# MyFinalMessage — Privacy Policy

**Effective Date:** May 26, 2026
**Last Updated:** May 26, 2026

> **Compliance Basis:** GDPR (EU) 2016/679 Articles 13 & 14 | KVKK (Turkish Law No. 6698) | CCPA / CPRA (California)

---

## Table of Contents

1. [Identity of the Data Controller](#1-identity-of-the-data-controller)
2. [EU Representative](#2-eu-representative)
3. [Data We Collect](#3-data-we-collect)
4. [Special Categories of Personal Data](#4-special-categories-of-personal-data)
5. [How We Use Your Data](#5-how-we-use-your-data)
6. [Third-Party Data: Emergency Contacts & Recipients](#6-third-party-data-emergency-contacts--recipients)
7. [Data Sharing & Subprocessors](#7-data-sharing--subprocessors)
8. [International Data Transfers](#8-international-data-transfers)
9. [Data Retention Schedule](#9-data-retention-schedule)
10. [Your Rights under GDPR](#10-your-rights-under-gdpr)
11. [Your Rights under KVKK](#11-your-rights-under-kvkk)
12. [Your Rights under CCPA / CPRA](#12-your-rights-under-ccpa--cpra)
13. [Automated Decision-Making](#13-automated-decision-making)
14. [Security Measures](#14-security-measures)
15. [Children's Privacy](#15-childrens-privacy)
16. [Cookies & Tracking Technologies](#16-cookies--tracking-technologies)
17. [Changes to This Policy](#17-changes-to-this-policy)
18. [How to Exercise Your Rights](#18-how-to-exercise-your-rights)
19. [Right to Lodge a Complaint](#19-right-to-lodge-a-complaint)
20. [Contact](#20-contact)

---

## 1. Identity of the Data Controller

**Data Controller:**
MyFinalMessage
an online legacy message vault service operated from Turkey
Istanbul, Turkey
Email: **support@myfinalmessage.info**
Website: **myfinalmessage.info**

**MyFinalMessage** ("the Company," "we," "us," or "our") operates the MyFinalMessage platform, accessible at myfinalmessage.info, and is the sole Data Controller for all personal data collected, processed, and stored in connection with the Service.

For the purposes of:
- The **General Data Protection Regulation (GDPR)** (EU) 2016/679: MyFinalMessage is the Data Controller within the meaning of GDPR Article 4(7).
- The **Turkish Personal Data Protection Law (KVKK)**, Law No. 6698: MyFinalMessage is the Data Controller (*veri sorumlusu*) within the meaning of KVKK Article 3(1)(i).
- The **California Consumer Privacy Act (CCPA)**, as amended by the California Privacy Rights Act (CPRA): MyFinalMessage is a "business" within the meaning of Cal. Civ. Code § 1798.140(d).

---

## 2. EU Representative

Pursuant to **GDPR Article 27**, MyFinalMessage will designate an EU Representative to act on behalf of the Company in relation to the Company's obligations under GDPR upon the formal launch of the Service to users in the European Union / European Economic Area:

**EU Representative:**
support@myfinalmessage.info (Direct inquiries handled centrally pending local representative appointment)

EU/EEA residents will be able to contact the EU Representative directly in their own language regarding any GDPR-related matter. In the interim, and until a formal representative is appointed, all GDPR-related queries should be directed to the Data Controller at **support@myfinalmessage.info**.

---

## 3. Data We Collect

MyFinalMessage collects the following categories of personal data, depending on your use of the Service:

### 3.1 Account & Identity Data

| Data Item | Description | Source |
|---|---|---|
| Full name | The name you provide at registration | Provided by user |
| Email address | Your registered email address used for login, check-ins, and notifications | Provided by user |
| Password hash | Your password is never stored in plaintext; the system hashes it using bcrypt before database storage | Generated at registration |
| Phone number | Optional; stored for future compatibility (SMS notifications are currently disabled/unsupported) | Provided by user |
| Account creation timestamp | Date and time your account was created | Generated automatically |
| Account plan status | Free Trial / Essential / Family — your current subscription tier | Generated automatically |
| Check-in interval setting | Your chosen Proof of Life interval (e.g., 6 months, 1 year) | Provided by user |

### 3.2 Video & Audio Content Data

| Data Item | Description | Source |
|---|---|---|
| Video file (encrypted blob) | Your uploaded personal video message, stored in AES-256-GCM encrypted form on Google Cloud Storage | Uploaded by user |
| Encrypted Data Encryption Key (DEK) | The AES-256-GCM key used to encrypt your video, itself encrypted by the Google Cloud KMS root Key Encrypting Key (KEK); stored in Cloud Firestore | Generated automatically at upload |
| Nonce / Initialization Vector (IV) | Cryptographic nonce used in AES-256-GCM encryption; stored in Cloud Firestore alongside the encrypted DEK | Generated automatically at upload |
| Video metadata | File name, file size, upload timestamp, dispatch status ("pending" / "dispatched"), associated recipient IDs | Generated automatically at upload |

