Privacy Policy

SLDocs is a service operated by Fiji Systems LLC dba SLDocs (“SLDocs,” “we,” “us”).

This policy describes what data we collect, how we protect it, and the choices you have. We update it as the service evolves; the authoritative sources for the topics below are this page together with our Subprocessors list and Cookie Policy.

What we collect

Information you provide directly: name, email address, password (hashed), optional profile information (phone, address, identity digits — encrypted at rest with a per-user envelope-encryption key), the documents you upload (encrypted at rest with a per-document key wrapped by a tenant-scoped Google Cloud KMS key), and information about people you designate as recipients or trusted contacts.

Information generated by your use of the service: audit log entries (who did what and when), authentication events, billing records, and email-delivery metadata.

How we protect it

Every document uploaded is encrypted with AES-256-GCM using a unique data encryption key (DEK) per document. That DEK is wrapped by a tenant-scoped key in Google Cloud KMS. Ciphertext is stored in Cloudflare R2; plaintext only exists in process memory during a single decryption operation and is zeroed afterward. Sensitive profile fields (phone, date of birth, ID last-three) use the same envelope-encryption pattern with a per-user key.

SMS / text messaging

If you provide a mobile number and opt in, we use it to send account and security text messages — sign-in (two-factor) codes, document-access codes, and account notifications. We do not send marketing or promotional text messages. Message frequency varies with your account activity, and message and data rates may apply. You can reply STOP to any message to opt out, or HELP for help.

We do not sell your mobile information, and we do not share your mobile phone number or SMS opt-in/consent data with third parties or affiliates for their own marketing or promotional purposes. Your number is shared only with the messaging service provider we use to deliver the texts you requested (our SMS carrier, listed on the Subprocessors page), and only for that purpose. Mobile opt-in data is never used for any purpose other than delivering the messages you asked to receive.

Who else processes your data

See our Subprocessors page for the complete list of third-party providers we rely on, what each one processes, and whether they ever see plaintext document content.

Cookies

SLDocs sets only strictly-necessary cookies — authentication, CSRF, white-label tenant resolution, and (during pre-launch) the access-code gate. We do not use cookies for analytics, advertising, profiling, or any non-essential purpose. See our Cookie Policy for the full table.

Geographic scope

SLDocs is offered to U.S. residents and U.S.-organized entities only. Account holders attest to U.S. residency at sign-up. Users may designate recipients (executors, trustees, next-of-kin) who live anywhere — this is incidental processing driven by the user's choice, not active targeting of non-U.S. data subjects.

How long we keep it

Because SLDocs is built for long-horizon document custody, our default is to preserve your documents rather than expire them:

• Paid individual accounts (including accounts whose paid subscription has lapsed): retained indefinitely so your documents remain available over the long term.
• Free accounts: retention is conditioned on periodic engagement. After an extended period of inactivity (currently 36 months, with advance email reminders), a free vault enters a soft-locked state in which your data is preserved — not deleted — and can be reactivated by signing in.
• Law-firm operational data: retained for up to 7 years after a firm relationship ends.
• Audit logs and anonymized financial transaction records: retained for up to 7 years to meet U.S. tax and legal-defense obligations.

For accounts that remain inactive for extraordinary periods, we reserve the right to establish a maximum retention period (for example, 100 years), with advance notice to the contacts we have on file before any such action is taken.

Your rights

Depending on your state of residence — including under the Texas Data Privacy and Security Act (TDPSA) and the California Consumer Privacy Act (CCPA/CPRA) — you may have the right to access or know what personal data we hold about you, to correct it, to delete it, to obtain a portable copy, and to appeal a decision we make on such a request. We do not sell your personal information, and we will not discriminate against you for exercising these rights.

You can download a portable copy of your own data at any time from your account settings, and you can request access, correction, or deletion by emailing info@sldocs.com. If you are listed as a recipient or trusted contact on someone else's vault and you would like that listing removed, you can request removal at the same address — we will remove the listing and notify the vault owner so they can designate a replacement.

Contact

Questions about this policy or to exercise any of the rights above? Email info@sldocs.com.