Privacy Policy
Effective date: May 13, 2026
[ Your Browser ]
│
├─ You enter your vault passphrase
├─ Encryption key derived locally (PBKDF2 · 310,000 iterations)
├─ Data encrypted before leaving (AES-256-GCM · unique IV per field)
│
│ ← server boundary →
│
▼
[ Fern & Echo Servers ]
│
├─ Receive : encrypted blobs only
├─ Store : ciphertext (mathematically unreadable without your key)
├─ Never : your passphrase, derived key, or entry contents/titles
├─ Always : section names, entry counts, timestamps (structural metadata only)
├─ Opt-in : field usage patterns (boolean filled/not-filled per field, no values)
│
▼
[ You unlock on any device ]
│
├─ Encrypted blobs retrieved from server
├─ Decrypted locally in your browser
└─ Plaintext exists only in your session · never written to disk or server
What Fern & Echo Can and Cannot See
The table below shows every category of data we handle, a real example of what it looks like in our database, and the realistic risk if that data were exposed. We believe you deserve to see this clearly.
| Data | Example | Risk if exposed | Visibility |
|---|---|---|---|
| Account information — always collected | |||
| Name & email | Tommy W Jenkins · [email protected] | Identity + contact vector for phishing or social engineering | Plaintext |
| Subscription tier | free / monthly / annual | Indicates financial relationship with service | Plaintext |
| Account created | 2026-05-04 16:47:11 | Low risk — account age only | Plaintext |
| Structural metadata — always collected | |||
| Section names & types | [financial] Banking · [account] Email | Reveals domains of life — financial, legal, medical. Can indicate life stage, net worth bracket, institution targets for phishing | Plaintext |
| Entry counts per section | Banking — 2 entries · Email — 1 entry | Low risk alone. Combined with section names reveals vault completeness and account density | Plaintext |
| Entry timestamps | created: 2026-05-04 · updated: 2026-05-04 | Activity patterns. Rapid updates can correlate to life events — estate planning, account changes, emergencies | Plaintext |
| Dependency graph | entry:55 → entry:56 (depends) | ID-only edges. Low risk without titles — reveals account structure but not account names | Plaintext |
| Entry content — client-side encrypted | |||
| Entry titles | ifmvSzkcD/kGZHAL:akj... | Ciphertext only. Titles were the highest-value plaintext we used to hold; they are now encrypted client-side before they reach our servers | Encrypted |
| MFA methods | Cy1jFSu4sorjUnOR:D5M... | Ciphertext only. Would reveal security posture — now encrypted | Encrypted |
| Credentials, URLs, notes | url_encrypted · notes_encrypted · extra_encrypted | Ciphertext only. Mathematically unreadable without vault key | Encrypted |
| Field usage analytics — opt-in only | |||
| Field usage logs | [financial] url: empty · custom:test: filled | Boolean only — no values collected. Reveals which fields users fill, not what they contain. Used for form improvements only | Opt-in |
* We plan to encrypt section names in a future release, which will further reduce the structural metadata visible to us.
1. What We Collect
We collect the minimum information necessary to operate the service:
- Account information — your name and email address, used for authentication and service communications.
- Encrypted vault data — ciphertext blobs generated in your browser. We store these blobs but they are mathematically unreadable to us without your vault key, which never leaves your device.
- Access logs — timestamps of login attempts and the IP addresses of failed login attempts, used for security monitoring and IP-based abuse prevention. We do not log IP addresses for successful vault access.
- Share activity — metadata about vault shares you create (who you shared with, when, and access status). Shared content is also encrypted.
- Billing information — if you subscribe to a paid plan, payment is processed by a third-party provider (Stripe). We do not store card numbers.
2. What We Cannot See
Your vault contents are encrypted client-side using AES-GCM with a key derived from your vault passphrase. This encryption happens entirely in your browser. As a result:
- We cannot read your vault entry titles, credentials, notes, or any content stored within entries. Entry titles and MFA methods are encrypted client-side before reaching our servers.
- We can see the names and types of your vault sections (e.g. "Banks", "Legal") and the number of entries per section. This structural metadata is stored unencrypted to enable navigation.
- We cannot recover your vault if you lose your passphrase. There is no server-side key escrow.
- Even in the event of a data breach, your vault contents remain ciphertext. An attacker holding the stolen blobs still has to guess your passphrase, paying 310,000 PBKDF2 iterations per guess, so the strength of your passphrase is what protects you: a long, unique passphrase cannot be brute-forced in practice, while a short or reused one can be.
- Support staff cannot inspect, export, or recover vault contents on your behalf.
Structural metadata
While vault entry contents and titles are encrypted client-side, certain structural metadata is stored unencrypted on our servers to enable the service to function:
- Section names and types — for example "Banks" or "Legal". These are visible to Fern & Echo.
- Entry counts — the number of entries per section.
- Timestamps — when entries and sections were created or last updated.
- Dependency relationships — numeric identifiers linking entries to each other (without labels or titles).
We store this metadata because it is required to render your vault structure, calculate your readiness score, and enable navigation before your vault is unlocked. This metadata does not include entry contents, credentials, or titles.
We intend to encrypt section names in a future release, further reducing the structural metadata visible to us.
Optional field usage analytics — if you opt in via vault settings, we additionally collect anonymized field usage patterns: which fields you fill when saving entries, recorded as true/false per field key. No field values are ever collected. This data is used solely to improve default form layouts. You can opt out at any time from vault settings.
3. How We Use Your Information
- To authenticate you and maintain your session.
- To store and retrieve your encrypted vault blobs.
- To send transactional emails — account verification, password reset, share notifications (if enabled).
- To detect and block abuse — repeated failed logins, suspicious IPs.
