
Privacy Policy

Last updated: February 2026

1. Introduction

LegacyLists (“we”, “our”, or “us”) is operated by Testate Technologies Ltd, a company registered in England and Wales. We are committed to protecting the personal data of our users and their clients in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This policy explains what data we collect, how we use it, and your rights regarding that data. It applies to all users of legacylists.co.uk and our associated services.

2. What We Collect

We collect the following categories of personal data:

  • Account information: Your name, work email address, firm name, and password (securely hashed). If you subscribe, your billing address and the last four digits of your payment card.
  • Client estate data: Information you enter about your clients' estates, including properties, assets, beneficiaries, and related documents. This data is entered by authorised users and forms the core of the service we provide.
  • Usage data: How you interact with the platform, including pages visited, features used, browser type, device information, and IP address. We use this solely to improve the service.

3. How We Use Your Data

We use your personal data to:

  • Provide, maintain, and improve the LegacyLists service.
  • Process your subscription payments securely via Stripe.
  • Send you transactional emails (account verification, password resets, subscription confirmations).
  • Respond to your support enquiries and provide customer service.
  • Detect and prevent fraud, abuse, and security incidents.
  • Comply with legal obligations, including tax and accounting requirements.

We do not sell your personal data or your clients' data to third parties. We do not use estate data for advertising or marketing purposes.

4. Data Storage & Security

Your data is stored on servers operated by Supabase within the European Union. All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher.

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These include role-based access controls, row-level security policies on our database, regular security audits, and automated vulnerability scanning.

5. Data Processing for Professional Users

As a professional user, you act as a data controller for the client estate data you enter into LegacyLists. We act as a data processor on your behalf. We process client data solely for the purpose of providing the service and in accordance with your instructions.

A Data Processing Agreement (DPA) is available on request for firms that require one. Please contact us at privacy@legacylists.co.uk.

6. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

  • Right of access: You may request a copy of the personal data we hold about you.
  • Right to rectification: You may ask us to correct inaccurate or incomplete data.
  • Right to erasure: You may request that we delete your personal data, subject to legal retention requirements.
  • Right to data portability: You may request your data in a structured, commonly used, machine-readable format.
  • Right to restriction: You may ask us to restrict processing of your data in certain circumstances.
  • Right to object: You may object to processing based on legitimate interests or for direct marketing purposes.

To exercise any of these rights, please contact us at privacy@legacylists.co.uk. We will respond within 30 days of receiving your request.

7. Cookies

We use strictly necessary cookies to maintain your authenticated session and remember your preferences. We do not use advertising or tracking cookies. Analytics data is collected in an anonymised form and does not require cookie consent under UK GDPR.

8. Data Retention

We retain your account and client estate data for as long as your account is active. If you close your account, we will remove your personal data within 30 days, except where retention is required by law (e.g., financial records retained for 6 years under HMRC requirements).

Anonymised usage data may be retained indefinitely for service improvement purposes.

9. Third-Party Services

We share limited data with the following third-party processors, each of whom maintains their own GDPR-compliant privacy policies:

  • Stripe: Payment processing. Stripe receives your billing details and payment card information directly. We never store your full card number.
  • SendGrid: Transactional email delivery. SendGrid receives your email address to deliver account-related messages.
  • Supabase: Database hosting and authentication infrastructure, operating within the EU.
  • Sentry: Error monitoring. Sentry may receive anonymised technical data to help us diagnose and fix issues.
  • Vercel: Application hosting. Vercel processes requests to serve the application.

10. Changes to This Policy

We may update this privacy policy from time to time. When we make significant changes, we will notify you via email or through a prominent notice on our platform. We encourage you to review this page periodically.

11. Contact

If you have any questions about this privacy policy or our data practices, please contact our Data Protection Officer:

  • Email: privacy@legacylists.co.uk
  • Company: Testate Technologies Ltd
  • Supervisory authority: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.