Last year, a family in Manchester spent five months trying to access their father's email account.

He had died suddenly — a heart attack, no warning, no time to prepare. He was 54. Fit, healthy, the kind of man who always seemed like he had decades ahead of him. He had a will. He had a solicitor. He had life insurance. He had done, by most measures, what responsible adults are supposed to do.

What he hadn't done — what almost nobody does — was leave any record of his digital life.

His email account held 14 years of correspondence. Contracts. Tax records. The login credentials for three investment accounts his family didn't know existed. Letters he had written to his children and never sent. His email provider, following its own terms of service, would not grant access to a deceased user's account without a court order. The process took four months and cost the family over £800 in legal fees.

And they were the lucky ones. They knew to try.

The scale of a problem nobody talks about

We have spent the last two decades moving our lives online. Our finances. Our photographs. Our communications. Our creative work. Our memories.

Most of us have somewhere between 70 and 150 online accounts. Email addresses. Banking apps. Investment platforms. Crypto wallets. Cloud storage containing decades of photographs. Subscription services. Social media profiles. Business accounts. Password managers holding the keys to all of it.

The combined value of unclaimed digital assets in the UK runs into hundreds of millions of pounds. Cryptocurrency alone — held in wallets and exchange accounts with no recovery information left behind — accounts for an estimated £1 billion in permanently inaccessible funds globally. This includes not just self-custody wallets but funds held on exchanges such as Coinbase, Binance, and Kraken. An exchange account may hold tens of thousands of pounds in assets. Without login credentials and identity verification, a family cannot touch it. The exchange will not release funds to next of kin without extensive legal process — and many families never initiate that process because they did not know the account existed. When the owner dies without leaving any record, the assets do not pass to anyone. They simply disappear. What a family needs is not necessarily the seed phrase or private key itself — it is the knowledge that the account exists, which exchange holds it, and where the recovery information can be found. A reference. A signpost. Enough to know where to look and how to begin.

There is a second, compounding barrier that almost nobody accounts for: two-factor authentication. Most people have enabled MFA on their important accounts — email, banking, investment platforms, crypto exchanges — as a basic security measure. When they die, their family may have the correct password and still be completely locked out. The second factor is typically a code sent to the owner's phone, or generated by an authenticator app on a device that may be locked, inaccessible, or wiped. The password was never the problem. The second factor is. The answer here is recovery codes — the backup codes generated when MFA is first set up, explicitly designed by every major platform to be saved and stored securely for exactly this scenario. They are one-time-use, they do not expose the live authentication secret, and storing them is standard security practice. Most people generate them once, ignore the instruction to save them, and never think about them again. That is the gap.

Beyond the financial, there is the irreplaceable. The photographs stored in iCloud that a family cannot access because nobody knew the Apple ID password. The WhatsApp conversations that contain the last messages from someone who is gone. The voice notes, the videos, the years of digital correspondence that constitute a modern life — all of it locked behind authentication barriers that were designed to keep strangers out, with no mechanism to let loved ones in.

The problem is not lack of care. Most people who die without any digital estate plan were thoughtful, organised individuals who simply never thought about it. Why would they? Nobody told them to. Their solicitor asked about property, savings, and physical assets. Their financial adviser asked about pensions and investments. Nobody asked about the password manager.

What people typically do

Nothing.

That is not a criticism. It is just the reality. A 2023 survey found that fewer than 14% of UK adults had made any provision for their digital accounts as part of their estate planning. Of those who had, the majority had simply written passwords in a notebook — a solution that becomes outdated within months as passwords change, accounts are added, and that notebook sits in a drawer where nobody thinks to look.

The rest — the 86% — have made an implicit decision. They have decided, without quite realising it, that the people they leave behind will figure it out. That someone will manage. That it probably won't matter.

It always matters.

What a proper digital estate looks like

A digital estate is not complicated. It is simply the sum of your online presence, organised in a way that can be handed over. At minimum it should contain four things.

  • 01 Account inventory. A complete list of every significant online account — banking, investments, email, cloud storage, subscriptions, social media, crypto — with enough information for someone to identify and access each one. This does not have to be every account. It has to be the ones that matter.
  • 02 Access credentials. The means to actually get in. Passwords, two-factor authentication recovery codes, PIN numbers, security question answers. A list of accounts without access details is a map with no roads.
  • 03 Legal and financial signposts. Where to find the will. The solicitor's contact details. The pension provider. The life insurance policy number. The accountant. The things a family needs to begin the practical process of dealing with an estate. Most of this information exists somewhere — it just isn't findable when it's needed most.
  • 04 Personal messages and wishes. This is the part that cannot be reconstructed. The letter to a partner. The note to a child. The instructions for a funeral. The things you would want to say if you knew it was the last time. Most people have these thoughts. Almost nobody writes them down in a place where they can be found and delivered.

You have a legal right to this data

Something most people do not know: under UK GDPR Article 20, you have the legal right to receive your personal data from any organisation that holds it, in a structured, commonly used, machine-readable format. This is called the right to data portability.

