Effective Date: 2025-12-24
1. Introduction
This Privacy Policy explains how Mesg Ltd, a private limited company registered in England and Wales (Company Number: 15167645), trading as “Upon” and “Upon Vault”, with its registered office at 86-90 Paul St, London, EC2A 4NE, United Kingdom (“Company”, “we”, “us”, “our”, or “Upon”), collects, uses, stores, shares, and protects your personal data when you use our website, applications, and services.
This Privacy Policy applies to all users of the Upon Vault service, including visitors to our website, registered account holders, and designated beneficiaries. By using our services, you acknowledge that you have read and understood this Privacy Policy.
This Privacy Policy should be read together with our Terms of Service, which govern your use of the Upon Vault service.
2. Definitions
For the purposes of this Privacy Policy:
- “Account Data” means information you provide when creating and managing your account, including name, email address, and authentication credentials.
- “Beneficiary” means any individual you designate to receive access to your Vault Contents upon a Trigger Event.
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- “Service” means the Upon Vault website, applications, and all related services.
- “Usage Data” means information collected automatically about your use of the Service.
- “Vault Contents” means the encrypted data you store within your vault.
3. Data Controller
Mesg Ltd is the data controller responsible for your Personal Data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Contact Information
For any questions, concerns, or requests regarding this Privacy Policy or your Personal Data, please contact us:
Data Protection Enquiries
Email: support@uponvault.com
Post: Mesg Ltd, 86-90 Paul St, London, EC2A 4NE, United Kingdom
We take all privacy concerns seriously and will respond to your enquiry within 30 days, or sooner where required by law.
4. Personal Data We Collect
We collect different categories of Personal Data depending on how you interact with the Service.
4.1 Account Data
When you create an account, we collect:
- Full name
- Email address
- Password (stored only as a password-authenticated key exchange verifier; your raw password is never sent to or stored by Upon)
- Account preferences and settings
4.2 Billing and Payment Data
When you subscribe to the Service, our payment processor Paddle collects:
- Payment card details (held by Paddle, not by us)
- Billing address
- Transaction history
We receive from Paddle: confirmation of payment, subscription status, invoice details, and billing country. We do not receive or store your full payment card number.
4.3 Beneficiary Data
When you designate beneficiaries, we collect:
- Beneficiary names
- Beneficiary email addresses
- Beneficiary contact information (if provided)
- Relationship descriptions (if provided)
This data is necessary to contact and verify beneficiaries upon a Trigger Event.
4.4 Usage Data
We automatically collect information about your use of the Service, including:
- IP address
- Browser type and version
- Device type and operating system
- Pages visited and features used
- Date, time, and duration of visits
- Referring website or source
- Actions taken within the Service (excluding Vault Contents)
4.5 Technical and Log Data
Our systems automatically record:
- Server logs and error reports
- Authentication events (login times, failed attempts)
- Security events and anomaly detection data
- Performance metrics
4.6 Communications Data
When you contact us, we collect:
- Email correspondence
- Support ticket contents
- Feedback and survey responses
4.7 Vault Contents — What We Do NOT Collect
Important: Your Vault Contents are end-to-end encrypted. This means:
- We cannot read, access, or decrypt your Vault Contents
- We do not collect or process the information you store in your vault
- We have no knowledge of what digital assets or information you describe
- We cannot comply with requests to disclose Vault Contents because we are technically unable to access them
We store only the encrypted ciphertext of your vault data. The encryption keys remain solely in your control.
5. How We Use Your Personal Data
We process your Personal Data for the following purposes:
5.1 Service Provision
- Creating and managing your account
- Providing access to the Upon Vault service
- Processing beneficiary designations
- Verifying Trigger Events and facilitating beneficiary access
- Processing payments and managing subscriptions
- Providing customer support
Legal Basis: Performance of our contract with you (Article 6(1)(b) UK GDPR)
5.2 Service Operations
- Maintaining and improving the Service
- Monitoring service performance and availability
- Identifying and fixing bugs and errors
- Developing new features and functionality
Legal Basis: Legitimate interests in operating and improving our business (Article 6(1)(f) UK GDPR)
5.3 Security and Fraud Prevention
- Protecting against unauthorised access
- Detecting and preventing fraud, abuse, and security threats
- Monitoring for suspicious account activity
- Enforcing our Terms of Service
Legal Basis: Legitimate interests in protecting our Service and users (Article 6(1)(f) UK GDPR)
5.4 Communications
- Sending service-related notices (account confirmations, security alerts, policy updates)
- Responding to your enquiries and support requests
- Notifying you of material changes to our Service or policies
Legal Basis: Performance of our contract with you; legitimate interests in communicating with users (Article 6(1)(b) and (f) UK GDPR)
5.5 Marketing Communications
With your consent, we may send you:
- Promotional offers and discounts
- Educational content about digital inheritance
- Product updates and new feature announcements
- Surveys and invitations to participate in research
- Newsletters and company news
Legal Basis: Your consent (Article 6(1)(a) UK GDPR)
You may withdraw consent and unsubscribe at any time by:
- Clicking the “unsubscribe” link in any marketing email
- Contacting us at support@uponvault.com
- Adjusting your preferences in your account settings
Unsubscribing from marketing will not affect essential service communications.
