Privacy Policy

1. Scope

This Privacy Policy explains how Electric Solidus, Inc. ("Electric Solidus," "Vigil," "we," "us," or "our") collects, uses, discloses, retains, and protects personal information when you use the Vigil Protocol website, web application, APIs, and related services (the "Service").

This Privacy Policy is intended to satisfy notice obligations under applicable U.S. federal and state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, "CCPA"), and comprehensive privacy laws in Virginia, Colorado, Connecticut, Delaware, Indiana, Iowa, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and other states as they take effect.

This Privacy Policy does not apply where a separate privacy notice is provided.

2. Categories of Personal Information We Collect

We collect the following categories of personal information:

2.1 Identifiers and Contact Information

Name, email address, mailing address, phone number, account identifiers, household role, customer support identifiers, and IP address.

2.2 Account and Authentication Data

Login method (e.g., Google OAuth, email-based authentication), authentication tokens, session identifiers, multi-factor authentication data, account status, and security-related event data. Session management uses server-wide storage, which means your session state is maintained on our servers and not in browser-stored tokens. Sessions may be revoked immediately upon logout or "logout of all devices" action, if available.

2.3 Household, Family, and Relationship Information

Names and contact information for spouses, partners, children, dependents, trusted contacts, fiduciaries, beneficiaries, attorneys, accountants, and other professional contacts; relationship labels; role assignments; and household membership status.

2.4 Financial and Insurance Planning Information

Financial institution names, account nicknames, account types, ownership and titling information, beneficiary designations, approximate balances or ranges you choose to enter, insurance carrier names, policy numbers, coverage descriptions, premium amounts, and location pointers you choose to store.

We do not collect live account credentials, passwords, PINs, private keys, seed phrases, or one-time codes for external accounts.

2.5 Estate and Legal Planning Information

Information from wills, trusts, powers of attorney, health care directives, letters of instruction, and related metadata or structured fields extracted from documents you upload.

2.6 Document Content

Uploaded files, images, PDFs, and text you submit, and information extracted from them through automated and AI-assisted processing.

2.7 Usage, Device, and Network Information

IP address, browser type and version, device type, operating system, unique device identifiers, session logs, time stamps, pages viewed, features used, click paths, performance data, crash data, and diagnostic information.

2.8 Commercial Information

Subscription plan, billing status, invoices, transaction history with us, and limited payment information received from our payment processor (e.g., payment method type, card last four digits, billing address).

2.9 Inferences and AI-Assisted Outputs

Readiness indicators, extracted document fields, confidence markers, data completeness assessments, suggested issues for review, and other outputs generated from information you provide through AI-assisted processing.

2.10 Sensitive Personal Information

Depending on applicable law, some information above may be classified as sensitive personal information or sensitive data, including:

• financial account information (account numbers, balances, and related details you enter);
• contents of estate-planning documents (wills, trusts, powers of attorney, health care directives);
• government-issued identifiers if you upload documents containing them;
• health-related information contained in uploaded documents (e.g., health care directives, insurance records);
• information about minor children or dependents;
• precise geolocation information if you choose to provide it; and
• account login credentials for the Service itself.

We process sensitive personal information only as reasonably necessary to provide the Service you request and for the other limited purposes permitted by applicable law.

3. Sources of Personal Information

We collect personal information from:

• you directly when you create an account, upload documents, enter information, configure settings, or contact us;
• household members and authorized users when they submit information about you or interact with shared household features;
• service providers acting on our behalf, including payment processors (Stripe), authentication providers (Google), cloud hosting providers (AWS), email delivery providers (SendGrid), and AI processing providers (Anthropic);
• your devices and browsers automatically when you use the Service (usage data, device identifiers, IP addresses); and
• communications with you, including support requests and feedback.

We do not purchase personal information from data brokers or third parties for advertising or marketing purposes.

4. How We Use Personal Information

We use personal information for the following purposes:

We do not:

• sell personal information for monetary or other valuable consideration;
• share personal information for cross-context behavioral advertising;
• use personal information for targeted advertising;
• use sensitive personal information to infer characteristics about you beyond what is necessary to provide the Service you request; or
• process personal information for profiling in furtherance of decisions that produce legal or similarly significant effects, unless you specifically request such processing through the Service.

5. How We Disclose Personal Information

5.1 Service Providers and Processors

We disclose personal information to vendors that help us provide the Service, including:

Service providers are contractually obligated to use personal information only to perform services for us and are prohibited from using it for their own purposes except as required by law. We require that AI processing providers do not use your data to train their models or for any purpose other than performing the requested processing.