### 3.3 Emergency Contact Data

| Data Item | Description | Source |
|---|---|---|
| Emergency contact full name | Name of each emergency contact you designate | Provided by user |
| Emergency contact email address | Email address of each emergency contact | Provided by user |
| Emergency contact phone number | Phone number of each emergency contact (optional) | Provided by user |

### 3.4 Recipient Data

| Data Item | Description | Source |
|---|---|---|
| Recipient full name | Name of each video recipient you designate | Provided by user |
| Recipient email address | Email address to which the video delivery link will be sent | Provided by user |
| Recipient phone number | Phone number of recipient; stored for future compatibility (SMS notifications are currently disabled/unsupported) | Provided by user |

### 3.5 Check-In & Escalation History

| Data Item | Description | Source |
|---|---|---|
| Check-in timestamps | Date and time of each successful Proof of Life check-in response | Generated automatically |
| Escalation event log | Log of each escalation email sent, emergency contact notification, and dispatch trigger event | Generated automatically |
| Dispatch timestamp | Date and time the Video Dispatch Engine was triggered | Generated automatically |

### 3.6 Payment & Transaction Data

| Data Item | Description | Source |
|---|---|---|
| Dodo Payments checkout transaction token | A non-sensitive reference identifier returned by Dodo Payments after a successful payment; not a card number | Generated by Dodo Payments |
| Transaction amount | Amount paid in the applicable currency | Generated at purchase |
| Transaction date | Date and time of each payment | Generated at purchase |
| Plan purchased | Which plan (Essential / Family) was purchased | Generated at purchase |

> **We do not collect, see, or store your credit card number, CVV, or bank account details. All payment card data is handled exclusively by Dodo Payments, Inc. (operating as Dodo Payments)**

### 3.7 Technical & Usage Data

| Data Item | Description | Source |
|---|---|---|
| IP address | Your IP address at the time of login, registration, and certain in-app actions | Collected automatically |
| Device information | Browser type, operating system, screen resolution (collected via session) | Collected automatically |
| Session tokens | JSON Web Tokens (JWT) used to maintain your logged-in state | Generated automatically |
| Log data | Server-side logs of platform requests, errors, and security events | Collected automatically |

---

## 4. Special Categories of Personal Data

**4.1 Video and Audio as Biometric / Special Category Data.** The video and audio recordings you upload to MyFinalMessage may contain:

- Your **facial image**, which may constitute biometric data under GDPR Article 4(14) and KVKK Article 3(1)(b) (sensitive personal data / *özel nitelikli kişisel veri*);
- Your **voiceprint**, which may constitute biometric data to the extent it is used to uniquely identify you;
- Information about your **health, beliefs, opinions, or other sensitive matters** that you voluntarily include in your video content.

Such data constitutes **special category personal data** under **GDPR Article 9** and **sensitive personal data** under **KVKK Article 6**.

**4.2 Legal Basis for Processing Special Category Data.** We process special category data only on the basis of your **explicit consent** (GDPR Article 9(2)(a); KVKK Article 6(3)). This explicit consent is obtained when you:

- (a) affirmatively check the Terms of Service / Privacy Policy acceptance checkbox at registration; and
- (b) actively upload a video file to your MyFinalMessage vault.

The act of uploading constitutes an affirmative, specific, informed, and unambiguous act of consent to the storage and posthumous dispatch of content that may contain biometric and special category data.

**4.3 Withdrawal of Consent.** You may withdraw your consent to the processing of special category data at any time by deleting the relevant video from your vault or by deleting your account entirely. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

---

## 5. How We Use Your Data

We process your personal data only for the following specified, explicit, and legitimate purposes, with the identified legal basis under GDPR:

| Purpose | Data Used | Legal Basis (GDPR) | KVKK Basis |
|---|---|---|---|
| **Account creation and authentication** | Name, email, password hash, session tokens | Art. 6(1)(b) — performance of contract | Art. 5(2)(c) — necessary for contract |
| **Service delivery: video storage** | Encrypted video blob, DEK, IV, video metadata | Art. 6(1)(b) — performance of contract | Art. 5(2)(c) — necessary for contract |
| **Service delivery: Proof of Life check-in emails** | Email address, check-in interval | Art. 6(1)(b) — performance of contract | Art. 5(2)(c) — necessary for contract |
| **Service delivery: escalation email sequence** | Email address, escalation event log | Art. 6(1)(b) — performance of contract | Art. 5(2)(c) — necessary for contract |
| **Service delivery: emergency contact notification** | Emergency contact name, email, phone | Art. 6(1)(f) — legitimate interest (enabling posthumous dispatch as contracted) | Art. 5(2)(f) — legitimate interest |
| **Service delivery: video dispatch to recipients** | Recipient name, email, phone; encrypted video (decrypted client-side in browser) | Art. 6(1)(b) + Art. 6(1)(a) (explicit consent for biometric content dispatch) | Art. 5(2)(c) + Art. 6(3) |
| **Payment processing** | Dodo Payments Transaction ID, transaction data | Art. 6(1)(b) — performance of contract | Art. 5(2)(c) — necessary for contract |
| **Transaction record retention (tax/legal)** | Transaction data (amount, date, plan) | Art. 6(1)(c) — legal obligation (Turkish tax law, 7-year retention) | Art. 5(2)(ç) — legal obligation |
| **Platform security and fraud prevention** | IP address, session tokens, log data | Art. 6(1)(f) — legitimate interest (platform security) | Art. 5(2)(f) — legitimate interest |
| **Abuse prevention (re-registration block)** | SHA-256 email hash (post-deletion) | Art. 6(1)(f) — legitimate interest (abuse prevention) | Art. 5(2)(f) — legitimate interest |
| **Platform communications (service notices, updates)** | Email address | Art. 6(1)(b) — performance of contract | Art. 5(2)(c) — necessary for contract |
| **GDPR/KVKK/CCPA compliance** | As required by the applicable request | Art. 6(1)(c) — legal obligation | Art. 5(2)(ç) — legal obligation |

