Privacy Policy

What LegacyKey collects, how we use it, and how your firm and your firm’s clients are protected.


LegacyKey | South Bend, Indiana
Effective Date: June 5, 2026 | Version 2.0


Who We Are

LegacyKey ("LegacyKey," "we," "us," or "our") operates the LegacyKey Program and platform operating system at LegacyKeyProgram.com and GetLegacyKey.com. This Privacy Policy explains how we collect, use, store, share, and protect personal information across our website, the LegacyKey operating system (OS), and all related services.

LegacyKey is not a law firm and does not provide legal services. Legal services available through the LegacyKey Program are provided solely by licensed member attorneys operating independently under their own professional licenses and responsibilities.


Who This Policy Covers

This policy applies to three categories of users:

Members — licensed attorneys who purchase a LegacyKey membership and use the OS to manage their estate planning practice.

Advisors — non-attorney professionals who access a read-only advisor portal through a member attorney's LegacyKey network.

Clients — individuals who engage a member attorney through the LegacyKey client journey for estate planning services.

Each category is described separately where data practices differ.


Information We Collect

From Members (Attorneys)

When you purchase a LegacyKey membership we collect your full legal name, law firm name, bar number and jurisdiction(s), business address, phone number, email address, and payment information. We also collect technical data including IP address, browser type, login timestamps, document version acceptance records, and OS usage data.

From Advisors

When a member attorney creates an advisor portal for you, we collect your name, professional title, business name, email address, and phone number as provided by the member attorney. We also collect your IP address and login timestamp when you access your portal.

From Clients

When you engage a member attorney through the LegacyKey client journey, we collect your name, email address, and phone number.

Automatically Collected Data

When you visit our website or use the OS, we may automatically collect device information, browser type, operating system, referring URLs, pages visited, time spent, and IP address through cookies and similar tracking technologies.


How We Use Your Information

We use Member information to provision and maintain OS access, process membership payments, deliver program services, communicate about your account, enforce our Member License Agreement, and improve the platform.

We use Advisor information to provision portal access, display client status information within the advisor dashboard, and communicate about portal access.

We use Client information to facilitate the client journey through the member attorney's practice, deliver automated workflow communications on the attorney's behalf, and maintain records necessary to operate the platform.

We do not use Client information for any purpose beyond providing the OS to the member attorney. Client data is processed by LegacyKey solely as a service provider acting on the member attorney's behalf. The member attorney is the data controller for all Client data.

We do not sell, rent, or trade personal information from any user category to any third party for marketing or advertising purposes.


Automated Processing

LegacyKey uses automated processes to trigger workflow communications and status updates within the OS based on predefined rules. We do not use automated decision-making technology to make decisions about individuals affecting their access to legal services or any other significant interests.


SMS Communications

If you have provided your phone number and opted in to SMS communications, you may receive appointment reminders and status updates via text message from the member attorney's law firm through the LegacyKey platform. Message frequency varies. Message and data rates may apply.

SMS consent is never shared with third parties or affiliates for their own marketing purposes.

To stop receiving SMS messages at any time, reply STOP to any message. Reply HELP for assistance. Opting out does not of itself affect your ability to use the portal, receive email communications, or continue legal services with the member attorney.


Cookies, Tracking Technologies, and Global Privacy Control

We use cookies and similar technologies to maintain login sessions, remember user preferences, analyze platform usage, and improve performance. We do not use cookies to serve behavioral advertising or for cross-context behavioral advertising.

Global Privacy Control (GPC). We recognize and honor the Global Privacy Control browser signal as a legally valid opt-out of the sale and sharing of personal information. If your browser or browser extension has GPC enabled when you visit our website, we will process your signal as an opt-out request and display confirmation that your preference has been honored. This applies to visitors from California, Colorado, Connecticut, Texas, Oregon, Montana, New Hampshire, New Jersey, Delaware, Nebraska, and all other states where GPC recognition is legally required.

Do Not Track. We also honor Do Not Track (DNT) signals. We do not engage in cross-site tracking or behavioral advertising when a DNT signal is present.

You may configure your browser to refuse cookies or alert you when cookies are being sent. Disabling cookies may affect certain platform features.

We may use Google Analytics or similar tools to understand aggregate usage patterns. You may opt out using the Google Analytics Opt-Out Browser Add-on at tools.google.com/dlpage/gaoptout.


How We Share Information

We do not sell, trade, or transfer personal information to outside parties except as described below.

Service Providers. We share information with third-party vendors who help us operate the platform, process payments, send email and SMS communications, and maintain security — including our platform developer, payment processor (Stripe), and email delivery provider. All service providers are contractually required to keep your information confidential, use it only to provide services to us, and comply with applicable privacy laws including the CCPA/CPRA where applicable.

Member Attorneys. Client information is accessible to and controlled by the member attorney whose portal the client uses. LegacyKey processes Client data on the attorney's behalf. Advisors receive only limited read-only status information through the advisor dashboard as described in their participation terms.

Legal Requirements. We may disclose information when required by law, court order, or government authority, or when necessary to protect the rights, property, or safety of LegacyKey, our users, or the public.

Business Transfer. In the event of a merger, acquisition, or sale of all or substantially all of LegacyKey's assets, personal information may be transferred to the acquiring entity subject to the same privacy protections described in this policy.


