We collect what we need to run Sucesio — nothing more. Here is exactly what we do with it, in plain language.
Effective: 1 January 2026 — Last updated: April 2026
The data controller for personal data processed through sucesio.io and app.sucesio.io is Sucesio (legal entity to be confirmed upon incorporation). Contact: hello@sucesio.io
Data Protection Officer (DPO): hello@sucesio.io — subject line: "DPO Request"
We collect only strictly necessary data. Here is the complete breakdown:
| Category | Data | Purpose | Legal basis |
|---|---|---|---|
| Account | Name, email, country, language | Account creation & management | Art. 6(1)(b) — Contract |
| Succession profile | Asset inventory, heir designations, instructions | Core service delivery | Art. 6(1)(b) — Contract |
| Sensitive succession data | Crypto wallet locations, account details, personal messages | User-initiated sensitive storage | Art. 6(1)(a) — Explicit consent |
| Check-in data | Check-in timestamps, anonymised device signal | Check-in mechanism operation | Art. 6(1)(b) — Contract |
| Payment | Billing name, country, payment token (Stripe) | Subscription billing | Art. 6(1)(b) — Contract |
| Support | Email correspondence, issue logs | Customer support | Art. 6(1)(f) — Legitimate interest |
| Analytics | Anonymised session data (Umami — no personal data) | Product improvement | Art. 6(1)(f) — No consent needed |
Succession data is among the most sensitive personal information that exists. We treat it accordingly:
For full technical details: Security page →
We work with three sub-processors only. All operate under GDPR-compliant Data Processing Agreements:
| Sub-Processor | Role | Location | GDPR safeguard |
|---|---|---|---|
| Supabase | Database — all user data | EU (Frankfurt, DE) | EU DPA / SCCs |
| Resend | Transactional emails | EU region | EU DPA |
| Stripe | Payment processing | EU (Ireland) | EU DPA / BCR |
No data is transferred to third parties for advertising, marketing, or commercial purposes. Ever.
Sucesio is designed to operate after your death. This section explains exactly how your data is handled in that situation.
France (Loi pour une République Numérique, 2016): You may designate a "digital executor" (mandataire numérique) who can exercise your data rights after your death. Sucesio supports this through the designated contact feature. Absent instructions, your heirs may exercise data access and deletion rights.
Spain (LOPDGDD 2018, Art. 3): Your heirs and designated persons may request access to, rectification of, or deletion of your data after your death. We will verify the identity and standing of requestors before granting access.
Other jurisdictions: We will respond to requests from persons who can demonstrate a legitimate legal interest (executor, legal heir) in accessing a deceased user's data, subject to documentation requirements.
Upon receiving a confirmed death notification with supporting documentation:
Under the GDPR (Arts. 15–22) or UK GDPR, you have:
To exercise any right: email us. We respond within 30 days (extendable to 60 for complex requests, with notice).
✉️ hello@sucesio.io
You also have the right to lodge a complaint with your local DPA:
| Data category | Retention period |
|---|---|
| Account & succession data (active) | Until deletion + 90 days |
| Account data (terminated) | 90 days post-termination, then deleted |
| Billing records | 10 years (legal requirement) |
| Deceased user accounts | 12 months post confirmed death, then deleted |
| Support correspondence | 3 years from last interaction |
| Security & audit logs | 24 months |
Sucesio uses only strictly necessary cookies and cookieless analytics. No advertising or tracking:
We may update this Privacy Policy. For any substantial change, you will be notified by email at least 30 days before it takes effect.
The date of last update is shown at the top of this page. Questions? hello@sucesio.io