Your data is yours.

DearGrove is a web application that helps you document the accounts, passwords, contacts, and wishes your family would need if something happened to you. The company is a Michigan-registered entity operating the service at deargrove.com. When this policy says “we,” “us,” or “DearGrove,” we mean that entity.

We collect only what the service needs to work, plus a narrow slice of ad-measurement data covered separately under “Advertising measurement” below. We never track you across other sites and we never build a behavioral profile on you.

• Account information. Your email address (for sign-in) and, if you enter it, your name. We do not use passwords. You sign in with Google or a one-time email link.
• The content you create. Everything you enter in the eight guided sections: personal details, contacts, financial accounts, insurance, property, digital accounts, legal documents, and final wishes. This is the whole point of the product.
• Payment information. Stripe handles your card details directly. We never see them. We store only the Stripe customer id and a record that you paid.
• Basic technical data. IP address, browser type, and timestamps on sign-in, purchase, and share-link access. Used to prevent abuse and diagnose errors. Deleted within 90 days.
• Share-link access logs. When someone you invite opens your document, we record the timestamp and IP so you can see who accessed what. Visible to you in Settings.

We do not collect: location beyond the country level inferred from IP, contacts from your address book, social graph data, behavioral fingerprints, or anything about sites you visit outside DearGrove.

The content you enter is encrypted with AES-256-GCM in our application layer before it touches our database. The encryption keys are managed by a key-management service and are never stored in the database alongside the ciphertext. This means:

• A full database breach reveals only encrypted bytes.
• Our own staff cannot read your content without a deliberate, audited request involving the KMS-held key.
• Every query on your data is scoped by your account id through row-level security in our database.

We use Supabase (PostgreSQL) for the database, hosted on AWS in the United States. Your data stays in the US.

Nobody except a short list of sub-processors needed to run the service. Each one sees only the narrow slice of data required for its job, and each is bound by contractual confidentiality and security obligations.

The contents of your DearGrove document never leave this list of sub-processors. We do not sell, swap, or otherwise share what you wrote down. If a government agency serves a valid legal order, we will notify you unless the order prohibits it, and we will provide only what is legally required.

One narrow exception with your explicit opt-in: if you click "find an advisor" or otherwise ask us to connect you with an estate planning provider, we share contact-onlyinformation (name, email, phone, state, age range, expressed intent, and asset/family signals). See the next section for the full disclosure.

On the “Find an advisor” page (and any other surface where we ask “Do you want help with a will or trust?”), if you tick the explicit consent checkbox we share a contact-and-context profile with a vetted estate planning provider so they can reach out about your needs.

What we share, when you opt in:

• Your name and email (the same one you signed in with)
• Phone number, if you provided it
• Your state, age range, marital status, and whether you indicated minor children
• The intent boxes you ticked (will, trust, POA, healthcare directive, review, not sure)
• High-level signals derived from your DearGrove questionnaire: whether you have a will, trust, POA, or healthcare directive on file; whether you have life insurance, retirement accounts, real estate, or a business; and a coarse range for how many bank accounts you listed (1-2 / 3-5 / 6+)
• Any free-text note you typed on the opt-in form

What we never share:

• The actual contents of your DearGrove document. Account numbers, passwords, beneficiary names, locations of physical documents, final wishes, the answers you gave in the questionnaire. None of this leaves our systems.
• Anything related to anyone other than you (your spouse, kids, contacts).
• Your Social Security number, government IDs, or any other strong identifier.

Categories of recipients: vetted estate planning attorneys, estate planning service providers, and related professional firms. We may also use this information ourselves to provide estate planning services through our sister product (Bancroft).

This may constitute a “sale” under certain US state privacy laws, including the California Consumer Privacy Act (CCPA / CPRA), the Colorado Privacy Act, the Virginia Consumer Data Protection Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act. We disclose this in plain English here because honest disclosure beats a paragraph of legalese.