Data Security

We implement commercially reasonable technical and organizational security measures including:

  • Data in transit encrypted with HTTPS and TLS 1.2 or higher
  • Data at rest encrypted with AES-256
  • Payment processing compliant with PCI DSS standards through Stripe
  • Access controls limiting system access to authorized personnel on a need-to-know basis
  • Regular security review and vulnerability assessment of platform infrastructure

No method of transmission or storage is 100% secure. In the event of a data breach affecting your personal information, we will notify affected users by email within the timeframe required by applicable law and no later than 72 hours after confirmed discovery.

Cybersecurity Audits. We conduct periodic internal cybersecurity reviews of our platform. As our platform grows and applicable regulatory thresholds are met, we will implement formal third-party cybersecurity audits consistent with CPPA requirements.


Data Retention and Deletion

Member data is retained for the duration of the membership and for seven (7) years following termination, consistent with professional records retention requirements applicable to legal service providers.

Advisor data is retained for the duration of the advisor's portal access and deleted within thirty (30) days of deactivation, except as required for audit or legal purposes.

Client data is retained for the duration of the member attorney's active membership. Upon termination of a member's account, Client data is made available for export to the member attorney for thirty (30) days, after which it is deleted or anonymized. Client data is never retained by LegacyKey beyond what is necessary to provide the OS.

We retain personal information only for as long as necessary to fulfill the purposes described in this policy or as required by law. You may request deletion of your personal information by contacting us at the address below, subject to applicable legal retention obligations.


Age Eligibility

The LegacyKey platform is restricted to users 18 years of age or older. Members must be licensed attorneys. Advisors must be professionals operating in a business capacity. Clients must be adults capable of entering into a legal services engagement agreement.

LegacyKey collects only name, email address, and phone number from clients. We do not knowingly collect any information from individuals under 18. If we discover a minor has accessed the platform or provided information, we will terminate that access and delete all associated data immediately.

To report a potential minor access issue, contact us at legal@legacykeyprogram.com.


CAN-SPAM Compliance

When we send commercial email communications we comply with the CAN-SPAM Act by using accurate sender information, clearly identifying promotional messages, including our physical mailing address, and honoring opt-out requests within ten (10) business days. To unsubscribe, use the unsubscribe link at the bottom of any email or contact us directly.


Your Privacy Rights by State

California (CCPA / CPRA)

California residents have the following rights:

Right to Know. You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, our business purposes for collecting it, and the categories of third parties with whom we share it.

Right to Delete. You may request deletion of personal information we have collected from you, subject to exceptions permitted by law.

Right to Correct. You may request correction of inaccurate personal information we hold about you.

Right to Opt Out of Sale or Sharing. We do not sell personal information and do not share personal information for cross-context behavioral advertising. You may confirm this at any time and we will honor your GPC signal automatically as described above.

Right to Limit Use of Sensitive Personal Information. We use sensitive personal information only as necessary to provide the services described in this policy. We do not use it for secondary purposes without your consent.

Right Regarding Automated Decision-Making (ADMT). You have the right to opt out of automated decision-making technology used for significant decisions about you, and to access information about how any such system operates. See the Automated Processing section above.

Right to Non-Discrimination. We will not discriminate against you for exercising any California privacy right.

How to Exercise Your Rights. Submit a request to the contact below. We will respond within 45 days, extendable by an additional 45 days where reasonably necessary. We may verify your identity before processing your request.

Authorized Agent. You may designate an authorized agent to submit requests on your behalf. We may require written authorization or proof of power of attorney.

Shine the Light (Cal. Civ. Code § 1798.83). We do not share personal information with third parties for their direct marketing purposes.

CalOPPA. This policy is posted conspicuously, linked from our homepage using the word "Privacy," and updated with a version number and effective date. California users may visit our site anonymously.


Colorado, Connecticut, Texas, Oregon, Montana, Virginia, and Other State Privacy Laws

Residents of states with comprehensive privacy laws have rights similar to those described above for California, including rights to access, delete, correct, and opt out of sale or sharing of personal information and targeted advertising. We honor GPC signals from residents of all states that legally require it. To exercise your rights under any applicable state privacy law, contact us at the address below.


Nevada

Nevada residents may opt out of the sale of personal information under Nevada Revised Statutes Chapter 603A. We do not sell personal information. Nevada residents may submit a verified opt-out request to the contact below.


Privacy Risk Assessments

Consistent with emerging best practices and applicable regulatory requirements, LegacyKey conducts periodic privacy risk assessments of data processing activities that may present heightened risk to consumers. We document these assessments and will submit required information to the California Privacy Protection Agency on the schedule applicable to our revenue tier as those deadlines approach.


Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the version number and effective date at the top of this page. If changes are material, we will notify active users by email or through the OS. Continued use of the platform after the effective date of any update constitutes acceptance. You may request the version in effect at the time of your account creation from the contact below.


Contact Us

LegacyKey
300 S Saint Louis Blvd Suite 201, South Bend, Indiana 46617
Email: legal@legacykeyprogram.com
Phone: (574) 367-7774

For California-specific requests, please include "California Privacy Request" in your subject line.


This Privacy Policy applies to LegacyKey and the LegacyKey Program. It does not govern the privacy practices of member attorneys, who maintain independent attorney-client confidentiality obligations and may maintain separate privacy policies for their own law practices.