Last updated: April 5, 2026
HeirLoft ("we," "us," or "our") is committed to protecting your privacy. This policy explains what data we collect, how we use it, and how we protect it. HeirLoft is a digital estate management tool — your data is yours, and we handle it with the care that reflects that.
Account information: When you register, we collect your email address and an encrypted password (managed by Supabase Auth).
Content you create: Accounts, domains, successor names, notes, and intent designations you enter are stored in our database and associated with your user ID.
Payment information: When you subscribe to a Pro plan, payment is processed by Stripe. We never see or store your full card number. Stripe provides us with a customer ID and subscription status only.
Gmail data: If you choose to connect Gmail, we request read-only access to your inbox to identify subscription-related emails. We store only an OAuth access token and refresh token — never the contents of your emails. Scans are performed on-demand and the results (service names and estimated costs) are stored as accounts in your vault.
Our Gmail integration uses OAuth 2.0 with the gmail.readonly scope. This means:
— We can only read your emails, never send, delete, or modify them. — We scan for subscription-related senders and receipt patterns only. — Raw email content is never stored on our servers. — You can revoke access at any time via your Google Account settings (myaccount.google.com/permissions) or by disconnecting within HeirLoft.
Our use of Gmail data complies with the Google API Services User Data Policy, including the Limited Use requirements.
— To provide the HeirLoft service and display your estate inventory. — To process subscription payments through Stripe. — To scan your Gmail inbox for subscriptions when you explicitly request a scan. — To generate your downloadable Handoff Guide PDF (generated locally in your browser — we never see its contents). — We do not sell your data to third parties. We do not use your data for advertising.
Your data is stored in Supabase, a SOC 2 Type II compliant database platform hosted on AWS. Data is encrypted at rest and in transit (TLS). Row-level security policies ensure that only authenticated users can access their own records.
OAuth tokens for Gmail are stored encrypted. Passwords are never stored in plain text — they are hashed by Supabase Auth using bcrypt.
Your data is retained for as long as your account is active. If you delete your account, all associated data — accounts, domains, Gmail tokens, and personal information — is permanently deleted within 30 days.
To request account deletion, email us at privacy@heirloft.app.
We use the following third-party services:
— Supabase (database and authentication): supabase.com/privacy — Stripe (payment processing): stripe.com/privacy — Google OAuth (Gmail integration): policies.google.com/privacy — Vercel (hosting): vercel.com/legal/privacy-policy
Each of these services has its own privacy policy governing their use of data.
Depending on your location, you may have rights under GDPR, CCPA, or other privacy laws, including:
— The right to access the data we hold about you. — The right to correct inaccurate data. — The right to delete your data. — The right to export your data.
To exercise any of these rights, contact us at privacy@heirloft.app.
We may update this policy from time to time. We will notify you of material changes by posting the new policy on this page with an updated date. Continued use of HeirLoft after changes constitutes acceptance of the revised policy.
For privacy-related questions or requests:
Email: privacy@heirloft.app HeirLoft · Digital Estate Management