Data Protection & GDPR

Your privacy and data security are our top priorities. Learn how we protect your information in full compliance with UK GDPR and Data Protection Act 2018.

Our commitment to data protection

At Keystone Estate Planning, we understand that you're entrusting us with some of your most sensitive personal information. We take this responsibility seriously and have implemented comprehensive measures to protect your data.

We are registered with the Information Commissioner's Office (ICO) and fully comply with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018.

GDPR principles we follow

Our data handling practices are built on these core principles

Lawfulness, Fairness & Transparency

We process your data lawfully, fairly, and in a transparent manner. You always know what data we collect and why.

Purpose Limitation

We collect your data for specific, explicit, and legitimate purposes only - creating your estate planning documents.

Data Minimisation

We only collect data that is necessary for providing our services. Nothing more, nothing less.

Accuracy

We take reasonable steps to ensure your personal data is accurate and kept up to date.

Storage Limitation

We keep your data only as long as necessary for legal and service purposes, then securely delete it.

Integrity & Confidentiality

Your data is protected with bank-level encryption and strict security measures against unauthorized access.

Your rights

Under UK GDPR, you have comprehensive rights over your personal data

Right to be informed

You have the right to know how your data is being used. Our privacy policy provides clear information.

Right of access

You can request a copy of all personal data we hold about you through your dashboard.

Right to rectification

If your data is inaccurate or incomplete, you can update it directly in your account settings.

Right to erasure

You can request deletion of your personal data, subject to legal retention requirements.

Right to restrict processing

You can request that we temporarily limit how we use your data in certain circumstances.

Right to data portability

You can request your data in a structured, machine-readable format to transfer to another service.

Right to object

You can object to certain types of data processing, such as direct marketing.

Rights related to automated decision making

We do not use automated decision making or profiling that produces legal effects.

To exercise any of these rights, visit your account dashboard or contact us directly.

Request your dataContact us

How we protect your data

Technical and organizational security measures we have in place

Encryption

All data is encrypted in transit (TLS/SSL) and at rest (AES-256).

Secure Infrastructure

Hosted on secure UK-based servers with regular security audits.

Access Controls

Strict role-based access controls and multi-factor authentication for staff.

Audit Logging

All access to personal data is logged and monitored for security.

Regular Backups

Daily encrypted backups stored securely in multiple locations.

Incident Response

Documented procedures for handling any potential data breaches.

Data retention policy

Active accounts: We retain your personal data while your account is active and for the period necessary to provide our services.

Legal retention requirements: For estate planning documents, we are required to retain certain records for up to 7 years after account closure for legal and regulatory purposes.

Account deletion: When you request account deletion, we will delete or anonymize your personal data within 30 days, except where we have a legal obligation to retain it.

Backups: Deleted data may persist in encrypted backups for up to 90 days before permanent deletion.

Third-party data sharing

We do not sell, rent, or trade your personal data with third parties for marketing purposes. We only share your data when necessary to provide our services:

  • Payment processing: Stripe (PCI-DSS compliant) for secure payment handling
  • Email communications: AWS SES for transactional emails only
  • Document storage: Secure UK-based cloud storage providers
  • Legal requirements: When required by law, court order, or regulatory authority

All third-party processors are carefully vetted and bound by data protection agreements that meet GDPR standards.

Questions about data protection?

Our Data Protection Officer is here to help with any questions or concerns about how we handle your personal information.

Contact our DPORead privacy policy

Last updated: 6 December 2025