This Privacy Policy explains how Legacy Trail collects, uses, stores and protects your personal information in accordance with the New Zealand Privacy Act 2020 and applicable international privacy law including GDPR and UK GDPR.
Legacy Trail is committed to protecting your privacy. We collect only information necessary to provide our service and we do not sell personal information in the ordinary course of business. Questions? Contact us at orders@legacytrail.co.nz
01 Who We Are
Legacy Trail is a sole trader business operating in New Zealand providing memorial page creation and hosting services. Legacy Trail is responsible for determining how personal information is collected and used in connection with the service.
Contact: orders@legacytrail.co.nz
Website: legacytrail.co.nz
Location: New Zealand
02 Lawful Basis for Processing
We process your personal information on the following lawful bases:
- Contract performance — processing necessary to deliver the memorial page service you have purchased
- Legal obligation — retaining records required by NZ tax and business law
- Legitimate interests — maintaining security, preventing fraud, and improving the service
- Consent — where you have explicitly agreed at the point of submission, including agreement to our Terms of Service
Where processing is based on consent you have the right to withdraw that consent at any time by contacting us. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
03 Information We Collect
| Category | Information collected | Purpose |
|---|---|---|
| Account holder | Name, email, phone, delivery address | Deliver service, process payment, communicate |
| Memorial content | Name of deceased, birth year or full date, date of passing, biography, photographs, family message, timeline | Create and host memorial page |
| Payment | Card details processed by Stripe — we do not store card numbers | Process subscription payments |
| Consent record | IP address and timestamp at point of Terms acceptance | Legal evidence of informed consent |
| Technical | Browser type, basic usage data via Netlify | Service operation and security |
04 AI Processing Disclosure
Memorial pages may be drafted in whole or in part using AI language model tools (including Anthropic Claude). This means:
- Your submitted content — biography, dates, story, photographs — is processed by an AI system to generate a draft memorial page
- AI-generated drafts are not independently verified by Legacy Trail
- You review and approve all content before publication
- Anthropic (the AI provider) processes data in accordance with their own privacy policy and data processing agreements
By using our service you consent to your submitted content being processed by AI tools for the purpose of creating your memorial page.
05 Publicly Visible Information & Identity Theft Risk
Warning: Memorial pages are publicly accessible to anyone who scans the QR code or visits the page URL. Full dates of birth are commonly used to verify identity with banks and government agencies. We strongly recommend displaying birth year only. You will be warned of this risk again at the point of data entry in our portal.
Legacy Trail accepts no responsibility for how third parties use information you choose to make publicly available, including any risk of identity fraud or financial harm.
We recommend carefully considering:
- Whether to include full dates of birth — birth year only is strongly recommended
- Only including photographs of living individuals with their consent
- Only including photographs of minors with parental or guardian consent
- Enabling privacy mode to reduce discoverability and limit access primarily to those with the direct link or QR code
06 Privacy Mode & Search Engine Indexing
Legacy Trail offers a privacy mode option. When privacy mode is enabled:
- The page will not be submitted for search engine indexing via robots meta tags
- The page URL is designed to be difficult to discover without the direct link or QR code
- The page will not be publicly listed by Legacy Trail
Legacy Trail cannot guarantee complete non-discoverability of any URL. Privacy mode reduces but does not eliminate the risk of unauthorised access. Anyone in possession of the QR code or direct URL will still be able to view the page.
Search engines and third-party archives may temporarily retain cached copies of memorial pages even after removal or privacy mode activation. Legacy Trail is not responsible for cached content held by third party search engines or archiving services.
07 Living Persons & Third Party Data
Memorial content frequently contains information about and photographs of living individuals. You are responsible for ensuring that:
- Living individuals depicted in photographs have consented to their image being published publicly
- Biographical references to living persons are accurate and not harmful
- You have parental or guardian consent for any images of living minors
Living individuals who object to their inclusion may submit a request supported by reasonable evidence of privacy, safety or reputational concerns to orders@legacytrail.co.nz. Legacy Trail will process such requests within 14 days.
08 How We Use Your Information
We use your personal information only to:
- Create and publish your memorial page using AI-assisted tools
- Process subscription payments via Stripe
- Deliver your engraved QR code and welcome pack
- Send service-related communications including previews, updates and renewal reminders
- Maintain a legal record of your consent to our Terms of Service
- Comply with legal obligations
We do not sell personal information in the ordinary course of business. We do not use your information for third party marketing without your explicit consent.
