Holdfast vs Just In Case: honest comparison

01The short verdict

All Just In Case facts on this page were taken from their own published pages (justincase.vip, the iOS App Store listing, and the legal pages linked from the site footer) on the date this comparison was written. If anything has moved since, we would rather know than not. Drop us a line.

Choose Just In Case if you are primarily an iOS user who wants a local-first vault app with on-device biometric and voiceprint authentication, you want the most aggressive dead man's switch escalation in the category (five levels including an AI phone call), the AI digital clone concept appeals to you as a way of preserving personality beyond vault delivery, or you want a one-time $99 purchase with no recurring subscription.

Choose Holdfast if you want an operator you can verify — a named UK company at Companies House, registered with the ICO, with a published privacy policy, terms of service, sub-processor list, and closure plan — you want recipients to receive the actual encrypted contents directly without installing an app or creating an account, you want a web-based vault accessible from any device rather than a single-platform iOS app, or you want a B2B tier built for professional firms in legal and financial services.

The honest one-line summary: Just In Case is a technically ambitious iOS app with features that go well beyond what most vault products attempt. Holdfast is a web-based vault with a narrower feature set and a materially deeper operational transparency posture. Which matters more depends on whether you weight features or verifiability.

02How each one is built

Both products use AES-256-GCM and describe themselves as zero-knowledge. The architectures underneath differ in platform, scope, and what is publicly verifiable.

Just In Case's model

Just In Case is an iOS-only app published by YongNian Digital Life, available on the App Store. There is no Android version and no web-based vault — the product runs on your iPhone or iPad.

Encryption architecture. The App Store listing and website describe AES-256-GCM encryption, SRP-6a zero-knowledge authentication ("we never see your password"), SQLCipher for full local database encryption, and on-device biometric and voiceprint authentication. The website claims a zero-knowledge architecture where the operator cannot read vault contents. The product does not publish a standalone encryption module or source code for independent review.

Dead man's switch. Just In Case describes a 5-level monitoring system, the most layered in the category: Level 1 is an email reminder, Level 2 is an SMS alert, Level 3 is an AI-powered phone call verification (the system calls you to check if you are alive), Level 4 is a cooling period, and Level 5 is legacy delivery. Check-in intervals are configurable from 24 hours to 90 days.

Digital inheritance. On trigger, the product delivers vault contents to designated heirs with end-to-end encryption. Additional features include Time Capsules (schedule messages for future delivery), video and audio testaments with voice-cloned playback, social media afterlife instructions for more than 15 platforms, and an Emergency Recovery Kit (a printable PDF backup).

AI digital clone (YongNian). This is where Just In Case diverges from every other product in the category. The YongNian system describes a 29-dimensional personality modelling engine, voice cloning from as little as 5 seconds of audio, and an AI twin that can make phone calls to family members on birthdays and anniversaries. Three tiers are described: Companion (included with Lifetime Pro at $99, or from $999 as a standalone), Presence (a 7-day "soul collection" by a specialist, cross-verified by family members, pricing on request), and Eternity (a dedicated neural checkpoint, with an optional "hyper-realistic humanoid" built in Shenzhen, pricing on request).

Operator. The website footer reads "© 2026 YongNian Digital Life. All rights reserved." The privacy policy and terms of service pages linked from the footer are empty — they contain the copyright line and a back-link but no policy content. The website does not publish a registered company name, company number, registered address, jurisdiction, named director, data protection registration, data residency information, sub-processor list, or closure plan. The site offers content in English, simplified Chinese, traditional Chinese, Japanese, Korean, and Spanish.

Holdfast's model

Holdfast is a web-based vault accessible from any browser on any device. We do not have a native mobile app; the vault runs in your browser with client-side encryption.

All vault contents are encrypted client-side with AES-256-GCM. The key is derived from a passphrase you choose, using PBKDF2 with 250,000 iterations of SHA-256 against a per-user salt. The passphrase never leaves your browser, never reaches our servers, and cannot be recovered by us. The encryption module sits at github.com/Nexus-sectech/holdfast-crypto and is loaded with Subresource Integrity so the browser refuses to execute it if the file has been altered.

The vault holds credentials and recovery phrases, signposting information about where assets are held, account access instructions, final letters, documents, and private video messages (Family tier and above, up to 50MB per message). When check-ins stop, Holdfast delivers the encrypted vault and instructions to each recipient by email after a documented escalation (7-day grace, 7-day escalation with up to 3 reminders through distinct delivery infrastructure, then delivery). Recipients open an email and decrypt with the passphrase shared with them offline. No app to install, no account to create, no platform to remember.

