    Privacy Policy

    Last updated: 8 April 2026

    1. Introduction

    EstateCopilot ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you use our estate administration platform. It applies to all users of the platform and to individuals whose data is entered into the platform by others (for example, beneficiaries and co-executors).

    We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the Data (Use and Access) Act 2025 (DUAA). The DUAA received Royal Assent on 19 June 2025 and its principal data protection provisions came into force on 5 February 2026. Where this policy refers to "UK data protection law", it means the UK GDPR as amended by the DUAA, together with the DPA 2018 and any associated regulations including the Privacy and Electronic Communications Regulations 2003 (PECR) as amended.

    We are the data controller for the personal data described in this policy. For questions about how we handle your data, contact us at privacy@estatecopilot.co.uk.

    2. Who This Policy Covers

    This policy applies to three categories of individuals:

    • Executors - individuals who create an account and use EstateCopilot to administer an estate. You provide your data directly to us.
    • Beneficiaries - individuals named as beneficiaries of an estate by an executor. Your name, email address, and relationship to the deceased are provided to us by the executor, not directly by you. If you receive an invitation link, this policy explains how your data is processed before you create an account.
    • Co-executors - individuals invited by a primary executor to collaborate on an estate. Your email address is provided to us by the primary executor. This policy applies to you from the point your data is entered.

    If you are a beneficiary or co-executor whose data was entered by an executor, the sections below marked (indirect data subjects) are particularly relevant to you. We are required by Article 14 of the UK GDPR to provide you with this information, which is also delivered when you access an invitation link.

    3. Information We Collect

    3.1 Data Collected Directly From You (Executors)

    • Account Information: Name, email address, password
    • Estate Information: Deceased person's details, asset information, debt information, task records, correspondence
    • Payment Information: Processed securely through Stripe; we do not store full card details
    • Communications: Support requests, feedback, and correspondence

    3.2 Data Provided by an Executor About Third Parties (Indirect Data Subjects)

    Executors enter the following personal data about beneficiaries and co-executors:

    • Beneficiaries: Full name, email address, relationship to the deceased, financial allocation (percentage or fixed amount), specific gifts, and whether the beneficiary is a minor (under 18)
    • Co-executors: Email address and access level granted

    Source of this data: This data is provided to us by the executor administering the estate. If you are a beneficiary or co-executor, your data was not collected from you directly - it was entered by the executor.

    3.3 Automatically Collected Information

    • Usage Data: Pages visited, features used, time spent on platform
    • Device Information: IP address, browser type, operating system
    • Cookies: Session cookies for authentication and functionality (see Section 9)

    4. Lawful Bases for Processing (UK GDPR Article 6)

    We rely on different lawful bases depending on the category of data subject and the purpose of processing:

    4.1 Executors

    Purpose | Lawful Basis
    Providing the estate administration service | Art 6(1)(b) - performance of a contract
    Processing payments | Art 6(1)(b) - performance of a contract
    Security, fraud prevention, and audit logs | Art 6(1)(f) - legitimate interests
    Financial record-keeping | Art 6(1)(c) - legal obligation
    Direct marketing and product updates | Art 6(1)(a) - consent (you may withdraw at any time)
    Platform improvement and analytics | Art 6(1)(f) - legitimate interests

    4.2 Beneficiaries and Co-Executors (Indirect Data Subjects)

    We process beneficiary and co-executor data under Art 6(1)(f) - legitimate interests. Our legitimate interest is facilitating lawful estate administration, which benefits beneficiaries directly (they have an interest in receiving their entitlement) and co-executors (they have agreed to assist with administration). We have conducted a Legitimate Interests Assessment (LIA) and concluded that this interest is not overridden by your rights and freedoms.

    Once a beneficiary or co-executor creates an account and accepts an invitation, subsequent processing of their account data is on the basis of Art 6(1)(b) - performance of a contract.

    You have the right to object to processing based on legitimate interests at any time. See Section 7 for how to exercise this right.

    4.3 Note on "Recognised Legitimate Interests" (DUAA 2025)

    The DUAA 2025 introduced a new category called "recognised legitimate interests" — a defined list of processing activities (such as national security, crime detection, and safeguarding of vulnerable individuals) for which the standard balancing test is automatically satisfied. EstateCopilot does not rely on this new basis. All of our processing under Art 6(1)(f) continues to be assessed through the standard three-part legitimate interests test (purpose, necessity, and balancing), as described above.

    5. How We Use Your Information

    • Providing and maintaining estate administration services
    • Generating probate and inheritance tax forms (PA1P, PA1A, C1, IHT205)
    • Enabling beneficiaries to view their allocation details via invitation links
    • Enabling co-executors to collaborate on estate management
    • Processing payments and managing subscriptions
    • Providing customer support
    • Improving the platform and developing new features (anonymised analytics)
    • Ensuring platform security and preventing fraud
    • Complying with legal obligations

    6. Data Storage and Security

    We implement industry-standard security measures to protect your data:

    • Encryption: All data is encrypted in transit (TLS/SSL) and at rest
    • Sensitive fields: Certain financial fields (bank account details in payment records) are encrypted at the column level using pgcrypto
    • Infrastructure: Hosted on secure infrastructure; our database provider (Supabase) holds SOC 2 Type II certification
    • Access Controls: Row-level security policies restrict every database query to authorised users only
    • Backups: Regular automated backups with encryption
    • Monitoring: Continuous security monitoring and incident response

    We have obtained Cyber Essentials certification, meeting all requirements to keep your data safe.

