Privacy Policy

Kicking the Bucket ("we", "us", "our") operates the website kickingthebucket.app and provides digital legacy planning services. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.

If you have questions about this policy, you can reach us at support@kickingthebucket.app.

Information You Provide

• Account information: Your email address, provided when you sign up or join our waitlist.
• Profile information: Your name and any other details you choose to add to your profile.
• Vault content: Documents, credentials, notes, videos, audio files, contact cards, checklists, and any other content you store in your buckets. This is the core of what we protect for you.
• Trusted contact details: Names and email addresses of people you designate as trusted contacts.
• Scheduled messages: Messages you create for future delivery to your contacts.

Information Collected Automatically

• Usage data: How you interact with our service, including features used, pages visited, and actions taken.
• Device information: Browser type, operating system, and device identifiers.
• Log data: IP addresses, access times, and referring URLs.

Information We Do NOT Collect

• We do not collect payment card details. All billing is handled by our Merchant of Record, Lemon Squeezy, which processes payments on our behalf.
• We do not use cookies for advertising or third-party tracking.

We use your information to:

• Provide, maintain, and improve our digital legacy planning service.
• Authenticate your identity via passwordless email verification.
• Encrypt and securely store your vault content.
• Operate the Dead Man's Switch feature, including sending check-in reminders and notifying your trusted contacts when activated.
• Deliver scheduled messages to your designated recipients.
• Send transactional emails (verification codes, account notifications, Dead Man's Switch alerts).
• Respond to your support requests.
• Detect and prevent fraud, abuse, or security incidents.

We never use your vault content for advertising, analytics, machine learning training, or any purpose other than providing the service to you and your designated contacts.

Security isn't just a feature — it's the foundation of everything we do. Here's how we keep your data safe:

• Encryption at rest: All vault content is encrypted using AES-256-GCM before being stored. Files uploaded to our vault are encrypted server-side using AWS KMS (SSE-KMS).
• Encryption in transit: All data transmitted between your browser and our servers is protected by TLS 1.2 or higher.
• Credential encryption: Sensitive fields in credential items (passwords, API keys, etc.) receive an additional layer of AES-256-GCM encryption with user-specific keys.
• Passwordless authentication: We use one-time passcodes sent to your email — no passwords to steal or leak.
• Infrastructure: Our backend runs on AWS with DynamoDB for structured data and S3 for file storage, both with encryption enabled and strict access controls.
• Access controls: API keys use SHA-256 hashing. JWT tokens expire after 1 hour. Refresh tokens expire after 30 days.

We share your information only in the following circumstances:

• With your trusted contacts: When the Dead Man's Switch activates or you manually grant access, your designated contacts can access the items you've assigned to them. This is the entire point of the service.
• Service providers: We use AWS for infrastructure (compute, storage, email delivery) and Lemon Squeezy for payment processing. These providers process data on our behalf under strict contractual obligations.
• Legal requirements: We may disclose information if required by law, subpoena, court order, or governmental regulation.
• Safety: We may disclose information if we believe it's necessary to prevent harm, fraud, or illegal activity.

We never sell, rent, or trade your personal information to third parties for marketing or advertising purposes.

• Active accounts: We retain your data for as long as your account is active and the service is operational.
• Deleted accounts: When you delete your account, we permanently remove your profile, vault items, contacts, messages, and associated files from our systems. This process is irreversible.
• Waitlist data: If you joined our waitlist, we retain your email address until you unsubscribe or we launch and you convert to an account.
• Backups: Encrypted backups may persist for up to 30 days after deletion for disaster recovery purposes, after which they are permanently purged.

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete information.
• Delete your account and all associated data.
• Export your data in a portable format.
• Object to processing of your data for certain purposes.
• Withdraw consent where processing is based on consent.

To exercise any of these rights, contact us at support@kickingthebucket.app. You can also delete your account directly from the Settings page in the app.

Our infrastructure is hosted on Amazon Web Services in the Africa (Cape Town) region (af-south-1). If you access the service from outside South Africa, your data will be transferred to and processed in South Africa. By using the service, you consent to this transfer.

We ensure appropriate safeguards are in place to protect your data in accordance with applicable data protection laws, including the South African Protection of Personal Information Act (POPIA) and, where applicable, the European General Data Protection Regulation (GDPR).

Our service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

• Amazon Web Services (AWS): Infrastructure, compute, storage, and email delivery. Subject to the AWS Privacy Policy.
• Lemon Squeezy: Payment processing and subscription management. Subject to the Lemon Squeezy Privacy Policy.

We may update this Privacy Policy from time to time. When we do, we'll update the "Last updated" date at the top of this page. For significant changes, we'll notify you via email or a prominent notice on our website. We encourage you to review this policy periodically.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: