Privacy Policy

Last updated: April 17, 2026

1. Who We Are

Sema Legacy LLC ("Sema Legacy", "we", "our", or "us") is a limited liability company that operates the website at semalegacy.com and the Sema Legacy application. We provide tools to help individuals and families assess and improve their estate and financial planning readiness.

For privacy questions, contact us at privacy@semalegacy.com.

2. Information We Collect

Account information — your name and email address when you register.

Assessment responses — answers to our planning questions across topics like estate planning, Medicare, Social Security, and retirement. This is stored to calculate your protection score and generate personalised guidance.

Documents — files you upload to the Document Vault. These are stored securely and are only accessible by you.

Payment information — if you subscribe, payment is processed by Stripe. We receive a subscription status and customer ID but never see or store your card details.

Usage data — pages visited, features used, and errors encountered, used to improve the service. We do not use this for advertising.

Technical data — IP address, browser type, device type, and access timestamps collected automatically by our server and third-party services (hCaptcha, Sentry). IP addresses are used for security, rate limiting, and fraud prevention. We do not build advertising profiles from this data.

Financial and sensitive personal information — because our assessments cover estate planning, Medicare, Social Security, retirement, taxes, long-term care, and special-needs planning, your answers may include financial account types, approximate income or asset ranges, beneficiary designations, references to health conditions relevant to planning (e.g. long-term care triggers, advance directives), and other sensitive categories. Under California law this is treated as "sensitive personal information," and under applicable laws in other jurisdictions it may be treated as special-category data. We use this information solely to provide the service you requested (calculating your protection score, generating your action plan, storing your planning documents). We do not use it for advertising, profiling, or inferences unrelated to the service.

3. How We Use Your Information

• To create and manage your account
• To calculate your family protection score and generate your personalised action plan
• To send transactional emails (password resets, family invites, deadline reminders)
• To process and manage your subscription through Stripe
• To improve the application and fix errors
• To respond to your support requests

We do not use your information for advertising, profiling, or selling to third parties.

4. Sharing Your Information

We do not sell, rent, or share your personal information with third parties for marketing purposes. We share data only with the following service providers acting as data processors on our behalf:

• Stripe (stripe.com) — payment processing and subscription management. Stripe processes payment card data directly and we never see your full card details.
• Anthropic (anthropic.com) — AI-powered features. When you use AI tools, relevant inputs are sent to Anthropic's API. Their privacy policy applies. Per Anthropic's commercial terms, API data is not used to train their models.
• Resend (resend.com) — transactional email delivery (password resets, account notifications).
• Cloudflare (cloudflare.com) — DNS, CDN, DDoS protection, and R2 object storage for your uploaded documents.
• DigitalOcean (digitalocean.com) — cloud server hosting. Your data is stored on servers in the United States.
• hCaptcha (hcaptcha.com) — bot protection on registration and password reset forms. hCaptcha may process your IP address and browser data. Their privacy policy applies.
• Sentry (sentry.io) — anonymised error reports to help us find and fix bugs. Error reports may include general device/browser information but not personal account data.
• Google Tag Manager & Google Analytics (google.com) — aggregate web analytics to understand how visitors use the site (pages viewed, time on page, general location). Google processes IP address and device/browser data. We use IP anonymisation where available and do not use Google Analytics for advertising or cross-site tracking. Google's privacy policy applies.
• Web Push service — your browser's push-notification provider (e.g. Google, Apple, Mozilla) delivers notifications we send. We send the notification payload through the browser vendor's standard push service.
• Law enforcement — if required by a valid legal process such as a court order or subpoena, or where we have a good-faith belief that disclosure is necessary to protect rights, property, or safety. Where legally permitted and not prohibited by the request itself, we will attempt to notify affected users before responding to government demands so that they may seek their own legal counsel.

Aggregate and de-identified data. We may create and use aggregate, anonymised, or de-identified information (for example, "12% of users scored above 80 on the Estate Planning assessment") for research, analytics, and product improvement. Such information does not identify you and is not subject to the restrictions in this Policy.

5. The Advisor Share Feature

If you generate an advisor share link, it creates a read-only view of your protection summary accessible to anyone with that link for up to 30 days. You can revoke this link at any time from your account settings. Only share this link with a trusted financial advisor or attorney.

6. Data Security

We take reasonable technical measures to protect your data, including passwords stored using an industry-standard salted password-hashing algorithm (currently scrypt), HttpOnly SameSite session cookies, optional two-factor authentication, HTTPS in production, MIME-type validation on file uploads, and rate limiting on authentication endpoints. Specific algorithms and measures may change over time as industry best practices evolve. If you discover a security issue, contact security@semalegacy.com.

