Built so we can’t read your data — by design.
There’s one question that decides whether your most private records are truly private: who holds the key? With most services, the company keeps a copy and promises not to look. We built LegacyDash so we never have it at all.
“Am I the last person who doesn’t trust this stuff?”
If you hesitate before handing your accounts, documents, and final wishes to any company — you’re not behind the times. You’re the one paying attention. The right answer isn’t “trust us.” It’s to show you exactly how this works, in plain language, so you can decide for yourself. Here it is, start to finish.
A locked steel box that only you can open.
Imagine your records sealed inside a heavy steel box. We keep that box in a guarded vault — we protect it around the clock, back it up, and stand watch over it. But there’s one thing we can never do: open it. We don’t have your key. Only you do.
- You lock the box. Your records are encrypted on your device before they’re ever stored.
- We guard the box. We keep it safe, available, and backed up — but we hold no key to it.
- A breach finds gibberish. If someone ever got into our servers, they’d get locked boxes — not your life.
Picture a locked steel box. Your records sit inside it. We’re the guard who protects that box around the clock — but we can never open it, because we don’t have your key. Only you do.
No third-party trackers
Who holds the encryption key?
It’s the single difference between “private” and “they promise it’s private.”
The actual building blocks — named, so you can check them.
No hand-waving. Here’s every cryptographic primitive that keeps your records private, in plain language and by its real name.
Your records are scrambled on your own device
Before anything is stored, each field is encrypted right here in your browser — so what reaches our servers is already unreadable.
AES-256-GCM · Web Crypto (client-side)
Your master password becomes your private key
We stretch your password through hundreds of thousands of rounds to derive your key — slow on purpose, so it can’t be brute-forced.
PBKDF2-SHA256 · 600,000 iterations
Your key is wrapped, never stored in the open
The key that unlocks your records is itself encrypted with the key derived from your master password — locked inside a lock.
AES-KW (AES Key Wrap)
Your login password is hashed, never kept
Even your account password is run through a deliberately memory-hard hash on our servers — we store the hash, never the password.
Argon2id · 64 MB memory, 3 iterations
A recovery phrase you can write down and keep
At setup you receive a sequence of plain English words. Kept somewhere safe, it can restore your access if you forget your master password.
BIP-39 recovery phrase
Our servers only ever hold the locked box
We store your wrapped key as ciphertext. We never see your master password, so we have nothing to unlock it with — by design.
Wrapped key stored as ciphertext (encrypted_key_cse)
On the roadmap: an independent third-party audit of our encryption is planned — we’ll publish the results here. We don’t claim it as done, because it isn’t yet.
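The key hierarchy named above (PBKDF2-SHA256 at 600,000 iterations, AES-KW, AES-256-GCM), sketched with the Web Crypto API as an added example. It is not LegacyDash's code; the function names, record field names, salt and IV sizes, and sample values are assumptions made for illustration.

```javascript
// Added example, not LegacyDash code. Works in a browser or in Node.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();

// Master password -> key-wrapping key (PBKDF2-SHA256, 600,000 iterations).
async function deriveWrappingKey(password, salt) {
  const material = await wc.subtle.importKey('raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: 600000 },
    material, { name: 'AES-KW', length: 256 }, false, ['wrapKey', 'unwrapKey']);
}

// Runs on the device. The returned object is all a server would need to store:
// salt, IV, wrapped key and ciphertext (field names are hypothetical).
async function sealRecord(password, plaintext) {
  const salt = wc.getRandomValues(new Uint8Array(16)); // assumed size
  const iv = wc.getRandomValues(new Uint8Array(12));   // fresh per encryption; never reuse under one key
  const dataKey = await wc.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
  const kek = await deriveWrappingKey(password, salt);
  const wrappedKey = new Uint8Array(await wc.subtle.wrapKey('raw', dataKey, kek, 'AES-KW'));
  const ciphertext = new Uint8Array(
    await wc.subtle.encrypt({ name: 'AES-GCM', iv }, dataKey, enc.encode(plaintext)));
  return { salt, iv, wrappedKey, ciphertext };
}

// Runs on the device. AES-KW has a built-in integrity check, so a wrong
// password fails at unwrap instead of yielding a bogus key.
async function openRecord(password, rec) {
  const kek = await deriveWrappingKey(password, rec.salt);
  const dataKey = await wc.subtle.unwrapKey('raw', rec.wrappedKey, kek, 'AES-KW',
    { name: 'AES-GCM', length: 256 }, false, ['decrypt']);
  const plain = await wc.subtle.decrypt({ name: 'AES-GCM', iv: rec.iv }, dataKey, rec.ciphertext);
  return new TextDecoder().decode(plain);
}

// Constructed sample password and record; returns facts a reader can check.
async function demo() {
  const rec = await sealRecord('correct horse battery staple', 'Safe deposit box 114');
  const opened = await openRecord('correct horse battery staple', rec);
  const wrongFails = await openRecord('guess', rec).then(() => false, () => true);
  return { opened, wrongFails, wrappedLen: rec.wrappedKey.length, ctLen: rec.ciphertext.length };
}
```

The 32-byte record key wraps to 40 bytes under AES-KW, and the ciphertext is the plaintext length plus a 16-byte GCM tag; neither reveals the master password or the record key to whoever stores them.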
No third-party trackers. You don’t have to take our word for it.
Privacy isn’t only about encryption — it’s also about who’s watching. We don’t load third-party advertising or tracking scripts anywhere on LegacyDash, and we don’t sell, mine, or share what you store.
We do use first-party product analytics — a count of which features get used, so we can make the app better. That’s an honest distinction worth being clear about: it runs on our own infrastructure, carries no advertising network, and never touches the encrypted contents of your records.
Check it for yourself: open your browser’s developer tools, go to the Network tab, and load any page. Every request goes to us — no ad networks, no data brokers.
Private to a fault — but never a dead end.
The hardest part of true zero-knowledge is making sure your family can still get in when it matters. Here’s how we solve that without ever holding your key.
A recovery phrase, just for you
At setup you receive a BIP-39 recovery phrase — a sequence of ordinary words. Write it down, keep it somewhere safe, and it can restore your access if you ever forget your master password.
Emergency access, set in advance
You decide ahead of time who can request entry, and on what terms. When the moment comes, the right person follows a guided flow to your emergency kit — clearly, calmly, and only when it’s truly needed.
One honest trade-off, stated plainly: because we never hold your key, these are your recovery routes. If you lose both your master password and your recovery phrase, we cannot recover your data — there is no master key on our side to fall back on. That’s the same property that keeps it private. So set up emergency access, and keep your recovery phrase somewhere secure.
Your data stays usable and private, no matter what happens to us.
Companies get acquired. Some shut down. Some quietly delete what you trusted them with. We built LegacyDash so none of that can strand you.
Export everything, anytime
Your records and your generated emergency kit are yours to download and keep, whenever you want — no lock-in, no hostage-taking.
Encrypted with your key
Because the key is yours, your data stays private whether it lives with us, in your export, or anywhere you take it. Our access can’t change that.
Software-first & independent
We’re built to keep working for families, not to be flipped. And if we ever weren’t around, your exported, key-protected records would still be fully yours and usable.
The questions skeptics ask first.
Organize your life somewhere that genuinely can’t read it.
Start free — no credit card — and lock your records with a key only you hold. It’s the same zero-knowledge encryption on every plan, free included.
No credit card · Free forever · Cancel anytime