Privacy

Privacy Policy

Effective date: May 13th, 2026 Last updated: June 9th, 2026

This Privacy Policy explains how Constellation Digital LLC (“Constellation,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information when you use our website, web app, iOS app, APIs, and related features or services (together, the “Service”).

Table of Contents

• 1. Information we collect
• 2. How we use information
• 3. How we share information
• 4. Third-party providers and integrations
• 5. Cookies and similar technologies
• 6. Social sign-in and account creation
• 7. Push notifications
• 8. Data retention
• 9. Account deletion
• 10. Security
• 11. California privacy notice
• 12. Additional U.S. state privacy rights
• 13. Verification and response timing
• 14. Children
• 15. Digital assets and recordkeeping
• 16. Regulatory scope
• 17. Changes to this Policy
• 18. Contact us

The Service is intended for adults age 18 and older and is currently intended for users in the United States.

1. Information we collect

We collect personal information in a few ways: information you provide, information collected automatically, and information we receive from third parties.

Information you provide

Depending on how you use the Service, you may provide:

• name, email address, phone number, and other contact details
• login and account details
• subscription and billing information
• trusted contact and emergency access information
• estate planning, inventory, and related personal information
• documents, images, files, and other content you upload from your device or computer
• notes, preferences, and instructions
• support messages and other communications
• information you enter into optional features, including discovery and AI-assisted features

Information collected automatically

When you use the Service, we may automatically collect:

• device and browser information
• IP address
• log data
• usage data
• page views, clicks, and feature interactions
• session and authentication metadata
• cookie and similar technology data
• app and device information, such as app version, operating system version, crash data, and diagnostic data

Information from third parties

We may receive information from:

• authentication providers
• payment providers
• cloud and infrastructure providers
• analytics and monitoring providers
• optional integrations you connect
• external services you choose to use with the Service

2. How we use information

We use personal information to:

• provide, maintain, and improve the Service
• create and manage accounts
• authenticate users and support sign-in
• process subscriptions, billing, and taxes
• provide trusted contact and emergency access workflows
• support optional discovery, automation, and AI-assisted features
• send service-related notices, alerts, and notifications
• provide customer support
• monitor, secure, debug, and operate the Service
• detect fraud, abuse, and unauthorized activity
• comply with law and legal process
• enforce our Terms and policies
• analyze usage and improve product performance

We do not sell personal information. We also do not share personal information for cross-context behavioral advertising.

3. How we share information

We share personal information only as needed to operate the Service, support requested features, complete transactions, comply with law, or protect rights and safety.

Service providers and subprocessors

We use third-party service providers and subprocessors to help us operate the Service. These providers may process personal information on our behalf for purposes such as:

• authentication
• hosting and infrastructure
• storage and backups
• email and SMS delivery
• analytics
• error monitoring
• AI features
• payment processing
• optional integrations
• document processing

Optional user-initiated services

If you choose to connect a third-party service, such as a social sign-in provider or email account, that provider may receive or process information according to its own terms and privacy practices.

Legal and safety disclosures

We may disclose information if we believe disclosure is required by law, court order, subpoena, legal process, or to protect the rights, property, security, or safety of Constellation, our users, or others.

Business transfers

We may disclose information in connection with a merger, acquisition, financing, sale of assets, bankruptcy, or similar business transaction.

4. Third-party providers and integrations

Depending on how you use the Service, we may use some or all of the following providers:

Authentication and identity

• Clerk — authentication, account management, MFA, and session management
• Apple Sign In — iOS sign-in support
• Google Sign In — iOS sign-in support
• Microsoft Sign In — iOS sign-in support

Payments and billing

• Stripe — subscription billing, payment processing, billing portal, and webhooks

Hosting, storage, and infrastructure

• Amazon Web Services (AWS) — hosting, storage, secrets management, CDN, scheduling, and backups
• AWS ElastiCache — caching, application state support, and operational coordination
• Amazon RDS — database hosting
• ECS / EventBridge — application hosting and background processing infrastructure
• AWS CloudFront — edge delivery and caching, if used

Email and messaging

• Amazon SES — transactional email delivery
• Amazon Pinpoint SMS/Voice — SMS-based MFA and service notifications

Analytics and error monitoring

• Sentry — application error monitoring
• PostHog — analytics, feature usage measurement, and session recording where enabled

AI / ML features

• OpenAI — AI-assisted features
• Anthropic — AI-assisted features, if enabled

Financial-account and identity-discovery integrations

• Plaid — optional bank account linking
• Have I Been Pwned (HIBP) — breach lookup for identity-protection scans
• Enzoic — email/password breach lookup

Email discovery and external service workflows

• Gmail / Google OAuth — optional email discovery workflows
• Microsoft 365 / Microsoft OAuth — optional email discovery workflows
• Apple Mail / IMAP — optional email discovery workflows

Document processing and other services

• AWS Textract — OCR on uploaded documents
• Brandfetch — logo lookup, if used

We may add, remove, or substitute providers over time. For a current internal list of active vendors and subprocessors, see our internal vendor register and any applicable DPA subprocessor schedule.