**5.1 No Marketing Use.** We do not use your personal data for marketing, advertising, profiling, or sale to third parties. We do not send promotional emails unless you have explicitly opted in to receiving platform update newsletters (opt-out available at any time).

**5.2 No Automated Profiling for Other Purposes.** The only automated decision-making applied to your data is the Proof of Life escalation and dispatch system, described in detail in Section 13. No other automated profiling occurs.

---

## 6. Third-Party Data: Emergency Contacts & Recipients

**6.1 Applicability of GDPR Article 14.** Your emergency contacts and your video recipients are **not registered users of MyFinalMessage**. Their personal data is provided to us by you. This Section constitutes the required Article 14 GDPR disclosure for data subjects whose data is collected from a third party (the registered user).

**6.2 Categories of Data Stored About Third Parties.**

*Emergency contacts:*
- Full name
- Email address
- Phone number (if provided)

*Video recipients:*
- Full name
- Email address
- Phone number (if provided)

**6.3 Legal Basis for Processing Third-Party Data.** Third-party personal data is processed on the basis of the **legitimate interest** of the registered user and MyFinalMessage (GDPR Article 6(1)(f)), specifically: (a) enabling the posthumous delivery of video messages that the user has contracted MyFinalMessage to dispatch; and (b) enabling emergency contacts to intervene in the escalation sequence before false dispatch occurs. We have assessed that these legitimate interests are not overridden by the rights and freedoms of the data subjects, given the limited nature of the data collected and the clear expectation that emergency contacts and recipients are designated by persons known to them.

**6.4 Notification of Third Parties.** Emergency contacts and recipients are notified by MyFinalMessage in the following circumstances:

| Person | When Notified | Method | Content of Notification |
|---|---|---|---|
| Emergency contact | When the escalation sequence reaches Step 5 (Section 6.3 of Terms of Service) | Email via Amazon SES | Informed that the user has designated them as an emergency contact; asked to confirm whether the user is alive or deceased; informed of the consequences of their response |
| Video recipient | When the Video Dispatch Engine dispatches the user's video | Email via Amazon SES (SMS notifications are currently disabled/unsupported) | Informed that the user has sent them a personal video message; provided a secure, time-limited link to access the video; informed of the 90-day access window |

**6.5 Third Parties' Rights.** Emergency contacts and recipients whose data we hold have the following rights:
- **Right to access:** Request confirmation of whether we hold their data and obtain a copy.
- **Right to erasure:** Request deletion of their data. Note: deletion of an emergency contact's data may prevent us from fulfilling the user's escalation sequence.
- **Right to object:** Object to processing based on legitimate interest. We will comply unless we have a compelling legitimate ground.

Third parties may exercise these rights by contacting **support@myfinalmessage.info**.

**6.6 Data Minimisation.** We collect only the name, email address, and (optionally) phone number of emergency contacts and recipients. We do not collect any additional data about these individuals, and we do not contact them for any purpose other than those described in Section 6.4.

---

## 7. Data Sharing & Subprocessors

MyFinalMessage shares personal data only with the following third-party subprocessors, each engaged under a binding data processing agreement (DPA), for the strictly limited purposes described:

| Subprocessor | Role | Data Shared | Location | DPA / Compliance Basis |
|---|---|---|---|---|
| **Google LLC** (Google Cloud Platform — GCP, Cloud Firestore, Cloud Storage, Cloud KMS, Cloud Run) | Cloud infrastructure; hosting; encrypted video storage; metadata database; key management | All categories of data listed in Section 3 (stored in encrypted or hashed form); bcrypt password hashes | europe-west1 (Saint-Ghislain, Belgium) | Google Cloud Data Processing Addendum; Standard Contractual Clauses (SCCs) |
| **Google LLC** (Google Ads) | Conversion tracking and campaign optimization | Cookie data; conversion events (registrations and purchases); transactional metadata | USA / Global | Google Controller-Controller Data Protection Terms; EU Standard Contractual Clauses (SCCs) |
| **Dodo Payments, Inc. (operating as Dodo Payments)** | Payment processing | Payment card data (handled solely by Dodo Payments); Dodo Payments checkout transaction token; transaction metadata | USA (Dodo Payments global infrastructure) | Dodo Payments Data Processing Agreement; PCI-DSS Level 1 |
| **Twilio Inc.** | SMS delivery (currently disabled/unsupported; retained for future compatibility) | Recipient phone number; emergency contact phone number (where SMS is used); message content | USA (Twilio global infrastructure) | Twilio Data Protection Addendum |
| **Amazon Web Services, Inc. (Amazon SES)** | Transactional email delivery (check-in emails; escalation emails; dispatch notification emails to recipients; emergency contact emails) | Registered user email; emergency contact email; recipient email; email content | AWS EU region selected for SES sending, with AWS global infrastructure support | AWS Data Processing Addendum |

