Legal
Privacy Policy
Draft, pending legal review. This policy describes how AmberKey actually handles data today. It will be reviewed by counsel before launch. The defining fact, that the contents of your vault and packet are encrypted on your device and are never available to us, is structural and will not change.
Last updated: July 8, 2026 · Data controller: Tarnover, LLC.
The short version
We collect the minimum needed to reach the right people at the right time, and nothing more. Your secrets, your account list, your letters, and your keys are encrypted on your own device before they reach us; we cannot read them and never receive them. We do not sell or share your data, and there is no third-party tracking anywhere in the product.
What we collect and store
- Encrypted continuity bundles (ciphertext). Versioned encrypted blobs we store so your circle can retrieve the latest one during a recovery. We cannot decrypt them.
- Contact-routing data. Your email and, if provided, phone number; your circle members' email addresses and/or phone numbers, their card IDs, and their group assignments. We do not receive circle members' names, which stay in your encrypted bundle and on printed materials only.
- Liveness and coordination state. Check-in times, escalation position, health-check attestations (a card ID and timestamp only, never the words on a card), ceremony state, and an append-only audit log we show back to you.
- Account and authentication data. Your WebAuthn/passkey public keys (never private keys) and, if you enroll it, an authenticator (TOTP) secret. At launch, billing status from our payment processor (we do not store full card numbers).
- Basic operational logs. Standard server logs for reliability and abuse prevention, kept briefly. We never log plaintext secrets, keys, or share words; this is a tested policy, not just an intention.
What we are unable to see
This list is longer than the one above, on purpose:
- The contents of your packet and vault: accounts, institutions, letters, secrets, instructions.
- Your vault key or any share of it. Share words never touch our servers, not even during a health check.
- Which services or institutions appear in your plan.
- Your circle members' names.
How we use what we collect
- To run the dead man's switch and send you check-in reminders.
- To send circle members health-check and, when a recovery is triggered, ceremony and release messages via their one-time links.
- To store and return your encrypted bundle when legitimately requested.
- To authenticate you and secure your account.
- To operate, debug, and protect the service, and to bill you (at launch).
We do not use your data to build advertising or behavioral profiles. There is none of that here.
Legal bases (for EU/UK users)
Where the GDPR or UK GDPR applies, we process your data to perform our contract with you (running the service you signed up for), on the basis of our legitimate interest in operating and securing the service, and to comply with law. You may object to processing based on legitimate interests as described under "Your rights".
Who processes data for us (subprocessors)
We keep this list short and current. At launch we expect to use:
- A hosting/server provider to run the coordination server and store encrypted bundles.
- An email provider (Resend) to deliver transactional email (check-ins, health checks, ceremony notices). Recipients' addresses and message contents pass through it; no vault contents are ever in these emails.
- An SMS provider (Twilio) to deliver transactional text messages (check-in reminders and recovery alerts) to your mobile number and, if you designate them, your circle members'. Phone numbers and message contents pass through it; no vault contents are ever in these texts.
- A payment processor (at launch) to handle subscriptions. We do not store full payment-card details.
We do not sell, rent, or share your personal data with anyone for their own purposes.
Retention
We keep your account data and encrypted bundles for as long as your account is active. We retain a bounded number of recent bundle versions. Operational logs are kept only briefly. When you delete your account, we delete your bundles, routing data, and account records within a reasonable period, except where we must retain limited records to comply with law. Your local device data and your circle's printed cards are outside our systems and are yours to keep or destroy.
Security
The strongest protection is architectural: your sensitive data is end-to-end encrypted and we cannot read it. Around that, we use WebAuthn-first authentication, rate-limited one-time links for circle members, a locked-down content security policy in the app, and dependency and reproducibility checks in our release process. No system is perfectly secure; our threat model states the residual risks honestly, and our disclosure process is public.
Your rights
You can view your routing data and audit log in the app, export your encrypted bundle at any time, and delete your local data or your entire account. Depending on where you live, you may have rights to access, correct, export, or delete the personal data we hold, and to object to or restrict certain processing. To exercise these, use the in-app controls or email hello@amberkey.app; we may need to verify your identity first. We honor applicable "do not sell/share" requests by default, because we do neither.
Text messages (SMS)
If you add a mobile number, AmberKey sends you transactional text messages only: check-in reminders and account or recovery alerts. If you designate circle members and provide their numbers, they receive texts solely when a recovery or escalation involving you occurs. We send no marketing texts.
- We do not sell or share mobile numbers. Mobile numbers and SMS consent are never shared with third parties or affiliates for their marketing or promotional purposes. Numbers are shared only with our SMS provider (Twilio) for the sole purpose of delivering the messages you signed up for.
- Message frequency varies and is event-driven — tied to your check-in schedule (for example every 30, 60, or 90 days) and to any recovery events. In practice this is typically only a few messages per year.
- Message and data rates may apply, depending on your mobile carrier and plan.
- Opt out anytime by replying STOP to any message, or by removing your number in the app; reply HELP for help. Opting out of texts does not affect email notifications or the rest of the service.
No third-party tracking
The application has no analytics at all. The marketing site counts page views only from our own web-server logs (no cookies, no fingerprinting, no third-party scripts). We do not use advertising trackers anywhere.
Children
The service is not directed to children and is intended for adults (18+).
International transfers
We may process data in the country where our infrastructure is hosted. Where required, we will put appropriate safeguards in place for cross-border transfers. Specifics will be confirmed with counsel before launch.
Changes and contact
We will announce material changes to this policy by email and on the website. Privacy questions: hello@amberkey.app. Security matters: security@amberkey.app.
See also the Terms of Service and the security & threat model.