
Privacy Policy

Last updated: 20 June 2026

Who we are

The Care Companion ("we", "us") is a UK-based product that helps families organise dementia care. The data controller is The Care Companion. Contact: hello@thecarecompanion.com.

What we collect

  • Account: email address and (optionally) display name.
  • Care data you enter: loved one's first name, dementia type, daily logs, medication list, appointments, contacts, journal entries, attachments.
  • Subscription metadata from Stripe (status, plan, period dates — never card details).
  • Minimal analytics: page path, a pseudonymous user id (not your name or email), timestamp. No third-party advertising trackers.

Lawful basis (UK GDPR)

  • Contract — to deliver the service you subscribe to.
  • Legitimate interests — securing the service, preventing abuse, improving the product through aggregate usage.
  • Consent — for optional product emails. You can withdraw at any time.

Where data is stored

Application data is stored in EU-region infrastructure (AWS via Supabase) and encrypted at rest. Payments are processed by Stripe, a PCI DSS Level 1 service provider; card details never reach our systems. Emails are sent via Resend. No data is sold or shared with advertisers.

Who can access it

Only you (and family members you explicitly invite). Database row-level security enforces this. A small number of named operators may access support tickets you send us; production database access is restricted and audited.

Retention & deletion

  • Account & care data: kept while your subscription is active.
  • After cancellation: kept for 30 days so you can reactivate, then permanently deleted.
  • You can request immediate deletion at any time by emailing hello@thecarecompanion.com. We respond within one month, as UK GDPR requires.
  • Invoices and tax records are kept for 7 years (HMRC requirement).

Your rights

Under UK GDPR you have the right to access, correct, delete or export your data, and to object to or restrict processing. To exercise any of these, email us. You can also complain to the ICO at ico.org.uk.

Security

We use HTTPS everywhere with HSTS, a strict Content Security Policy, encrypted storage, row-level access control in the database, leaked-password screening on signup, and secure password hashing handled by Supabase Auth (bcrypt-equivalent). Full details at /security.

Changes

If we make material changes we'll email active subscribers before they take effect.