    7. Your Rights (UK GDPR)

    Under UK data protection law, you have the following rights. These apply to all data subjects, including beneficiaries and co-executors whose data was entered by an executor:

    • Access (Art 15): Request a copy of the personal data we hold about you
    • Rectification (Art 16): Request correction of inaccurate or incomplete data
    • Erasure (Art 17): Request deletion of your data ("right to be forgotten"), subject to legal retention obligations
    • Restriction (Art 18): Ask us to limit how we process your data in certain circumstances
    • Portability (Art 20): Receive your data in a structured, machine-readable format (applies where processing is based on consent or contract)
    • Object (Art 21): Object to processing based on legitimate interests - we must stop unless we have compelling legitimate grounds that override your interests. You have an absolute right to object to processing for direct marketing purposes.
    • Withdraw Consent (Art 7(3)): Withdraw consent at any time where processing is based on consent (e.g. marketing emails). Withdrawal does not affect the lawfulness of prior processing.
    • Complain to us directly (from 19 June 2026): Under the DUAA 2025, you will have the right to submit a formal data protection complaint directly to us as the data controller, in addition to your existing right to complain to the ICO. We will acknowledge your complaint within 30 days and respond without undue delay. You retain the right to escalate to the ICO at any time (see Section 16). We are implementing a formal complaints process ahead of 19 June 2026.

    To exercise any of these rights, contact us at privacy@estatecopilot.co.uk. We will respond within one month. We may need to verify your identity before acting on a request.

    8. Data Retention

    We retain personal data for as long as necessary for the purpose it was collected and to comply with legal obligations:

    • Active Accounts: Retained while the account is active
    • Estate Records: Retained for 12 years after estate closure. This reflects the limitation period for probate-related claims under the Limitation Act 1980 (12 years for actions on a specialty) and provides protection against late-arising disputes or HMRC enquiries.
    • Financial / Payment Records: Retained for a minimum of 6 years to comply with HMRC record-keeping requirements
    • Beneficiary and Co-executor Data: Retained for the same period as the associated estate records
    • Marketing Data: Retained until you opt out or request deletion
    • Security Logs and Audit Trails: Retained for up to 2 years for fraud prevention and security purposes

    On expiry of the relevant retention period, data is securely deleted or anonymised.

    9. Cookies and Tracking

    We use cookies and similar technologies to provide, protect, and improve our services.

    9.1 What Are Cookies?

    Cookies are small text files stored on your device when you visit a website. We also use localStorage, which stores data locally in your browser.

    9.2 Cookie Categories

    The DUAA 2025 (in force from 5 February 2026) amended PECR to exempt two categories of cookies from the consent requirement: cookies that collect statistical information about how a website is used (analytics), and cookies that adapt a website's appearance or functions based on user preferences (functional/preference cookies). These categories may now be set without prior consent under UK law.

    EstateCopilot handles sensitive estate and bereavement data. We therefore continue to offer users a clear choice over analytics cookies as a matter of best practice. Functional cookies — which store only low-risk UI preferences such as sidebar state and theme — are set without a consent requirement in line with the DUAA exemption, since they do not process personal data for tracking or profiling purposes.

    Essential Cookies (Required)

    These cookies are necessary for the platform to function and cannot be disabled.

    Cookie/Storage | Purpose | Duration | Provider
    Supabase Auth Session | Maintains your login session and authenticates requests | Session / 1 hour refresh | Supabase
    Stripe Cookies | Payment processing, fraud prevention, and security during checkout | Session / Varies | Stripe

    Functional Cookies (Consent-Exempt)

    These cookies remember your interface preferences to provide enhanced functionality. Under the DUAA 2025, cookies that adapt a website's appearance or functions based on user preferences do not require consent. These cookies store only UI state (sidebar position, theme, completed tours) and contain no personal data used for tracking or profiling.

    Cookie/Storage | Purpose | Duration | Provider
    sidebar:state | Remembers whether your dashboard sidebar is expanded or collapsed | 7 days | EstateCopilot
    Product Tour Status | Tracks which product tours you have completed to avoid showing them again | Persistent | EstateCopilot
    cookie-consent-preferences | Stores your cookie preferences so we remember your choices | Persistent | EstateCopilot
    Theme Preference | Remembers your light/dark mode preference | Persistent | EstateCopilot

    Analytics Cookies (Consent-Exempt — Opt-in Offered)

    These cookies help us understand how visitors interact with our platform. Under the DUAA 2025, cookies used solely to collect statistical information about website usage do not require consent. However, given the sensitive nature of our platform, we continue to seek your opt-in consent for analytics cookies as a matter of best practice. You can accept or decline analytics cookies via our cookie banner when you first visit the platform.