**7.1 No Sale of Data.** We do not sell, rent, license, or trade your personal data to any third party for marketing or advertising purposes. We do not disclose personal data to data brokers.

**7.2 Business Transfers & Asset Acquisitions (Outright Sale).** In the event of a merger, acquisition, corporate reorganization, or sale of all or substantially all of our assets (specifically including an outright bulk sale of the platform, codebase, domain, and data assets), the database containing your personal data, emergency contact data, recipient data, metadata, and all other user-associated records will be transferred to the acquiring or successor entity as a core business asset. Upon transfer, the buyer/successor acquires full ownership and control over the database and data processing activities. The buyer/successor is not bound to maintain the operational, cryptographic, or privacy commitments of the prior administration and reserves the unrestricted right to govern, process, and utilize the transferred data under its own terms and revised privacy policies, subject only to providing users with notifications required by applicable data protection laws.

**7.3 Law Enforcement Requests.** If we receive a valid and legally binding request from a law enforcement or governmental authority under Turkish law or other applicable international legal assistance frameworks, we will comply to the minimum extent legally required, and will notify affected users where permitted to do so.

---

## 8. International Data Transfers

**8.1 Transfer Outside Turkey and the EEA.** All user data processed by MyFinalMessage is stored on Google Cloud Platform in the **europe-west1 region (Saint-Ghislain, Belgium)**. Since Belgium is a member of the European Union, storing personal data in this region guarantees compliance with GDPR requirements. Storing personal data within the European Economic Area (EEA) complies with GDPR Chapter V requirements without requiring international data transfer safeguards.

**8.2 Safeguards for EU/EEA to USA Transfer.** International transfers of personal data from the EEA to Google LLC's US infrastructure are covered by:

- **Standard Contractual Clauses (SCCs):** The European Commission-approved Standard Contractual Clauses (Controller-to-Processor) incorporated into Google's Cloud Data Processing Addendum, pursuant to GDPR Article 46(2)(c).
- **Google Cloud Data Processing Addendum (GCP DPA):** Available at [https://cloud.google.com/terms/data-processing-addendum](https://cloud.google.com/terms/data-processing-addendum). This DPA governs Google's processing of personal data on our behalf and incorporates the applicable SCCs.

**8.3 Safeguards for Turkey to USA Transfer.** Transfers of personal data from Turkey to Google's US infrastructure are addressed through contractual mechanisms and our assessment of appropriate safeguards in accordance with KVKK Article 9 and secondary KVKK regulations. We rely on Google's standard contractual protections and the GCP DPA as a mechanism providing equivalent protection.

**8.4 Transfer Impact Assessment.** We have reviewed Google's Data Centre Security practices, encryption standards, and legal compliance frameworks and have determined that the safeguards in place provide an essentially equivalent level of protection to that afforded in the EEA and Turkey.

**8.5 Dodo Payments, Twilio, and AWS Transfers.** Transfers of limited personal data to Dodo Payments, Inc. (operating as Dodo Payments), Twilio Inc. (SMS delivery is currently disabled/unsupported), and AWS/Amazon SES for payment processing and email communications delivery are covered by their respective Data Processing Agreements, which incorporate applicable SCCs or other recognized transfer mechanisms.

---

## 9. Data Retention Schedule

We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by applicable law. The following table sets out our complete data retention schedule:

| Data Category | Retention Period | Basis |
|---|---|---|
| **Encrypted video files (GCS)** | Indefinitely while account is active, subject to 180-day post-dispatch dormancy delete | Service delivery (contract) |
| **Encrypted DEK + IV (Firestore)** | Indefinitely while account is active, subject to 180-day post-dispatch dormancy delete | Service delivery (contract) |
| **Emergency contact data** (name, email, phone) | Indefinitely while account is active, subject to 180-day post-dispatch dormancy delete | Legitimate interest (contract performance) |
| **Recipient data** (name, email, phone) | Indefinitely while account is active, subject to 180-day post-dispatch dormancy delete | Legitimate interest (contract performance) |
| **Check-in history & account metadata** | Indefinitely while account is active, subject to 180-day post-dispatch dormancy delete | Service delivery (contract) |
| **Session tokens** | Until session expiry or logout | Technical necessity |
| **Temporary dispatch copy** (post-dispatch) | 90 days from date of dispatch, then deleted | Temporary service delivery |
| **Original encrypted file (post-dispatch)** | 180 days from date of dispatch, then deleted | Legitimate interest (cost control, data minimization) |
| **Audit/backup logs** | 90 days from creation | Legitimate interest (security, incident investigation) |
| **Dodo Payments transaction receipts** | 7 years from transaction date | Legal obligation (Turkish tax law) |
| **SHA-256 email hash** (post-account deletion) | 2 years from account deletion | Legitimate interest (abuse prevention) |
| **Raw PII** (post-account deletion) | 0 days — **immediate purge** | GDPR Art. 17 / KVKK Art. 7 compliance |
| **Expired Free Trial data** | Auto-deleted 180 days after trial expiry (7-day warning issued) | Legitimate interest; data minimisation |
| **IP address / device info / log data** | 90 days rolling | Legitimate interest (security) |

