Privacy Policy
Burning Ash Protocol privacy policy — data collection, encryption, retention, and user rights.
Privacy Policy
Last Updated: March 2026
Domain: www.baprotocol.com
Overview
Burning Ash Protocol ("BAP", "we", "us", "our"), operated by TripleVision LLC, is a digital notification and file delivery service available at www.baprotocol.com that helps users securely store and transfer important documents and messages to designated recipients upon death or incapacitation. This Privacy Policy explains how we collect, use, disclose, and safeguard your information.
By using BAP, you agree to this Privacy Policy.
What Data We Collect
Information You Provide
| Data Type | Examples | Purpose |
|---|---|---|
| Account | Email, password, display name | Authentication, identification |
| Profile | Name, preferences | Personalization |
| Survivors/Recipients | Names, relationships, contact information | Message delivery |
| Documents/Files | Files you upload | Content to be delivered |
| Connectors | Email, phone, API credentials | Notification delivery |
Information Automatically Collected
| Data Type | Examples | Purpose |
|---|---|---|
| Logs | API requests, errors | Troubleshooting, security |
| Usage | Page views, features used | Improvements |
| Device | IP address, browser | Security, analytics |
How We Use Your Data
We use your data ONLY for application functionality — NOT for marketing or sales.
Specifically, we use your data to:
- Authenticate your account and maintain access
- Encrypt and securely store your documents and messages
- Deliver notifications and files to your designated recipients
- Perform liveness checks to determine when to trigger delivery
- Provide customer support when needed
We do NOT:
- Sell your personal data, contact information, or will contents
- Use your contacts for marketing purposes
- Share your data with third parties for advertising
- Profile you for commercial purposes
Third-Party Processors
We may share certain data with third-party service providers solely for delivering notifications as part of the service. These are:
| Processor | Data Shared | Purpose |
|---|---|---|
| SMTP Provider | Email addresses | Email notification delivery |
| Twilio | Phone numbers | SMS delivery |
| Meta (WhatsApp) | Phone numbers | WhatsApp delivery |
| Telegram | Usernames/Phone numbers | Telegram bot notifications |
| AWS | All data | Cloud storage (S3) |
| Hosting | All data | Infrastructure |
We do not sell your data to these providers. They are used solely to deliver the notifications and files you configure through our service.
Data Protection
Encryption
All sensitive data is encrypted using AES-256-GCM:
- Documents/Files: Encrypted before upload using unique per-delivery keys
- Credentials: Connector and storage credentials encrypted at rest
- Keys: Master encryption key derived from your environment variable
Encryption Architecture
┌─────────────────────────────────────────────────────────────┐
│ Data Encryption │
├─────────────────────────────────────────────────────────────┤
│ │
│ 1. Documents → AES-256-GCM → Encrypted blobs │
│ │
│ 2. Encryption keys → Split via Shamir's Secret Sharing │
│ │
│ 3. SSS shares → Encrypted per-recipient │
│ │
│ 4. All encryption keys → Never stored in plaintext │
│ │
└─────────────────────────────────────────────────────────────┘Zero-Knowledge
- We cannot read your documents or messages
- We cannot recover lost encryption keys
- Encryption happens on our servers before storage
Data Retention
Account Data
- Retained while account is active
- Deleted within 30 days of account deletion
Document/File Data
- Encrypted documents: Deleted when you delete them or your account
- Encryption keys: Destroyed (crypto-shredding) on deletion
Logs
- Security logs: 1 year
- Access logs: 90 days
Your Rights
Access
You can request a copy of your data:
# Via API
GET /api/host/profile
# Or contact support
[email protected]Correction
Update your information via the dashboard or API.
Deletion
Delete your account and all data:
- Log into dashboard
- Go to Settings → Delete Account
- Confirm deletion
Note: Deletion is irreversible. Encrypted documents become unrecoverable.
Data Portability
Export your data:
# Get all your data
GET /api/will/status
GET /api/recipients
# etc.Object
Object to processing by contacting support.
Security Measures
Technical
- TLS 1.3 for all traffic
- AES-256-GCM encryption
- Argon2id password hashing
- Rate limiting
- Audit logging
Organizational
- Security training for staff
- Access controls
- Incident response procedures
Data Breaches
If a breach occurs:
- Assess scope within 24 hours
- Notify affected users within 72 hours
- Report to authorities if required
- Publish summary publicly
Children's Privacy
BAP is not intended for children under 18. We do not knowingly collect data from anyone under 18.
Changes to Policy
We may update this policy. We will notify of material changes via:
- Dashboard notification
- Website notice
GDPR Compliance
For users in the EU:
Legal Basis
- Consent (account creation)
- Contract (service delivery)
- Legitimate interest (security)
Data Subject Rights
Under GDPR, you have:
| Right | Description |
|---|---|
| Access | Get your data |
| Rectification | Fix incorrect data |
| Erasure | Delete your data |
| Restriction | Limit processing |
| Portability | Get your data in portable format |
| Object | Object to processing |
Data Protection Officer
Contact: [email protected]
Supervisory Authority
You have the right to lodge a complaint with your local data protection authority.
California Privacy (CCPA)
California residents have rights under CCPA:
- Know what data we collect
- Delete your data
- Opt-out of data sales (we don't sell data)
- Non-discrimination for exercising rights
We do NOT sell your personal information.
Contact
Privacy inquiries: [email protected]
General inquiries: [email protected]
Legal inquiries: [email protected]
This policy is part of our Terms of Service. By using BAP, you agree to both.