No system is perfectly secure. While we follow industry practices, we cannot guarantee absolute security, and you should retain your own copies of any critical estate-planning documents.

Data breach notification. In the event of a data breach that is likely to result in risk to your rights or freedoms, we will notify affected users as promptly as reasonably practicable and in any event within the timeframes required by applicable law — within 72 hours of becoming aware of the breach where GDPR applies, and without unreasonable delay after necessary investigation in other jurisdictions.

7. Data Retention

We retain your data for as long as your account is active. You can delete your account at any time from Settings → Account → Delete Account, which permanently removes your profile, assessments, documents, and all associated data from our primary systems. Automated backups may retain a copy of your data for up to 30 days before being overwritten. After that period, your data is fully purged from all systems.

Legal holds. Notwithstanding the above, we may retain limited information longer than stated where required by applicable law, to comply with legal obligations, to resolve disputes, to enforce our agreements, or where a legal hold or preservation request is in effect. Any data retained on this basis will continue to be protected in accordance with this Policy and will be purged once the legal basis for retention ends.

8. Your Rights

Depending on your location, you may have the right to access, correct, delete, export, or receive in a portable machine-readable format (data portability) the personal data we hold about you. To exercise any of these rights, email privacy@semalegacy.com. Response timelines depend on the law that applies to you: 45 days for California (see Section 14) and other US comprehensive-privacy-law states (see Section 14a); the timelines required by the Washington My Health My Data Act for Washington residents (see Section 14b); and 30 days for EU/UK/Swiss residents under GDPR/UK GDPR (see Section 13). For jurisdictions not specifically addressed, we will respond within 30 days. We may need to verify your identity before fulfilling requests. We do not collect biometric identifiers — see Section 14c.

8a. International Data Transfers

Sema Legacy is operated from the United States. If you access our service from outside the United States — including from the European Economic Area, United Kingdom, or Switzerland — your personal data will be transferred to and processed in the United States. The US may not provide the same level of data protection as your home country. By using the service, you consent to this transfer. Where required, we rely on the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA) or UK Addendum to the SCCs, or other legally recognised transfer mechanisms to lawfully move personal data across borders. You can request a copy of the relevant transfer mechanism by emailing privacy@semalegacy.com.

9. Cookies and Local Storage

We use the following categories of cookies and similar technologies:

• Strictly necessary — a single session cookie (HttpOnly, SameSite=Strict) to keep you logged in. This cookie is essential for the service to function and cannot be disabled.
• Preferences — localStorage is used to remember your theme preference (dark/light) on your device. Nothing in localStorage is transmitted to us.
• Analytics — Google Tag Manager loads Google Analytics, which sets cookies (such as _ga and _ga_*) to measure aggregate site usage (pages viewed, time on site, approximate geography at country/region level). We have configured Google Analytics with IP anonymisation where available, have disabled Google Signals and advertising features, and do not use this data for advertising, remarketing, or cross-site tracking.

We do not use advertising cookies, retargeting pixels, social-media tracking pixels, or session-replay tools.

Managing cookies. You can opt out of Google Analytics at any time by installing the Google Analytics Opt-out Browser Add-on, by enabling a "Do Not Track" or Global Privacy Control (GPC) signal in your browser, or by blocking third-party scripts. We honour GPC signals as a valid opt-out of the sale or sharing of personal information under applicable US state laws (see Section 14). You can also clear cookies at any time through your browser settings; clearing the session cookie will sign you out.

Push notifications. If you grant permission for browser push notifications, we store a push notification token on our server to deliver alerts such as deadline reminders and important account notices. You can revoke this permission at any time in your browser settings. Revoking permission removes your token from our server on your next visit.

10. Children's Privacy

Eligibility (age 18+). Sema Legacy is a financial and estate-planning tool intended for adult use. Account registration requires you to be at least 18 years old, as set out in our Terms of Service.

COPPA (under 13). Consistent with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect, use, or disclose personal information from children under the age of 13. If a parent or guardian believes that a child under 13 has provided personal information to us, please email privacy@semalegacy.com and we will promptly delete that information and the associated account.

Minors 13–17. Where a minor aged 13–17 may have accessed the service despite our 18+ eligibility requirement, we will, upon notice from a parent or legal guardian, delete the account and associated information.

11. How AI Processes Your Information

Some Sema Legacy features use artificial intelligence (AI) provided by Anthropic to generate summaries, recommendations, or personalised guidance. When you use these features, the inputs you supply — along with relevant context from your account (such as assessment answers or a document you ask us to summarise) — are transmitted to Anthropic's API.

Per Anthropic's commercial terms, inputs and outputs from their API are not used to train their models. Anthropic may retain API traffic for a limited period for abuse monitoring and legal compliance. You can review their policy here: anthropic.com/legal/privacy.