You can withdraw consent and opt out at any time by visiting our Do Not Sell or Share My Personal Information page, or by emailing support@deargrove.com. Opt-out is processed within 15 days of receipt; we will notify any provider we already shared your information with and ask them to remove you from their list.

Regardless of where you live, you have these rights with respect to your DearGrove data:

• Access. See everything we have about you. Available anytime in Settings or via the Export button.
• Correct. Update any field, any time.
• Delete. One click in Settings removes your account and all associated data. Purged from backups within 30 days.
• Export. Download a password-optional PDF of your entire document at any time.
• Object or restrict. Write to support@deargrove.com. We will respond within 30 days.

If you live in California, the CCPA gives you the rights above plus the right to know the categories of personal information collected (listed in “What we collect”) and the right not to be discriminated against for exercising these rights.

If you live in the EU, the UK, or another jurisdiction with a GDPR-style law, the rights above apply along with your right to data portability (satisfied by the Export feature) and the right to lodge a complaint with your supervisory authority. Our legal basis for processing is contract performance (to provide the service you purchased) and legitimate interest (abuse prevention and diagnostics).

We run Facebook and Instagram ads to find new customers. To tell which ads actually lead to sign-ups, and therefore which ads are worth keeping and which are waste, we use two Meta measurement tools, the Meta Pixel (runs in your browser) and the Conversions API (runs on our server). Together they do the following and nothing else:

• Record that your browser viewed pages on deargrove.com, moved into the checkout, and completed a purchase. Tied to a Meta-managed first-party cookie (_fbp) that lives only on this domain.
• When you purchase, send Meta a SHA-256 hash of your email (not your email itself) and the purchase amount, so Meta can match the sign-up to the ad that brought you here. The hash is one-way; Meta cannot recover your email from it.
• That is the entire data share. Not your name, not your content, not your address, not any field from your DearGrove document. Nothing from inside the product ever leaves our systems.

You can turn ad measurement off on this browser with one click. It sets a cookie (dg_ads_opt_out) that stops the Pixel from firing. Server-side measurement on your own purchases still occurs (we can’t suppress the receipt pipeline), but the browser trail stops immediately.

The short list of cookies DearGrove sets. We do not use advertising cookies from any other network.

• Session cookies (HTTP-only, Secure, SameSite=Lax) keep you signed in between pages.
• CSRF tokens prevent cross-site request forgery on mutating actions.
• _fbp is a first-party Meta Pixel cookie on deargrove.com, used to link ad clicks to sign-ups. Disabled if you opt out under “Advertising measurement” above.
• dg_ads_opt_out is set when you click “Turn off” above.

Vercel Web Analytics, our page analytics, is cookie-free by design.

Data is kept for as long as you have an account.

• When you delete your account: purged from active systems immediately; removed from backups within 30 days.
• Payment records: retained for 7 years to comply with US tax law. Stored separately, encrypted, never joined to your content.
• Share-link access logs: 90 days, then purged.
• Sign-in events: 30 days.
• Error telemetry: 30 days, scrubbed of personal content before storage.

DearGrove is not intended for use by anyone under 18. We do not knowingly collect information from children. If you believe a child has created an account, write to support@deargrove.com and we will delete it promptly.

We take a defensive approach: least privilege, encryption at rest and in transit, signed webhooks, row-level security, and responsible-disclosure contact at support@deargrove.com. A detailed posture is available at /security.

No system is perfect. If a breach ever affects your data, we will notify you within 72 hours of confirming the scope, along with what happened, what data was involved, and what we are doing about it.

If we change this policy in a way that reduces your rights or expands what we collect, we will email every account holder at least 30 days before the change takes effect. Minor clarifications (typos, reformatting, new sub-processors that receive no additional data) will be noted in the “Last updated” date above.

Privacy questions, security reports, data requests, or anything else, write to support@deargrove.com. A real person reads every email.