Fyldit Privacy & Cookie Policy

Fyldit is designed to operate without cookies in the Fyldit application. We do not use cookies and we do not run third-party analytics or tracking scripts in the Fyldit application.

Fyldit uses a zero-knowledge architecture by default. This means we store encrypted content and cannot access decrypted document content while zero-knowledge is enabled. Zero-knowledge architecture is a system design where the service provider hosts your encrypted data but does not hold the keys needed to read it.

We authenticate using JSON Web Token (JWT) bearer tokens sent in an Authorisation header, rather than browser cookies.

Session persistence in the Fyldit application uses browser Web Storage on your device, including sessionStorage and, for certain administrative sessions, localStorage, rather than cookies.

Encryption in transit is enforced using Transport Layer Security (TLS) 1.2 as a minimum, with TLS 1.3 preferred where supported.

The Fyldit application is designed to be cookieless in its own operation. Fyldit’s marketing website and related web pages are also designed to minimise cookies and similar technologies, but certain third-party tools, content, features, or integrations made available through the website may use cookies or similar technologies in limited circumstances.

We do not sell, rent, or share your Personal Data for third-party advertising.

1. Who we are

Fyldit is a subscription service for organising and storing documents securely, with optional sharing features. In this Privacy Policy, “Fyldit”, “we”, “us”, and “our” mean:

Legal name: Funerals& Tech Limited

DIFC licence number: CL11807

Registered office: Unit IH-00-01-03-OF-05, Level 3, IH-00-01-CP-05, Dubai International Financial Centre, Dubai, United Arab Emirates

VAT status: not VAT-registered

Privacy enquiries and rights requests: support@fyldit.com

Data Protection Officer contact: dpo@funeralsand.com

2. Scope

This Privacy Policy explains how we collect, use, disclose, store, and protect Personal Data when you use Fyldit.

It applies to:

• account holders;

• recipients who access content shared with them through a Fyldit recipient experience, including a Lite recipient view; Funerals& Tech Limited

• visitors to our website and related web pages; and people who contact us, request support, join a waiting list, or otherwise interact with Fyldit.

It does not apply to third-party websites or services that we do not control, even if they are linked from our service.

Sharing and roles

When you share Content with a recipient, you remain responsible for the decision to share Content you control. If a recipient uploads their own Content into their recipient vault, the recipient is responsible for that Content. Fyldit operates the platform and processes data needed to provide services to both account holders and recipients.

3. Privacy by Design, Cookies and Similar Technologies

Fyldit is designed using privacy-by-design principles. A core part of this is a cookieless approach in the Fyldit application and a broader intention to minimise unnecessary tracking across our digital services.

For clarity, cookies are small text files placed on a device or browser. Similar technologies may include local storage, session storage, pixels, tags, scripts, software development kits, embedded media tools, support widgets, and other technologies that store or access information on a user’s device or browser.

Fyldit distinguishes between:

1. the Fyldit application, which is designed to operate on a cookieless basis in its own operation; and

2. the Fyldit website and related web pages, where certain third-party services, features, content, or integrations may use cookies or similar technologies in limited circumstances.

3.1 Fyldit application: cookieless by design

The Fyldit application is designed to operate without cookies in its own operation.

In particular:

• we do not set cookies in the Fyldit application;

• we do not use cookies or similar tracking technologies for analytics or advertising in the Fyldit application;

• we do not run third-party analytics or tracking scripts in the Fyldit application; and

• we do not use non-essential tracking mechanisms in the Fyldit application.

3.2 Authentication and session persistence without cookies

Authentication is handled using JWT bearer tokens sent via an Authorisation header.

Session persistence uses browser Web Storage on your device, including:

• sessionStorage for active application sessions; and

• localStorage only where needed for limited administrative or technical session continuity.

  
  

  For clarity, browser Web Storage is technically different from cookies, although both involve information being stored on a user’s device or browser. Because tokens are stored on your device in Web Storage, you should keep your device secure, use strong authentication where available, and sign out on shared devices.

3.3 Website cookies and similar technologies

Fyldit’s marketing website and related web pages are also designed to minimise unnecessary tracking. As a general rule, Fyldit does not intend to use non-essential first-party cookies for advertising, behavioural profiling, or cross-site tracking.

However, certain third-party services, features, content, or integrations made available through, embedded in, or linked from the Fyldit website may use cookies or similar technologies on your device or browser.

These technologies may arise in connection with, for example:

• website analytics tools;

• embedded content or media;

• support or chat widgets;

• payment or checkout services;

• identity verification or fraud-prevention tools;

• scheduling or booking tools;

• advertising measurement or remarketing tools; and

• other third-party services used on or through the website.

Where such technologies are controlled by third parties, their operation may also be subject to the relevant third party’s own privacy or cookie practices.

3.4 Types of technologies that may be encountered

Where cookies or similar technologies are encountered through our website or linked services, they are most likely to fall into one of the following categories:

a) Strictly necessary technologies

These may be used where required for the operation, security, or integrity of a service you actively request, such as:

• load balancing;

• fraud prevention or security controls;

• session continuity;

• authentication steps;

• consent preference storage; or

• essential service delivery.

Where these are genuinely necessary, consent may not be required under applicable rules, although users should still be informed.

b) Third-party embedded content or integrations

If Fyldit uses or links to third-party content or services, those providers may set cookies or use similar technologies. This can occur, for example, through:

• video players;

• maps;

• chat or support widgets;

• social media embeds;

• payment providers;

• identity verification tools;

• analytics dashboards supplied by third parties; or

• external scheduling, form, or communication tools.

c) Analytics or measurement technologies

Fyldit may from time to time use privacy-respecting, cookieless analytics solutions. However, if any analytics provider uses cookies or similar technologies that are not strictly necessary, those technologies will only be enabled where required consent has been obtained.

d) Advertising or targeting technologies

Fyldit does not intend to use first-party advertising or cross-site targeting cookies on its own website. If any third-party service were to introduce such technologies, they would need to be subject to appropriate notice, control, and consent where required.

3.5 Third-party cookies and similar technologies

Although Fyldit is cookieless in its own application design, third parties may still place cookies or use similar technologies through their own tools, content, or services.

These technologies are controlled by the relevant third party, not Fyldit directly. Depending on the service, the third party may collect information such as:

• Internet Protocol (IP) address;

• browser type;

• device information;

• pages viewed;

• timestamps;

• referral Uniform Resource Locator (URL) information; and

• interaction data.

Third-party cookies can present particular privacy risks, especially where they enable tracking across sites or devices. Fyldit will seek, where practicable, to:

• assess third-party technologies before deployment;

• block non-essential third-party cookies until consent is given, where legally required;

• maintain information about the categories of third-party technologies used; and

• require appropriate contractual and privacy commitments from providers where applicable.

3.6 Consent for non-essential technologies

Where a cookie or similar technology is strictly necessary to provide a service you have explicitly requested, Fyldit may rely on the relevant legal exemption where available.

Where a cookie or similar technology is not strictly necessary, Fyldit will seek to ensure that it is not placed or activated unless and until the required consent has been obtained, where applicable law requires this.

Where consent is required, it should be freely given, specific, informed, and unambiguous. Consent requests should be clearly presented and separate from general terms.

3.7 Managing preferences and browser controls

Where Fyldit uses a consent banner, preference centre, or similar settings tool on its website, users will be able to manage non-essential cookie or similar-technology preferences through that mechanism.

Users may also be able to control cookies and similar technologies through their browser or device settings, including by blocking, restricting, or deleting stored information.

Please note that disabling certain technologies may affect the availability or functionality of some third-party website features.

Where third-party services are involved, users may also need to review the privacy, cookie, or device-permission settings made available by the relevant provider.

3.8 International privacy and cookie context

Fyldit aims to align its practices with applicable privacy and data protection requirements, including, where relevant:

• the DIFC Data Protection Law;

• the United Kingdom General Data Protection Regulation;

• the European Union General Data Protection Regulation; and

• related rules governing cookies and similar technologies.

Fyldit’s approach is intended to collect the minimum necessary data needed to operate the relevant website or application functionality.

4. Zero-knowledge architecture

Fyldit is designed with zero-knowledge encryption enabled by default.

When zero-knowledge is on:

• your content is encrypted client-side;

• we store encrypted content; and

• we cannot access decrypted document content.

You may choose to turn off zero-knowledge in settings. If you do, some server-side processes may access decrypted content or server-managed keys to deliver features you enable.

Where a feature requires zero-knowledge to be turned off, we intend to make this clear within the product experience before you enable that feature.

5. The Personal Data we collect

The Personal Data we collect depends on how you use Fyldit.

5.1 Account and profile data

This may include:

• full name;

• email address;

• mobile number, if provided;

• account credentials and authentication-related information;

• plan type;

• billing status;

• profile settings; and

• user preferences.