AI output is not legal, medical, or financial advice. The personalised guidance generated by Sema Legacy — including checklists, plain-English explanations, and topic summaries — is informational. It is generated by a language model and can contain errors or omit material facts specific to your situation. For decisions with significant financial, tax, medical, or legal consequences, consult a licensed professional.

If you want to avoid any AI processing of your inputs, do not use the AI-powered features (e.g., the plain-English translator, checklist generator, or document summariser). The core assessment, scoring, and document storage features do not use AI. You may also email privacy@semalegacy.com to request that AI features be disabled on your account; we will confirm the change in writing.

12. HIPAA and Medical Information

Sema Legacy is not a HIPAA-covered entity and does not provide medical advice. While our service helps you plan around health-related decisions (Medicare enrollment, long-term care funding, advance directives, special-needs planning), any information you enter — including references to health conditions, medications, or care needs — is treated as general personal information under this policy, not as Protected Health Information ("PHI") under HIPAA.

The Vault is intended for estate-planning documents such as wills, powers of attorney, advance directives (living wills, health-care proxies, POLST forms), trust paperwork, beneficiary designations, and Letters of Intent. For our purposes these are treated as legal planning documents, not as clinical health records. You should not upload actual clinical medical records (physician notes, lab results, imaging, insurance Explanation of Benefits containing diagnosis codes, prescription records) to the Document Vault. If you choose to upload such clinical records anyway, they will be stored and treated under this Privacy Policy as general personal information, not as HIPAA-protected PHI.

If you need to share PHI with a family member, use a HIPAA-compliant tool or your healthcare provider's patient portal — not Sema Legacy.

13. Legal Basis for Processing (GDPR / UK GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, we process your personal data under the following legal bases:

• Contract performance — to provide the service you signed up for, including account management, assessments, and document storage.
• Legitimate interests — to improve the service, send transactional communications, prevent fraud, and maintain aggregate analytics. Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms.
• Consent — for optional marketing communications and for any non-essential cookies or analytics that require consent in your jurisdiction. You may withdraw consent at any time without affecting the lawfulness of prior processing.
• Legal obligation — where required to comply with applicable law.

Your GDPR/UK GDPR rights. In addition to the rights described in Section 8, you have the following specific rights: (a) the right to object to processing based on legitimate interests, including any profiling; (b) the right to restrict processing in certain circumstances; (c) the right to withdraw consent at any time where processing is based on consent; (d) the right to lodge a complaint with your supervisory authority (for example, the UK ICO, the Irish DPC, or your national data protection authority). To exercise any of these rights, email privacy@semalegacy.com.

No solely automated decision-making. We do not make decisions that produce legal or similarly significant effects on you based solely on automated processing. Your protection score, AI-generated summaries, and checklists are informational outputs to help you think through your planning — they do not determine eligibility for any benefit, service, or legal right, and a human (you) always decides what, if anything, to do with them.

14. California Residents — CCPA/CPRA Rights

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know — you may request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to Delete — you may request deletion of your personal information, subject to certain exceptions.
• Right to Correct — you may request correction of inaccurate personal information.
• Right to Opt-Out of Sale or Sharing — we do not sell your personal information or share it for cross-context behavioural advertising. We honour the Global Privacy Control (GPC) browser signal as a valid opt-out request.
• Right to Non-Discrimination — we will not discriminate against you for exercising your privacy rights.
• Right to Limit Sensitive Information Use — we only use sensitive personal information (such as financial planning data) to provide the service you requested.

Categories of personal information collected (last 12 months). We collect the following CCPA categories: identifiers (name, email, IP address, account ID); commercial information (subscription status, billing events); internet or network activity (pages viewed, feature usage, device/browser info); geolocation at approximate city-level (from IP, for analytics and fraud prevention); professional or planning-related information voluntarily provided in your assessments; sensitive personal information limited to account credentials and self-reported financial and planning data used solely to deliver the service you requested. We do not collect biometric information, genetic data, precise geolocation, government-issued IDs, or racial/ethnic origin.

Sources of personal information. (a) Directly from you (when you register, complete an assessment, or upload a document); (b) automatically from your device (cookies, server logs, analytics); (c) from service providers acting on our behalf (Stripe payment confirmation, hCaptcha verification, Sentry error reports).

Business or commercial purposes for collection. Providing and maintaining the service; account management; processing payments; calculating your protection score and generating your action plan; sending transactional communications; security, fraud prevention, and debugging; product improvement; complying with legal obligations.

