Data Processing Agreement

Last updated: March 23, 2026

Summary: This Data Processing Agreement ("DPA") describes how LastingPath processes personal data on your behalf, the sub-processors we use, the security measures we maintain, and your rights as a data subject. This DPA supplements our Privacy Policy.

1. Parties and Roles

For the purposes of applicable data protection laws, including the EU General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act ("CCPA"):

  • Data Controller: LastingPath, Inc. ("LastingPath," "we," "us") determines the purposes and means of processing personal data collected through our platform.
  • Data Subject: You, the user of LastingPath's services, whose personal data (and the personal data of the deceased individual you are administering an estate for) is processed through the platform.

Where LastingPath engages third-party service providers to process data on our behalf, those providers act as Data Processors (or "sub-processors") under our instruction.

2. Categories of Personal Data Processed

LastingPath processes the following categories of personal data in the course of providing estate administration services:

Identity and Contact Data

Full name, email address, phone number (optional), mailing address, and Google account identifier used for authentication.

Deceased Individual Data

Name, date of birth, date of death, Social Security number (encrypted), state of residence, and estate-related details such as asset types, beneficiaries, and probate information.

Financial Data

Payment information (processed by Stripe; we do not store card numbers), bank account metadata (for Concierge tier users via Plaid), estate ledger entries, and distribution records.

Documents and Correspondence

Uploaded death certificates, government forms (SS-4, Form 56, SSA-8, etc.), AI-generated letters, and document vault contents.

Usage and Technical Data

Pages visited, wizard progress, AI chat conversations, browser type, IP address, and anonymous analytics data.

3. Purposes of Processing

We process personal data strictly for the following purposes:

  • Service delivery: Generating personalized task checklists, populating government forms, producing PDF documents, and providing AI-assisted guidance for estate administration.
  • Account management: Authenticating users, managing subscriptions and tier access, and processing payments.
  • Communication: Sending transactional emails (deadline alerts, welcome sequences, re-engagement notifications) and responding to support requests.
  • Product improvement: Analyzing anonymous usage patterns to improve features, performance, and user experience.
  • Legal compliance: Maintaining audit trails, fulfilling legal obligations, and responding to lawful data requests.

4. Sub-Processors

LastingPath engages the following sub-processors to deliver our services. Each operates under a data processing agreement with LastingPath and processes data only as instructed by us.

| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Database, authentication, and file storage | All estate data, user accounts, documents, chat history | United States |
| Stripe | Payment processing | Email, payment card details, transaction records | United States |
| Anthropic | AI-powered chat, document analysis, and letter generation | Estate context (names, dates, state), user queries, document content | United States |
| Resend | Transactional email delivery | Email address, name, email content | United States |
| Plaid | Bank account discovery (Concierge tier only) | Bank account metadata, institution names, account types | United States |
| Sentry | Error monitoring and diagnostics | Error traces, browser metadata (PII scrubbing enabled) | United States |
| Vercel | Application hosting, CDN, and serverless functions | HTTP requests, IP addresses, anonymous analytics | United States |

We will notify users of any material changes to our sub-processor list by updating this page and, where practicable, by email. You may object to a new sub-processor by contacting us at privacy@lastingpath.com within 30 days of notification.

5. Security Measures

LastingPath implements appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest: Database contents are encrypted at rest by our database provider (Supabase/PostgreSQL).
  • Field-level encryption: Highly sensitive fields, including Social Security numbers, are encrypted using AES-256-GCM with a dedicated encryption key before storage. These values are never stored in plaintext.
  • Row-Level Security (RLS): Database access policies ensure that users can only access data belonging to their own estate.
  • Authentication: User authentication is managed through Supabase Auth with Google OAuth. Session tokens are httpOnly and secure.
  • Rate limiting: API endpoints handling sensitive operations are rate-limited to prevent abuse.
  • PCI-DSS compliance: Payment processing is handled entirely by Stripe. We never store, process, or transmit payment card numbers.
  • Error monitoring: Sentry is configured with PII scrubbing to prevent sensitive data from appearing in error logs.

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this DPA:

  • Active accounts: All estate data, documents, AI chat history, and associated records are retained for the duration of your account.
  • Account deletion: Upon account deletion, all personal data is permanently removed from our production systems within 24 hours.
  • Backup retention: Encrypted database backups maintained by Supabase have a 30-day recovery window. Deleted data may persist in backups during this period, after which it is permanently purged.
  • Legal holds: Data may be retained beyond the standard retention period if required by law, regulation, or pending legal proceedings.

7. Data Subject Rights

Under applicable data protection laws, you have the following rights with respect to your personal data:

  • Right of access: You may request a copy of the personal data we hold about you.
  • Right to rectification: You may request correction of any inaccurate or incomplete personal data.
  • Right to erasure: You may request deletion of your personal data. We will comply unless retention is required by law.
  • Right to data portability: You may request your personal data in a structured, commonly used, machine-readable format (JSON or CSV).
  • Right to restrict processing: You may request that we limit how we process your data in certain circumstances.
  • Right to object: You may object to processing based on legitimate interests or for direct marketing purposes.

To exercise any of these rights, contact us at privacy@lastingpath.com. We will respond to verified requests within 30 days. If we need additional time, we will notify you of the extension and the reason for the delay.

8. International Data Transfers

All sub-processors listed in this DPA are based in the United States. If you are accessing LastingPath from outside the United States, please be aware that your data will be transferred to, stored, and processed in the United States. By using our services, you consent to this transfer. We ensure that all sub-processors maintain adequate data protection standards consistent with applicable regulations.

9. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address the breach.

10. Changes to This Agreement

We may update this DPA from time to time to reflect changes in our data processing practices or applicable laws. Material changes will be communicated by email to registered users and by updating the "Last updated" date at the top of this page. Continued use of LastingPath after changes take effect constitutes acceptance of the updated DPA.

11. Contact

For questions about this Data Processing Agreement, data subject rights requests, or concerns about how your data is handled, contact us at privacy@lastingpath.com.