Privacy Policy

Last updated: 8 November 2025

Version: 1.0

1. Introduction

Keystone Estate Planning ("we", "us", "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our online legal document assembly service.

Who We Are

  • Company: Keystone Estate Planning
  • Service: Online legal document assembly platform for Wills and Lasting Powers of Attorney
  • Jurisdiction: England and Wales
  • Data Controller: Keystone Estate Planning
  • Contact Email: privacy@keystoneestateplanning.co.uk
  • Data Protection Officer: dpo@keystoneestateplanning.co.uk

We are a data controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy complies with all UK data protection laws and regulations.

2. What Data We Collect

We collect various types of personal data to provide our services effectively and securely:

Personal Identification Data

  • Full name (including previous names if applicable)
  • Date of birth
  • Current and previous addresses
  • Email address
  • Telephone number
  • National Insurance number (for LPA identity verification)

Financial Information

  • Payment card details (processed securely by Stripe - we never store full card numbers)
  • Billing address
  • Transaction history
  • Asset information (for estate planning purposes)

Legal Document Information

  • Will provisions (beneficiaries, executors, guardians, bequests)
  • LPA preferences (attorneys, replacement attorneys, instructions, preferences)
  • Beneficiary and attorney details (names, addresses, relationships)
  • Witness information (when documents are executed)

Special Category Data

We only collect special category data with your explicit consent:

  • Health information: Only for Health & Welfare LPAs, where you may provide preferences regarding medical treatment, life-sustaining treatment decisions, and care preferences
  • This data is essential for creating a valid Health & Welfare LPA and is processed solely for this purpose

Technical Data

  • IP address
  • Browser type and version
  • Device information
  • Operating system
  • Cookies and similar tracking technologies
  • Usage data (pages visited, time spent, features used)
  • Access logs and security audit trails

Communications

  • Contact form submissions
  • Support ticket correspondence
  • Email communications with our team
  • Survey responses and feedback

3. How We Collect Data

Directly From You

  • Account Registration: When you create an account on our platform
  • Document Questionnaires: When you complete our guided questionnaires for Wills or LPAs
  • Contact Forms: When you submit enquiries or support requests
  • Payment Process: When you purchase our services
  • Direct Communications: When you email or call us

Automatically

  • Cookies: Essential cookies for security and functionality
  • Analytics: Anonymized usage statistics to improve our service
  • Security Logs: Automated logging of access and security events
  • Error Tracking: Technical diagnostics for service reliability

From Third Parties

  • Stripe: Payment confirmation and transaction status
  • Email Delivery Services: Email delivery status and engagement metrics
  • We do not purchase or receive data from data brokers

4. Lawful Basis for Processing

Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following legal bases:

Contract Performance

Processing is necessary to fulfill our contract with you to provide legal document assembly services. This includes:

  • Creating and delivering your Will or LPA documents
  • Processing payments
  • Providing customer support
  • Managing your account

Consent

Where we require your explicit consent, including:

  • Processing special category data (health information for LPA-H)
  • Marketing communications (you can opt out at any time)
  • Non-essential cookies and analytics

Legal Obligation

Processing required by law, including:

  • Maintaining tax records (7 years)
  • Audit trails and compliance records
  • Anti-money laundering checks
  • Responding to lawful requests from authorities

Legitimate Interests

Processing necessary for our legitimate business interests, provided your rights are protected:

  • Fraud prevention and security monitoring
  • Service improvement and analytics
  • Network and information security
  • Business continuity and disaster recovery

5. How We Use Your Data

We use your personal data for the following purposes:

Service Delivery

  • Generate legally valid Will and LPA documents based on your instructions
  • Pre-fill official Office of the Public Guardian (OPG) forms for LPAs
  • Store your documents securely for future access
  • Process and fulfill your orders
  • Provide document delivery services (digital download or postal)

