DeathList

Privacy policy

Last updated: 12 June 2026.

DeathList is a self-hosted ledger for debts between friends, run by its operator on their own infrastructure in the EU (Hetzner, Germany/Finland). This page describes what data the service stores and why. Short version: only what the product needs, encrypted where it is sensitive, deletable on request.

What we store

  • Account — your email address (sign-in and notifications), handle, display name, and activity timestamps.
  • Debts — amounts, descriptions, dates, statuses, the audit trail of changes, comment threads, and any receipt images you attach.
  • IBAN — optional, for SEPA payment QR codes. Stored encrypted at rest (libsodium secretbox); shown to a debtor only when they are about to pay you.
  • Death switch — your configuration, liveness ping history, and the collectors you nominate (their email and the name you give them). Nominated collectors are not contacted unless your switch escalates.
  • Web push subscriptions — browser push endpoints, if you enable notifications.

What we do not do

  • No analytics, no trackers, no advertising, no data sales.
  • No cookies beyond the session cookie that keeps you signed in.
  • Raw sign-in and share tokens are never stored — only their SHA-256 hashes.

Who else touches data

Transactional email (magic links, liveness pings, collector escalation) is delivered by Resend (EU region). They process recipient addresses and message content for delivery and are GDPR compliant. Receipts are stored in Cloudflare R2 (EU jurisdiction), readable only through short-lived signed links minted by the app.

Sharing built into the product

Debts are shared records: the other party (friend or guest-link recipient) sees the amount, description, status, thread, and receipt. If your death switch fully escalates, your nominated collector gains read and mark-settled access to debts owed to you — that is the product working as designed, and every collector action is logged and visible to you if you return.

Your rights

  • Export — download everything tied to your account as JSON from Settings → Account.
  • Deletion — request it in Settings → Account. You get a 30-day grace window (signing in cancels it), after which all personal data is purged. Debt records themselves are anonymised to “Deleted user” rather than removed — the people you shared them with keep their side of the ledger.
  • Backups — encrypted database backups rotate out within 30 days of a purge.

Contact

Privacy questions and requests: [email protected].