Operator. Holdfast is operated by Nexus-Sec Ltd (71-75 Shelton Street, Covent Garden, London), a UK limited company at Companies House (number 17126982), registered with the Information Commissioner's Office. The privacy policy names the data controller, lists sub-processors with their roles and locations, describes data residency (Supabase hosted in Frankfurt), and commits to a published closure plan (90-day notice, export tool, documented decryption procedure). Holdfast is compliant with UK GDPR, which the EU recognises as providing an equivalent level of protection under its adequacy decision. Users worldwide are welcome; data is processed to UK/EU standards regardless of where the user is based.

03The trigger and delivery flow

Both products use a check-in-based trigger. The escalation depth and the recipient experience differ.

Just In Case's flow

The 5-level dead man's switch is the most escalated in the category. After the check-in window expires:

• Level 1: Email reminder sent to the user.
• Level 2: SMS alert sent to the user.
• Level 3: AI phone call to the user — the system calls you and uses voice verification to confirm you are alive.
• Level 4: Cooling period before delivery fires.
• Level 5: Legacy delivery — vault contents are delivered to designated heirs with end-to-end encryption.

The App Store listing mentions "automatic inheritance delivery to designated heirs" but does not describe the delivery mechanism in detail. Just In Case does not publicly document whether heirs need the app installed to receive delivery, whether delivery works via email or in-app notification, or what happens if the heir does not have an iOS device.

Holdfast's flow

When a check-in is missed:

• Grace period: 7 days, no escalation.
• Escalation: 7 days, during which up to 3 reminder emails are sent through distinct delivery infrastructure.
• Delivery: encrypted vault and delivery instructions go to each nominated recipient by email.
• Retention: 30 days after delivery the vault is fully purged (day 23 warning, day 30 full purge including blob nulling, storage deletion, Stripe cancellation, and user row anonymisation).

Each recipient opens their email, follows the instructions, and decrypts the vault with the passphrase shared with them offline. No app, no account, no platform dependency.

Why this matters

Just In Case's 5-level system is technically impressive and addresses a genuine design concern: false positives. The AI phone call at Level 3 is a novel verification step that no other product in the category offers. If the call reaches you and you confirm you are alive, the escalation stops. This materially reduces the chance of accidental delivery.

Holdfast's 2-phase flow (grace plus multi-reminder escalation) is simpler but designed around a different principle: families need access quickly, and the recipient flow must work for people who have never used a password manager. The trade-off is that Holdfast relies on email reminders and does not escalate to phone or SMS. The one-click check-in (a tokenised email link) keeps the bar low enough that users with deteriorating capability can still respond.

On the recipient side, Holdfast's flow is documented in detail: email plus passphrase, no account required. Just In Case's delivery mechanism to heirs is not fully documented on their public pages, and the iOS-only platform raises a practical question: what happens if the designated heir uses Android or has no smartphone?

04Jurisdiction and compliance

This is the axis where the two products diverge most sharply, and it is where we will be most direct.

Just In Case is operated by YongNian Digital Life. The privacy policy and terms of service pages linked from the website footer contain no policy content. The website does not disclose: the legal entity operating the service, the jurisdiction it operates under, the registered address, a named director or responsible person, a data protection registration with any regulator, the location of data storage, sub-processors used, transfer mechanisms for cross-border data flows, or a closure plan in the event the service winds down. The App Store listing states "the developer has not yet indicated which accessibility features this app supports" and the privacy details section was not completed at the time of writing.

We are not suggesting that an empty privacy policy means the product is unsafe. We are noting that for a product that asks users to store credentials, crypto keys, and private messages behind a dead man's switch — material that by definition cannot be retrieved after delivery — the absence of any published operational accountability is a gap that prospective users should weigh seriously.

Holdfast is operated by Nexus-Sec Ltd, a UK limited company at Companies House (number 17126982), registered with the Information Commissioner's Office. Holdfast is compliant with UK GDPR, which the EU recognises as providing an equivalent level of protection under its adequacy decision. Users worldwide are welcome; data is processed to UK/EU standards regardless of where the user is based. For users in jurisdictions with their own data protection regimes, our baseline exceeds most jurisdictions' default protections. We do not sell data in any case, and we say so plainly in our privacy policy. Sub-processors are listed with their roles and locations. A published closure plan commits to a minimum 90-day notice, an export tool, and a documented decryption procedure.

The practical implication: if something goes wrong with Holdfast — a billing dispute, a missed delivery, a question about data handling — you have a named UK company, a regulator you can complain to, and a director with personal legal exposure. If something goes wrong with Just In Case, the published materials on the date of writing do not tell you who to contact, where they are, or what legal framework governs the relationship.

05Pricing

Both products offer a free tier and a one-time or subscription paid tier.