5.6 Legal Compliance
- Complying with applicable laws and regulations
- Responding to lawful requests from authorities
- Establishing, exercising, or defending legal claims
- Fulfilling tax and accounting obligations
Legal Basis: Legal obligation (Article 6(1)(c) UK GDPR); legitimate interests in legal compliance (Article 6(1)(f) UK GDPR)
5.7 Analytics and Research
- Understanding how users interact with the Service
- Analysing usage patterns and trends
- Conducting aggregated statistical analysis
- Improving user experience
Legal Basis: Legitimate interests in understanding and improving our Service (Article 6(1)(f) UK GDPR)
We use analytics data in aggregate or anonymised form where possible.
6. Cookies and Tracking Technologies
6.1 What Are Cookies
Cookies are small text files stored on your device when you visit our website. We use cookies and similar technologies (such as local storage and pixels) to operate the Service, remember your preferences, and understand how you use our website.
6.2 Types of Cookies We Use
Strictly Necessary Cookies: Essential for the website to function. These cannot be disabled.
- Authentication and session management
- Security features
- Load balancing
Functional Cookies: Remember your preferences and settings.
- Language preferences
- Display settings
- Previously entered information
Analytics Cookies: Help us understand how visitors use our website.
- Page views and navigation paths
- Time spent on pages
- Error encounters
Marketing Cookies (with consent): Used to deliver relevant advertisements and measure campaign effectiveness.
- Conversion tracking
- Retargeting pixels
6.3 Managing Cookies
You can control cookies through:
- Our cookie consent banner when you first visit our website
- Your browser settings (note: blocking essential cookies may impair functionality)
- Third-party opt-out tools for analytics and advertising cookies
6.4 Third-Party Cookies
We use the following third-party services that may set cookies:
| Service | Purpose | Privacy Policy |
|---|---|---|
| PostHog | Analytics | posthog.com/privacy |
| Google Tag Manager | Tag management | policies.google.com/privacy |
We will update this table as we add or change service providers.
7. Data Sharing and Disclosure
We do not sell, rent, or trade your Personal Data to third parties for their marketing purposes. We share your data only as described below.
7.1 Service Providers
We share data with trusted third-party providers who assist in operating our business:
| Provider | Purpose | Data Shared |
|---|---|---|
| Paddle | Payment processing | Billing data, transaction data |
| Cloud hosting provider | Infrastructure | All service data (encrypted at rest) |
| Email service provider | Communications | Email address, name |
| Analytics provider | Usage analytics | Usage data (anonymised where possible) |
All service providers are bound by data processing agreements and are prohibited from using your data for any purpose other than providing services to us.
7.2 Beneficiaries
Upon verification of a Trigger Event, we will share access to your Vault Contents with your designated beneficiaries. This is a core function of the Service that you explicitly authorise when designating beneficiaries.
7.3 Legal Requirements
We may disclose your Personal Data if required to:
- Comply with applicable laws, regulations, or legal processes
- Respond to valid requests from public authorities (courts, law enforcement, regulators)
- Enforce our Terms of Service and other agreements
- Protect the rights, property, or safety of Upon, our users, or others
- Detect and prevent fraud or security threats
Where legally permitted, we will notify you of such requests.
Note: We cannot disclose Vault Contents even if legally requested, as we are technically unable to decrypt them.
7.4 Business Transfers
In connection with any merger, acquisition, corporate restructuring, sale of assets, or similar business transaction, your Personal Data may be transferred to the acquiring entity. We will:
- Notify you of any such transfer
- Ensure the receiving entity is bound by this Privacy Policy or equivalent protections
- Provide you the opportunity to delete your account if you object
7.5 With Your Consent
We may share your data for other purposes if you provide explicit consent.
8. International Data Transfers
8.1 Where We Store Data
We are headquartered in the United Kingdom. Your Personal Data may be transferred to and processed in:
- The United Kingdom
- The European Economic Area (EEA)
- The United States
- Other jurisdictions where our service providers operate
8.2 Safeguards for Transfers
When we transfer data outside the UK, we ensure appropriate safeguards are in place:
- UK-EU transfers: Protected under the UK GDPR adequacy framework
- Transfers to other countries: Protected by Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office, or other legally recognised mechanisms
- Additional measures: We implement supplementary technical and organisational measures where required
You may request a copy of the safeguards we use by contacting us.
9. Data Retention
9.1 Retention Periods
We retain your Personal Data only as long as necessary for the purposes described in this Privacy Policy:
| Data Type | Retention Period |
|---|---|
| Account Data | Duration of account plus 30 days after deletion |
| Vault Contents (encrypted) | Duration of account plus 30-day grace period after deletion |
| Billing Records | 7 years (UK tax/legal requirements) |
| Usage Data | 24 months, then anonymised |
| Log Data | 12 months |
| Support Communications | 3 years after resolution |
| Marketing Preferences | Until consent withdrawn |
9.2 After Account Deletion
When you delete your account:
- We initiate deletion of your Personal Data within 30 days
- Some data may be retained longer where required by law (e.g., billing records)
- Anonymised or aggregated data may be retained indefinitely for analytics
- Encrypted Vault Contents are scheduled for permanent deletion
9.3 Beneficiary Data Retention
Beneficiary information is retained for the duration of your account. After a Trigger Event is processed, we retain records as required for legal and compliance purposes.