---

## 10. Your Rights under GDPR

If you are located in the European Economic Area, you have the following rights under GDPR:

**10.1 Right of Access (Art. 15).** You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data and information about how it is processed.

**10.2 Right to Rectification (Art. 16).** You have the right to request correction of inaccurate or incomplete personal data we hold about you. You can correct most account data directly within your account settings.

**10.3 Right to Erasure ("Right to be Forgotten") (Art. 17).** You have the right to request the deletion of your personal data where: (a) the data is no longer necessary for the purposes for which it was collected; (b) you withdraw consent and there is no other legal basis; (c) you object to processing and there are no overriding legitimate grounds; or (d) the data has been unlawfully processed. Exercising this right by deleting your account triggers the immediate purge described in Section 9. The SHA-256 email hash retained for 2 years is pseudonymous personal data, which we retain under the lawful basis of legitimate interest (abuse prevention) as it cannot be used to contact you directly or reconstruct your email in plaintext, but we note this retention in the interests of full transparency.

**10.4 Right to Restriction of Processing (Art. 18).** You have the right to request that we restrict the processing of your personal data in certain circumstances, including where you contest the accuracy of the data or have objected to processing.

**10.5 Right to Data Portability (Art. 20).** You have the right to receive the personal data you have provided to us in a structured, commonly used, machine-readable format, and to transmit that data to another controller. For video content, this right is satisfied through the self-service download function. For structured personal data (account metadata), submit a portability request to **support@myfinalmessage.info**.

**10.6 Right to Object (Art. 21).** You have the right to object to processing based on our legitimate interest (GDPR Art. 6(1)(f)). Upon receipt of an objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.

**10.7 Right Not to be Subject to Automated Decision-Making (Art. 22).** You have the right not to be subject to a decision based solely on automated processing that produces significant legal effects concerning you. The Proof of Life escalation and dispatch system constitutes automated decision-making. Please refer to Section 13 for a full explanation of this system and your right to request human review and to challenge dispatch decisions.

**10.8 Right to Withdraw Consent (Art. 7(3)).** Where processing is based on your consent (particularly for special category / biometric data under Art. 9(2)(a)), you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

**10.9 Right to Lodge a Complaint (Art. 77).** You have the right to lodge a complaint with the supervisory authority in your EU member state of habitual residence, place of work, or place of the alleged infringement. See Section 19.

---

## 11. Your Rights under KVKK

Pursuant to **KVKK Article 11**, all data subjects (regardless of location) whose data is processed by MyFinalMessage have the following rights:

**11.1 Right to Learn.** You have the right to learn whether your personal data is being processed by MyFinalMessage.

**11.2 Right to Access.** You have the right to request information about the processing of your personal data if it has been processed.

**11.3 Right to Know the Purpose.** You have the right to know the purpose of the processing of your personal data and whether it is being used in accordance with that purpose.

**11.4 Right to Know Third Parties.** You have the right to know the identities of third parties to whom your personal data has been transferred, domestically or internationally.

**11.5 Right to Rectification.** You have the right to request correction of incomplete or inaccurate personal data.

**11.6 Right to Erasure or Destruction.** You have the right to request the deletion or destruction of personal data where the reasons requiring its processing have ceased to exist, subject to applicable legal retention obligations.

**11.7 Right to Request Notification to Third Parties.** You have the right to request that correction or erasure of your personal data be notified to the third parties to whom it was transferred.

**11.8 Right to Object to Automated Processing.** You have the right to object to results arising from the automated analysis of your personal data that are to your detriment.

**11.9 Right to Claim Damages.** You have the right to claim compensation for any damage arising from unlawful processing of your personal data.

To exercise your KVKK rights, submit a written request to **support@myfinalmessage.info**. We will respond within **30 calendar days** of receipt of a valid request, in accordance with KVKK Article 13.

---

## 12. Your Rights under CCPA / CPRA

If you are a resident of the State of California, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights:

**12.1 Right to Know (Cal. Civ. Code § 1798.100).** You have the right to request disclosure of: (a) the categories of personal information we collect about you; (b) the categories of sources from which we collect it; (c) our business or commercial purpose for collecting it; (d) the categories of third parties with whom we share it; and (e) the specific pieces of personal information we have collected about you.

**12.2 Right to Delete (Cal. Civ. Code § 1798.105).** You have the right to request the deletion of personal information we have collected from you, subject to certain exceptions (e.g., legal obligation to retain, completion of a transaction you requested).