- To process subscription billing through our payment provider.
We do not sell your data, run advertising, or share your information with third parties for marketing purposes.
4. Executor Setup & Estate Planning Features
Fern & Echo includes an optional executor designation feature designed to help your chosen representative act on your behalf after your passing or incapacitation. We want to be transparent about how this works and what we store.
What the executor feature does
When you designate an executor, you are granting a specific, named person access to your vault contents. This access uses the same technical mechanism as vault sharing: the key that decrypts your vault data is made available to your designated executor through a key exchange that you complete in your browser. Fern & Echo cannot read your vault contents, and neither can your executor until you have completed that key exchange.
What we store as part of executor setup
- The email address of your designated executor
- The order in which you want your vault sections presented to your executor
- Your customized executor playbook — a checklist of tasks you want your executor to complete, which may include personal notes you have written
This information is not encrypted with your vault key. It is stored as standard account metadata, similar to your name and email address, because it must be readable to render your executor's experience before any vault is unlocked. It is designed to hold instructions and ordering, not secrets: do not put credentials, account numbers, or other sensitive financial, medical, or personal information in playbook notes, since unlike vault entries they are not encrypted. Keep such details in a vault entry and refer to that entry from the playbook instead.
What your executor can access
Your executor can only access your vault contents after you have completed the key exchange — a process that
happens in your browser and is initiated by you. Fern & Echo does not have the ability to grant executor
access on your behalf, override your designation, or provide access to any party not explicitly designated
by you. There is no backdoor, no trigger mechanism, and no escrow. If you have not completed the key
exchange, your executor cannot access your vault, regardless of circumstances.
Executor playbook and resource library
The executor playbook is a customizable checklist stored in your account. Default playbook items are
provided by Fern & Echo as a starting point — you may add, remove, or reorder them. Playbook items may link
to guides in the Fern & Echo resource library. These guides are publicly accessible pages and are not
personalized or tied to your account data. They exist to help executors understand common tasks — notifying
banks, filing final tax returns, closing accounts — regardless of whether they have a Fern & Echo account.
Why we built it this way
We believe people deserve to know exactly what happens to their digital life after they are gone, and their
loved ones deserve the tools to manage it without confusion or delay. The executor feature exists to make
that process as clear and actionable as possible. We do not use executor setup data for advertising,
analytics profiling, or any purpose other than rendering your executor's experience as you configured it.
5. Data Retention
Your encrypted vault data and account information are retained for as long as your account is active. If you delete your account, your data is permanently removed from our systems. Access logs are retained for a rolling 90-day window for security purposes.
Unverified accounts — accounts where email verification has not been completed — are automatically deleted after 30 days. This is consistent with data minimization principles under GDPR and CCPA. To prevent deletion, simply verify your email address using the link sent at registration.
6. Cookies and Local Storage
We use session cookies strictly for authentication. We do not use tracking cookies or third-party analytics. Your vault key is held in sessionStorage for the duration of your browser tab's session; sessionStorage is scoped to that tab and to the Fern & Echo origin, is cleared when the tab closes, and, like any in-page state, is accessible to JavaScript running on that origin. The key is never written to a cookie or sent to the server.
7. Third-Party Services
- Stripe — payment processing for paid plans. Subject to Stripe's own privacy policy.
- Email provider — transactional email delivery. Emails contain no vault content.
No analytics platforms, ad networks, or data brokers are used.
8. Your Rights
You may request a copy of your account data, correction of inaccurate information, or deletion of your account at any time. Because vault contents are encrypted and unreadable to us, any data export we provide will include the raw encrypted blobs. To exercise these rights, contact us at the address below.
9. Changes to This Policy
If we make material changes to this policy, we will notify you by email or by a notice on the dashboard prior to the change taking effect. Continued use of the service after changes constitutes acceptance.
10. Contact
Questions about this policy or your data can be directed to us at [email protected]. If you are using a self-hosted instance of Fern & Echo, contact your administrator directly.
To formally exercise your rights under GDPR or CCPA, use our privacy request form. We will respond within 30 days.
11. GDPR & CCPA
If you are located in the European Economic Area, United Kingdom, or California, you have additional rights regarding your personal data:
- The right to access, correct, or delete your account data at any time.
- The right to data portability — you may request an export of your account information.
- The right to object to or restrict processing of your data.
- California residents may request disclosure of any personal information shared with third parties for direct marketing purposes. We do not share data for this purpose.
To exercise any of these rights, email [email protected]. Because vault contents are client-side encrypted, any export will contain ciphertext only — we have no means to provide plaintext vault data.
12. Law Enforcement & Legal Requests
Fern & Echo is designed so that we cannot access your vault contents — not by policy, but by architecture. All vault data is encrypted client-side before it reaches our servers. We hold ciphertext we cannot read.
What we can provide in response to a valid legal request:
- Account metadata — email address, account creation date, subscription status, last login timestamp
- Audit log actions — events such as vault unlocked, entry created, export downloaded (no content)
- Share relationship records — who shared with whom, timestamps (no vault contents)
- IP addresses associated with failed login attempts only — we do not log IPs for successful vault access
What we cannot provide under any circumstances:
- Vault contents — entries, titles, URLs, notes, account numbers, or any encrypted field
- Vault encryption keys — these exist only in the user's browser session and are never transmitted to or stored on our servers
- Plaintext versions of any encrypted data
All legal requests must be directed to [email protected]. We review every request for legal sufficiency before responding. We will notify affected users of requests to the extent permitted by law.
We publish an annual transparency report summarizing the number and type of legal requests received. See our Transparency Report.
Policy Changelog
| Date | Change |
|---|---|
| 2026-05-13 | Initial policy published. |
| 2026-05-01 | Added executor setup & estate planning features section. |