10. Data Security
10.1 Technical Measures
We implement robust technical safeguards including:
- End-to-end encryption: Vault Contents are encrypted using strong cryptographic algorithms; only you (and your beneficiaries after a Trigger Event) hold the decryption keys
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
- Encryption at rest: All data stored on our servers is encrypted
- Secure authentication: Password hashing using industry-standard algorithms; support for multi-factor authentication
- Access controls: Strict role-based access limiting employee access to Personal Data
10.2 Organisational Measures
We maintain organisational safeguards including:
- Security policies and procedures
- Employee training on data protection
- Confidentiality agreements with all staff and contractors
- Regular security assessments and audits
- Incident response procedures
10.3 Your Security Responsibilities
You are responsible for:
- Maintaining the security of your login credentials
- Using a strong, unique password
- Safeguarding your encryption keys and recovery phrases
- Notifying us immediately of any unauthorised access
10.4 Security Incidents
In the event of a data breach affecting your Personal Data, we will:
- Notify the Information Commissioner’s Office within 72 hours where required
- Notify you without undue delay if the breach poses a high risk to your rights
- Take immediate steps to contain and remediate the breach
- Document the incident and our response
11. Your Rights
Under the UK GDPR and Data Protection Act 2018, you have the following rights regarding your Personal Data:
11.1 Right of Access
You may request a copy of the Personal Data we hold about you. We will provide this within one month of your request.
11.2 Right to Rectification
You may request that we correct inaccurate Personal Data or complete incomplete data.
11.3 Right to Erasure (“Right to Be Forgotten”)
You may request deletion of your Personal Data where:
- It is no longer necessary for the purposes collected
- You withdraw consent (where processing is based on consent)
- You object to processing and there are no overriding legitimate grounds
- The data was unlawfully processed
We may retain data where necessary for legal compliance or legal claims.
11.4 Right to Restrict Processing
You may request that we restrict processing of your Personal Data in certain circumstances.
11.5 Right to Data Portability
You may request your Personal Data in a structured, commonly used, machine-readable format and have it transmitted to another controller.
11.6 Right to Object
You may object to processing based on legitimate interests. We will cease processing unless we have compelling legitimate grounds.
You have an absolute right to object to direct marketing at any time.
11.7 Rights Related to Automated Decision-Making
We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you.
11.8 Right to Withdraw Consent
Where we rely on your consent for processing, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
11.9 Exercising Your Rights
To exercise any of these rights:
- Email us at support@uponvault.com
- Use the privacy controls in your account settings
- Write to us at the address in Section 3
We will respond within one month. In complex cases, we may extend this by two months with notice. We will verify your identity before processing requests.
There is no fee for most requests, but we may charge a reasonable fee for manifestly unfounded or excessive requests.
11.10 Complaints
If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Website: ico.org.uk
Helpline: 0303 123 1113
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
12. Children’s Privacy
The Upon Vault service is not intended for individuals under 18 years of age. We do not knowingly collect Personal Data from children.
If you believe we have inadvertently collected data from a child, please contact us immediately at support@uponvault.com. We will take steps to delete such data promptly.
13. Third-Party Links
Our website may contain links to third-party websites, services, or applications. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you access.
We are not responsible for the privacy practices or content of third-party websites.
14. Do Not Track Signals
Some browsers transmit “Do Not Track” (DNT) signals. There is no industry consensus on how to respond to DNT signals. Currently, our website does not respond to DNT signals. You can control tracking through our cookie consent tools and your browser settings.
15. California Privacy Rights
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA). While our primary legal framework is UK GDPR, we extend similar rights to California residents:
- Right to know what Personal Data we collect and how it is used
- Right to delete your Personal Data
- Right to opt out of “sales” of Personal Data (we do not sell Personal Data)
- Right to non-discrimination for exercising your privacy rights
To exercise these rights, contact us at support@uponvault.com.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect:
- Changes to our data practices
- New features or services
- Legal or regulatory requirements
- Feedback from users
16.1 Notification of Changes
- Material changes: We will notify you by email and/or prominent notice on our website at least 30 days before changes take effect
- Minor changes: Updated policy will be posted with a new effective date
16.2 Your Continued Use
Your continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy. If you do not agree with changes, you should discontinue use and delete your account.
16.3 Review Previous Versions
You may request copies of previous versions of this Privacy Policy by contacting us.
17. Contact Us
For questions, concerns, or requests regarding this Privacy Policy or our data practices:
Mesg Ltd (trading as Upon / Upon Vault)
Email: support@uponvault.com
Post: Mesg Ltd, 86-90 Paul St, London, EC2A 4NE, United Kingdom
We aim to respond to all enquiries within 30 days.
By using the Upon Vault service, you acknowledge that you have read and understood this Privacy Policy.