How Aftr Limited collects, uses, and protects your personal information, and your rights under the New Zealand Privacy Act 2020.
Aftr Limited (“Aftr”, “we”, “our”) operates the Aftr service at app.aftr.co.nz and this website at aftr.co.nz. We provide a digital estate planning tool for individuals.
This policy explains what personal information we collect, why we collect it, who we share it with, and your rights under the New Zealand Privacy Act 2020. We are bound by the twelve Information Privacy Principles (IPPs) set out in that Act.
When you register, we collect your name, email address, and a bcrypt hash of your password. Your password is never stored in readable form. We also store an optional date of birth if you provide one.
Your Vault stores credentials, identity documents, notes, files, Bookshelf entries (personal books and scrapbooks), Letters (sealed messages addressed to specific recipients), and Life Story content (voice recordings, photos, and written entries). All Vault content is encrypted with AES-256-GCM before it reaches our servers, using a key derived from your password on your device. We store only the encrypted ciphertext, the initialisation vector, and the authentication tag. We cannot read your Vault contents.
If you use the Life Story feature, we collect: voice recordings you record in the app; photos and scrapbook entries you upload; and text entries you write. These are sent to OpenAI for transcription or story generation (see below), then encrypted and stored on our servers.
When you add a guardian or executor, we store their name and email address to send invitations and notifications.
We collect names, relationships, and optionally email addresses and dates of birth for family members you add.
Payments are processed by Stripe. We do not store card numbers. We store only a Stripe customer ID and subscription ID.
If you submit your email address on our marketing website (aftr.co.nz) via the interest capture form, we store your email address to send you product updates. You can unsubscribe at any time. See “Email marketing” below.
We log IP addresses, browser/device type, and actions taken in the app for security and compliance. Anonymised audit log entries are retained for 7 years. Raw IP address and device data is retained for 90 days, then anonymised.
Aftr uses a zero-knowledge architecture for your Vault and Life Story content. Your encryption key is derived from your master password on your own device using PBKDF2-HMAC-SHA-256. This key is never transmitted to our servers.
This has an important consequence: if you forget your master password, your Vault and Life Story content is permanently inaccessible. We do not have a backdoor. We cannot decrypt your data even if compelled by a court order, because we do not hold the key.
The Life Story feature uses OpenAI for:
OpenAI processes this data under its own API usage policies. By using the Life Story feature, you acknowledge that your voice recordings and transcript content will leave New Zealand and be processed by OpenAI in the United States.
If you do not want your content sent to OpenAI, do not use the voice recording or AI story generation features. Written Life Story entries do not leave our servers.
We use Meta Pixel (a JavaScript tracking tool operated by Meta Platforms, Inc.) on our marketing website at aftr.co.nz, including the sign-up and registration pages.
Meta Pixel collects information about your visit and actions (such as page views and registrations) and sends it to Meta to help us measure the effectiveness of our advertising and show our ads to relevant audiences on Facebook and Instagram.
We also use Meta Conversions API (CAPI). This sends server-side event data directly to Meta. We send two event types:
Meta Pixel fires on marketing pages only. It does not fire on authenticated dashboard pages inside the app. The data sent to Meta may be used by Meta for its own advertising and analytics purposes, subject to Meta’s privacy policy.
You can opt out of Meta interest-based advertising at facebook.com/help or via the Digital Advertising Alliance opt-out at optout.aboutads.info.
We use PostHog (US Cloud) for product analytics on aftr.co.nz and app.aftr.co.nz. PostHog uses cookies and local storage to track sessions and page interactions. We use a reverse proxy at /ingest/* for analytics traffic. PostHog data is transmitted to the United States. We also use PostHog feature flags to manage which features are visible to which users.
We use Sentry for error monitoring. Sentry may capture limited technical data including browser type, page URL, and error context. Sentry data is transmitted to the United States.
We use Betterstack for uptime monitoring and a public status page. Betterstack does not receive personal data.
If you submit your email address via the interest capture form on our website, we will add it to our mailing list managed via Resend. We send a short series of product update emails (currently three emails over approximately 14 days). Each email includes a one-click unsubscribe link. You can unsubscribe at any time.
Transactional emails (account verification, guardian invitations, attestation notifications, password reset) are also sent via Resend and cannot be unsubscribed from as they are essential to service delivery.
We comply with the Unsolicited Electronic Messages Act 2007.
We use the personal information we collect to:
We do not sell your data to any third party. We do not profile you for marketing purposes beyond what is described in “Meta Pixel and advertising” above.
We share personal information with the following third-party service providers, and only to the extent necessary to deliver the service:
We may also disclose personal information if required by New Zealand law or a court order. We will notify you where legally permitted to do so before making such a disclosure.
Several sub-processors are located outside New Zealand. We rely on your consent (for OpenAI, given at the point of use) and on contractual safeguards with each provider to meet our obligations under Information Privacy Principle 12 of the Privacy Act 2020.
Aftr is designed so that your nominated executor can access your estate dossier after your death, subject to the guardian attestation process.
When you delete your account, we keep your data for 30 days so you can change your mind. After 30 days, we permanently delete everything: your vault, financial records, files, and your Stripe customer record. Recovery after 30 days is not possible.
If your subscription expires or you cancel, your data is preserved. You lose access to the service until you resubscribe, but nothing is deleted. Subscription lapse alone never triggers deletion.
Audit logs and billing records are kept for 7 years for compliance. Your user ID is removed from audit logs at deletion. Audit logs cannot be associated back to you after that point.
Deletion by our support team at your explicit written request is immediate and permanent. There is no 30-day recovery window for admin-initiated deletions.
The Founding Members program is a time-limited offer for early subscribers. If you join before 1 September 2026, your account is flagged as a Founding Member. This flag is stored in your account record and determines your pricing entitlement. The Founding Member status is non-transferable and attached to your account.
No additional personal data is collected for the Founding Members program. The foundingMember boolean and your original subscription date are the only additional data points stored.
Under the New Zealand Privacy Act 2020, you have the right to:
To exercise your access or correction rights, email us at [email protected]. We will respond within 20 working days, as required by the Privacy Act 2020.
All Aftr application data is hosted in AWS ap-southeast-6 (Auckland, New Zealand). Sub-processors with US-based processing are limited to Stripe, Resend, OpenAI, Meta, PostHog, Sentry, and Langfuse.
We use the following cookies and local storage:
.aftr.co.nz domain so it persists between the website and the app.
Our security measures include:
If we confirm a notifiable privacy breach (as defined by the Privacy Act 2020), we will notify affected users by email within 72 hours of confirming the breach, and concurrently notify the Office of the Privacy Commissioner.
If you have questions about this Privacy Policy, contact us at:
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the effective date above.