Privacy policy

Last updated: [TODO: DATE] · Effective: [TODO: DATE]

The short version: Testament is a zero-knowledge encryption app. We never see your documents, your identity information, or your encryption keys. Your encrypted files are stored in your own Google Drive, not on our servers. The only data we process is what is needed to sign you in with Google, manage your subscription and, on the Business plan, manage your organization and the client portal links you create.

1. Who we are

Testament is operated by [TODO: YOUR FULL NAME], an individual developer based in Thailand. For privacy inquiries, contact us at [TODO: YOUR EMAIL].

2. What data we collect

Data we never collect, store, or transmit

Data type                                   | What happens
--------------------------------------------|----------------------------------------------------------------------------------------------------------------
Identity numbers (NID, passport, SSN, etc.) | Used momentarily on your device for encryption key derivation, then immediately discarded. Never leaves your device.
Dates of birth                              | Same as identity numbers: on-device only, discarded after use.
Secret phrases                              | Same as identity numbers: on-device only, discarded after use.
Document content (plaintext)                | Encrypted on your device before upload. We never see the original file.
Encryption keys                             | Derived on your device, used once, then zeroed from memory. Never transmitted.

Data we do process

Data type                               | Purpose                                            | Where stored                                                                  | Retention
----------------------------------------|----------------------------------------------------|-------------------------------------------------------------------------------|--------------------------------------------------------------
Google account email and name           | Sign-in, account display                           | Your device (secure storage)                                                  | Until you sign out
Google OAuth tokens                     | Authenticate with Google Drive                     | Your device (OS keychain); passes through our auth proxy during token exchange | Device: until sign out. Proxy: not stored (pass-through only)
Subscription status                     | Determine your plan tier and features              | Apple/Google/Stripe (payment provider)                                        | As long as subscription is active
Organization membership (Business plan) | Link your account to your firm's organization      | Cloudflare KV (email, role, join date only)                                   | Until removed from org
Client portal snapshots (Business plan) | Render read-only document status page for clients  | Cloudflare KV (encrypted, with TTL expiry)                                    | Until link expires or is revoked

Data stored on your device only

3. Your encrypted files

Your encrypted .testament files are stored in your own Google Drive account, inside a "Testament Vault" folder. We have no access to your Google Drive. The files are encrypted with AES-256-GCM before leaving your device — even Google cannot read them without the identity factors.

We do not back up, cache, index, or analyze your encrypted files. We do not hold a server-side copy of any user's documents.

4. Our auth proxy

Testament uses a Cloudflare Worker as an authentication proxy. This proxy performs one function: exchanging Google OAuth authorization codes for access tokens, so that the app doesn't need to embed the OAuth client secret.

The proxy:

5. Organization data (Business plan)

If you use the Business plan, we store the following in Cloudflare KV to manage your organization:

This data contains no identity documents (NID, DOB, etc.), no encryption keys, and no document content. It is the minimum needed to manage team membership and billing.

6. Client portal snapshots (Business plan)

When an attorney generates a signed web link for a client, we store an encrypted snapshot in Cloudflare KV containing:

The snapshot is encrypted with AES-256-GCM at rest. It does not contain document content, identity information, or encryption keys. Snapshots are automatically deleted when they expire (based on the TTL set by the attorney) or when the attorney revokes the link.

7. Payment processing

We do not process credit cards or payment information directly. All payments are handled by:

Each payment provider has its own privacy policy. We receive only subscription status information (active/expired, plan tier, renewal date) — never card numbers, bank details, or billing addresses.

8. Analytics and tracking

Testament does not use any third-party analytics, tracking, or advertising SDKs. We do not track your usage, do not build profiles, and do not sell data to anyone. We do not display ads.

9. Cookies

The Testament web app and landing pages do not use cookies. The client portal (signed web link) does not use cookies. No tracking cookies, no analytics cookies, no advertising cookies.

10. Children's privacy

Testament is not directed at children under 13 (or under 16 in the EU). We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

11. International data transfers

Our auth proxy and KV storage run on Cloudflare's global network. Data may be processed in any country where Cloudflare has infrastructure. Cloudflare maintains Standard Contractual Clauses (SCCs) for EU data transfers. Your encrypted documents remain in your Google Drive, subject to Google's data residency policies.

12. Data protection rights

For all users

You can:

PDPA (Thailand)

Under Thailand's Personal Data Protection Act, you have the right to access, correct, delete, restrict, and port your personal data. Since Testament stores virtually no personal data (identity information is never stored, documents are in your own Drive), most PDPA rights are satisfied by design. For any PDPA request, contact [TODO: YOUR EMAIL].

GDPR (European Union)

Under the General Data Protection Regulation, you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data. Our legal bases for processing are contract performance (providing the service you signed up for) and legitimate interest. For any GDPR request, contact [TODO: YOUR EMAIL]. We will respond within 30 days.

CCPA (California)

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. California residents have the right to know what data we collect (see Section 2 above), request deletion, and opt out of sale (not applicable — we don't sell data). Contact [TODO: YOUR EMAIL] for any CCPA request.

13. Data breach notification

In the unlikely event of a data breach affecting personal data we hold (organization membership data and client portal snapshots), we will notify affected users by email within 72 hours of becoming aware of it and update this page. Document content cannot be breached through us: we never have it.

14. Changes to this policy

We may update this privacy policy to reflect changes in the app or legal requirements. Significant changes will be announced in the app and on this page. The "last updated" date at the top always reflects the most recent version.

15. Contact

For privacy questions, data requests, or concerns:

Email: [TODO: YOUR EMAIL]
Location: Thailand
Response time: within 14 days (30 days for formal GDPR/PDPA requests)