Some third parties may act as independent controllers for certain information they receive, including payment networks, authentication providers, and other external services.

5. Cookies and similar technologies

We use cookies and similar technologies for:

• authentication and session management
• site functionality
• security and abuse prevention
• preferences
• analytics and performance measurement

Some cookies are strictly necessary for the Service to function. Others may be used for analytics or feature support.

We do not use advertising cookies or retargeting tools.

Browser and device controls

You may be able to control cookies through your browser settings and, where available, through preferences we provide in the Service.

Mobile app note

The iOS app may use similar technologies, SDKs, or device-level identifiers for functionality, analytics, security, or sign-in support. Cookie controls mainly apply to the website and web views.

6. Social sign-in and account creation

You may be able to sign in to the iOS app using Apple, Google, or Microsoft. These providers may receive information related to the sign-in process and may process data under their own terms and privacy policies.

New account creation and subscription setup must be completed on the web.

7. Push notifications

We may send push notifications through the iOS app for account, service, or security-related purposes where enabled. You can control push notification permissions through your device settings.

8. Data retention

We retain personal information only for as long as necessary to provide the Services, maintain security, prevent fraud, resolve disputes, comply with legal obligations, and enforce our agreements, unless a longer retention period is required or permitted by law.

Our general retention schedule is:

• Account data: retained while the account is active and generally removed within 30 days after account deletion
• Soft-deleted documents: retained for 30 days, then purged
• Backups: retained up to 35 days
• Audit logs: retained for 2 years
• Application logs: retained for 90 days
• Analytics events: retained for 12 months
• Payment and tax records: retained for 7 years or longer if required by law
• IP addresses in audit logs: anonymized after 90 days

We may retain information longer if needed to:

• comply with legal obligations
• resolve disputes
• enforce agreements
• prevent fraud or abuse
• maintain security
• support business continuity

9. Account deletion

You may request account deletion through the Service or by contacting us at the email below.

If you delete your account, we will delete your account content and personal information from active systems within 30 days, subject to limited retention of certain activity and security logs for up to 2 years for fraud prevention, security monitoring, dispute resolution, and legal compliance. Where technically feasible, IP addresses in retained logs are anonymized after 90 days.

10. Security

We use administrative, technical, and organizational safeguards designed to protect personal information, including access controls, encryption, monitoring, and key management practices.

Please note that the Service is not zero-knowledge. Authorized personnel with appropriate permissions may be able to access certain data for support, operations, legal compliance, or security purposes.

11. California privacy notice

If you are a California resident, you may have rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, including rights to know, access, correct, delete, and limit certain uses of your personal information, subject to applicable law.

We do not sell personal information. We also do not share personal information for cross-context behavioral advertising.

If you are a California resident and want to exercise any privacy rights available to you, contact us at the email listed below. We may need to verify your identity before responding to your request.

12. Additional U.S. state privacy rights

Residents of certain U.S. states may have additional privacy rights under applicable law, including rights to access, correct, delete, or opt out of certain processing.

If you believe a state privacy law applies to you, or if you would like to make a request, contact us using the information below. We will review and respond as required by applicable law.

13. Verification and response timing

We may need to verify your identity before responding to a privacy request. We will respond within the timeframe required by applicable law.

If we cannot fulfill a request in full, we will explain the reason, subject to applicable law and any legal exceptions.

14. Children

The Service is intended for adults age 18 and older. We do not knowingly collect personal information from children under 18.

15. Digital assets and recordkeeping

The Service currently supports evidence-grade recordkeeping and organization of information, documents, and instructions related to digital assets and online accounts. We do not currently offer full digital asset designation functionality under RUFADAA or similar laws.

We may offer digital asset designation features in the future, subject to product implementation, applicable law, and any required disclosures or user confirmations.

16. Regulatory scope

The Service is designed as a personal recordkeeping, organization, and workflow platform. It is not intended to function as a regulated financial, insurance, healthcare, tax, or public-company reporting platform unless we expressly state otherwise.

17. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will update the effective date and may provide additional notice where required by law.

Your continued use of the Service after the updated Policy becomes effective means you accept the changes.

18. Contact us

If you have questions about this Policy or our privacy practices, contact:

Constellation Digital LLC
Email: privacy@myconstellationplan.com