Place a Section 29 or 35 notice

    Privacy Policy

    Last updated: 25 April 2026

    Responsible Party / Information Officer

    When I Am Gone (Pty) Ltd, Office 8, PineworX, Lonsdale Way, Pinelands, Cape Town, 7405, South Africa.
    Information Officer: Natalie Macdonald Spence, support@wheniamgone.co.za
    Regulator: Information Regulator (South Africa) - inforegulator.org.za

    1. Introduction

    When I Am Gone (Pty) Ltd ("we", "our", "us") looks after your privacy. We handle your personal information under the Protection of Personal Information Act 4 of 2013 (POPIA) and any other data protection laws that apply.

    This Privacy Policy explains how we collect, use, store and protect your personal information when you use our estate planning service. That includes the personal vault, the When I Am Gone Pro practitioner portal and any legal notice services we provide.

    2. Information We Collect

    Account Information

    When you create an account, we collect:

    • Email address (for authentication and communication);
    • Name (optional, for personalisation);
    • Phone number (optional, for account recovery); and
    • For practitioners: firm name, regulatory body, practice number and any verification evidence you submit.

    Vault Data

    You can store sensitive information in your encrypted vault. That includes assets, debts, contacts, documents and instructions. Your device encrypts all of this with a key derived from your passphrase before sending it to our servers. We receive and store only the encrypted form. We cannot read your vault entries or uploaded documents without your passphrase.

    Legal Notice and Practitioner Matter Data

    When you use the practitioner portal, we process the matter details you enter, such as the deceased's name, identity number, dates and notice text. We need these to draft and publish the notice. Unlike vault data, this information is processed in plain text on our servers because it has to be sent to the Government Printing Works or newspapers for publication.

    Payment Information

    Payments are processed by Paystack. We receive a transaction reference and status but do not receive or store your full card number.

    Usage Information

    We automatically collect:

    • Log data (IP address, browser type, access times);
    • Device information (device type, operating system); and
    • Usage patterns (features used, pages visited).

    3. How We Use Your Information

    We use your information to:

    • Provide and maintain our services;
    • Authenticate your identity and secure your account;
    • Send important service notifications and transactional email;
    • Process access requests from executors or trusted contacts;
    • Verify practitioner credentials and lodge legal notices on your instructions;
    • Improve our service and develop new features; and
    • Comply with legal obligations.

    4. Data Security

    Your vault data is encrypted on your device before it is uploaded. Your vault passphrase is not stored on our servers. In addition, all data we hold is protected by:

    • Encrypted connections between your browser and our servers;
    • Encrypted storage of our database and uploaded files, managed by our hosting providers;
    • Hashing of one-time verification codes and session tokens before storage;
    • Regular security reviews, dependency audits and monitoring; and
    • Strict role-based access controls for our staff.

    5. Sub-processors and Data Sharing

    We do not sell your personal information. We rely on a small number of trusted operators (sub-processors) to run the Service, each bound by contractual data protection obligations:

    • Paystack (Paystack Payments South Africa (Pty) Ltd, a Stripe company) - payment processing for subscriptions and legal notice orders. Data may be processed in South Africa and the United States.
    • Resend (Resend, Inc., United States) - delivery of transactional email (verification codes, access request notifications, receipts). Email content and recipient addresses are processed in the United States.
    • Google Cloud Storage (Google LLC, United States) - encrypted storage of uploaded vault files (ciphertext only) and application assets. Files are stored in the United States and accessed through our cloud infrastructure partner.
    • Google Cloud Platform (Google LLC, United States) - underlying infrastructure for application hosting and the managed PostgreSQL database that stores encrypted vault payloads, account records and practitioner matter data. Operated in the United States and accessed through our cloud infrastructure partner.
    • Government Printing Works and participating newspapers - only where you instruct us to publish a legal notice, and only the content necessary for that publication.

    We may also share personal information with persons you authorise through our access request workflow, and with law enforcement or regulators where legally required.

    6. Cross-border Transfers and International Data Processing

    When I Am Gone stores and processes personal information using infrastructure operated by international service providers. Our application hosting and managed database run on Google Cloud Platform (Google LLC, United States) through a cloud infrastructure partner, and uploaded files are stored in Google Cloud Storage (Google LLC, United States). Transactional email is sent via Resend, Inc. (United States). Payment processing is provided by Paystack, which may process data in South Africa and the United States. No adequacy determination under POPIA currently applies to the United States. We rely on the transfer mechanisms permitted under section 72 of POPIA, including contractual data protection clauses with each recipient, and, where applicable, your explicit consent.

    The basis for this transfer is your explicit consent, given at registration or (for existing accounts) via the consent banner, as contemplated by section 72 of the Protection of Personal Information Act 4 of 2013.

    Categories of data transferred

    • Account information (email address, name, phone number);
    • Vault metadata (record counts, dates, activity logs);
    • Transactional data (payment references, subscription status); and
    • Any personal information you store in the plain-text sections of your vault (such as executor, beneficiary, and guardian details submitted via the will generator or contact manager).

    Your rights

    Contact the Information Officer if you wish to withdraw consent. If international processing is necessary to provide the service, withdrawal may require account closure.

    Cross-border transfer enquiries

    For enquiries specifically about cross-border data transfers, contact our Information Officer at support@wheniamgone.co.za.

    7. Your Rights Under POPIA

    You have the right to:

    • Access the personal information we hold about you;
    • Request correction of inaccurate information;
    • Request deletion of your data;
    • Object to processing of your data;
    • Withdraw consent at any time; and
    • Lodge a complaint with the Information Regulator.