5.2 Household Members and Designees You Authorize

We disclose information to household members, trusted contacts, professionals, and other designees when you configure the Service to allow that disclosure or when activation rules you have set are satisfied. The scope of disclosure is determined by the permissions and configuration you establish.

5.3 Business Transfers

We may disclose personal information in connection with a merger, financing, acquisition, reorganization, bankruptcy, or sale of all or part of our business. In such events, the acquiring entity will be bound by the terms of this Privacy Policy with respect to personal information collected before the transaction, unless you receive notice and an opportunity to opt out as required by applicable law.

5.4 Legal Compliance and Protection

We may disclose personal information if we reasonably believe disclosure is necessary to:

• comply with applicable law, regulation, legal process, or government request;
• enforce our Terms of Service or other agreements;
• protect the rights, safety, or property of Electric Solidus, our users, or the public;
• detect, prevent, or investigate fraud, security incidents, or violations of our Terms; or
• protect against legal liability.

We will attempt to notify you of legal demands for your information unless prohibited by law or court order.

6. Sales, Sharing, and Targeted Advertising

We do not:

• sell personal information for monetary or other valuable consideration as defined under the CCPA or other state privacy laws;
• share personal information for cross-context behavioral advertising as defined under the CCPA; or
• process personal information for targeted advertising as defined under applicable state privacy laws.

Because we do not engage in these practices, we do not currently display a "Do Not Sell or Share My Personal Information" link. However, we honor Global Privacy Control (GPC) signals and other legally recognized universal opt-out mechanisms. If we detect a GPC signal from your browser, we will treat it as a valid opt-out request to the extent required by applicable law.

If our practices change in the future, we will update this Privacy Policy, provide any required notice, and implement all required opt-out mechanisms before engaging in those activities.

7. Cookies and Similar Technologies

We use cookies, local storage, and similar technologies as follows:

Strictly necessary cookies: Session management, authentication, CSRF protection, fraud prevention, load balancing, and security. These are essential to operate the Service and cannot be disabled.

Functional cookies: User interface preferences and settings. These enhance your experience but are not essential.

We do not use advertising cookies, third-party advertising trackers, or cross-site tracking technologies.

Where legally required, we will obtain your consent before setting non-essential cookies and provide a mechanism to manage your cookie preferences.

8. Sensitive Data Processing

We process sensitive personal information (as defined in Section 2.10) only to provide the Service you request and for the other purposes permitted by applicable law, including:

• providing, maintaining, and securing the Service;
• processing and organizing documents and records you upload;
• performing AI-assisted analysis you request;
• executing activation workflows you configure;
• detecting and preventing fraud and security incidents; and
• complying with legal obligations.

Where applicable state law requires opt-in consent for processing sensitive personal information, we rely on your affirmative submission of that information to the Service, together with any additional just-in-time consent notices we provide within the Service for specific processing activities. You may withdraw consent by deleting the relevant data or your account, subject to our retention obligations.

We do not use sensitive personal information to infer characteristics about you for purposes unrelated to providing the Service.

9. Children's Data

The Service is not directed to children under 13, and we do not knowingly collect personal information directly from children under 13 through child-directed features. If you are a parent or guardian and believe your child under 13 has provided personal information to us without your consent, contact us at legal@vigilprotocol.ai and we will take steps to delete the information.

Users may provide information about minor dependents (e.g., children named as beneficiaries or family members) as part of household continuity planning. The account holder who submits this information represents that they have parental authority or legal guardianship and that the submission is for the lawful purpose of family continuity planning.

We do not sell or share the personal information of consumers we know to be under 16 years of age.

10. AI Processing Disclosure

When you use AI-assisted features (such as document extraction, gap analysis, or readiness assessment), relevant content is sent to third-party AI processing providers to perform the requested processing.

What we send: Document content, extracted text, and structured fields necessary for the requested analysis. We do not send your full account profile, payment information, or authentication credentials to AI providers.

Contractual safeguards: We contractually require AI providers to:

• use your data only to perform the processing we request;
• not use your data to train, improve, or develop their general-purpose models;
• not retain, use, or disclose your data outside of the direct business relationship or any purpose other than performing the processing we have requested;
• not sell your data;
• not combine your data with data from other customers;
• delete your data within 30 days of termination of our agreement with them, except as required by law or to prevent harmful use of their services; and
• implement appropriate security measures.