Every online service that holds your data — your email provider, your bank, your cloud storage — is legally required to provide it to you in an exportable format upon request. You own your data. You have the right to take it with you, store it, and ultimately decide what happens to it.

The problem is not legal. The problem is practical. The right exists. The mechanism to exercise it after death does not. Once you are gone, your right to that data does not automatically transfer to anyone. The legal right to portability is yours personally — and it expires with you, practically speaking, unless you have made arrangements in advance.

This is not a gap in the law so much as a gap in how we have been taught to think about our digital lives. We plan for our physical assets. We have not yet learned to plan for our digital ones.

Practical steps anyone can take today

You do not need a specialist service to start. You need an afternoon and a document.

  • 01 Make the list. Open a document and list every online account that matters. Banking. Investments. Email. Cloud storage. Subscriptions with stored payment details. Crypto. Business accounts. Social media. Do not try to be exhaustive on the first pass — start with the accounts where access would matter most to the people you leave behind.
  • 02 Add the access details. For each account, note the email address used to register, the password if you know it from memory, and any two-factor authentication method. If you use a password manager, note which one and how to access it — the master password and any recovery codes.
  • 03 Write the signposts. Where is your will? Who is your solicitor? Who is your accountant? Where are the pension and life insurance documents? What are the login details for the email account most of your financial correspondence goes to? One page of this information can save a family months of confusion.
  • 04 Write what you want to say. This is the step most people skip and later regret not doing. It does not have to be long. It does not have to be formal. It just has to exist somewhere that it can be found and delivered to the person you wrote it for.
  • 05 Tell someone it exists — or use a service that delivers it automatically. A document on your laptop that nobody knows about is not a digital estate plan. It is a document on your laptop. The information needs a delivery mechanism. Someone needs to know where it is, how to access it, and when to look for it.

The problem with the notebook

The instinct to write things down in a notebook is correct. The execution is almost always insufficient.

Passwords change. Accounts are added and closed. The notebook becomes outdated within weeks and nobody updates it. It gets stored somewhere safe — which usually means somewhere nobody will think to look. It is not encrypted, so leaving it accessible creates its own security risk. And it has no delivery mechanism — it relies entirely on someone knowing to look for it, finding it, and knowing what to do with it.

What a digital estate needs is not a notebook. It needs a vault — something encrypted, always up to date, with a reliable way of reaching the right people at the right time.

The tool I built

I spent over twenty years working in enterprise security — protecting sensitive data for organisations that could not afford for it to fall into the wrong hands. I understood encryption, access controls, and what it actually means to keep information secure.

Then I asked myself the question I had never properly asked: who protects my information after I am gone?

The tools that existed were either too technical, too expensive, too American, or simply not trustworthy enough to hand something this important to. Nothing felt like it had been built by someone who understood both the security requirements and the weight of what was being stored.

So I built Holdfast.

Holdfast is a digital estate manager. You create an encrypted vault — your account details, letters, legal signposts, personal messages — and nominate the people who should receive it. Once a month, you confirm you are still here with a single click. If you ever stop confirming, Holdfast follows a careful escalation process before delivering your vault to exactly who you chose. Nothing goes anywhere until it is certain something has happened.

We are aware that a service encouraging people to store financial credentials and recovery codes demands more than good intentions and a privacy policy. The concern is legitimate — and it deserves a direct answer rather than reassuring language that papers over it.

Holdfast is built on a zero-knowledge model. Your vault is encrypted on your device, with your passphrase, before it ever leaves your browser. What reaches our servers is ciphertext — mathematical noise that cannot be reversed without the key we do not hold. We are not choosing not to read your vault. We are architecturally incapable of reading it. No employee, no breach, no legal compulsion changes that fact, because the plaintext never exists anywhere except on your screen.

For the most sensitive items — cryptocurrency seed phrases, hardware wallet locations, private keys — we recommend storing a reference rather than the data itself. Note which exchange holds assets, where a hardware wallet is kept, that a seed phrase exists in a sealed envelope in a specific location. Your family will know enough to proceed. The most critical information stays physical, offline, and entirely outside any digital system. That is not a limitation of Holdfast. It is the right approach regardless of which service you use.

We use AES-256 encryption — the same standard used by governments and financial institutions. We cannot read your vault. Nobody can, except you and, when the time comes, the people you chose.

It is free to start. Personal plans begin at £5 a month.

One practical note on how to handle the people you nominate: you do not need to explain the system to them in advance. You do not need to walk them through how it works or have a long conversation about what you have set up. Just give them a key — a password, a phrase — and ask them to keep it safe. Tell them they will know what to do with it when the time comes. The vault, when it arrives, will explain itself. The key is all they need to open it.

I built it because I believe everyone deserves the quiet reassurance that they have taken care of it. That the people they love will have what they need. That the letters they meant to write will actually arrive.

If you have been putting this off — and most people have — today is a reasonable day to stop putting it off.