09 Where We Store Your Data
Your data is processed using the following third party services, some located outside New Zealand:
- Google Drive — submitted photographs stored in a dedicated business account (United States)
- Netlify — memorial pages hosted on Netlify's infrastructure (United States)
- Stripe — payment processing, PCI DSS compliant (United States)
- Anthropic Claude — AI processing of submitted content for page creation (United States)
- Gmail — order notifications and customer communications
By using our service you acknowledge that your data will be transferred to and processed in the United States and potentially other jurisdictions. Certain third-party providers may rely on Standard Contractual Clauses or similar transfer mechanisms for international data transfers.
Legacy Trail may change third-party service providers from time to time in the ordinary course of operating the service. Material changes to providers will be reflected in updates to this Privacy Policy.
10 Security Measures
Legacy Trail takes the following steps to protect your personal data:
- Access to customer data is restricted to the business operator only
- Access to business Google accounts is protected using strong passwords and multi-factor authentication
- Stripe handles all payment data to PCI DSS standards — card numbers are never stored by Legacy Trail
- Netlify provides HTTPS encryption for all memorial pages
- We select third-party providers that publicly represent that they maintain industry-standard security measures
No system is completely secure. In the event of a data breach we will notify affected customers and the Office of the Privacy Commissioner as required by law.
11 Data Retention
- Active subscribers: Data retained for the duration of your subscription
- After cancellation: Page taken offline after 30-day notice period. Customer data retained for 12 months then securely deleted
- Payment records: Retained for 7 years as required by NZ tax law
- Consent records (IP + timestamp): Retained for 7 years as legal evidence
- Failed payment records: 14-day grace period applies before page suspension; 30 days before deletion
No guarantee of permanent preservation: Legacy Trail does not guarantee perpetual or indefinite preservation of memorial pages or uploaded content. Continued availability of your memorial page depends entirely on maintaining an active subscription. Legacy Trail is not a digital archive service and should not be treated as the sole repository of important family content. We strongly recommend retaining independent copies of all submitted photographs and written materials.
12 Your Rights
Under the NZ Privacy Act 2020 and where applicable GDPR and UK GDPR, you have the right to:
- Access the personal information we hold about you
- Correct any inaccurate personal information
- Request deletion subject to legal retention requirements
- Data portability — receive a copy of your content in downloadable format within 14 days at no charge
- Withdraw consent at any time where processing is based on consent
- Object to processing in certain circumstances
- Request removal of your memorial page at any time
- Lodge a complaint with the relevant supervisory authority
To exercise any of these rights contact us at orders@legacytrail.co.nz
13 International Privacy Rights
- EU/UK residents (GDPR/UK GDPR): You have the rights listed in Section 12. Our lawful basis for processing is set out in Section 02. You may lodge a complaint with your local data protection authority.
- Australian residents: We comply with the Australian Privacy Principles under the Privacy Act 1988 where applicable.
- US residents: Certain US state privacy laws may provide additional rights to residents depending on applicable thresholds and jurisdiction.
Legacy Trail is a small sole trader business based in New Zealand. We do not have an EU representative or Data Protection Officer at this time. For privacy enquiries please contact us directly.
14 Cookies & Tracking
Our website uses minimal cookies necessary for the site to function. We do not use advertising cookies or behavioural tracking cookies. Third party services embedded in our website including Stripe, Netlify and Google Fonts may set their own technical or analytics cookies. You can manage cookie preferences through your browser settings.
15 Children's Privacy
Our service is not directed at children under 18. We do not knowingly collect personal information directly from minors. Memorial pages may contain photographs of deceased minors submitted by a parent or guardian — by submitting such photographs you confirm you have the legal right to do so. If you believe we hold information relating to a living minor without appropriate consent please contact us immediately.
16 Data Breach Notification
In the event of a data breach posing a risk of harm Legacy Trail will:
- Notify affected customers as soon as reasonably practicable
- Notify the Office of the Privacy Commissioner where required
- Where legally required, notify relevant supervisory authorities
- Take immediate steps to contain and remediate the breach
17 Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 30 days before they take effect. The current version will always be available at legacytrail.co.nz/privacy.html
18 Contact & Complaints
Legacy Trail
Email: orders@legacytrail.co.nz
Website: legacytrail.co.nz
If you are not satisfied with our response you may complain to:
- New Zealand: Office of the Privacy Commissioner — privacy.org.nz
- UK: Information Commissioner's Office — ico.org.uk
- Australia: Office of the Australian Information Commissioner — oaic.gov.au