# Privacy Policy
**Effective Date:** January 31, 2026
**Last Updated:** January 31, 2026
**Version:** 2.0
MySolace (“we,” “us,” “our,” or “Company”), operated by **TRIAXIS LTD**, operates the MySolace memorial platform accessible via website (mysolace.me) and mobile applications (“Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information.
**Legal Entity Information:**
– **Company Name:** TRIAXIS LTD
– **Company Registration Number:** 16978369
– **Incorporated:** 21 January 2026
– **Registered Address:** 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom
– **Contact Email:** office@mysolace.me
## 1. Information We Collect
### 1.1 Personal Information You Provide
When you create an account and use our Service, we collect:
**Registration & Account Information:**
– Full name
– Email address
– Country of residence
– Google profile picture and name (if using Google Sign-In)
**Memorial Content:**
– Memorial profile information (names of deceased, important dates)
– Photos and videos uploaded for memorials
– Memorial messages, tributes, and text content
– Relationship information (e.g., “spouse,” “pet”)
**Payment Information:**
– Payment card details (processed by Airwallex)
– Name and billing address
– Purchase history and transaction amounts
– Note: Airwallex processes and secures payment card numbers; we do not store full payment card details on our servers
### 1.2 Automatically Collected Information
**Device & Browser Information:**
– Device type and operating system version
– Browser type and version
– IP address (approximates geographic location)
– Device identifiers
**Usage Analytics:**
– Pages viewed and features accessed
– Session duration and frequency
– Clicks and interactions within the app
– Crash reports and error logs
**Cookies & Tracking:**
– Session cookies (to remember your login)
– Analytics cookies (from Google Analytics)
– Login preferences
### 1.3 Third-Party Information
When you use Google Sign-In, we receive:
– Name and email address
– Profile picture and country
– These are used only for authentication and account creation
## 2. How We Use Your Information
We use your information to:
– Create and maintain memorial profiles
– Process payments through Airwallex
– Send important notifications (memorial updates, payment receipts)
– Provide customer support
– Analyze usage patterns to improve our Service
– Prevent fraud and maintain security
– Comply with legal obligations (UK law, GDPR, CCPA)
– Respond to user deletion requests
## 3. How We Share Your Information
**We do NOT sell, rent, or trade your personal information.**
We share information only with:
### 3.1 Payment Processors
**Airwallex** processes all payments
– Data shared: Name, email, payment card details, billing address, transaction amount
– Purpose: Payment processing and fraud prevention
– Note: Airwallex is an independent data controller for payment data
– Airwallex Privacy Policy: https://www.airwallex.com/privacy-policy
– Airwallex is PCI DSS Level 1 certified
– Data Processing Agreement: Available upon request
– Payment data is encrypted in transit and at rest
– Card data is tokenized and not stored on our servers
### 3.2 Authentication Services
**Google OAuth** (only if using Google Sign-In)
– Data shared: Email, name, profile picture, country
– Purpose: User authentication and account creation
– Google Privacy: https://policies.google.com/privacy
### 3.3 Web Hosting & Infrastructure
**Hostinger** (Hosting provider)
– Data shared: All Service data (encrypted at rest)
– Purpose: Store and deliver Service
– Hostinger Privacy: https://www.hostinger.com/privacy
– Server Location: EU data center
– Data Processing Agreement: In place
### 3.4 Analytics Services
**Google Analytics** (for aggregated, anonymized usage data)
– Data shared: Anonymized browsing behavior, page views, country, device info
– Purpose: Understand user behavior, improve user experience
– Google Analytics Privacy: https://policies.google.com/privacy
– Data retention: 90 days
– You can opt out: https://tools.google.com/dlpage/gaoptout
### 3.5 Legal Requirements
We may share information when:
– Required by law, regulation, or government request
– Necessary to protect our legal rights
– Required for fraud prevention or security
– Court order or legal process issued in the United Kingdom or another applicable jurisdiction
## 4. Data Security
We implement industry-standard security measures:
**Technical Measures:**
– SSL/TLS encryption for data transmitted over the internet
– Secure HTTPS for all web communications
– Data encryption at rest in Hostinger’s EU data centers
– Secure file upload validation (malware scanning)
– Web Application Firewall (WAF) protection against attacks
– Regular security updates and patches
– WebView security: Android CookieManager properly clears session cookies on logout
– PCI DSS compliant payment processing through Airwallex
**Administrative Measures:**
– Limited access to production data
– Employee confidentiality agreements
– Incident response procedures
– Regular security audits
**Limitations:**
No security system is 100% secure. We cannot guarantee absolute protection against all threats.
