Privacy Policy

1 Introduction

MemoryMantle Ireland Ltd ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services at memorymantle.ie.

MemoryMantle is an Irish online memorial platform that enables families to create digital death notices and comprehensive memory mantles — permanent digital memorials featuring photo galleries, AI-enhanced photos, life timelines, condolence books, and video slideshows.

We are the data controller for the purposes of the General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.

2 Data We Collect

Information You Provide

We collect information you voluntarily provide when using our services:

• Account Information: Name, email address, password (stored securely as a hash — we never store your actual password)
• Memorial Content: Deceased person's name, dates of birth and death, biography, family information, funeral details, and other memorial content
• Photographs: Images you upload, including AI-enhanced versions created through our photo enhancement service
• Condolences: Messages left by visitors on memorials (name, email if provided, and message content)
• Payment Information: Billing details are processed securely by Stripe — we do not store your full card number on our servers
• Communications: Messages you send us, feedback, and support requests

Information Collected Automatically

When you access our services, we automatically collect:

• Device Information: IP address, browser type, operating system
• Usage Data: Pages visited, features used, time spent, and navigation patterns
• Cookies: See our Cookie Policy for full details

Verification Information

Death notices on MemoryMantle are published only by registered funeral directors, so we do not ask families to submit verification evidence. Funeral directors are verified through their listing on the Irish Association of Funeral Directors (IAFD) register and confirmation of their business email address.

Report Information

Every notice and memorial carries a Report button, which can be used without an account. When you submit a report, we record:

• IP Address: Always recorded
• Email Address: If you choose to provide one
• Account ID: If you are logged in

We record this data to prevent abuse of the reporting system (for example, false reports used to suppress genuine notices). It is kept for 24 months and then deleted or anonymised.

Submitter Accountability

For each death notice or memorial, we retain the submitter's IP address and payment identity (the Stripe payment reference and associated billing identity) linked to that notice. We keep this on the basis of our legitimate interest in investigating fraud and harassment — in particular, fake death notices created about living people. This data may be disclosed to An Garda Síochána on lawful request.

3 Legal Basis for Processing

Under GDPR Article 6, we process your data based on the following legal grounds:

• Contract (Art. 6(1)(b)): Processing necessary to provide our memorial services that you have purchased or signed up for, including creating memorials, processing payments, and delivering AI photo enhancements
• Consent (Art. 6(1)(a)): Where you have given explicit consent, such as for cookies (analytics/marketing), marketing emails, or optional features
• Legitimate Interests (Art. 6(1)(f)): For improving our services, preventing fraud, ensuring security, and analysing usage patterns to enhance the user experience. This also covers verifying that death notices are genuine (including contacting a funeral director whose details a family provides), recording reporter details to prevent abuse of the reporting system, and retaining submitter IP and payment identity to investigate fraud and harassment
• Legal Obligation (Art. 6(1)(c)): Where processing is required by Irish or EU law, such as retaining financial records for tax purposes

4 How We Use Your Data

We use your personal data for the following purposes:

• Create and Display Memorials: To build, host, and display death notices and memory mantles as requested by you
• Process Payments: To process purchases via Stripe, including memory mantles, slideshows, and AI photo enhancement credits
• AI Photo Enhancement: To enhance, restore, and colourise photographs using AI technology (Replicate API). Photos are sent to Replicate's servers for processing and enhanced images are stored in your account
• Memorial Slideshows: To create video tribute slideshows from your uploaded photos and memorial content
• Notice Verification: To confirm that funeral directors publishing death notices are genuine — by verifying their Irish Association of Funeral Directors listing and business email address
• Report Handling & Abuse Prevention: To review reported notices and memorials, and to record reporter details (IP address, optional email, account ID) so that false or malicious reporting can be identified and addressed
• Fraud & Harassment Investigation: To retain submitter IP addresses and payment identity linked to each notice so that fake or harassing notices can be investigated and, where appropriate, disclosed to An Garda Síochána on lawful request
• Condolence Moderation: To moderate condolence messages for inappropriate content before they appear on memorials
• Transactional Communications: To send payment confirmations, account verification emails, and service-related notifications
• Account Management: To maintain your account, provide customer support, and respond to enquiries
• Service Improvements: To analyse usage patterns and improve our platform
• Legal Compliance: To comply with Irish and EU legal obligations

5 Third-Party Data Sharing

We do not sell your personal data. Ever. We may share data with the following service providers who are essential to operating our platform:

