Privacy Policy

Akashiica ("we", "us") is a digital legacy platform that allows people to store messages, documents and secrets to be delivered to specific recipients at defined moments or after their death. The service is operated from Costa Rica under the laws of that republic.

For questions related to this policy, you can contact us at privacy@akashiica.com.

2.1 Information you provide directly

• Account data: full name, email address and password (stored as an Argon2id hash; never in plain text).
• Vault content: texts, images, audio and documents you upload. All content is encrypted with AES-256-GCM before storage. We cannot read your content.
• Recipient data: names and email addresses of the people you want to deliver your legacy to.
• Medical documents (Compassion Plan): if you request the Compassion Plan, you may upload a medical document certifying a terminal illness. This document is encrypted, stored temporarily only for administrative review and permanently and immediately deleted once the review is complete, regardless of the outcome.
• Billing data: processed entirely by Paddle (our Merchant of Record). Akashiica never receives or stores credit or debit card data.

2.2 Automatically collected information

• Usage data: IP address, browser or device type, operating system and pages visited within the service, for security and diagnostic purposes.
• Audit logs: actions performed on the account (logins, password changes, deliveries made). These logs are write-only and cannot be modified or deleted, even at the user's request, as they constitute security and compliance traceability.
• Cookies and local storage: we use strictly necessary httpOnly cookies for session management (refresh token). We do not use tracking or advertising cookies.

We use the information exclusively to:

• Create and manage your account.
• Store and deliver your content according to the access rules you define.
• Send you transactional notifications: email verification, Dead Man's Switch (Heartbeat) alerts, delivery confirmation and password reset.
• Process payments through Paddle.
• Detect and prevent fraud, abuse and unauthorized access.
• Comply with applicable legal obligations in Costa Rica.

We do not sell your personal information to third parties. We do not use it for advertising. We do not share vault content with anyone other than the authorized recipient, and only when the delivery trigger you configured is activated.

• Content at rest: all vault content is encrypted with AES-256-GCM. The master encryption key is managed securely and never stored alongside the data.
• Passwords: stored with Argon2id (memoryCost: 65,536, timeCost: 3, parallelism: 4). Never in plain text.
• External tokens (links to recipients, recovery tokens, family invitations): the value is delivered to the user by email and only the SHA-256 hash is stored in the database. The original value never persists.
• Transit: all communication between the browser/app and Akashiica servers uses TLS 1.2 or higher.
• Two-factor authentication (2FA): available for all accounts. The TOTP secret is stored encrypted.

Despite the above measures, no system is 100% infallible. In the event of a security breach affecting your data, we will notify you within the timeframes required by Costa Rican law.

We share minimal and necessary information with the following providers, under data processing agreements:

We do not use Google Analytics, Meta Pixel or any other third-party analytics tool that tracks your behavior outside of Akashiica.

• Account data: retained while the account is active. When you delete your account, personal data is marked for deletion and purged within 30 days, unless there is a legal obligation to retain it.
• Vault content: permanently deleted when the vault or account is deleted.
• Medical documents (Compassion Plan): deleted immediately after administrative review, regardless of the outcome.
• Audit logs: retained for 5 years for security and compliance reasons.
• Billing data: retained according to Paddle's requirements and Costa Rican tax legislation (generally 5 years).

In accordance with Law No. 8968 on the Protection of Persons regarding the Processing of Personal Data (Costa Rica) and, where applicable, the GDPR (EU General Data Protection Regulation), you have the right to:

• Access: request a copy of the personal data we hold about you.
• Rectification: correct inaccurate or incomplete data.
• Erasure: request the deletion of your personal data.
• Portability: receive your data in a structured, readable format.
• Objection: object to the processing of your data in certain circumstances.
• Restriction: request that we restrict the processing of your data.

To exercise these rights, write to privacy@akashiica.com. We respond within a maximum of 30 business days.

Note: audit logs are excluded from the right of erasure, as their integrity is essential to the security of the service.

The Akashiica service is directed exclusively at persons over 18 years of age. We do not intentionally collect personal data from minors. If we detect that an account has been created with data from a minor, we will delete it immediately.

Akashiica operates from Costa Rica. Some of our providers (Paddle, Resend, Cloudflare R2) may process data on servers located outside Costa Rica or the European Union. When that occurs, we ensure the transfer is covered by standard contractual clauses or other recognized adequacy mechanisms.

We may update this policy to reflect changes in the service or applicable legislation. When we make material changes, we will notify you by email at least 15 days in advance. Continued use of the service after the effective date of the new policy constitutes your acceptance.

If you have questions, concerns or wish to exercise your privacy rights:

• Email: privacy@akashiica.com
• Website: akashiica.com