Privacy Policy

Last Updated: 21 May 2026

1. Introduction

AfterEcho Ltd ("AfterEcho", "we", "us", "our") is committed to protecting the privacy, dignity and security of all individuals who use the AfterEcho platform, website, applications and related services ("Services").

This Privacy Policy explains:

how personal data is collected;
how personal data is used;
how personal data is stored and protected;
users' legal rights regarding personal data;
the lawful basis for processing.

AfterEcho is intended to operate as: a calm, compassionate and ethically responsible digital legacy platform designed to honour personal wishes while protecting users, recipients and vulnerable individuals with dignity and care.

This Privacy Policy applies to:

users;
Recipients;
Legacy Guardians;
website visitors;
support contacts;
other individuals interacting with the Services.

2. Data Controller

AfterEcho Ltd acts as the data controller for personal data processed through the Services unless otherwise stated.

Official contact details and legal notices shall be made available through official platform channels.

3. Categories of Personal Data Collected

Depending on how the Services are used, AfterEcho may collect and process:

3.1 Identity & Account Information

Including:

name;
email address;
username;
authentication credentials;
contact details;
date of birth;
verification information.

3.2 Legacy & Recipient Information

Including:

Recipient names;
contact details;
Legacy Guardian details;
relationship information;
delivery preferences.

3.3 Uploaded Content

Including:

written messages;
photographs;
videos;
audio recordings;
documents;
memorial materials;
scheduled communications.

Certain uploaded materials may contain sensitive or emotionally significant information.

3.4 Technical & Usage Information

Including:

IP addresses;
browser type;
device information;
operating systems;
login activity;
usage analytics;
security logs;
cookie identifiers.

3.5 Payment Information

Payment transactions may be processed through third-party payment providers.

AfterEcho generally does not store complete payment card information.

3.6 Safeguarding & Verification Information

Including:

verification documentation;
death verification materials;
safeguarding review records;
fraud prevention information;
account security records.

4. Lawful Bases for Processing

AfterEcho processes personal data under one or more lawful bases recognised under UK GDPR including:

4.1 Contractual Necessity

Processing necessary to:

provide Services;
manage Accounts;
deliver scheduled communications;
maintain platform functionality.

4.2 Legitimate Interests

Including:

safeguarding users and Recipients;
fraud prevention;
cyber security;
operational integrity;
platform improvement;
moderation and risk management.

Where legitimate interests are relied upon, AfterEcho seeks to ensure processing remains proportionate and balanced.

4.3 Legal Obligations

Including compliance with:

court orders;
regulatory obligations;
safeguarding obligations;
law enforcement requests;
fraud prevention obligations.

4.4 Consent

Where required, AfterEcho may rely upon user consent including:

marketing communications;
optional cookies;
certain sensitive processing activities.

Users may withdraw consent where applicable.

5. Special Category & Sensitive Information

Users may voluntarily upload Content containing:

health information;
bereavement information;
emotional or psychological material;
philosophical or religious reflections;
sensitive personal memories.

AfterEcho does not encourage unnecessary disclosure of sensitive information.

Where sensitive information is processed:

access restrictions may apply;
safeguarding controls may apply;
encryption and security protections may apply;
human review access may be restricted.

6. How Personal Data Is Used

AfterEcho may use personal data to:

operate and maintain the Services;
create and manage Accounts;
store and preserve legacy Content;
process scheduled delivery requests;
verify identity and legitimacy;
perform safeguarding reviews;
investigate fraud or misuse;
improve platform security;
communicate with users;
comply with legal obligations;
respond to lawful requests.

AfterEcho may also use limited technical information for:

service analytics;
reliability monitoring;
cyber security analysis;
operational improvements.

7. Automated Systems & Safeguarding Review

Uploaded Content may be processed using automated systems designed to identify:

explicit suicide intent;
threats of violence;
coercive behaviour;
unlawful material;
platform abuse.

Automated systems:

are intended to support safeguarding;
are not infallible;
may produce inaccurate results;
may involve human review in elevated-risk cases.

AfterEcho retains discretion to undertake confidential safeguarding reviews where reasonably necessary.