5.2 Document and vault-related data

This may include:

• document metadata, such as file name, type, upload date, folder or category, expiry date, and sharing settings;

• encrypted document content;

• notes and labels you create;

• recipient and sharing information;

• legacy contact and trusted contact information you choose to provide; and

• release-rule or after-death workflow settings you configure.

Where zero-knowledge is enabled, document content is stored in encrypted form and is not accessible to us in decrypted form.

5.3 Recipient and shared-access data

This may include:

• recipient identity and contact details;

• data relating to invitations, access events, and sharing activity;

• content uploaded by recipients into their own recipient vault space; and

• recipient plan or Lite-status data.

5.4 Payments and subscription data

This may include:

• subscription plan;

• transaction and billing records;

• payment status;

• invoices; and

• limited payment-related metadata supplied by our payment providers.

Fyldit does not intentionally store full payment card numbers. Subscription billing, auto-renewal, cancellation, trial eligibility, and refund rules are governed by the Terms of Service. At launch, Fyldit uses Stripe as its primary payment processor for direct subscription payments, although payment providers may change over time and app-store billing may apply where subscriptions are purchased through a mobile platform.

5.5 Technical and security data

This may include:

• IP address;

• device and browser information;

• operating system;

• application logs;

• security logs;

• timestamp data;

• audit events; and

• diagnostic information used to maintain service integrity and security.

5.6 Website and communications data

This may include:

• enquiry details;

• support correspondence;

• waitlist or marketing form submissions;

• website interaction information; and

• cookie or similar-technology information where used in accordance with this Privacy Policy.

6. How we collect Personal Data

We collect Personal Data:

• directly from you when you create an account, upload content, complete forms, contact support, make payments, or configure sharing and legacy settings;

• from recipients or other users where they provide your details in connection with sharing, trusted-contact, or legacy features;

• automatically from your use of the platform for security, technical, and operational purposes;

• from payment providers, identity or fraud-prevention providers, and other service providers who support our operations; and

• from third-party website tools or integrations where those are enabled and used in line with this Privacy Policy.

7. How we use Personal Data

We use Personal Data to:

• provide, operate, maintain, and improve Fyldit;

• authenticate users and secure accounts;

• enable document storage, retrieval, organisation, and sharing;

• operate trusted-contact, recipient, and legacy-access features;

• process subscriptions, billing, and payment status;

• provide customer support;

• monitor, investigate, and prevent fraud, abuse, and security incidents;

• maintain logs, audit trails, and platform integrity;

• send service, transactional, legal, and security communications;

• comply with legal, regulatory, and contractual obligations; and

• administer and improve our website and related services.

Where zero-knowledge is enabled, our ability to access content is limited by that architecture.

8. Legal bases for processing

Depending on the circumstances and applicable law, we rely on one or more of the following legal bases:

• performance of a contract with you;

• legitimate interests, including operating, securing, improving, and administering Fyldit;

• compliance with legal or regulatory obligations;

• your consent, where required; and

• protection of vital interests, where applicable and lawful.

Where consent is relied on, you may withdraw it at any time, although this will not affect the lawfulness of processing carried out before withdrawal.

9. Sharing and disclosure of Personal Data

We may disclose Personal Data:

• to service providers and subprocessors who help us operate Fyldit;

• to payment providers and billing providers;

• to identity verification, fraud prevention, security, hosting, infrastructure, support, and communications providers;

• to recipients, trusted contacts, legacy contacts, or other persons you authorise through the product;

• where required by law, regulation, court order, or lawful request from a competent authority;

• in connection with a business reorganisation, merger, financing, sale, or transfer of assets, subject to appropriate protections; and

• where otherwise permitted or required by law.

We do not sell, rent, or share Personal Data for third-party advertising.

10. International transfers and hosting locations

• Websites & Apps: Both the corporate sites (funeralsand.com, fyldit.com) and the apps (customer, admin, and mobile) are hosted on AWS Amplify. This acts as a fast, global delivery network.

• The Backend: Logic and logins run on AWS Lambda. It’s "serverless," meaning it only switches on when needed to save resources.

• The Vault (Database): All account info is kept in Stockholm. It’s mirrored across two locations, so if one fails, the other takes over instantly.

• File Storage: Encrypted documents (like wills or passports) are stored in Amazon S3 (Stockholm), acting as a highly secure digital filing cabinet.

