This is where we say what we actually do with your data — including the parts that are not flattering. If we can't keep a promise yet, we write it down here before we write it on a billboard.
Primary region: EU (London)
Backups: EU only
No training on your entries
DSARs: 30-day response
No training on your entries. EU primary region. DSARs answered in 30 days.
IEncryption
Encryption posture
What's encrypted, what isn't, and what that means.
End-to-end encryption is a design goal. It is not a product claim today. The table below is the current truth.
Entry bodies & voice memos
Readable by our servers
At rest: AES-256 at the managed Postgres + object-storage layerIn transit: TLS 1.3
Our servers can read these to index, back up, and serve them. True end-to-end encryption is a design goal, not a current feature.
Memorial body (photos, stories, contributor names)
Readable by our servers
At rest: AES-256In transit: TLS 1.3
Moderation, exports, and legacy-transfer flows all require server-side access. We log every administrative read and publish the audit schema on request.
These are the fields we render on the public profile, so they exist in plaintext to our application layer.
Email address & sign-in secrets
Readable by our servers
At rest: AES-256; sign-in tokens are single-use and short-livedIn transit: TLS 1.3
We do not store passwords. Magic-link tokens are hashed before write and invalidated after use.
Payment details (if you subscribe)
We never see it
At rest: Held by Stripe, not by usIn transit: TLS 1.3, tokenised at Stripe
We receive a customer id and the last four digits. The card number, CVC, and expiry never touch our database.
Backups & disaster-recovery copies
Readable by our servers
At rest: AES-256, encrypted at both the volume and the backup-tool layerIn transit: TLS 1.3 to our backup region
Backups run daily. Restore drills are rehearsed on a fixed quarterly schedule — results are logged and available on request.
Model posture
Your memory is not training fuel.
The composer offers optional assistance when you ask for it. When you do, the text you send is processed under a zero-retention commitment, never stored by the model provider, and never used to train a model. We refuse features that would require the opposite.
We keep this list short on purpose. Every vendor below has a signed data-processing agreement. We review the list quarterly and notify account holders by email before we add a new one that touches customer content.
Voice-to-text when on-device Whisper is unavailableDeepgram DPA →
Sentry
EU data centre
Error aggregation with server-side PII redactionSentry DPA →
Data residency
EU-primary, by default and on purpose.
Primary: AWS eu-west-2 (London). Backups are replicated to a second EU region. Your customer content is not written to a US region in normal operation. Some narrow, user-initiated features (e.g. voice transcription fallback) may transit a US subprocessor; those are listed above with their DPA.
Data-subject requests
See it, export it, or delete it.
Two routes, both lead to the same team.
From inside the app
The privacy dashboard shows what we store about you, per category. From there you can request a full export or request account deletion. Both open a ticket that a human on our team closes.
Write to hello@confinity.com from the email on your account. We reply within the 30-day UK/EU DSAR window, and usually the same week. We will not ask you to prove your identity beyond what the regulation requires.
No. We have not, we do not, and we contract every model subprocessor on zero-retention terms that prohibit training on any input you send us. If that ever changes, we will say so on this page before it happens.
Is memorial content end-to-end encrypted?
Not currently. Server-side access is required today for moderation, exports, and legacy transfer. We consider end-to-end encryption for a subset of fields a design goal, not a present reality. When it ships, this page and the privacy policy will say so.
Where does my data live?
The primary region is AWS eu-west-2 (London). Backups are replicated to a secondary EU region. No customer content is written to a US region in normal operation. When a US subprocessor like Deepgram is used, the content sent is minimal and limited to the feature you invoked.
How do I request, export, or delete my data?
Start at your privacy dashboard in the app. That page shows what we store about you and offers an export request and an account-deletion request. You can also email hello@confinity.com — we respond inside the UK/EU 30-day DSAR window, and usually much sooner.
What happens if Confinity shuts down?
The published preservation contract defines the shutdown promise: at least 18 months of access after any dissolution and a full export in open formats. Confinity Trust CIC formation is tracked for 2026-Q4; when it is incorporated and contracted, this page will publish the registration and operating receipts.
Is the UK age-gate based on my IP address?
Not yet. The current age gate uses your browser locale and time zone to decide whether to show the notice. IP-based geo is on the roadmap alongside the formal UK-AADC Data Protection Impact Assessment.
More in the Trust Centre
Eight sub-pages for the full, binding version.
This page is the summary. Each sub-page below covers one specific commitment in plain language — backed by the legal document that makes it real.