**12.3 Right to Correct (Cal. Civ. Code § 1798.106).** You have the right to request correction of inaccurate personal information we maintain about you.

**12.4 Right to Opt-Out of Sale or Sharing (Cal. Civ. Code § 1798.120).** **MyFinalMessage does not sell, share, or rent your personal information to any third party for money or other valuable consideration.** We do not share personal information for cross-context behavioral advertising purposes. Accordingly, there is no opt-out mechanism required for this purpose at this time. If this practice changes, we will update this Policy and implement an opt-out mechanism before any such sharing begins.

**12.5 Right to Limit Use of Sensitive Personal Information (Cal. Civ. Code § 1798.121).** Under the CPRA, you have the right to direct us to limit our use of your sensitive personal information (including biometric data in your video content) to what is necessary to perform the services you have requested. MyFinalMessage already limits its use of video content strictly to storage and posthumous dispatch as requested by you. No additional limitation request is currently necessary, but you may contact us to confirm this.

**12.6 Right to Non-Discrimination (Cal. Civ. Code § 1798.125).** We will not discriminate against you for exercising any of your CCPA rights. Exercising your rights will not result in denial of services, different pricing, or different quality of service.

**12.7 Authorized Agent.** California residents may designate an authorized agent to make a CCPA request on their behalf. We may require: (a) proof that the agent is authorized to act on your behalf; and (b) verification of your own identity directly.

**12.8 Shine the Light (Cal. Civ. Code § 1798.83).** California residents may request information about personal information shared with third parties for direct marketing purposes. **We do not share personal information for direct marketing purposes.**

**12.9 Categories of Personal Information Collected (Cal. Civ. Code § 1798.140).** For CCPA disclosure purposes, we collect:

| CCPA Category | Examples from MyFinalMessage |
|---|---|
| Identifiers | Name, email address, IP address |
| Personal information (Cal. Civ. Code § 1798.80(e)) | Name, email, phone number |
| Biometric information | Facial image and voiceprint in user-uploaded videos |
| Internet or other electronic network activity | Session tokens, log data, device info |
| Geolocation data | IP-derived approximate location only |
| Audio, electronic, visual, or similar information | Video and audio recordings uploaded by user |
| Commercial information | Payment transaction records (plan purchased, amount) |
| Inferences drawn from the above | Dispatch status (presumed deceased) — used solely for service delivery |

---

## 13. Automated Decision-Making

**13.1 GDPR Article 22 Disclosure.** The MyFinalMessage Proof of Life ("POL") system constitutes **automated decision-making** within the meaning of GDPR Article 22(1), to the extent that it produces a significant effect — namely, the dispatch of personal video messages to third parties (your designated recipients) — based solely on automated processing of your inactivity data, without human review at any stage of the process.

**13.2 Description of the Automated Logic.** The automated decision-making logic functions as follows:

1. At the user's chosen interval (between 1 month and 8 years), the system checks whether a "check-in" response has been recorded.
2. If no check-in is recorded, a check-in email is sent (Day 0). If there is no response, a first reminder check-in email is sent 7 days later (Day 7). If silence persists, a second reminder check-in email is sent 14 days later (Day 14), and a pre-escalation warning is sent 21 days later (Day 21).
3. If no response is received and emergency contacts are configured, emergency contacts are notified 22 days after the initial check-in email (Day 22).
4. If an emergency contact confirms death, or if no emergency contact responds within 7 days (reaching Day 29 of the cycle), the system automatically marks the user's account as **"Presumed Deceased"** (Day 29) and triggers a 48-hour cooldown window.
5. Upon expiration of the 48-hour cooldown window (Day 31), the Video Dispatch Engine re-wraps the Data Encryption Key for the recipient and transmits a time-limited secure delivery link. Recipient-side decryption occurs in the recipient's browser.

**At no point in this process does a human MyFinalMessage employee review, assess, or override the system's determination.** The determination of "Presumed Deceased" is based solely on the absence of a digital response — it is not a clinical, legal, or factual determination of death.

**13.3 The "I'm OK" Manual Override.** You have the right and the ability to intervene in the automated process at any time before dispatch is triggered. You may exercise this right by:

- (a) Clicking the **"I'm OK"** button embedded in any check-in or escalation email you receive; or
- (b) Logging into your MyFinalMessage account at myfinalmessage.info and confirming activity from your account dashboard.

Either action immediately resets the automated inactivity timer to zero, cancels any pending escalation steps, and restarts the check-in interval countdown. This manual override is available throughout Steps 1 through 6 of the escalation sequence described in Section 6 of the Terms of Service. Once Step 7 (video dispatch) has been triggered, the process cannot be reversed.

**13.4 False Positive Risk.** We expressly acknowledge that the automated system carries a non-zero risk of a **false positive determination** — i.e., a determination that you are "Presumed Deceased" when you are, in fact, alive. This risk arises from, without limitation: failure to receive check-in emails due to spam filtering; hospitalization or incapacity preventing response; loss of access to your registered email account; inaccurate emergency contact information; or emergency contacts failing to respond or incorrectly confirming death. This risk is disclosed in full in Section 7 of the Terms of Service, which you acknowledged and accepted at registration.