Non-production environments may operate in other regions, including Europe and India, and are intended to use anonymised, masked, or synthetic data rather than live identifiable personal data wherever appropriate for the relevant environment.

Where Personal Data is transferred internationally, we will seek to ensure that appropriate safeguards are applied where required by law. Such safeguards may include contractual commitments, technical controls, organisational measures, data minimisation, and region-specific hosting design.

11. Data retention

We keep Personal Data only for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the service, comply with legal obligations, resolve disputes, enforce agreements, and maintain appropriate records.

11.1 Active accounts

We retain Personal Data associated with an active account for as long as the account remains active and for a reasonable period thereafter where needed for legitimate business, legal, security, and audit purposes.

11.2 Non-payment and account suspension

Where an account is affected by non-payment, we may provide a 30-day grace period to restore access, subject to the terms of the relevant plan and our operational policies.

11.3 Account deletion

If you request deletion of your account, we may place the account into a 14-day recoverable state before final deletion, to protect against accidental deletion and permit secure recovery where available.

11.4 Recipient trial expiry and Lite access

Where a recipient has access through a recipient trial, and that trial expires:

• recipient-uploaded content may become greyed out after expiry;

• a further 30-day grace period may apply before deletion; and

• certain specified items, such as Passport and Driving Licence, may remain visible or available within a Lite experience where that is part of the product design in force at the time.

11.5 Residual copies

Residual copies may remain temporarily in backups, logs, archives, and disaster-recovery systems until overwritten or deleted in the ordinary course, subject to applicable safeguards.

If a law requires us to retain certain information for longer, we may do so.

12. Security

We use technical and organisational measures designed to protect Personal Data and service integrity. These measures include, where relevant:

• encryption in transit using TLS 1.2 minimum, preferring TLS 1.3 where supported;

• encryption at rest where appropriate;

• zero-knowledge client-side encryption by default for content;

• password hashing using bcrypt;

• access controls for systems and data;

• security and audit logging for sensitive actions;

• role-based access control and related administrative safeguards; and

• monitoring, investigation, and incident response processes.

No system is 100% secure. You are responsible for keeping your credentials, email account, and devices secure.

12.1 Account recovery

Fyldit uses Shamir’s Secret Sharing to support secure account recovery without compromising the intended zero-knowledge design of the service. The exact recovery process may depend on the product flow in force at the relevant time.

13. Children

Fyldit is not directed to children and is not intended for use by individuals under the age of 18.

If we become aware that we have collected Personal Data directly from a child in circumstances not permitted by applicable law, we will take steps to delete that information or otherwise bring the processing into compliance.

Account holders may upload and manage a childs or dependents records where they have the lawful authority to do so.

14. Your rights

Depending on your location and applicable law, you may have rights including:

• the right to access your Personal Data;

• the right to request correction of inaccurate Personal Data;

• the right to request deletion of Personal Data;

• the right to object to or restrict certain processing;

• the right to withdraw consent where processing is based on consent;

• the right to data portability, where applicable; and

• the right to lodge a complaint with a competent supervisory authority.

We may need to verify your identity before acting on a request. We may also retain information where required by law, where necessary to establish, exercise, or defend legal claims, or where another lawful basis applies. 

15. Data breach notification

If we become aware of a data breach that affects your Personal Data, we will notify you and relevant authorities where required by applicable law.

We will generally provide notice by email to your registered email address.

Where required by law, including for example under the General Data Protection Regulation where applicable, we will notify without undue delay and no later than 72 hours after becoming aware of the breach.

The notice will describe the nature of the breach, the likely consequences, and the measures we are taking to address it.

16. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in law, regulation, technology, our service providers, our product features, or our operations.

We will post the updated version in the application and on our website.

If the change is material, we will provide a prominent notice in the application and/or on the website before it takes effect, where appropriate.

Fyldit does not maintain a separate standalone Cookie Policy at this time. Fyldit’s use of cookies and similar technologies is described in this Privacy Policy.

17. Governing law

This Privacy Policy is governed by the laws applicable in the Dubai International Financial Centre (DIFC), Dubai, United Arab Emirates.

18. Contact us

Support and privacy enquiries: support@fyldit.com

Data Protection Officer: dpo@funeralsand.com

Postal address: Unit IH-00-01-03-OF-05, Level 3, IH-00-01-CP-05, Dubai International Financial Centre, Dubai, United Arab Emirates

If Fyldit becomes required to register with any additional privacy regulator in a jurisdiction where it operates, we may update this Privacy Policy to include those details.