    Cookie/Storage | Purpose | Duration | Provider
    Google Analytics (_ga, _gid) | Anonymised usage statistics to understand how visitors use our platform | Up to 2 years | Google

    9.3 Managing Your Cookie Preferences

    • Cookie Banner: When you first visit our platform, you can choose which optional cookies to accept via our cookie consent banner.
    • Browser Settings: Most browsers allow you to control cookies through their settings.
    • Opt Out: For Google Analytics, install the Google Analytics Opt-out Browser Add-on.

    Disabling essential cookies may prevent you from using certain features of our platform.

    10. Data Sharing and Disclosure

    We do not sell your personal data. We share information only with the following parties:

    • Supabase (database and authentication): Our primary data processor, providing database hosting, authentication services, and storage. Infrastructure is hosted in the EU.
    • Vercel (web hosting): Hosts the EstateCopilot web application.
    • Stripe (payment processing): Processes subscription payments. We do not store card details.
    • Resend (transactional email): Used to send transactional emails (account verification, payment receipts, invitations). Only the recipient's email address and the content necessary to send the email are shared.
    • Brevo (marketing email automation): Used to send helpful guides and estate administration content to users who have opted in to marketing emails. We share your name, email address, account creation date, and behavioural signals (whether you have created an estate and whether you have purchased a plan) with Brevo solely to determine which emails are relevant to you. We only share data with Brevo where you have given your consent at the point of account creation. You can withdraw this consent at any time by clicking "Unsubscribe" in any marketing email, or by contacting us at privacy@estatecopilot.co.uk.
    • Legal Requirements: When required by law, court order, or a regulatory authority (e.g. HMRC, ICO)
    • Business Transfers: In connection with a merger, acquisition, or sale of assets, subject to the same privacy protections

    All third-party data processors are bound by Data Processing Agreements and Standard Contractual Clauses (SCCs) requiring them to protect your data in accordance with UK GDPR.

    11. International Data Transfers

    Our data processors may transfer and store data outside the UK. Where this occurs, we ensure that the protections afforded to your data are not materially lower than those required under UK data protection law, as required by the DUAA 2025. We apply the ICO's updated three-step transfer assessment (published January 2026) when evaluating restricted transfers, and rely on the following transfer mechanisms:

    • Supabase: EU-based infrastructure; transfers to Supabase's US parent are covered by UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses
    • Vercel: US-based; transfers covered by IDTAs
    • Stripe: US-based; covered by the UK-US Data Bridge adequacy framework and IDTAs
    • Resend: US-based; transfers covered by IDTAs
    • Brevo: EU-based (France); subject to EU GDPR and covered by the UK Adequacy Decision for EU transfers. No additional transfer mechanism required.

    12. Children's Privacy

    The EstateCopilot platform is not designed to be accessed directly by individuals under 18. We do not knowingly create accounts for minors.

    However, minors are commonly named as beneficiaries in wills. Executors may record a minor beneficiary's name, relationship to the deceased, and financial allocation within the platform. Where a beneficiary is flagged as a minor:

    • We do not generate or send invitation links directly to the minor
    • The executor is instructed to contact the minor's parent or legal guardian directly to arrange any necessary communication
    • The minor's data is held with the same protections as all other beneficiary data and is used solely to facilitate the lawful administration of the estate

    If you are a parent or guardian and believe a minor's data has been incorrectly handled, please contact us at privacy@estatecopilot.co.uk and we will address your concern promptly.

    13. Executors' Responsibilities

    When an executor enters personal data about beneficiaries or co-executors into EstateCopilot, the executor acts as a data controller in their own right for that data. Executors should ensure:

    • They have a lawful basis for providing that data to EstateCopilot (their legal duty as executor under probate law is sufficient)
    • The data they enter is accurate and kept up to date
    • They make beneficiaries and co-executors aware that their data will be processed by EstateCopilot (the invitation mechanism satisfies this obligation)
    • They do not enter more data than is necessary for estate administration purposes

    14. Changes to This Policy

    We may update this Privacy Policy periodically. We will notify you of significant changes by:

    • Email notification to registered users
    • Prominent notice on our platform
    • Updated "Last updated" date at the top of this policy

    15. Contact Us

    For privacy-related questions, data subject rights requests, or concerns:

    We will acknowledge your request within 5 working days and respond in full within one calendar month (extendable by a further two months for complex requests, with notice).

    Formal data protection complaints (from 19 June 2026): Under the DUAA 2025, you will have the right to submit a formal data protection complaint directly to us. We are implementing a dedicated complaints process ahead of this date. From 19 June 2026, complaints submitted to privacy@estatecopilot.co.uk with the subject line "Formal Data Protection Complaint" will be acknowledged within 30 days and responded to without undue delay. This is in addition to — not instead of — your right to complain to the ICO at any time (see Section 16).

    16. Supervisory Authority

    If you are not satisfied with how we handle your data or your rights request, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):


    This Privacy Policy is effective as of 8 April 2026 and applies to all users of the EstateCopilot platform and to individuals whose data is processed by EstateCopilot as described above.