Communication

  • Send order confirmations and status updates
  • Provide customer support and respond to enquiries
  • Send important service notifications (e.g., changes to terms, security alerts)
  • Request feedback to improve our services
  • Send marketing communications (only with your consent, opt-out available)

Legal Compliance

  • Maintain audit trails as required by financial regulations
  • Retain records per UK tax and accounting requirements
  • Comply with court orders and lawful requests
  • Meet anti-money laundering obligations

Security and Fraud Prevention

  • Monitor for fraudulent activity and security threats
  • Enforce our Terms of Service
  • Maintain access controls and audit logs
  • Investigate suspected violations

Service Improvement

  • Analyze usage patterns to improve user experience
  • Test new features and services
  • Conduct research and analytics (using anonymized data)
  • Optimize performance and reliability

6. Data Sharing and Third-Party Processors

We never sell, rent, or trade your personal data to third parties for their marketing purposes.

We share your data only with trusted third-party service providers who help us deliver our services. All processors are carefully vetted and bound by data processing agreements:

Stripe (Payment Processing)

  • Purpose: Secure payment processing
  • Data Shared: Name, email, billing address, payment card details
  • Certification: PCI DSS Level 1 compliant
  • Privacy Policy: stripe.com/gb/privacy

Amazon Web Services (AWS) - Hosting & Storage

  • Purpose: Cloud hosting, data storage, and infrastructure
  • Data Shared: All platform data (encrypted)
  • Location: UK and EU regions only
  • Certification: ISO 27001, SOC 2, UK GDPR compliant
  • Privacy Policy: aws.amazon.com/privacy

Email Service Provider

  • Purpose: Transactional emails (order confirmations, notifications)
  • Data Shared: Name, email address, order details
  • Certification: UK GDPR compliant

Docmail (Optional Postal Service)

  • Purpose: Printing and postal delivery (only if you select this option)
  • Data Shared: Name, postal address, document content
  • Certification: ISO 27001, UK GDPR compliant

Legal Disclosures

We may disclose your personal data if required by law or in response to:

  • Valid court orders or legal processes
  • Requests from law enforcement or regulatory authorities
  • Protection of our legal rights or prevention of fraud
  • Emergency situations involving danger to persons or property

Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you of any such change and your rights regarding your data.

7. Data Security

We implement comprehensive technical and organizational security measures to protect your personal data:

Encryption

  • In Transit: TLS 1.3 encryption for all data transmitted over the internet
  • At Rest: AES-256 encryption for all stored data
  • Field-Level: Additional encryption for personally identifiable information (PII)
  • Database: Encrypted database storage with encrypted backups

Access Controls

  • Role-Based Access: Staff access limited to what is necessary for their role
  • Multi-Factor Authentication: Required for all administrative access
  • Audit Logging: All data access is logged and monitored
  • Regular Reviews: Access permissions reviewed quarterly

Infrastructure Security

  • Enterprise-grade firewalls and intrusion detection systems
  • Regular security patches and updates
  • Vulnerability scanning and penetration testing
  • DDoS protection and rate limiting
  • Secure development practices and code reviews

Organizational Security

  • Staff security training and awareness programs
  • Confidentiality agreements for all personnel
  • Background checks for staff with data access
  • Incident response and breach notification procedures
  • Regular security audits and compliance reviews

Your Role in Security

Please help us protect your data by:

  • Using a strong, unique password for your account
  • Enabling two-factor authentication if available
  • Not sharing your login credentials with others
  • Logging out after using shared or public computers
  • Reporting any suspicious activity immediately

Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify you and the Information Commissioner's Office (ICO) within 72 hours as required by UK GDPR.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy and to comply with legal obligations:

Draft Documents

Retention Period: 90 days from last activity

Incomplete documents and questionnaires are automatically deleted after 90 days of inactivity to minimize data storage.

Completed Documents

Retention Period: 7 years from order completion

Finalized Wills and LPAs are retained to allow you to access copies if needed and to comply with professional indemnity requirements.