Safeguarding reviews may involve:

authorised personnel;
proportionate intervention measures;
verification procedures;
delayed transmission decisions.

8. Disclosure of Personal Data

AfterEcho does not sell personal data.

Personal data may be disclosed where reasonably necessary to:

cloud hosting providers;
payment processors;
infrastructure providers;
cyber security providers;
verification providers;
professional advisers;
law enforcement;
regulators.

Disclosure shall be limited where reasonably practical.

AfterEcho may disclose information where reasonably necessary to:

prevent immediate harm;
investigate fraud;
comply with legal obligations;
enforce Terms & Conditions;
protect vulnerable individuals.

9. International Transfers

Certain service providers or infrastructure systems may process data outside the United Kingdom.

Where international transfers occur, AfterEcho seeks to implement appropriate safeguards including:

adequacy regulations;
standard contractual clauses;
contractual protections;
reputable infrastructure providers.

10. Data Security

AfterEcho implements commercially reasonable security measures including:

encrypted storage;
authentication protections;
access controls;
infrastructure monitoring;
account protection systems;
cyber incident procedures;
backup replication.

However:

no online platform can guarantee absolute security;
no digital storage system is entirely immune from cyber threats.

Users acknowledge the inherent risks associated with internet-based services.

11. Data Retention

Personal data may be retained:

while Accounts remain active;
for future scheduled delivery;
for safeguarding review purposes;
for legal compliance obligations;
for fraud prevention;
for operational continuity.

Users may request deletion subject to:

identity verification;
safeguarding obligations;
pending disputes;
lawful retention obligations.

Older or inactive Content may be migrated to secure archival storage.

AfterEcho does not guarantee perpetual storage.

12. User Rights

Subject to applicable law, users may possess rights including:

the right of access;
the right to rectification;
the right to erasure;
the right to restrict processing;
the right to object;
the right to data portability;
the right to withdraw consent;
the right to complain to the Information Commissioner's Office ("ICO").

Requests may require identity verification.

Certain rights may be limited where lawful exemptions apply including:

safeguarding obligations;
fraud prevention;
legal compliance;
protection of third parties.

13. Recipient & Legacy Guardian Privacy

Users are responsible for ensuring that:

Recipient information is accurate;
Legacy Guardian information is lawfully provided;
designated contacts are aware their information may be used in connection with the Services.

Recipients may:

opt out of future communications;
request restriction of certain processing;
contact AfterEcho regarding privacy concerns.

14. Children

AfterEcho is intended solely for individuals aged 18 or over.

The Services are not directed toward children.

If AfterEcho becomes aware that personal data relating to a child has been unlawfully collected, reasonable steps may be taken to remove such data.

15. Marketing Communications

Where legally permitted, AfterEcho may send:

service announcements;
operational notices;
product updates;
marketing communications.

Users may opt out of marketing communications at any time.

Operational or legal notices may still be issued where necessary.

16. Third-Party Links & Services

The Services may contain links to third-party websites or services.

AfterEcho is not responsible for:

third-party privacy practices;
external websites;
independent services.

Users should review third-party privacy policies independently.

17. Changes to This Privacy Policy

AfterEcho may update this Privacy Policy periodically to reflect:

legal developments;
safeguarding improvements;
technological changes;
operational changes.

Material updates may be communicated through:

website notices;
email notifications;
Account notifications.

Continued use of the Services following updates may constitute acceptance of revised terms.

18. Complaints

Users may contact AfterEcho regarding privacy concerns through official platform channels.

Users may also lodge complaints with the Information Commissioner's Office:

Information Commissioner's Office (ICO)

Website: https://ico.org.uk

19. Ethical Privacy Commitment

AfterEcho recognises that legacy communications may contain deeply personal and emotionally sensitive material.

Accordingly, AfterEcho seeks to operate with:

dignity;
restraint;
compassion;
safeguarding awareness;
proportionality;
privacy-first principles.

While no digital platform can eliminate all technological or operational risk, AfterEcho seeks to maintain careful stewardship of entrusted materials.