Limitations: AI outputs may be inaccurate, incomplete, out of date, or misleading. AI may fail to identify relevant information, may misinterpret data, or may produce results that conflict with professional analysis. You should independently review and verify all AI outputs.

11. Data Retention

We retain personal information for as long as reasonably necessary to fulfill the purposes described in this Privacy Policy, subject to our legal obligations.

Specific retention periods:

When retention is no longer necessary, we will delete, de-identify, or securely isolate the information. Deletion may be delayed by backup cycles (typically up to 90 days) and legal hold obligations.

We will not retain personal information for longer than reasonably necessary for the disclosed purposes, consistent with applicable law.

12. Your Privacy Rights

Depending on your state of residence and subject to applicable exemptions, verification requirements, and legal thresholds, you may have the following rights:

How to submit a request:

• Email: legal@vigilprotocol.ai
• In-app: Account settings (where available)

Verification: We will take reasonable steps to verify your identity before processing a request, which may include confirming your email address, account information, or other identifiers. We will not fulfill a request if we cannot reasonably verify that the requester is the person (or authorized agent of the person) whose information is the subject of the request.

Authorized agents: You may designate an authorized agent to submit requests on your behalf. We may require the agent to provide written authorization from you and may require you to verify your identity directly.

Response timing: We will respond to verifiable requests within the timeframes required by applicable law (generally 45 days, with extensions as permitted).

Appeal process: If we deny your request, we will explain the basis for the denial. If your state provides an appeal right, you may appeal by emailing legal@vigilprotocol.ai with the subject line "Privacy Appeal." We will respond to appeals within the timeframes required by applicable law. If your appeal is denied and your state law allows it, we will provide instructions for contacting your state attorney general.

13. Universal Opt-Out Signals

We recognize and honor the Global Privacy Control (GPC) signal and other legally recognized universal opt-out preference signals. If your browser or device transmits a GPC signal, we will treat it as a valid request to opt out of the sale or sharing of personal information and targeted advertising to the extent those activities apply and as required by applicable law.

Currently, because we do not sell or share personal information for cross-context behavioral advertising, the practical effect of a GPC signal is confirmatory. If our practices change, GPC signals will be automatically applied.

14. California Privacy Notice (CCPA/CPRA)

This section provides additional disclosures required for California residents to the extent the CCPA applies.

14.1 Categories Collected, Sources, and Purposes

In the preceding 12 months, we have collected the following CCPA categories from the sources and for the purposes described in Sections 2 through 4:

• Identifiers (Cal. Civ. Code 1798.140(v)(1)(A))
• Personal information described in Cal. Civ. Code 1798.80(e)
• Characteristics of protected classifications (only if you choose to provide them)
• Commercial information
• Internet or other electronic network activity information
• Geolocation data (only if you provide location-based records)
• Audio, electronic, visual, or similar information (in uploaded files)
• Professional or employment-related information (only if you provide it)
• Education information (only if present in uploaded records)
• Inferences
• Sensitive personal information

14.2 Disclosures for Business Purposes

We have disclosed the categories described in Section 14.1 to the categories of service providers and recipients listed in Sections 5 and 6 for the business purposes described in Section 4.

14.3 No Sale or Sharing

We have not sold or shared (as those terms are defined under the CCPA) the personal information of California residents in the preceding 12 months.

14.4 Sensitive Personal Information

We collect and process sensitive personal information (as identified in Section 2.10) only as reasonably necessary and proportionate to provide the Service, perform the services you request, ensure security and integrity, prevent fraud, comply with law, and for other purposes that do not require an opt-out right under the CCPA. We do not use or disclose sensitive personal information for purposes beyond those permitted by CCPA Section 1798.121.

14.5 Retention

We retain each category of personal information for the periods described in Section 11, which are tailored to the purpose for which the information was collected, our legal obligations, and the sensitivity of the information. For sensitive personal information specifically, retention periods are:

• financial account and insurance information: duration of account plus 30 days after deletion processing;
• estate-planning document content: duration of account plus 30 days;
• health-related information in uploaded documents: duration of account plus 30 days;
• government-issued identifiers in uploaded documents: deleted upon account deletion, not retained separately;
• minor children information: duration of account plus 30 days.

14.6 Financial Incentives

We do not offer financial incentives or price differences in exchange for the retention or sale of personal information.

