What we can see, and what we can't.

We built When I'm Gone so that we cannot read your journal — not by accident, not on purpose, not under legal pressure. This notice spells out exactly how that works, what we do see, and what your rights are.

Last updated: 10 May 2026

Who we are

When I'm Gone is operated by When I'm Gone Ltd, a company registered in England. If you have any questions about your data or this notice, write to info@whenimgone.life. A real person will answer.

What we cannot see

Your journal is encrypted on your device, with a key derived from your password. The encrypted blob is the only thing that ever leaves your device. We can't read it. Our staff can't read it. If we were ever compelled to hand over data by a court order, all anyone would see is encrypted gibberish.

This means we have no way to:

• Read what you've written in your journal.
• Recover your journal if you lose both your password and your recovery code.
• Search your data, profile you, or build any kind of dataset from journal contents.
• Share your journal contents with anyone, including any government or law enforcement.

That is the deliberate trade-off. The price of a journal that no-one else can ever read is that we cannot help you get back in if you've lost the way in. The recovery code we give you at setup is the only safety net we can offer.

What we do see

To run the service, we and our providers see a small amount of information:

• The encrypted blob itself. When you click "Save a copy", we store the encrypted version of your journal in Google Firestore (a cloud database). The contents are unreadable to us. We also store an anonymous identifier derived from your recovery code so the right device can find the right blob when you sync between devices.
• A Firebase anonymous user ID. When the app talks to the cloud it creates a temporary anonymous Firebase account. There's no email, no password, and no way to link that ID back to you personally. We use it only for rate-limiting and abuse prevention.
• Standard server logs. Like any website, our hosting provider (Azure Static Web Apps) records basic request information — IP address, browser type, page requested. These are retained for a short period for security and diagnostics, then deleted.
• Payment information. When you pay £7.95, our payment processor (when we add one) will see the standard card details required to process the payment. We will not store your card number. We will only know that a payment was made.

Cookies and local storage

We don't use tracking cookies. We don't use Google Analytics or any other behaviour- tracking tool. The app uses your browser's local storage and IndexedDB to keep your encrypted journal on your device — that's the journal itself, not tracking data.

Your rights under UK GDPR

You have the right to:

• Ask what data we hold about you.
• Ask for your encrypted blob to be deleted from our cloud backup.
• Object to processing or withdraw consent at any time.
• Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe we've mishandled your data.

To exercise any of these, email info@whenimgone.life. Because we hold so little data, most requests are quick — typically resolved within a week.

Children

When I'm Gone is intended for adults planning their estate. We don't knowingly collect data from anyone under 16. If you believe a child has used the service, please contact us and we'll remove their backup.

International transfers

Our cloud backup runs on Google Firestore, which may store the encrypted blob in data centres outside the UK. Because the blob is encrypted before it leaves your device, the legal exposure is limited — anyone with access to those data centres sees only encrypted gibberish.

Changes to this notice

If we change anything material, we'll update the "Last updated" date at the top and explain the change in plain English at the top of this page. We won't change the fundamental promise — that we can't read your journal — without a very loud announcement.