    To exercise any of these rights, please use our self-service data rights form. We will respond within 21 calendar days.

    8. Data Retention

    We keep your account and vault data for as long as your account is active. When you ask us to delete your account, we mark it for deletion straight away and immediately block sign-in. You then have 30 days to email us at support@wheniamgone.co.za to cancel the deletion. After 30 days an automated nightly process permanently removes the related personal information, or, where the data still has to be linked to records we are required to keep, replaces it with values that can no longer identify you. This is in line with POPIA Section 14. The only exception is where the law requires us to keep specific records, such as tax, accounting or legal-notice publication records. Those are kept only for as long as the applicable law requires.

    Encrypted backup copies are overwritten in the normal course of our backup rotation. Until they are overwritten, deleted records may still sit in those backups, but we do not restore them into the live service except to recover from a disaster.

    9. Contact Us

    For privacy-related inquiries or to exercise your rights, contact us at:

    Email: support@wheniamgone.co.za
    Address: When I Am Gone (Pty) Ltd, Office 8, PineworX, Lonsdale Way, Pinelands, Cape Town, 7405, South Africa.

    You may also lodge a complaint directly with the Information Regulator at inforegulator.org.za.

    9A. Self-drafting acknowledgement log

    When you confirm in the will generator that you are drafting your will for yourself, we record the date, time and source IP address of that confirmation against your account. This log helps us stop someone else from pretending to be you. It also helps us co-operate with the South African Police Service or a court if your will is later disputed. We keep the record for as long as the will draft exists, and for seven years after it is revoked.

    9B. Analytics and conversion measurement

    We use a privacy-first analytics tool called Plausible to count page views and a small number of important actions (such as joining the cover waitlist, registering an account, paying for a will, and completing a will). Plausible does not use cookies, does not track you across websites, and does not collect anything that could identify you. The information we receive is limited to anonymous counts and aggregate trends, which we use to understand which parts of the Service are actually helping South Africans plan their estates.

    If we ever run advertising on Meta (Facebook or Instagram) or Google, those platforms ask us to confirm when an advert led to a real signup or payment. To support that we may load the Meta Pixel and Google Ads conversion tag. These tools do use cookies and would let those platforms recognise you, so we only load them if you accept cookies in our cookie banner. If you decline, or have not yet answered the banner, no advertising cookies are set on your device. You can withdraw your consent at any time by clearing your cookies for our site or by using your browser's site-data controls.

    Separately from your browser, our server records the same four conversion events directly from our backend so that we can measure performance even when ad-blockers stop the browser scripts. When we send these server-side events to Meta or Google, your email or phone number (if any) is hashed using SHA-256 before it leaves our servers, and we never forward your IP address to those platforms.

    10. Changes to This Policy

    We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service, and update the "Last updated" date at the top of this page.

    When I Am Gone

    Secure estate information vault for South Africans.

    When I Am Gone is a life-file and estate-readiness platform. It is not a law firm, financial adviser, estate administrator, executor service, probate service or insurer. The platform stores information you supply and helps you keep it organised; it does not provide legal, tax or financial advice.

    When I Am Gone (Pty) Ltd ("When I Am Gone") is a registered Financial Services Provider (FSP No: 55699) providing secure digital information storage and estate-readiness tools. When I Am Gone is not a law firm or estate planning professional. For personalised legal, tax or estate planning advice, consult a qualified attorney or fiduciary practitioner. Executors and beneficiaries are responsible for verifying information and obtaining professional advice before acting.

    Will documents created using When I Am Gone must be printed, reviewed, and signed in the presence of two competent witnesses as required by the Wills Act 7 of 1953. Electronic wills are not valid under South African law. When I Am Gone does not verify will validity, witness competency, or guarantee executor or Master of the High Court acceptance.

    When I Am Gone is the responsible party for processing your personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA) and the Promotion of Access to Information Act 2 of 2000 (PAIA). We process data based on your consent and contract performance. Data categories collected include identity, contact, estate, and financial information. Consumer vault entries are browser-encrypted; some authorised sharing workflows use server-side envelope encryption so access can be scanned, granted and audited. The security of your own device and passphrase remains your responsibility. Data is held with our cloud and database providers under written POPIA processing terms. Retention: active accounts are retained while the account remains open. Deleted vault contents are removed from active storage. Limited regulatory, audit and transaction records may be retained where required by law, including FICA records kept for at least 5 years from the applicable trigger date.

    You have the right to access, correct, delete, or object to processing of your personal information. Contact our Information Officer at support@wheniamgone.co.za for data subject requests. We notify the Information Regulator and affected data subjects as soon as reasonably possible after discovery of a security compromise, in line with POPIA. Our internal target is 72 hours where the facts allow it. See our Privacy Policy for full details.

    © 2026 When I Am Gone (Pty) Ltd. All rights reserved. Registered in South Africa.

    When I Am Gone is a registered Financial Services Provider | FSP No: 55699 | Regulated by the FSCA

    Administrative vault services are non-FAIS. Insurance services, where live, are financial services and are provided under the relevant authorisation, disclosures and product-provider terms. The will wizard and estate vault are software tools, not FAIS products. Insurance cover products are not yet on sale. When insurance products are offered, any remuneration will be regulated under FAIS and disclosed before any transaction. CPA and ECTA cooling-off rights apply where the transaction qualifies. The FSP licence is held by When I Am Gone alone and is never re-presented under a partner brand.

    When I Am Gone