Heritavo is a Swiss service that we host and operate for you.

Who can access my data?

Only you — and in an emergency, the people you trust. Your data is encrypted so we technically cannot read it.

Do my contacts find out?

It depends on the method. With Recovery Sheet, no one knows. With Shamir, contacts receive their code during setup.

How does the emergency plan work?

After the set period without a sign of life, your contacts receive an email with a link to the encrypted vault.

What release methods are available?

3 methods: Recovery Sheet (offline), access code by email, printed access code. All work offline.

What if an access code is lost?

With a Recovery Sheet, you can re-download it in Settings (master password required). Warning: if the Recovery Sheet was stolen, it can be used to decrypt the vault — in that case, rotate the release key in Settings and print a new sheet. With Shamir codes, you can redo the setup in the dashboard and distribute new codes. Your vault data is preserved in all cases.

Can I cancel anytime?

Yes, anytime — no minimum term.

Are limits shared in a household?

Yes — entries, attachments and storage are shared across the household. Only emergency contacts are per user. Example: In the Family plan, all 5 users share the 400 entries and 300 attachments.

Terms of Service

Informal translation. This is an informal English translation of the German Terms of Service. In case of any discrepancy or dispute, the German version is the legally binding original.

These Terms of Service govern the use of the SaaS service Heritavo (the "Service"), operated by Moritz Hauff IT, Okenfinerstrasse 2C, 8274 Tägerwilen, Switzerland (the "Provider"). By registering, the user accepts these Terms.

1. Subject of the Agreement

The Provider makes available to the user a web-based service for the encrypted storage of digital legacy items as well as their automated handover in the emergency case. The Service is provided exclusively as Software-as-a-Service (SaaS); the user receives no right to a transfer of software.

2. Subscription Plans and Pricing

The Service is offered under the following plans (prices in CHF, including any applicable taxes):

Plan	1 year	2 years	3 years	Key features
Free	CHF 0	—	—	1 user, 10 entries, 1 emergency contact
Light	CHF 19	CHF 34	CHF 49	1 user, 50 entries, 1 emergency contact, attachments
Pro	CHF 39	CHF 70	CHF 99	1 user, 200 entries, 3 emergency contacts, attachments & priority
Couple	CHF 59	CHF 106	CHF 150	2 users, 200 entries, 5 emergency contacts, priority support
Family	CHF 89	CHF 160	CHF 227	5 users, 400 entries, 8 emergency contacts, priority support

The Free plan is not time-limited; the Provider reserves the right to adjust its feature set or terms with reasonable prior notice.

2a. Exceeding Plan Limits

Each plan defines specific upper limits (number of entries, attachments, legacy videos, emergency contacts, users per household). If these limits are exceeded — for example through a subsequent downgrade to a smaller plan — the account is considered over quota. Existing data is preserved unchanged and remains accessible in all cases.

While an account is over quota, new write actions are blocked(creating new entries, uploading further attachments, inviting further users). Reading, deletion, and downgrade management remain unrestricted. The emergency release to trusted contacts (trustee release) continues to function in all cases — it is exempt from this restriction.

The Provider reserves the right to restrict a user account in cases of disproportionately long exceedance of plan limits under the following staged procedure:

Day 0: Notice in the dashboard and by email; write actions in affected areas are blocked.
Day 14 and 30: Reminder emails with a request to either consolidate entries or adjust the plan.
Day 90: If the exceedance persists, the account is set to read-only. Reading and emergency release remain available; all other actions are permanently blocked as long as the exceedance persists.
After day 90, without response to reasonable contact attempts: The Provider reserves the right to definitively delete the account after written prior notice with a reasonable deadline. Deletion applies as per the provisions on account deletion (see section 4).

Read-only setting and any account deletion are announced at least 14 days in advance by email to the address on file. Restoration of unrestricted operation occurs automatically as soon as plan limits are again observed — either through consolidation of data or through upgrade to a fitting plan.

3. Payment Terms

Paid plans are billed in advance as a one-time amount for the chosen term (1, 2, or 3 years). Payment is processed by the payment service provider Stripe, Inc. The amount is automatically charged to the payment method on file. In case of payment default, the Provider reserves the right to suspend access to the Service until the outstanding amount is settled.

4. Termination

The subscription may be cancelled at any time in the user account. Cancellation prevents automatic renewal; the subscription remains active until the end of the paid term. No pro-rata refund of amounts already paid will be made. The Provider may suspend or delete the user account without notice in the event of a serious violation of these Terms.

Before cancellation, the Provider strongly recommends downloading an encrypted export of the vault data, as all data will be irreversibly deleted after cancellation.

5. User Obligations

The user is responsible for the security of their password and recovery key.
The user shall not use the Service for unlawful purposes.
The user ensures that the data they store does not infringe third-party rights.
The user keeps the contact information in the account current.

6. Availability and Maintenance

The Provider strives for high availability of the Service (targeted availability: 99% on monthly average) but assumes no guarantee of uninterrupted availability. Planned maintenance is announced in advance where possible.

6a. Minimum Operating Period for Paid Subscriptions

The Provider undertakes to maintain the Service for the entire duration of a subscription prepaid by the user. Anyone who purchases a subscription with a term of one (1), two (2), or three (3) years has a contractual claim to the provision of the Service for the entire prepaid period.

Should the Provider discontinue the Service before the expiry of the prepaid term for its own economic or strategic reasons, the Provider undertakes:

to provide written notice of discontinuation with a lead time of at least ninety (90) days to the email address on file;
to keep the export function for encrypted vault data available for the entire notice period;
to refund the unused portion of the subscription on a pro rata temporis basis, calculated against the remaining prepaid term.

This assurance does not apply in cases of force majeure, regulatory orders, insolvency, or other circumstances for which the Provider is not responsible. In such cases, the Provider shall endeavour in good faith to enable users to carry out an orderly data export within a reasonable period.

A discontinuation of the free Free plan is expressly not covered by this provision and is governed by section 2, last paragraph.

7. Limitation of Liability

The Provider is liable only for damages caused by gross negligence or intent. Liability for slight negligence as well as for indirect damages, consequential damages, and lost profits is excluded to the extent permitted by law. Because the Service uses a zero-knowledge architecture, it is technically impossible for the Provider to access the contents of the vault or to recover lost keys.

The total liability of the Provider is limited to the subscription fees actually paid by the user in the last 12 months.

8. Data Protection

The processing of personal data is governed by our Privacy Policy.

9. Amendments to the Terms

The Provider reserves the right to amend these Terms with 30 days' notice by email. If the user does not object within this period, the new Terms are deemed accepted. In case of objection, the user has the right to extraordinary termination.

10. Applicable Law and Jurisdiction

Swiss law applies exclusively. The place of jurisdiction for all disputes arising from or in connection with this Agreement is Canton of Thurgau, Switzerland, unless mandatory statutory provisions stipulate another place of jurisdiction.

Version: 22 May 2026