Categories of third parties with whom personal information is shared. Service providers and processors listed in Section 4 (Stripe, Anthropic, Resend, Cloudflare, DigitalOcean, hCaptcha, Sentry, Google Analytics, your browser's push-notification provider). We do not share personal information with data brokers, advertising networks, or third parties for their independent marketing.

Retention criteria and periods. We retain personal information only as long as reasonably necessary for the purposes for which it was collected, and we apply the following category-specific periods: (a) account information (name, email, credentials) — retained while the account is active and deleted upon account closure; (b) assessment responses and protection scores — retained while the account is active, with deletion cascading when the account is closed; (c) uploaded documents — retained until you delete them or close your account; (d) payment and subscription records — retained for up to seven (7) years to comply with tax, accounting, and audit obligations; (e) server logs and technical data — retained for up to 90 days for security and debugging; (f) analytics data — retained per Google Analytics default (up to 14 months); (g) automated backups — overwritten within 30 days as described in Section 7; (h) information subject to legal hold — retained only for as long as the legal obligation or proceeding requires.

How to exercise your rights. To exercise any of these rights, email privacy@semalegacy.com. We will confirm receipt within 10 business days and respond substantively within 45 days (extendable by an additional 45 days with notice to you, as permitted by law). We may need to verify your identity before fulfilling your request.

Authorized agents. You may designate an authorized agent to submit requests on your behalf. We will require (a) written, signed permission from you authorising the agent to act, and (b) verification of the agent's identity. We reserve the right to deny requests from agents who do not provide this.

Do Not Sell or Share My Personal Information: We do not sell or share your personal information with third parties for advertising or marketing purposes.

14a. Other US State Privacy Laws

If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Tennessee, Iowa, Delaware, New Hampshire, New Jersey, Minnesota, Rhode Island, Maryland, or another US state with a comprehensive privacy law, you have rights substantially similar to those described in Section 14, including the right to access, correct, and delete personal information, and the right to opt out of targeted advertising, the sale of personal data, and certain profiling. To exercise your rights, email privacy@semalegacy.com. You also have the right to appeal a refusal to take action on your request by replying to our response email; if you are not satisfied with our appeal decision you may contact your state Attorney General.

Colorado residents. We honour universal opt-out mechanisms (including the Global Privacy Control) as opt-out preference signals under the Colorado Privacy Act.

Texas residents. Sema Legacy does not engage in the sale of personal data as defined by the Texas Data Privacy and Security Act, and does not use sensitive personal data for targeted advertising.

14b. Washington "My Health My Data" Act

Washington's My Health My Data Act (MHMDA) regulates "consumer health data," which it defines broadly to include information related to past, present, or future physical or mental health, diagnoses, treatments, use or purchase of health-related products, and other health-adjacent categories. Because our assessments touch on Medicare, long-term care, advance directives, and special-needs planning, some of the information you provide may fall within this definition for Washington residents.

Scope. We collect consumer health data only where you voluntarily provide it through an assessment (for example, indicating a family member's care needs or selecting an LTC scenario) or where you choose to upload a related planning document. We do not collect precise location information related to attempts to seek health care, and we do not build health-based profiles.

Consent. Where MHMDA applies to your consumer health data, we will request separate, clear, and specific in-product consent at the point of collection (for example, before you complete an assessment that asks about health-related planning topics). Your acceptance of this Privacy Policy or our Terms of Service does not, by itself, constitute the affirmative consent required by MHMDA. You may withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal, by emailing privacy@semalegacy.com, by deleting the relevant assessment answers, or by closing your account.

No sale of consumer health data. We do not sell consumer health data, and we do not share it with third parties other than the service providers described in Section 4, who process it only to deliver the service to you. We will not share consumer health data with a third party for cross-context behavioural advertising under any circumstances.

Your MHMDA rights and response timelines. Washington residents may request to access, delete, or withdraw consent to the processing of their consumer health data by emailing privacy@semalegacy.com. We will confirm receipt of your request promptly and respond substantively within forty-five (45) days, extendable by an additional 45 days where reasonably necessary (with notice to you). You may also lodge a complaint with the Washington Attorney General, who enforces MHMDA under Washington's Consumer Protection Act.

14c. Biometric Information — Illinois BIPA

Sema Legacy does not collect, capture, purchase, receive through trade, or otherwise obtain biometric identifiers or biometric information (as defined by the Illinois Biometric Information Privacy Act or similar laws in Texas, Washington, or elsewhere). We do not use facial recognition, voiceprints, fingerprint scanning, iris scanning, or any comparable technology.

15. Changes to This Policy

We may update this policy from time to time. We will notify registered users of material changes by email at least 14 days before they take effect. The "last updated" date at the top reflects the most recent version.

16. Contact

Questions about this Privacy Policy? Email us at privacy@semalegacy.com.