What We Can and Cannot See

Trust comes from specifics, not slogans. So instead of saying "your privacy matters," this article tells you plainly what LivingWill can technically see, what it cannot, and why we are this direct about both.

What we cannot see

This is the heart of the design, and we state it without hedging.

Your content. Your will text, your letters, your videos, and your vault items are encrypted on your device before they reach us. We store scrambled data. We cannot read any of it. Not on request, not for support, not under legal or physical pressure, not after a breach. There is no internal tool that decrypts your content, because we do not hold the key.

Your passphrase. We never store your passphrase in a form we can read. It is processed through a slow key-derivation step on your side, and the readable version never reaches us.

Your recovery phrase. We do not hold it and cannot reconstruct it. This is exactly why we cannot reset it for you.

If someone, including a LivingWill employee or a court order directed at us, demanded the readable contents of your account, the honest and complete answer is that we are not able to produce them. That inability is intentional and is the strongest privacy guarantee we can offer.

What we can technically see

Being trustworthy means being honest about the other side too. Operating any service requires some data that is not your encrypted content.

Account and billing basics. Information needed to run your account, such as your email and records required to provide and bill the service.

Operational metadata. Facts about activity rather than its content: that you signed in, that an item was created or updated, that a posthumous claim was submitted, timestamps, and similar. This is the kind of information reflected in your audit log. It describes that actions happened, not what your private content says.

Things you deliberately send us in the clear. For example, if you contact support and choose to describe your situation, that message is not your encrypted vault. Share with support only what you are comfortable sharing.

We design to minimize this category and never use it to reach inside your encrypted content, which we could not do regardless.

Why we tell you both sides

Plenty of services say "we value your privacy" and stop there. We think you deserve the specifics, including the limits, for two reasons.

First, informed trust is the only real trust. If we only listed reassurances, you could not judge them. By naming exactly what is and is not visible, you can verify our claims against how the system actually behaves, including the open-source decryption tool that lets families confirm the cryptography independently.

Second, knowing the boundary helps you use the product wisely. Put sensitive content where it belongs, in the encrypted vault and your letters and videos, and treat support messages and metadata with normal, sensible care.

The short version

We cannot see your content, your passphrase, or your recovery phrase, by design and without exception. We can see the operational facts needed to run the service, like account basics and the metadata in your audit log. We tell you both because privacy you cannot verify is just a promise, and we would rather give you something you can check. See your encryption and your recovery phrase for the mechanisms behind these guarantees.