Security & Trust

Your family's memories are protected by design.

Every layer of Heirloom Sovereign is built for security, from the moment you upload to the day your great-grandchildren open the vault.

256-bit Encryption • Passwordless Auth • SOC 2 Infrastructure • Blockchain Verification

Four pillars of protection

Multiple layers of security work together to guard every piece of your family's data.

Encryption everywhere

Your data is encrypted in transit (TLS 1.3) and at rest (AES-256) through enterprise-grade infrastructure from SOC 2 audited providers.

No passwords to steal

We use passwordless authentication. You log in with a one-time code sent to your email. No passwords are stored anywhere, so there's nothing to leak and nothing to hack.

Signed and sealed on-chain

Every upload is signed server-side before it reaches storage. Files can't be tampered with. Legacy plan members can seal any memory on the Polygon blockchain, creating a permanent, tamper-proof timestamp that anyone can verify.

Privacy-first analytics

No Google Analytics. No Facebook Pixel. No third-party trackers. We use first-party analytics only. Your browsing behavior is never sold or shared.

How we protect your data

Here's what's running behind the scenes to keep your family's memories safe.

HTTPS everywhere

HSTS with preload enabled. Every connection between your browser and our servers is encrypted. No exceptions, no downgrades.

Strict Content Security Policy

We whitelist exactly which scripts and connections are allowed on our site. Everything else gets blocked, which prevents code injection and cross-site scripting attacks.

HttpOnly secure cookies

Session tokens can't be accessed by JavaScript, are only sent over HTTPS, and are locked to our domain to prevent cross-site request forgery.

Rate limiting

Every sensitive endpoint is rate-limited. Login attempts, uploads, and API calls all have strict per-user caps. Brute force attacks are blocked automatically.

Input validation

All submitted data is sanitized, validated, and length-limited before it touches our database. Bad input gets rejected at the door.

CORS restrictions

Only tryheirloom.family can communicate with our API. Cross-origin requests from any other domain are blocked. Your data stays where it belongs.
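The browser-facing controls listed above (HSTS preload, CSP allowlist, cookie flags, CORS) are all visible in response headers, so they can be checked from outside. The following is an added example, not Heirloom's code: `audit_response` and both sample responses are constructed for illustration, and treating "locked to our domain" as a `SameSite` attribute is an assumption.

```python
import re

HSTS_MIN_AGE = 31536000  # one year: minimum max-age the preload list accepts

def audit_response(headers, set_cookies, allowed_origin):
    """Return findings for one HTTPS response (empty list = all checks pass)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    # HSTS preload needs a long max-age plus includeSubDomains and preload.
    hsts = [d.strip().lower() for d in h.get("strict-transport-security", "").split(";")]
    ages = [re.fullmatch(r'max-age="?(\d+)"?', d) for d in hsts]
    age = next((int(m.group(1)) for m in ages if m), 0)
    if age < HSTS_MIN_AGE:
        findings.append("hsts: max-age missing or under one year")
    findings += [f"hsts: {d} missing" for d in ("includesubdomains", "preload") if d not in hsts]
    # CSP: wildcard or inline script sources defeat the allowlist (conservative check).
    csp = {}
    for part in h.get("content-security-policy", "").split(";"):
        tokens = part.lower().split()
        if tokens:
            csp.setdefault(tokens[0], tokens[1:])
    script_src = csp.get("script-src", csp.get("default-src"))
    if script_src is None:
        findings.append("csp: no script-src or default-src")
    else:
        findings += [f"csp: script source {s} allowed" for s in ("*", "'unsafe-inline'") if s in script_src]
    # Session cookies: HttpOnly, Secure, and SameSite (assumed reading of "locked to our domain").
    for raw in set_cookies:
        name = raw.split("=", 1)[0].strip()
        attrs = dict((a.strip().lower().split("=", 1) + [""])[:2] for a in raw.split(";")[1:])
        findings += [f"cookie {name}: {a} missing" for a in ("httponly", "secure") if a not in attrs]
        if attrs.get("samesite") not in ("lax", "strict"):
            findings.append(f"cookie {name}: samesite not lax/strict")
    # CORS: the only origin ever allowed should be the application's own.
    acao = h.get("access-control-allow-origin")
    if acao is not None and acao != allowed_origin:
        findings.append(f"cors: allows origin {acao}")
    return findings

# Constructed sample responses (headers, Set-Cookie values); not captured from any real site.
HARDENED = ({"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
             "Content-Security-Policy": "default-src 'self'; script-src 'self'",
             "Access-Control-Allow-Origin": "https://tryheirloom.family"},
            ["session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"])
WEAK = ({"Strict-Transport-Security": "max-age=86400",
         "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
         "Access-Control-Allow-Origin": "*"},
        ["session=abc123; Path=/; Secure"])
```

Calling `audit_response(*WEAK, "https://tryheirloom.family")` returns one finding per weakened control, while the hardened sample returns an empty list.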

Enterprise infrastructure you can verify

We build on platforms trusted by millions of businesses. Every certification listed here is public and audited.

Cloudinary

ISO 27001

AES-256 encryption at rest. Stores all your photos, videos, and voice memos.

Supabase

SOC 2 Type II

PostgreSQL with Row-Level Security. Every query is scoped to your family's data. No cross-contamination.

Netlify

SOC 2

Global CDN with built-in DDoS protection. Your vault is fast and resilient from anywhere in the world.

Stripe

PCI DSS Level 1

Handles all payment processing. We never see or store your credit card number. Ever.

Anthropic

AI Safety Leader

Powers Sage, our teen AI companion. Conversations are processed in real-time and never used to train models.

Polygon

Blockchain · Mainnet

Our HeirloomVault smart contract stores immutable content hashes on Polygon Mainnet. Proves your memories existed at a specific moment in time. Tamper-proof and publicly verifiable.

How we protect your teen's conversations

Teens won't be honest if they think someone is watching. So we made privacy the architecture, not just a feature.

🔒

Raw messages are architecturally private

Teen conversations are stored in a separate database table that parents can't access. Parents only see AI-generated themes and mood summaries. This isn't a setting you can toggle. It's the database design.

🤝

Teens know the rules

Sage proactively tells teens what parents can and can't see in the very first message. No hidden surveillance. No secret reporting. Trust is the foundation of everything Sage does.

🚨

Dual-layer safety detection

Every message runs through two independent AI safety checks. Mild concerns appear in weekly digests. Moderate concerns trigger same-day alerts. Severe concerns trigger immediate notification plus crisis resources for your teen.

🎂

Age verification required

Sage requires age verification (13 to 18) before activation. Birth year is validated server-side, and parents have to explicitly enable Sage for each teen. It's never turned on automatically.

You own your data. Period.

You should have full control over your family's memories and information. Here's what that looks like.

Export your data

Request a full export of your vault, memories, and metadata at any time. Your data is yours to take wherever you go.

Delete your account

Request complete deletion of your data. We honor all deletion requests promptly and permanently.

Full transparency

We list every third-party service that touches your data in our Privacy Policy. No hidden partners, no surprise data sharing.

We never sell your data

We will never sell, rent, or share your personal data with advertisers. Your family's memories are not a product. Ever.

Never used to train AI

Your family's stories, voice memos, and photos are never used to train any AI model. Your data powers your family's experience and nothing else.

Security FAQ

Yes. All data is encrypted in transit with TLS 1.3 and at rest with AES-256 through our infrastructure partners Cloudinary and Supabase. Every connection to Heirloom is HTTPS-only, enforced with HSTS preload headers.
No. We use passwordless authentication exclusively. When you log in, we send a one-time code to your email that expires in 10 minutes. There are no passwords to leak, steal, or forget. Your session is maintained with encrypted, HttpOnly cookies.
Our team uses service-level access for infrastructure maintenance only. We don't browse user content. Row-level security in our database ensures every query is scoped to your family's data, preventing any cross-account access.
Your data stays in your vault for 90 days after cancellation. You can export everything during that window. After 90 days, data is permanently deleted from our systems and cannot be recovered.
When you seal a memory, we generate a SHA-256 hash of your file and write it to our HeirloomVault smart contract on the Polygon blockchain. This creates a publicly verifiable, permanent timestamp that proves your content existed at that exact moment. The content itself stays completely private. Only the cryptographic hash goes on-chain. You can verify any sealed memory on PolygonScan at any time.
No. Your teen's raw conversation text is never accessible to parents, Heirloom staff, or any third party. Parents only see AI-generated emotional themes, mood trends, and conversation starters. This privacy is built into the database architecture.
Cloudinary holds ISO 27001 certification. Supabase is SOC 2 Type II compliant. Netlify is SOC 2 compliant. Stripe is PCI DSS Level 1 certified. We choose infrastructure partners with the highest security standards and publicly verifiable audits.
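
The seal check described in the answer about sealing a memory can be reproduced locally: hash your own copy of the file and compare it with the hash recorded on-chain. This is an added example, not Heirloom's code; it assumes the recorded value is the plain SHA-256 of the exact file bytes shown as 32-byte hex, and the function names and sample bytes are constructed.

```python
import hashlib
import io

def sha256_stream(fileobj, chunk_size=1 << 20):
    """Hash a file-like object in chunks so large videos need not fit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        digest.update(chunk)
    return digest.digest()

def parse_recorded_hash(text):
    """Accept a hash as a block explorer displays it: optional 0x prefix, any case."""
    cleaned = text.strip().lower()
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    raw = bytes.fromhex(cleaned)  # raises ValueError on non-hex input
    if len(raw) != 32:
        raise ValueError("a SHA-256 digest is exactly 32 bytes")
    return raw

def verify_seal(fileobj, recorded_hash_text):
    """Return (matches, computed_hex) for a local file against the recorded hash."""
    computed = sha256_stream(fileobj)
    return computed == parse_recorded_hash(recorded_hash_text), computed.hex()

# Constructed stand-ins: the "original upload" and a copy with one byte changed.
ORIGINAL = b"constructed stand-in bytes for a photo file"
TAMPERED = ORIGINAL[:-1] + b"!"
RECORDED = "0x" + hashlib.sha256(ORIGINAL).hexdigest().upper()

if __name__ == "__main__":
    print(verify_seal(io.BytesIO(ORIGINAL), RECORDED)[0])  # unchanged copy
    print(verify_seal(io.BytesIO(TAMPERED), RECORDED)[0])  # modified copy
```

Only a byte-for-byte identical copy matches; a re-encoded, resized, or metadata-stripped version of the same photo produces a different hash.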

Your memories deserve the same protection as your family.

Enterprise-grade security from day one. Because your family's stories are worth protecting.