## 5. Your Rights and Data Subject Access
You have the right to:
– Access all personal information we hold about you
– Correct or update inaccurate information
– Request deletion of your data (see Section 5.1)
– Withdraw consent at any time
– Obtain a copy of your data in a portable format
– Opt out of marketing communications
– File a complaint with data protection authorities
### 5.1 Account Deletion and Data Erasure
Upon your request, we will:
– Delete your account and all associated memorial profiles
– Permanently remove all personal information (name, email, country)
– Delete all uploaded photos and memorial content
– Remove your payment information (Airwallex retains minimal data per their policy and PCI DSS requirements)
– Complete deletion within 30 days
**Exceptions:** We may retain data for:
– Legal compliance (tax records for 7 years per UK law)
– Court orders or law enforcement requests
– Fraud prevention and security purposes
To request deletion: office@mysolace.me
**Memorial Deletion Policy:**
When you request account deletion or individual memorial deletion:
– All memorial content is permanently deleted from our servers
– Memorial photos and messages are unrecoverable
– Associated transaction records are deleted except where tax law requires retention
## 6. Cookies and Tracking Technologies
We use cookies for:
– **Essential Cookies:** Remember your login session and preferences
– **Analytics Cookies:** Track website traffic and user behavior (Google Analytics)
– **Functional Cookies:** Personalize your experience
**Managing Cookies:**
You can disable cookies in your browser settings or mobile device settings, but this may:
– Prevent proper login functionality
– Disable personalization features
– Require re-entering information more frequently
Most browsers allow you to:
– Block all cookies
– Block third-party cookies only
– Delete cookies upon exit
## 7. Third-Party Services
### 7.1 Third-Party Integrations
**Google OAuth / Google Sign-In**
– Purpose: Simplified login via Google account
– Data: Email, name, profile picture, country
– Privacy: https://policies.google.com/privacy
**Airwallex Payment Processing**
– Purpose: Secure payment processing (PCI DSS Level 1 compliant)
– Data: Payment card details, billing information (Airwallex is independent controller)
– Privacy: https://www.airwallex.com/privacy-policy
– Compliance: PCI DSS Level 1, GDPR compliant
– Location: Airwallex servers in EU and Asia-Pacific regions
– Data Protection Agreement: In place
**Hostinger Web Hosting**
– Purpose: Host MySolace website and store memorial data
– Data: All user data encrypted at rest
– Privacy: https://www.hostinger.com/privacy
– Location: EU data centers
### 7.2 Web Analytics
We use Google Analytics to understand site traffic, user behavior, and geographic distribution of users. This may track your IP address, country, and devices across visits. Data is retained for 90 days.
## 8. Children’s Privacy
### 8.1 Age Restrictions
Our Service is **NOT intended for users under 13 years old** (or the digital age of majority in your jurisdiction).
We do not knowingly collect personal information from children under 13.
### 8.2 Teen Users (13-17)
For users aged 13-17:
– We require reasonable parental awareness of data practices
– We recommend parental monitoring of memorial profile contents
– We do NOT market specifically to this age group
– In California and the EU: Parental consent required for users under 16
### 8.3 Parental Actions
If you believe we’ve collected data from a child under 13:
1. Contact us immediately: office@mysolace.me
2. We will investigate within 5 business days
3. We will delete the child’s data within 30 days
## 9. Changes to This Privacy Policy
We may update this Privacy Policy periodically to:
– Reflect changes in our practices
– Comply with new legal requirements
– Improve clarity
– Add new third-party services
**How we’ll notify you:**
– Email notification for significant changes
– In-app notification when you next log in
– Updated effective date on this page
**Your acceptance:**
Continued use of the Service implies acceptance of changes.