• Stripe (payments) — Processes all payment transactions securely. See Stripe's Privacy Policy
• Railway (application & database hosting) — Hosts our PostgreSQL database and serves our web application. See Railway's Privacy Policy
• Cloudflare R2 (media storage) — Stores uploaded photos and videos. See Cloudflare's Privacy Policy
• Replicate (AI photo enhancement) — Processes photos for AI enhancement. Photos are sent to Replicate's API and may be temporarily processed on their infrastructure. See Replicate's Privacy Policy

We may also share data with:

• Funeral Directors: When a family names a funeral director on a notice, we contact that director (using the details the family provides) to ask them to confirm the notice. We share only what is needed for verification: the notice details and the submitter's name
• Legal Authorities: When required by law, court order, or to protect our rights and the safety of our users. This includes disclosing submitter and reporter data (IP address, payment identity, account details) to An Garda Síochána on lawful request, for example in connection with fake death notices or harassment
• Business Transfers: In connection with a merger, acquisition, or sale of assets, with appropriate data protection safeguards

All third-party service providers are bound by data processing agreements and are required to handle your data in compliance with GDPR.

6 Data About Deceased Persons

MemoryMantle's core purpose is to create and display memorials for deceased individuals. Important points regarding this data:

• GDPR applies to living individuals. Information about deceased persons published on our platform is not subject to GDPR data subject rights
• Memorial content about deceased persons is published with the consent and at the direction of the memorial creator (the living user who creates the memorial)
• Memorial creators are responsible for ensuring they have the right to publish information about the deceased, including photographs and biographical details
• We will remove or modify memorial content upon verified request from the memorial creator or verified next of kin

7 Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights regarding your personal data:

• Right of Access (Art. 15): Request a copy of all personal data we hold about you
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
• Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
• Right to Restrict Processing (Art. 18): Request that we limit how we use your data
• Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format
• Right to Object (Art. 21): Object to processing of your data based on legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, email us at [email protected]. We will respond within 30 days of receiving your request. We may ask for proof of identity to prevent unauthorised access to your data.

For more detailed information about each right, visit our GDPR Rights page.

8 Data Retention

We retain your data only as long as necessary for the purposes described in this policy:

• Active Accounts: Personal data retained while your account is active
• Account Deletion: Personal data deleted within 30 days of account deletion request. Memorials can be transferred to another user or deleted upon request
• Memory Mantles: Retained indefinitely — that is the core purpose of our service. You or your designated contacts can request deletion at any time
• Death Notices & Memorials: Retained indefinitely — permanent hosting is included with all paid products
• Payment Records: Retained for 7 years as required by Irish tax law (Taxes Consolidation Act 1997)
• Usage/Analytics Data: Retained for up to 26 months, then anonymised or deleted
• Report Data: Reporter IP, optional email, and account ID retained for 24 months from the report date, then deleted or anonymised (longer if required for an ongoing legal matter or Garda investigation)
• Submitter IP & Payment Identity: Retained linked to the notice for as long as the notice exists; payment records are kept for 7 years as required by Irish tax law

9 Children's Privacy

Our services are not directed at children under 16 years of age (the age of digital consent in Ireland under the Data Protection Act 2018, Section 31).

We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected] and we will promptly delete such data.

10 International Data Transfers

Some of our service providers process data outside the European Economic Area (EEA). Specifically:

• Railway: Application & database hosting (US-based infrastructure)
• Cloudflare R2: Media storage (global infrastructure)
• Stripe: Payment processing (US-based)
• Replicate: AI photo enhancement processing (US-based)

All international transfers are protected by appropriate safeguards as required by GDPR Chapter V, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data processing agreements with each provider
• Assessment of the data protection laws in the recipient country

11 Cookies

We use cookies and similar technologies to enhance your experience. These include:

• Essential Cookies: Required for authentication, payment processing, and basic site functionality. These cannot be disabled
• Functional Cookies: Remember your preferences such as saved form progress
• Analytics Cookies: Help us understand how visitors use our site (only loaded with your consent)

We do not currently use marketing cookies. You can manage your cookie preferences at any time using our cookie preference centre.

For full details about each cookie we use, please see our Cookie Policy.

12 Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• SSL/TLS encryption for all data in transit (HTTPS)
• Encryption at rest for stored data (provided by Railway and Cloudflare R2)
• Secure password hashing — we never store passwords in plain text
• Access controls and authentication for all administrative functions
• Regular security reviews of our codebase and infrastructure
• Secure payment processing through PCI DSS-compliant Stripe

While we take every reasonable precaution to protect your data, no method of transmission over the Internet is 100% secure. We encourage you to use a strong, unique password for your account.

13 Contact & Complaints

For any questions about this Privacy Policy, to exercise your data protection rights, or to raise a concern about how we handle your data:

We will endeavour to resolve any complaint promptly. If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Commission: