunity to seek to limit or challenge the request, unless we are legally prohibited from doing so (for example, by a non-disclosure order or where notice is barred by law), or in a genuine emergency involving a risk of death or serious physical harm.

In emergencies involving an imminent risk of death or serious physical injury, we may disclose the limited information we hold (see “What we can produce”) to law enforcement without legal process, where we believe in good faith that disclosure is necessary to prevent that harm. Emergency requests should be clearly marked as such and submitted through the channel below.

MyVaultedLife is a U.S.-based service. We respond to valid U.S. legal process. Requests from authorities outside the United States should generally be made through a Mutual Legal Assistance Treaty (MLAT) or letter rogatory, or another recognized form of cooperation, so that they are presented to us as valid U.S. legal process.

We can only produce data that still exists when a request arrives. If you delete your account, your data is purged from our active systems within 30 days, and encrypted backups are rotated and overwritten on a schedule (residual data for up to 12 months). Billing records are retained as required by law. We do not retain data solely in anticipation of legal requests, and we do not create logs we would not otherwise keep. See our Privacy Policy for full retention details.

Law enforcement and legal requests should be directed to legal [at] myvaultedlife.com. Please include the requesting agency and officer, a callback contact, the specific account identifier (the exact email address on the account), the legal authority for the request, and any deadline.

Email submission helps us route and review requests promptly, but does not waive any requirement of formal service or alter the legal standard we apply. We do not accept service of process through customer support channels.

We believe users deserve to know how often their data is sought. We intend to report, in aggregate, the volume of government and legal requests we receive and how we responded. As of the date above, this section will be updated as that reporting becomes available.

If you are a user with questions about this policy, please contact us. For the technical details behind our encryption, see our Security overview.

MyVaultedLife LLC
United States