Just In Case (taken from their website and App Store listing on the date of writing):

• Free: $0 forever. Encrypted vault with 10 items, basic dead man's switch, 1 heir, voiceprint authentication.
• Lifetime Pro: $99 one-time payment. Unlimited vault items, 5-level DMS with AI verification, unlimited heirs, time capsules, voice cloning, AI twin (Companion tier), priority support.
• Digital Clone premium tiers: Companion from $999, Presence and Eternity by consultation (pricing not published).

Holdfast (taken from our pricing page on the date of writing):

• Free: £0 forever. 5 entries, 1 recipient, monthly check-in.
• Personal: £5 per month or £45 per year. Unlimited entries, 3 recipients, choice of weekly, fortnightly, or monthly check-in.
• Family: £9 per month or £79 per year. Two independent vaults on one plan, 5 recipients per vault, video messages up to 50MB each.
• Firm: £39 per month or £399 per year. B2B tier for professional firms in legal and financial services with white-label delivery, soft cap of 20 clients included, tiered overage above that, dedicated dashboard, client invitation flow.

On headline price, Just In Case's Lifetime Pro at $99 is the cheapest all-in-one purchase in the category for the feature set described. The question is not whether the price is competitive (it is) but whether the operational posture behind the product supports the trust required to store material that will be needed after you are gone. A vault product is a long-horizon commitment, and the operator's ability to exist, operate, and deliver five or ten years from now is part of the value proposition whether it appears on the pricing page or not.

06Where Just In Case is genuinely better

Two things are worth saying clearly and not burying.

The 5-level dead man's switch with AI phone call verification. No other product in this comparison set escalates to a phone call before delivery. The AI call at Level 3 is a genuine engineering innovation that addresses the false-positive problem more aggressively than any email-only escalation can. For users who worry about accidental delivery — especially those with irregular schedules, frequent travel, or periods of low digital activity — this is a real advantage.

The AI digital clone concept. Whether or not the YongNian personality modelling and voice cloning technology delivers on its claims (we have not tested it and cannot verify the "29-dimensional" characterisation independently), the concept is novel in this category. No other vault product offers personality preservation as a feature alongside credential and document delivery. For users who want to leave behind more than information — who want to leave behind a version of themselves that can speak in their voice to their family — Just In Case is the only product attempting this.

07Where Holdfast is built differently

Three things we have done deliberately that Just In Case has not.

Verifiable operational accountability. Holdfast is operated by a named UK company with a Companies House registration, an ICO registration, a named director, a published privacy policy, published terms of service, a listed sub-processor chain, and a closure plan. The encryption module is published on GitHub with Subresource Integrity enforcement. These are not marketing features; they are the minimum operational infrastructure that a vault product holding material for post-mortem delivery should have, and they are verifiable by anyone who wants to check.

Recipients receive contents directly, with no app and no account. Holdfast recipients open an email and decrypt with a passphrase shared offline. What they see is whatever was in the vault: credentials, signposting information about asset locations, documents, and private video messages on the Family tier and above. No iOS app to install, no account to create, no platform dependency. For a 78-year-old surviving spouse on an Android phone, this is the difference between receiving the vault and not receiving it.

A Firm tier built around UK and international professional firms in legal and financial services. The Holdfast Firm tier is built for professional firms offering digital legacy planning to clients as part of their service — UK solicitors and IFAs, and their international counterparts in legal and financial services. White-label delivery, CSV bulk client invite, a per-firm dashboard, and a soft-cap-plus-overage pricing model are aimed at making this a viable channel for professional firms. Just In Case does not have a B2B tier.

08Honest summary

Choose Just In Case if you are an iOS user who values an aggressive escalation system (the AI phone call is genuinely novel), the AI digital clone concept appeals to you, you want a $99 one-time purchase with no recurring subscription, and the absence of published operational accountability (no named company, no privacy policy content, no terms of service content, no data residency disclosure, no regulator registration) does not factor into your decision. The technical ambition is real. The question is whether the operational infrastructure matches it.

Choose Holdfast if you want a vault product where the operator is verifiable, the encryption module is published, the privacy policy names the data controller, and the closure plan is documented. Choose Holdfast if you want recipients to receive content directly via email plus an offline-shared passphrase without installing an app. Choose Holdfast if you want an operator compliant with UK GDPR, which the EU recognises as providing an equivalent level of protection under its adequacy decision. Choose Holdfast if you want a B2B tier built specifically for professional firms in legal and financial services across the UK and international markets.

If you are still on the fence, the most useful thing you can do is ask yourself two questions. First: does the operator publish enough information for you to hold them accountable if something goes wrong? And second: can your least technical recipient complete the delivery flow without your help? The product that passes both tests is the product to choose.

Last verified against published Just In Case pages on the date this comparison was written. If Just In Case has changed materially since — particularly if they have published privacy policy and terms of service content — please let us know at [email protected] and we will update this page accordingly.