Privacy Policy
Last Message — ultimamensagem.com
Last updated: 23 May 2026
Your privacy is our central commitment. Last Message (hereafter the "Service") processes sensitive personal data — messages, documents and personal relationships that you wish to preserve for the right moment. This Policy explains, clearly and in line with Regulation (EU) 2016/679 (GDPR) and Portuguese Law No. 58/2019, of 8 August, what data we collect, for what purposes, on what legal basis, with whom we share it and what your rights are.
This Policy should be read together with our Terms of Use.
1. Data controller
The controller of your personal data is:
- Legal name: [LEGAL NAME OF THE COMPANY]
- Tax/Corporate ID (NIPC/NIF): [NUMBER]
- Registered office: [FULL POSTAL ADDRESS]
- Email: info@ultimamensagem.com
- Website: https://ultimamensagem.com
Data Protection Officer (DPO). For specific data protection matters you may contact: [DPO NAME or "privacidade@ultimamensagem.com"]. Formal appointment of a DPO is not mandatory at the current stage; if and when it becomes so under art. 37 GDPR, it will be communicated here.
2. Data we collect
We collect only what is strictly necessary for the Service to operate:
2.1. Account data
- Name (provided by you; may be a pseudonym)
- Email address (used for authentication, the Life ping and communications)
- Password — never stored in plain text; protected by a robust salted hash (the bcrypt algorithm or equivalent)
- Language and account preferences
2.2. Message content
- Message title and text body — encrypted at rest with XChaCha20-Poly1305 (libsodium), with a unique nonce per message
- Attachments — images, videos, audio and documents you choose to attach, likewise encrypted on disk and only decrypted upon authorised delivery
- Profile photo — optional, also encrypted
2.3. People you designate
- Recipients — name and email of the people you want the messages to reach
- Guardians — name and email of the people who confirm your prolonged absence (optional)
Important: when designating third parties (Recipients or Guardians), the User declares that they have informed those persons or have a legitimate basis to do so. The Company may notify those persons to give them the opportunity to object.
2.4. Operational data
- Date of the last Life ping and of the next scheduled one
- Delivery settings — dates, conditions, rules
- Message status — pending, paused, delivered
2.5. Technical and log data
- IP address, date/time and type of actions relevant to security (sign-in, message creation/editing, configuration changes)
- Basic device/browser information (user-agent), for fraud detection and technical support
2.6. Cookies
We use only cookies strictly necessary for the Service to operate:
- LMSESSID — technical session cookie to keep you signed in. Marked as Secure, HttpOnly and SameSite=Lax.
- We do not use marketing, advertising, behavioural tracking, fingerprinting or third-party analytics cookies.
2.7. Payment data
Payment data (card, bank account) is handled directly by the payment processor (currently PayPal). The Company neither stores nor has access to that data; it only records the transaction reference, the status and the plan purchased.
3. Purposes and legal bases of processing
We process your personal data for the following purposes, with the corresponding legal basis under art. 6 GDPR:
| Purpose | Legal basis |
|---|---|
| Create and manage your User account | Performance of contract — art. 6(1)(b) |
| Store and encrypt your messages and attachments | Performance of contract — (b) |
| Send the Life ping and process your response | Performance of contract — (b) |
| Contact Recipients and Guardians at the right times | Performance of contract — (b) |
| Process subscriptions and payments | Performance of contract — (b) |
| Comply with tax, accounting and legal obligations | Legal obligation — art. 6(1)(c) |
| Prevent abuse, fraud and IT attacks | Legitimate interest — art. 6(1)(f) |
| Respond to support requests | Legitimate interest / performance of contract |
| Defend rights in judicial or administrative proceedings | Legitimate interest — (f) |
On legitimate interest: the Company carries out a prior balancing test between the interest pursued and the rights and freedoms of the data subjects. You have the right to object to processing based on legitimate interest, under section 8.
4. Processing of messages after your death or prolonged absence
This is the central feature of Last Message. The Service was designed to handle your data precisely in situations where you can no longer give instructions. The process is as follows:
- If you stop confirming the Life ping for the period set in your account, successive alerts are sent to your own email.
- If you have appointed Guardians, we contact them by email so that they confirm your prolonged absence. Only with the minimum required confirmation is delivery triggered.
- If you have not appointed Guardians, delivery is triggered after the minimum inactivity period defined in the Terms has elapsed, with interim notices and a grace period. This option carries a higher risk of undue delivery — see the corresponding topic in the Terms.
- Before final delivery, the grace period set out in the Terms is observed; during it, simply signing in to your account cancels the entire process.
- Once the absence is confirmed and the grace period has elapsed, the messages are decrypted and sent to the Recipients via a unique link.
Legal basis and framework. This processing arises from the performance of the contract entered into with you during your lifetime and from respect for your expressed will. The processing of data of deceased persons is governed by art. 17 of Portuguese Law No. 58/2019, which grants legitimate heirs the right to exercise the data subject’s rights.
Automated decision-making (art. 22 GDPR). When you appoint Guardians, the system does not take fully automated decisions on delivery of messages, because it depends on human confirmation by the Guardians. When you opt out of Guardians, there is an automated component (passing of time periods), but with multiple notices and a grace period that allows you to intervene. In any case, you may request human review of any delivery by contacting us.
5. Data security
We implement appropriate technical and organisational measures, under art. 32 GDPR:
5.1. Encryption
- In transit: all traffic is served over HTTPS with modern TLS.
- At rest: message content, attachments and profile photo encrypted with XChaCha20-Poly1305 (libsodium), with a unique nonce per element.
- Passwords: stored exclusively as a salted hash (the bcrypt algorithm or equivalent). They are never stored or known in plain text — not even by us.
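The at-rest scheme described in 5.1, shown as an added example written for this page (not the Service's own code) using the PHP sodium extension, which wraps libsodium. The key source, the use of the message id as associated data and the storage layout (nonce followed by ciphertext) are assumptions.

```php
<?php
// Added example (not the Service's code): XChaCha20-Poly1305 at rest with a
// fresh random nonce per message, plus bcrypt for passwords. The 32-byte key
// is assumed to be held outside the database (e.g. loaded from the environment).
declare(strict_types=1);

const NONCE_LEN = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES; // 24 bytes
const TAG_LEN = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_ABYTES;      // 16 bytes

function encryptMessage(string $plaintext, string $messageId, string $key): string
{
    // A 192-bit random nonce per message makes accidental reuse negligible,
    // which is why XChaCha20 (rather than 96-bit-nonce ChaCha20) suits this design.
    $nonce = random_bytes(NONCE_LEN);
    // The message id is bound as associated data (assumption), so a ciphertext
    // copied onto another message row fails to authenticate at delivery time.
    $ct = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($plaintext, $messageId, $nonce, $key);
    sodium_memzero($plaintext);
    // The nonce is not secret; store it alongside the ciphertext.
    return $nonce . $ct;
}

function decryptMessage(string $blob, string $messageId, string $key): string
{
    if (strlen($blob) < NONCE_LEN + TAG_LEN) {
        throw new RuntimeException('stored blob is truncated');
    }
    $nonce = substr($blob, 0, NONCE_LEN);
    $ct = substr($blob, NONCE_LEN);
    $pt = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt($ct, $messageId, $nonce, $key);
    if ($pt === false) {
        // Tag mismatch: wrong key, wrong message id, or corrupted/tampered data.
        throw new RuntimeException('message failed authentication');
    }
    return $pt;
}

// Password storage: bcrypt via password_hash(), which generates the salt itself.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Usage with a constructed key and message (sample values, not real data).
$key = sodium_crypto_aead_xchacha20poly1305_ietf_keygen();
$blob = encryptMessage('Goodbye, and thank you.', 'msg-0001', $key);
assert(decryptMessage($blob, 'msg-0001', $key) === 'Goodbye, and thank you.');
try { decryptMessage($blob, 'msg-0002', $key); } catch (RuntimeException $e) { echo "rejected: {$e->getMessage()}\n"; }
assert(password_verify('correct horse', hashPassword('correct horse')));
sodium_memzero($key);
```

Decryption only ever runs at the moment of authorised delivery; until then the database holds nonce and ciphertext, both useless without the key.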
5.2. Access and application controls
- CSRF token on every form
- Cookies marked as Secure, HttpOnly and SameSite=Lax
- Private folders not directly accessible from the web
- Least-privilege principle for administrative access
- Logging of relevant events for incident detection
- Rate limiting on authentication attempts and brute-force protection mechanisms
5.3. Continuity and backups
We carry out periodic backups. Deleted data disappears from the most recent backup within a maximum of 30 days.
5.4. Breach notification
In the event of a personal data breach posing a risk to your rights and freedoms, we will notify the Portuguese National Data Protection Commission (CNPD) within 72 hours of becoming aware of it (art. 33 GDPR). If the breach poses a high risk, we will communicate directly with the affected data subjects (art. 34 GDPR).
6. Data retention
We retain your data only for as long as necessary for the purposes stated:
| Category | Retention period |
|---|---|
| Active account | As long as you keep the account open |
| Account closed by you | Full deletion within 30 days |
| Delivered messages | Reasonable period to allow Recipients to consult them; then deleted. Earlier deletion on request. |
| Messages paused after downgrade | 90 days after the downgrade, as per the Terms |
| Technical and security logs | Up to 12 months |
| Billing data | 10 years (tax obligation) |
| Backups | Monthly rotation; deleted data disappears within 30 days |
7. Sharing with third parties and processors
We do not sell your data. We share only with parties strictly necessary for the operation of the Service:
7.1. Recipients and Guardians
We share with the persons you designated yourself, and only for the specific purpose you chose (receiving the messages; confirming your absence).
7.2. Processors (art. 28 GDPR)
We rely on processors for the technical operation of the Service, all bound by a processing contract under art. 28 GDPR:
| Category | Provider | Location |
|---|---|---|
| Hosting (servers) | [PROVIDER NAME] | European Union |
| Email delivery (SMTP) | [PROVIDER NAME] | European Union |
| Payment processing | PayPal (Europe) S.à r.l. et Cie, S.C.A. | Luxembourg (EU) |
| Support / helpdesk | [PROVIDER NAME or "Internal"] | [LOCATION] |
7.3. Public authorities
We may share data with the competent judicial, police or administrative authorities where legally required, in strict compliance with a valid and proportionate order. Where the law allows, we will notify the User.
7.4. Transfers outside the EEA
We do not carry out transfers of personal data outside the European Economic Area (EEA). If, in the future, any transfer becomes necessary, it will be carried out on the basis of the appropriate safeguards provided for in arts. 44 to 49 GDPR (in particular the European Commission’s standard contractual clauses) and communicated in this Policy.
8. Your rights
As a data subject, you may exercise, at any time and free of charge, the rights provided for in arts. 15 to 22 GDPR:
- Right of access — know what data of yours we process and obtain a copy.
- Right of rectification — correct inaccurate or incomplete data.
- Right of erasure ("right to be forgotten") — delete your data, in accordance with the law.
- Right to restriction — restrict processing in certain situations.
- Right to portability — receive your data in a structured, commonly used and machine-readable format.
- Right to object — object to processing based on legitimate interest.
- Right to withdraw consent at any time, without prejudice to the lawfulness of prior processing.
- Right not to be subject to fully automated decisions with significant effects (see section 4 on how this right applies to the Service).
How to exercise. Send a request to info@ultimamensagem.com (or to the DPO, where applicable). We will respond within 30 days, extendable by a further 60 days in complex cases, with reasons. We may ask for additional information to verify your identity.
9. Complaints to the supervisory authority
If you consider that the processing of your data does not comply with GDPR or with Portuguese Law No. 58/2019, you may lodge a complaint with the competent supervisory authority:
National Data Protection Commission (CNPD)
Av. D. Carlos I, 134, 1.º — 1200-651 Lisbon, Portugal
Phone: +351 213 928 400 — Email: geral@cnpd.pt — Website: www.cnpd.pt
10. Minimum age
The Service is intended for persons aged 16 or over. We do not knowingly collect data from persons under 16. If we become aware that we have collected data from minors under those conditions, we will delete it immediately. If you suspect this has happened, please contact us.
11. Data you provide about third parties
When designating Recipients or Guardians, you provide us with personal data of third parties (name and email). You declare that:
- You have a personal relationship with them or a legitimate basis to do so;
- You have informed, or are in a position to inform, those persons that their data will be processed by the Service;
- You accept that we may contact them directly, in particular to inform them of the processing, to confirm your absence (Guardians) or to deliver the Message (Recipients).
Recipients and Guardians may, at any time, exercise their GDPR rights vis-à-vis the Company, including the right to object. Exercising that right may mean that messages intended for them are not delivered.
12. Changes to this Policy
We may update this Policy whenever necessary, due to legislative changes, evolution of the Service or clarification. The version in force is always available at https://ultimamensagem.com/privacidade.php. Material changes will be notified by email at least 30 days in advance.
13. Contact
For any question about this Policy or about the processing of your personal data, please contact us: info@ultimamensagem.com.
— End of Privacy Policy —