Back to Home

Privacy Policy

Last updated: March 18, 2026

SamaBrains Solutions ("we", "us", "our") operates BeyondMe ("the Service"), a digital legacy management platform. This Privacy Policy explains how we collect, use, and protect your information.

1. Information We Collect

a) Account Information

  • Email address and full name (provided during registration).
  • Authentication credentials (password hash — we never store plaintext passwords).
  • Two-factor authentication settings (if enabled).
  • Profile preferences and settings.

b) Encrypted Vault Data

  • Assets you store in the vault (passwords, documents, letters, files).
  • This data is encrypted client-side using AES-256-GCM before reaching our servers.
  • We cannot read, access, or decrypt this data. Only you (with your master password) can decrypt it.

c) Trusted Contact Information

  • Email addresses and names of your designated trusted contacts.
  • Emergency access settings and preferences.

d) Usage & Activity Data

  • Heartbeat check-in timestamps and interval settings.
  • Audit logs (login events, vault access, settings changes).
  • Notification delivery records.

e) Payment Information

  • Subscription plan, payment status, and billing history.
  • Payment method type (e.g., MTN Mobile Money, Airtel Money, Visa).
  • Pesapal order tracking IDs and transaction references.
  • We do not store your full mobile money number, card number, or financial credentials. All payment processing is handled securely by Pesapal.

2. How We Use Your Information

  • To provide, maintain, and improve the Service.
  • To monitor your heartbeat status and trigger the escalation process when inactivity is detected.
  • To send transactional emails: verification, password reset, check-in reminders, escalation warnings, asset release notifications, and subscription renewal reminders.
  • To process subscription payments via Pesapal.
  • To enforce plan limits and feature access.
  • To maintain audit logs for your security.
  • To respond to support requests.

3. Zero-Knowledge Encryption

BeyondMe uses a zero-knowledge encryption model. Your sensitive vault data is encrypted using AES-256-GCM with PBKDF2 key derivation (600,000 iterations) entirely in your browser before being transmitted to our servers.

Your master password never leaves your device. We do not have access to your encryption keys. This means:

  • We cannot read your vault data, even if legally compelled.
  • If you lose your master password, your encrypted data cannot be recovered by anyone.
  • Even if our database were compromised, attackers would only find encrypted ciphertext that is computationally infeasible to decrypt.

4. Data Sharing & Third Parties

We do not sell, trade, or share your personal information for marketing purposes. We share data only with:

Service Providers

  • Supabase — Authentication and database hosting (PostgreSQL). Data stored with row-level security policies.
  • Pesapal — Payment processing for subscriptions. Handles MTN Mobile Money, Airtel Money, Visa, Mastercard. Pesapal is regulated by the Bank of Uganda.
  • Brevo — Transactional email delivery (check-in reminders, notifications, renewal emails).
  • Cloudflare — Frontend hosting and CDN via Cloudflare Pages.
  • Railway — Backend API hosting.

Other Disclosures

  • Trusted contacts: When your heartbeat expires, we send notification emails to your designated recipients. They receive your encrypted assets but still need your master password to decrypt them.
  • Legal requirements: If required by law, regulation, or legal process. Note that due to our zero-knowledge architecture, we cannot provide decrypted vault contents even under legal compulsion.

5. Data Retention

  • Active accounts: Data is retained as long as your account is active.
  • Deleted accounts: When you delete your account, all associated data (profile, encrypted assets, contacts, heartbeat records, payment history, audit logs) is permanently deleted.
  • Released notifications: Emails that have already been sent to recipients cannot be recalled after account deletion.
  • Payment records: Transaction records may be retained for up to 7 years as required by financial regulations.

6. Data Security

We implement multiple layers of security:

  • Client-side AES-256-GCM encryption for all vault data.
  • PBKDF2 key derivation with 600,000 iterations.
  • TLS encryption for all data in transit.
  • Row-level security (RLS) policies in the database.
  • JWT-based authentication with Supabase.
  • CORS protection and rate limiting on the API.
  • Audit logging of all security-relevant events.

7. Your Rights

You have the right to:

  • Access: View all personal information we hold about you through your account dashboard and audit logs.
  • Correction: Update or correct your account information at any time.
  • Deletion: Delete your account and all associated data permanently.
  • Portability: Export your data (unencrypted, with your master password).
  • Objection: Opt out of non-essential communications.

To exercise these rights, contact us at info@samabrains.com or use the relevant features in your account settings.

8. Cookies & Local Storage

  • Authentication cookies: Essential cookies for session management. Required for the Service to function.
  • Local storage: Used to store your theme preference and non-sensitive UI state.
  • We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

9. International Data Transfers

Your data may be processed and stored in servers located outside Uganda through our service providers (Supabase, Cloudflare, Railway). These providers maintain industry-standard security practices and compliance certifications. All vault data remains encrypted with your master password regardless of where it is stored.

10. Children's Privacy

BeyondMe is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If we discover that we have collected information from a minor, we will delete that information promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you via email or in-app notification at least 14 days before the changes take effect. The "Last updated" date at the top of this page indicates the most recent revision.

12. Contact

For privacy-related questions or to exercise your data rights, contact us:

  • Email: info@samabrains.com
  • Company: SamaBrains Solutions
  • Tel: +256 759 910 596
  • Website: www.samabrains.com