## 10. EU-Specific Rights (GDPR)
If you are located in the European Union, you have additional rights:
### 10.1 Data Subject Rights
– **Right of access:** Request a copy of your personal data
– **Right of rectification:** Correct inaccurate information
– **Right to erasure:** Request deletion (“right to be forgotten”)
– **Right to restrict processing:** Limit how we use your data
– **Right to data portability:** Receive data in portable format (JSON/CSV)
– **Right to object:** Object to processing of your data
– **Right to not be subject to automated decision-making**
– **Right to lodge a complaint:** With your local data protection authority
### 10.2 Legal Basis for Processing
**Consent:** Explicit consent for memorial creation and analytics
**Contract:** Processing necessary to provide the Service
**Legitimate Interest:** Fraud prevention, security, service improvement
### 10.3 Data Retention (GDPR Article 5)
– **Account data:** Retained while account is active
– **Memorial content:** Retained per your preferences or upon deletion request
– **Payment data:** Retained per tax requirements (up to 7 years per UK law) and PCI DSS compliance
– **Analytics data:** Retained for 90 days
– **Cookies:** Session cookies deleted at logout via CookieManager
Upon account deletion, data is deleted/anonymized within 30 days except where legal retention is required (tax records).
### 10.4 EU Data Protection Authority
Your local data protection authority:
– EU supervisory authorities: https://edpb.ec.europa.eu/
– UK Information Commissioner’s Office (ICO): https://ico.org.uk/
### 10.5 Data Processing Location
All data is processed and stored in **EU data centers (Hostinger)**, compliant with GDPR requirements. Payment processing may occur in EU and Asia-Pacific regions via Airwallex. Data is not transferred outside the EU/EEA without explicit legal mechanisms (Standard Contractual Clauses).
## 11. Turkey & International Users
If you are located in Turkey:
– Your data is processed according to Turkish Law No. 6698 on Protection of Personal Data (KVKK)
– You have the right to access, correct, delete, and port your data
– Contact office@mysolace.me to exercise these rights
If you are located in the United States:
### 11.1 California Privacy Rights (CCPA/CPRA)
California residents have rights under CCPA:
– **Right to know:** What personal information is collected
– **Right to access:** Request a copy of your information
– **Right to delete:** Request deletion of your data
– **Right to opt out:** Opt out of data sharing/selling (we don’t sell)
– **Right to correct:** Correct inaccurate information
For California residents under 16:
– We do NOT sell personal information
– Verifiable parental consent required for children under 13
– For users 13-16: Opt-in required for data sale (we don’t engage in sales)
To exercise CCPA rights: office@mysolace.me
– Include “California Privacy Request” in subject
– Provide sufficient information to identify you
– We will respond within 45 days
### 11.2 Other US State Laws
We comply with privacy laws in other US states including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA).
## 12. Data Protection Impact Assessment (DPIA)
For EU users: We have assessed the impact of our data processing activities. High-risk processing includes:
– Payment data processing (mitigated by Airwallex’s PCI DSS Level 1 certification and independent controls)
– Retention of memorial content (mitigated by user deletion rights)
– Analytics tracking (mitigated by anonymization, 90-day retention, and user opt-out)
## 13. Contact Us
For questions about this Privacy Policy or to exercise your rights:
**Email:** office@mysolace.me
**Mailing Address:**
TRIAXIS LTD
71-75 Shelton Street
Covent Garden
London WC2H 9JQ
United Kingdom
**Response Time:** We will respond to inquiries within 30 days.
**Data Protection Officer / Privacy Contact:** office@mysolace.me
***
**Applicable Laws:** UK law, GDPR (EU), CCPA (California), KVKK (Turkey), and other applicable jurisdictions
***
## Appendix: Compliance Checklist
Before public launch, ensure the following are completed:
✅ **Completed:**
1. Analytics Data Retention Period: 90 days (defined)
2. Payment Processor: Airwallex (updated)
3. Airwallex PCI DSS Level 1 certification verified
4. Company registration: TRIAXIS LTD (16978369)
⏳ **To Complete:**
1. **Data Processing Agreement with Hostinger:** Ensure DPA is signed
2. **Data Processing Agreement with Airwallex:** Ensure DPA is signed and covers PCI DSS compliance and cross-border transfers
3. **Data Processing Agreement with Google:** For Google Analytics and Google OAuth
4. **Specific Server Location:** Confirm exact EU region where Hostinger servers are located
5. **Backup & Disaster Recovery Policy:** Document how memorial data is backed up
6. **Incident Response Plan:** Document how data breaches will be handled (GDPR requires breach notification within 72 hours)
7. **Sub-processor List:** Maintain list of all companies with data access (Airwallex, Google, Hostinger)
8. **Cookie Consent Banner:** Implement GDPR-compliant cookie consent (if not already present)
9. **User Rights Request Form:** Create easy-to-use form for data access/deletion requests