15. Other State Privacy Disclosures

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Delaware (DPDPA), Indiana (ICDPA), Iowa (ICDPA), Maryland (MODPA), Minnesota (MCDPA), Montana (MCDPA), Nebraska (NDPA), New Hampshire (SB 255), New Jersey (NJDPA), Oregon (OCPA), Rhode Island (RIDPL), Tennessee (TIPA), Texas (TDPSA), Utah (UCPA), and other states with applicable comprehensive privacy laws may exercise rights similar to those described in Section 12, subject to the thresholds, exemptions, and procedures of their respective state laws.

State-specific notes:

• Opt-in consent for sensitive data: Where your state law requires affirmative opt-in consent (rather than opt-out) for processing sensitive data, we obtain consent through your affirmative submission of information to the Service and any additional consent flows provided within the Service.
• Profiling: We do not currently engage in profiling that produces legal or similarly significant effects. If this changes, we will provide notice and any required opt-out or consent mechanisms.
• Appeals: The appeal mechanism in Section 12 applies to all states that provide an appeal right. If your appeal is denied and your state law permits it, you may contact your state's attorney general.
• Data protection assessments: Where required by applicable law, we conduct data protection assessments for processing activities that present a heightened risk of harm, including processing of sensitive data and processing for activation workflows.

16. Non-Account Holders

Users may provide us with personal information about family members, beneficiaries, trusted contacts, professionals, and other third parties as part of their continuity planning.

If you are not an account holder but believe your personal information is stored in our systems, you may contact us at legal@vigilprotocol.ai to exercise any rights available to you under applicable law. We will take reasonable steps to verify your identity and the existence of your information.

Please note that fulfilling certain requests (such as deletion) may require us to notify the account holder who submitted the information, and may be subject to the account holder's configuration and applicable legal exceptions.

17. Post-Death and Estate Data Rights

Because the Service is designed for continuity planning, we recognize that data rights may be exercised after an account holder's death.

• Executors and personal representatives: A legally authorized executor, personal representative, or administrator of a deceased account holder's estate may exercise the account holder's privacy rights by providing satisfactory evidence of their legal authority (e.g., letters testamentary, court order, or equivalent).
• Designated contacts: Where an account holder has configured activation workflows, designated contacts may receive information made available through such activation workflows, subject to the activation verification process. This access arises from the account holder's configuration, not from any independent legal right of the designated contact.
• Retention after death: We will retain account data for a reasonable period after notification of the account holder's death to support activation workflows, comply with legal obligations, and respond to estate requests. We will process deletion requests from authorized estate representatives in accordance with applicable law.

18. Security

We use administrative, technical, and physical safeguards designed to protect personal information, including:

• encryption in transit (TLS) and at rest (AES-256 via KMS);
• server-side session management with instant-revocation capability;
• encryption at rest for database records at the infrastructure level via AWS managed encryption;
• user-facing activation workflow audit records, append-only, hash-chained audit logging;
• role-based access controls and least-privilege principles;
• regular security assessments and monitoring; and
• contractual security obligations for service providers.

No security measure is perfect. We cannot guarantee absolute security, and we are not liable for unauthorized access resulting from circumstances beyond our reasonable control, your failure to safeguard your credentials, or the inherent risks of internet-based systems.

If we become aware of a security breach involving your personal information, we will notify you and any applicable regulators in accordance with applicable breach notification laws.

19. International Transfers

The Service is operated in and intended primarily for the United States. All personal information is stored and processed in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service from outside the United States, you acknowledge this transfer.

We do not currently transfer personal information to countries outside the United States for processing, except to the extent that third-party service providers with whom we contract may process data in other jurisdictions as part of their globally distributed infrastructure. Where such transfers occur, they are subject to our contractual safeguards.

20. Third-Party Links and Services

The Service may contain links to third-party websites or reference third-party services. We are not responsible for the privacy practices of third parties. This Privacy Policy applies only to the Service. We encourage you to review the privacy policies of any third-party services you access.

21. Do Not Track

Some browsers transmit "Do Not Track" (DNT) signals. There is no universally accepted standard for how to respond to DNT signals. We do not currently respond to DNT signals, but we do honor Global Privacy Control (GPC) signals as described in Section 13.

22. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will provide notice through the Service, by email, or by other means reasonably calculated to reach you before the changes take effect, and where required by law, we will obtain your consent.

The "Last Updated" date at the top of this Privacy Policy indicates when it was last revised. We encourage you to review this Privacy Policy periodically.

23. Contact Us

Privacy questions, rights requests, and appeals:

legal@vigilprotocol.ai

General support:

support@vigilprotocol.ai

Mailing address:

Electric Solidus, Inc.
26565 W. Agoura Rd, Suite 200, Calabasas, CA 91302