**13.5 Right to Challenge.** If you believe a dispatch was triggered incorrectly (false positive), you have the right to contact us at **support@myfinalmessage.info** to request a human review of the decision. We will investigate and, where technically possible, reset your account's dispatch status. However, as stated in Section 8 of the Terms of Service, we cannot recall messages already delivered to recipients.

**13.6 GDPR Safeguards.** In accordance with GDPR Article 22(2)(b), we rely on your **explicit consent** (obtained at registration and upload) as the lawful basis for this automated decision-making involving special category data. This consent covers the automated dispatch process. You retain the right to withdraw consent (by deleting your account) and to contest the automated decision as described in Section 13.5 above.

---

## 14. Security Measures

MyFinalMessage implements the following technical and organizational security measures to protect your personal data:

**14.1 Client-Side Envelope Encryption (v2).** All video content is encrypted **in your browser** before being uploaded to our servers. Encryption uses **AES-256-GCM** with a unique Data Encryption Key (DEK) generated locally. The DEK is wrapped (encrypted) using a key derived from a user-specific password via PBKDF2, creating a client-side "owner-wrapped DEK". A separate "dispatch-wrapped DEK" — re-wrapped using a dispatch secret stored encrypted in Google Cloud KMS — is also created at upload time. **Our servers never receive or store the plaintext video or the plaintext DEK at any point.**

**14.2 No Plaintext Video on Server.** The plaintext (unencrypted) version of your video never leaves your device and is never transmitted to or processed by our servers. Only the AES-256-GCM encrypted ciphertext is uploaded and stored in Google Cloud Storage.

**14.3 Dispatch Key Re-Wrapping.** During video dispatch, the Dispatch Engine uses Google Cloud KMS to decrypt the dispatch secret, then performs PBKDF2 + AES Key Wrap (RFC 3394) to unwrap the dispatch-wrapped DEK and re-wrap it for the recipient using the recipient's one-time token. The raw video ciphertext is served to the recipient's browser, which performs the final AES-256-GCM decryption locally. The server performs key re-wrapping only — it does not perform video decryption.

**14.4 Nonce (IV) Uniqueness.** Each encryption operation uses a unique, cryptographically random Initialization Vector (IV / nonce). Reuse of nonces is prohibited by design, preventing ciphertext analysis attacks.

**14.5 Account Authentication.** User authentication is handled by our backend application, which implements industry-standard bcrypt credential hashing, rate limiting, and JWT session management. Passwords are never stored in plaintext by MyFinalMessage.

**14.6 Transport Layer Security (TLS).** All data in transit between your browser and the MyFinalMessage platform is encrypted using TLS 1.2 or higher. All communications with GCP, Dodo Payments, Twilio, and AWS/Amazon SES use TLS-encrypted connections.

**14.7 Access Control.** Access to production infrastructure is restricted to the platform owner via Google Cloud IAM with least-privilege principles. No third party has unauthorized access to production data stores.

**14.8 Security Logging.** Platform security events are logged in GCP Cloud Logging and retained for 90 days. Logs are reviewed in the event of a suspected security incident.

**14.9 Data Breach Response.** In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority without undue delay and, where feasible, within **72 hours** of becoming aware of the breach (GDPR Art. 33). Where the breach is likely to result in a high risk, we will also notify affected data subjects without undue delay (GDPR Art. 34).

**14.10 No Security Guarantee.** Despite the measures described above, no security measure is unconditionally infallible. We cannot guarantee the absolute security of your data against all possible attacks, breaches, or vulnerabilities. We commit to responding promptly to identified vulnerabilities and incidents.

---

## 15. Children's Privacy

**15.1 Minimum Age Restriction.** MyFinalMessage is not designed for, marketed to, or intended to be used by individuals under the age of **18 years**. We do not knowingly collect, process, or store personal data from children under 18.

**15.2 Discovery of Under-Age User.** If we become aware that we have inadvertently collected personal data from a person under 18, we will immediately: (a) suspend the account; (b) permanently delete all data associated with the account; and (c) notify the relevant authorities if required by applicable law.

**15.3 Parental Notification.** If you are a parent or guardian and believe that your child (under 18) has created a MyFinalMessage account, please contact us immediately at **support@myfinalmessage.info** and we will take prompt action.

---

## 16. Cookies & Tracking Technologies

**16.1 Cookie Usage.** MyFinalMessage uses cookies and similar tracking technologies on myfinalmessage.info to enable core platform functionality, maintain your authentication session, and where consented, to analyse platform usage.

**16.2 Cookie Policy.** A full description of the cookies we use, their purposes, duration, and your choices is available in the MyFinalMessage **Cookie Policy**, accessible at **myfinalmessage.info/legal/cookie-policy**.

**16.3 Essential Cookies.** Certain cookies are strictly necessary for the platform to function (e.g., session authentication cookies containing secure JWT refresh tokens set by our backend). These cannot be disabled without preventing you from using the Service.

