
Data security built for sensitive family care conversations.

We handle personal care conversations with strict safeguards, clear rules, and full respect for your privacy rights. Most people want one answer first: yes, your data is protected and managed carefully.

TRA | DPIA | SAR | Data deletion | GDPR

At a glance

  • Direct, recorded consent is required before service activation.
  • Health-related conversation data is treated as sensitive data.
  • DPAs are in place with processors used to deliver the service.
  • TRAs, a DPIA, SAR procedures, and deletion processes support governance.
  • Retention periods are defined and enforced by policy.
  • Users can contact EvaCares about their data rights at any time.

Security

How we keep people safe

The service is built to protect vulnerable people and reduce risk. Here are the key protections behind that.

Explicit consent first

Eva only starts regular calls after the user gives direct, recorded consent.

Encrypted by default

Conversations and sensitive records are protected in transit and at rest.

DPAs and governance

Processor agreements, TRAs, a DPIA, and formal oversight are part of how EvaCares manages risk.

Clear retention rules

Audio, transcripts, reports, and account data follow defined retention windows.

UK GDPR rights support

Subscribers and users can request access, correction, deletion, restriction, and portability.

Documented oversight

Privacy, transfer, and impact reviews inform how the service is operated and improved.

Detailed

How controls and legal basis are applied

This section contains the legal and operational detail for people who want the full picture.

Subscriber account and billing data is processed to run the service. Health-related call data is processed on the basis of explicit consent obtained directly from the person receiving Eva's calls.

  • Subscribers set up the account and service preferences.
  • Users receive a recorded onboarding consent call before service activation.
  • If consent is not given, the service does not begin.

Security controls

EvaCares states that conversations are encrypted in transit and at rest, processor access is contractually governed, and sensitive data handling follows UK data protection requirements.

  • Minimum data sharing with processors for the task they perform.
  • Documented transfer safeguards for data leaving the UK.
  • Retention limits designed around data minimisation.
  • Appointed DPO oversight, SAR handling, and documented deletion processes.

Governance documentation

EvaCares maintains governance material including DPAs, TRAs, a DPIA, data deletion processes, a SAR procedure, and appointed DPO oversight. If you would like to request more detail, email rick@evacares.co.uk.

Key processors and agreements

EvaCares identifies a set of processors used to operate calling, storage, AI, and billing. The Privacy Policy states that DPAs are in place and only the minimum data needed is shared.

Processor  | Purpose                | Key data shared
-----------|------------------------|----------------------------------
OpenAI     | AI conversation engine | Call audio processed transiently
Twilio     | Phone call delivery    | Phone numbers and call audio
AssemblyAI | Transcription          | Call audio
Supabase   | Database and storage   | User and subscriber records
Stripe     | Payments               | Subscriber billing information

Retention and deletion

  • Call recordings are deleted after 90 days.
  • Call transcripts are anonymized or deleted after 1 year.
  • Wellbeing summaries and reports are deleted after 2 years.
  • Cancelled account data is fully deleted after 30 days, except required billing records.

Data rights and contact

  • Access the data held about you
  • Correct inaccurate or incomplete records
  • Request deletion where applicable
  • Restrict or object to certain processing
  • Withdraw consent for consent-based processing

Contact: rick@evacares.co.uk

Need the full legal detail?

Use this page as the fast overview, then review the full Privacy Policy and Terms for detailed legal wording, retention tables, and service limitations.

Questions? Email rick@evacares.co.uk