Payment Records

Retention Period: 7 years from transaction date

Required by HMRC for tax and accounting purposes under UK law.

Audit Logs

Retention Period: 7 years minimum

Security and access logs retained for compliance, dispute resolution, and forensic purposes.

Account Data

Retention Period: Until deletion request or 7 years of inactivity

Account information retained while account is active. Dormant accounts (7+ years inactive) are automatically deleted.

Marketing Data

Retention Period: Until consent is withdrawn

Marketing preferences and communication history retained only while consent is active.

Early Deletion

You may request deletion of your data at any time (see "Your Rights" below). However, we may be required to retain certain data for legal compliance (e.g., tax records) even after a deletion request.

Secure Disposal

When data reaches the end of its retention period, it is securely deleted using industry-standard methods that prevent recovery.

9. Your Rights Under UK GDPR

Under UK data protection law, you have the following rights regarding your personal data:

1. Right of Access (Subject Access Request)

You have the right to request a copy of the personal data we hold about you.

  • We will provide this free of charge within one month
  • You can request this via email to privacy@keystoneestateplanning.co.uk
  • We may require ID verification to protect your data

2. Right to Rectification

You have the right to correct inaccurate or incomplete personal data.

  • You can update most information directly in your account settings
  • Contact support for assistance with corrections
  • We will respond within one month

3. Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data in certain circumstances.

  • You can delete your account at any time via account settings
  • Some data may need to be retained for legal compliance (e.g., tax records)
  • We will inform you if we cannot delete certain data and explain why

4. Right to Restrict Processing

You have the right to request that we limit how we use your data in certain circumstances.

  • Useful if you contest the accuracy of data or object to processing
  • We may still store the data but will not use it further
  • Contact privacy@keystoneestateplanning.co.uk to request restriction

5. Right to Data Portability

You have the right to receive your personal data in a machine-readable format.

  • Applies to data you provided based on consent or contract
  • We will provide data in JSON or CSV format
  • You can transfer this data to another service provider

6. Right to Object

You have the right to object to processing based on legitimate interests or for marketing purposes.

  • Absolute right to object to direct marketing (opt out at any time)
  • Right to object to processing for legitimate interests (we will cease unless we have compelling grounds)
  • Unsubscribe links provided in all marketing emails

7. Right to Withdraw Consent

Where processing is based on consent, you can withdraw consent at any time.

  • Withdrawal does not affect the lawfulness of prior processing
  • Manage consent preferences in your account settings
  • Some services may not function without certain consents (e.g., we cannot create an LPA-H without consent to process health data)

8. Right to Lodge a Complaint

You have the right to complain to the UK supervisory authority if you believe we have not handled your data properly.

Information Commissioner's Office (ICO)

  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We encourage you to contact us first so we can address your concerns directly.

How to Exercise Your Rights

To exercise any of these rights, please:

  1. Email us at privacy@keystoneestateplanning.co.uk
  2. Clearly state which right you wish to exercise
  3. Provide sufficient information to identify your account
  4. Include proof of identity (to protect your data from unauthorized access)

We will respond to all requests within one month (may be extended by two months for complex requests).

10. Cookies

We use cookies and similar tracking technologies to enhance your experience and improve our service. For detailed information, please see our Cookie Policy.

Types of Cookies We Use

Essential Cookies (Cannot be Disabled)

These cookies are necessary for the website to function:

  • Session Cookie: Keeps you logged in and maintains your session
  • CSRF Token: Protects against cross-site request forgery attacks
  • Cookie Consent: Remembers your cookie preferences

Analytics Cookies (Opt-Out Available)

These cookies help us understand how visitors use our website:

  • Anonymized usage statistics (page views, navigation patterns)
  • Performance monitoring
  • No personally identifiable information is collected
  • You can opt out in your cookie settings

Third-Party Cookies

  • Stripe: Payment processing (essential for checkout)
  • We do not use advertising or tracking cookies
  • We do not allow third-party advertising networks

Managing Cookies

You can control cookies through:

  • Our Cookie Settings: Manage preferences in your account or via the cookie banner
  • Browser Settings: Most browsers allow you to block or delete cookies
  • Note: Disabling essential cookies will prevent the website from functioning properly

11. International Transfers

We take the security of international data transfers seriously and ensure appropriate safeguards are in place.