**16.4 Analytics Cookies.** If we use analytics tools (e.g., Google Analytics), we will obtain your prior consent via a cookie consent banner before setting non-essential analytics cookies. You may withdraw this consent at any time via your cookie preferences.

---

## 17. Changes to This Policy

**17.1 Right to Update.** We may update this Privacy Policy from time to time to reflect changes in our data processing practices, applicable law, or platform functionality. The "Last Updated" date at the top of this document will always reflect the date of the most recent update.

**17.2 Material Changes.** For material changes — meaning changes that significantly affect how we process your personal data or reduce your rights — we will: (a) update this Policy with a new "Last Updated" date; and (b) send a notification email to your registered email address at least **30 days** before the change takes effect.

**17.3 Non-Material Changes.** Minor, non-material changes (such as typographical corrections, clarifications, or addition of new subprocessors with equivalent safeguards) may be made without individual notification, but will always be reflected in the "Last Updated" date.

**17.4 Continued Use as Acceptance.** Your continued use of MyFinalMessage after a material change to this Privacy Policy takes effect constitutes your acceptance of the updated Policy. If you do not agree with the updated Policy, you must stop using the Service and may delete your account.

---

## 18. How to Exercise Your Rights

**18.1 Submission of Rights Requests.** To exercise any of the rights described in Sections 10, 11, or 12, submit a written request by email to:

**support@myfinalmessage.info**

Your request should include: (a) your full name and registered email address; (b) the specific right or rights you wish to exercise (e.g., access, erasure, portability); and (c) any relevant details to help us identify and locate your data.

**18.2 Identity Verification.** To protect against unauthorized requests, we may ask you to verify your identity before processing your request. This may include confirming your email address via a one-time verification link, answering security questions, or providing other reasonable identifying information. We will not process a request where we cannot reasonably verify the identity of the requester.

**18.3 Response Timeframe.** We will respond to your request within:

| Regulation | Response Deadline |
|---|---|
| GDPR (EU/EEA users) | **1 month** (30 calendar days) from receipt of valid request; extendable by 2 additional months for complex requests with notification |
| KVKK (all users) | **30 calendar days** from receipt of valid request |
| CCPA (California users) | **45 calendar days** from receipt of verifiable request; extendable by 45 additional days with notification |

**18.4 No Fee for Rights Requests.** We will process your rights request free of charge. If requests are manifestly unfounded or excessive (in particular, repetitive), we reserve the right to charge a reasonable fee or refuse to act, in accordance with GDPR Article 12(5).

**18.5 Self-Service Options.** Many rights can be exercised directly within your account settings, including: downloading your videos (portability), correcting your account information (rectification), and deleting your account (erasure).

---

## 19. Right to Lodge a Complaint

You have the right to lodge a complaint with a competent supervisory authority if you believe our processing of your personal data violates applicable law.

**19.1 European Union / EEA Residents (GDPR).** You may lodge a complaint with the **data protection supervisory authority in your EU member state of habitual residence, place of work, or place of the alleged infringement**. A list of EU supervisory authorities is available at: [https://edpb.europa.eu/about-edpb/about-edpb/members_en](https://edpb.europa.eu/about-edpb/about-edpb/members_en)

You may also contact our EU Representative (support@myfinalmessage.info) to facilitate your complaint.

**19.2 Turkey / Turkish Residents (KVKK).** You may lodge a complaint with the:

**Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu — KVKK)**
Nasuh Akar Mahallesi, Ziyabey Caddesi No:19, Balgat, 06520 Ankara, Turkey
Website: [https://www.kvkk.gov.tr](https://www.kvkk.gov.tr)
Email: kvkk@hs01.kep.tr

**19.3 California Residents (CCPA / CPRA).** You may submit a complaint to the:

**California Privacy Protection Agency (CPPA)**
2101 Arena Boulevard, Sacramento, California 95834, USA
Website: [https://cppa.ca.gov](https://cppa.ca.gov)

Alternatively, you may submit a complaint to the:

**California Office of the Attorney General**
Website: [https://oag.ca.gov/privacy/ccpa](https://oag.ca.gov/privacy/ccpa)

**19.4 We Encourage Direct Contact First.** Before lodging a formal regulatory complaint, we encourage you to contact us directly at **support@myfinalmessage.info** so that we may have the opportunity to resolve your concern quickly and informally. This does not limit your right to go directly to a supervisory authority.

---

## 20. Contact

For all privacy-related inquiries, data subject access requests, complaints, or questions about this Privacy Policy:

**Data Controller:**
MyFinalMessage
Istanbul, Turkey
Email: **support@myfinalmessage.info**
Website: **myfinalmessage.info**

**EU Representative:**
support@myfinalmessage.info (Direct inquiries handled centrally pending local representative appointment)

We are committed to responding to all privacy inquiries within **30 calendar days** of receipt.

---

*MyFinalMessage — myfinalmessage.info*
*© MyFinalMessage. All rights reserved.*
*This Privacy Policy is governed by the laws of the Republic of Turkey, with EU and California statutory rights preserved as required by applicable law.*
