Who we are
Sudden is an estate readiness application developed and operated by Sudden Ltd, a company registered in England and Wales. We are the data controller for any personal information processed in connection with the Sudden app and website.
For any privacy-related questions, contact us at: hello@sudden-app.com
What we collect
We collect two categories of data:
- Account data — your email address and encrypted password hash, used to authenticate you and manage your subscription.
- Vault data — the personal, financial, and legal information you enter into your vault modules. This is encrypted on your device before transmission. We store only the encrypted ciphertext — we cannot read it.
- Usage data — your readiness score (a number), last check-in timestamp, and subscription plan. No behavioural tracking, no analytics on what you type.
- Payment data — Stripe processes your payment. We receive only confirmation of successful payment and your plan status. We never see or store your card details.
We do not use advertising. Sudden contains no ads and we do not sell, rent, or share your data with advertisers or data brokers under any circumstances.
Your vault data
Your vault data — everything you enter across the nine modules — is encrypted using AES-256-GCM with a key derived from your password via PBKDF2 (100,000 iterations). Encryption happens entirely on your device.
What this means in practice:
- Sudden's servers store only encrypted ciphertext — a string of characters that is meaningless without your key.
- We cannot decrypt your vault. If you forget your password, your vault data cannot be recovered — there is no backdoor.
- A data breach of our servers would expose only encrypted data that cannot be read without your password.
- Nominee access works the same way — nominees see only what you explicitly share, and only in its encrypted form unless you export a PDF.
How we use your data
We use your data only to provide the Sudden service:
- Email address — to authenticate your account, send nominee invitations on your behalf, and send essential service communications (receipts, security notices).
- Encrypted vault data — stored and returned to your device when you log in. We process it only to store and retrieve it; we cannot read its contents.
- Readiness score — calculated from your vault completion to show you progress within the app.
- Subscription status — to determine which features you can access.
We do not use your data for profiling, targeted advertising, or any purpose beyond delivering the service you signed up for.
Our legal basis for processing is contract performance (Article 6(1)(b) UK GDPR) — processing is necessary to provide the service you have requested.
Sharing your data
We do not sell your data. We share it only in these limited circumstances:
- Supabase — our backend infrastructure provider (database and authentication). Stores encrypted vault data on our behalf under a data processing agreement. Servers located in the EU.
- Stripe — payment processor. Handles subscription billing. Subject to their own privacy policy. We share only your email address to prefill checkout.
- Nominees you invite — if you invite someone as a nominee, they can see your email address and the vault fields you explicitly choose to share.
- Legal requirements — we may disclose data if required by law. Because vault data is zero-knowledge encrypted, any such disclosure would yield only unreadable ciphertext.
Data retention
We retain your data for as long as your account is active. If you delete your account, your vault data and profile are deleted within 30 days.
Backups may retain encrypted data for up to 90 days after deletion for disaster recovery purposes. Payment records are retained for 7 years as required by UK financial regulations.
To delete your account and all associated data, contact us at hello@sudden-app.com with the subject line "Delete my account". We will process your request within 30 days.
Your rights
Under UK GDPR you have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate data.
- Erasure — request deletion of your data ("right to be forgotten").
- Restriction — request that we limit how we use your data.
- Portability — request your data in a portable format.
- Objection — object to processing based on legitimate interests.
To exercise any of these rights, contact us at hello@sudden-app.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
Security
Sudden is built with security as its primary design constraint:
- All vault data encrypted with AES-256-GCM before leaving your device
- Encryption keys derived via PBKDF2-SHA256 with 100,000 iterations
- Keys stored in your device's secure enclave (iOS Keychain / Android Keystore)
- Biometric authentication required to unlock the app
- All data transmitted over HTTPS/TLS
- No plaintext vault data ever stored on our servers
- Stripe handles all payment data — we never see card details
If you discover a security vulnerability, please contact us at hello@sudden-app.com before disclosing publicly.
Children
Sudden is intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a child has created an account, please contact us at hello@sudden-app.com and we will delete the account promptly.
Contact us
For any privacy questions, data requests, or concerns about how we handle your information:
This policy was last updated in April 2026. We will notify you of material changes via email or an in-app notice before they take effect.