Primary Data Storage

All data is primarily stored in:

  • AWS UK and EU regions
  • No routine transfers outside the UK/EU
  • Backups remain within UK/EU jurisdictions

Exceptional Transfers Outside UK/EU

In limited circumstances, data may be transferred outside the UK/EU (e.g., some third-party processors have operations in other countries). When this occurs, we ensure:

  • Standard Contractual Clauses (SCCs): We use EU Commission-approved SCCs for data transfers
  • Adequacy Decisions: We transfer to countries recognized by the UK government as providing adequate protection
  • Additional Safeguards: Encryption in transit and at rest, access controls, and audit rights
  • Data Processing Agreements: Contractual obligations requiring processors to protect your data

Your Rights

You have the right to request information about international transfers of your data and to obtain copies of the safeguards in place. Contact privacy@keystoneestateplanning.co.uk for details.

12. Children's Privacy

Age Requirement

Our service is not intended for individuals under the age of 18. You must be at least 18 years old to:

  • Create an account
  • Use our services
  • Make a legally valid Will (minimum age requirement in England and Wales)
  • Create a Lasting Power of Attorney

Guardian Appointments

While you may name guardians for your minor children in your Will, and may include information about minors as beneficiaries:

  • We do not directly collect personal data from children
  • Information about minors is provided by adults (parents/testators)
  • Such information is limited to what is necessary for the legal document
  • Parents/guardians are responsible for the accuracy of information about minors

Inadvertent Collection

We do not knowingly collect personal data from children under 18 directly. If we discover that we have inadvertently collected such data, we will delete it promptly. If you believe we have collected data from a child, please contact us immediately at privacy@keystoneestateplanning.co.uk.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

How We Notify You

  • Material Changes: We will notify you by email and/or prominent notice on our website at least 30 days before changes take effect
  • Minor Changes: We will update the "Last Updated" date at the top of this policy
  • Version History: We maintain a version history for transparency

Your Acceptance

By continuing to use our services after changes take effect, you accept the updated Privacy Policy. If you do not agree with the changes:

  • You may delete your account before the changes take effect
  • You may download your data using the data portability right
  • Contact us if you have concerns about the changes

Reviewing This Policy

We recommend reviewing this Privacy Policy periodically to stay informed about how we protect your data. The current version is always available at keystoneestateplanning.co.uk/privacy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

General Privacy Enquiries

Email: privacy@keystoneestateplanning.co.uk

Response Time: Within 3 business days

Data Protection Officer

Email: dpo@keystoneestateplanning.co.uk

For: GDPR rights requests, data concerns

Customer Support

Email: support@keystoneestateplanning.co.uk

For: Account issues, general help

Postal Address

Suite RA01, 195-197 Wood Street

London, E17 3NU

United Kingdom

Complaints

If you are unhappy with how we have handled your personal data, please contact us first so we can try to resolve your concerns.

If you remain dissatisfied, you have the right to lodge a complaint with:

Information Commissioner's Office (ICO)

Website: ico.org.uk/make-a-complaint

Helpline: 0303 123 1113

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Privacy Policy Summary

We Collect:

  • Personal identification data
  • Legal document information
  • Payment information (via Stripe)
  • Health data (LPA-H only, with consent)

We Use It For:

  • Creating your legal documents
  • Processing orders and payments
  • Providing customer support
  • Legal compliance and security

Your Data is Protected By:

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Role-based access controls
  • Regular security audits

Your Rights:

  • Access your data
  • Correct inaccuracies
  • Request deletion
  • Data portability

This summary is for convenience only. Please read the full Privacy Policy above for complete details.