Privacy Policy for EvaCares

Last Updated: 18 February 2026

In short

  • EvaCares explains what personal and health-related data it processes and why.
  • User health data is processed on the basis of explicit consent obtained directly from the user.
  • EvaCares states that it has solid data security, documented governance controls, and clear UK GDPR processes.
  • The policy lists processors, transfer safeguards, retention periods, and UK GDPR rights.

1. Introduction

EvaCares Ltd ("we", "us", or "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard the information of both the individuals who subscribe to our service ("Subscribers") and the elderly individuals who receive our calls ("Users").

This policy explains what data we collect, why we collect it, our legal basis for doing so, and your rights under UK data protection law, including the UK General Data Protection Regulation (UK GDPR).

Please read this policy carefully. By using our Service, you acknowledge that you have understood the terms of this Privacy Policy.

2. Who We Are

We are the "data controller" for the personal data we process.

  • Company Name: EvaCares Ltd
  • Company Number: [Your Company Number]
  • Registered Address: [Your Company Address]
  • Data Protection Contact: For any questions about this policy or your data protection rights, please email us at rick@evacares.co.uk.

2.1. Security and Governance

EvaCares is built with solid data security and supporting governance processes around sensitive family and wellbeing data.

  • We maintain Data Processing Agreements (DPAs) with relevant processors.
  • We maintain Transfer Risk Assessments (TRAs) for relevant transfers.
  • We maintain data deletion processes and a documented Subject Access Request (SAR) procedure.
  • We have appointed a Data Protection Officer (DPO).
  • We maintain a Data Protection Impact Assessment (DPIA) for the service.

If you would like to request further information about these measures, please email rick@evacares.co.uk.

3. The Information We Collect

We collect different types of information to provide and improve our Service. We are committed to collecting only the data that is necessary.

3.1. Data About Subscribers (The Family Member/Carer)

  • Account Information: Your full name, email address, and phone number.
  • Billing Information: Your payment details and billing address, which are securely processed by our payment provider, Stripe.
  • Relationship to User: Your relationship to the User receiving the calls.

3.2. Data About Users (The Person Receiving Calls)

  • Eligibility: Our service is designed only for Users who have the capacity to understand the service and provide their own consent. We do not offer services to individuals who lack the capacity to consent for themselves.
  • Identity Information: The User's full name, phone number, and address.
  • Emergency Contacts: The name, phone number, and relationship to the User for one or more emergency contacts.

3.3. Special Category Health Data of the User

This is sensitive personal information, and we give it the highest level of protection. During calls with our AI assistant, Eva, we process information about the User's health and wellbeing. This is only done with the explicit consent of the User.

This data includes:

  • Call Recordings: Full audio recordings of all calls with Eva.
  • Call Transcripts: Text versions of all call conversations.
  • Health & Wellbeing Indicators: Information derived from the conversation, such as:
      • Mood and emotional state
      • Mentions of pain or discomfort
      • Medication adherence (reminders and confirmations)
      • Physical activity and social interaction levels
      • General wellness and any other health-related information the User chooses to share.

3.4. Website and Service Usage Data

  • Technical Data: We may collect anonymized data about your use of our website and dashboard, such as pages visited and features used, to help us improve our service. We use Google Analytics for this purpose.

4. Our Lawful Basis for Processing Data

We must have a valid legal reason (a "lawful basis") to process personal data. Our lawful bases differ depending on whose data we are processing and for what purpose.

| Data Type | Purpose | Lawful Basis |
|---|---|---|
| Subscriber Data (Name, email, billing info) | To manage your account, provide customer service, and process payments. | Performance of a Contract |
| User Data (Name, phone number) | To set up the service and initiate the consent call. | Legitimate Interest (to prepare the service requested by the Subscriber) |
| User Health Data (Recordings, transcripts, health indicators) | To provide the core wellness monitoring service and generate reports for the Subscriber. | Explicit Consent (obtained directly from the User) |
| Marketing Communications | To send you marketing emails about our services. | Consent (you can opt out at any time) |

We do not rely on legitimate interests to process any special category health data. The processing of all User health data is founded on the explicit consent we obtain directly from the User before the service begins.

5. How We Use Your Information

  • To Provide the Service: To make daily check-in calls, analyze the conversations for wellbeing indicators, and provide reports and alerts to Subscribers.
  • To Obtain Consent: To make an initial, recorded call to the User to obtain their explicit consent to receive the service.
  • To Improve Our Service: To analyze anonymized data to improve Eva's conversational abilities and the overall effectiveness of our service.
  • For Safety and Security: To detect potential emergencies during a call and trigger alerts to the User's designated emergency contacts.
  • To Manage Your Account: To handle billing, send service-related updates, and provide customer support.
  • To Comply with Legal Obligations: To meet our legal and regulatory requirements, such as for financial accounting.

6. Who We Share Your Data With

We use a number of third-party service providers ("data processors") to deliver our Service. We have legally binding Data Processing Agreements (DPAs) in place with all of them. We only share the minimum data necessary for them to perform their function.

| Processor | Purpose | Location | Key Data Shared |
|---|---|---|---|
| OpenAI | AI Conversation Engine | USA | Call audio (transiently) |
| Twilio | Phone Call Delivery | USA | User phone numbers, call audio |
| Assembly.AI | Call Transcription | USA | Call audio |
| Supabase | Database & Storage | UK/EU | All User and Subscriber data |
| Fly.io | Backend Application Hosting | UK/EU | Application logic |
| Vercel | Frontend Hosting | Global CDN | Website data |
| Stripe | Secure Payment Processing | USA | Subscriber billing information |
| Google Analytics | Website Analytics | USA | Anonymized usage data |

7. International Data Transfers

Some of our data processors are based outside the UK. When we transfer your data to these countries (e.g., the USA), we ensure it is protected through legally approved mechanisms:

  • UK-US Data Bridge: For transfers to certified US companies like Twilio, Stripe, and Google.
  • Standard Contractual Clauses (SCCs) / International Data Transfer Agreement (IDTA): For transfers to processors who are not certified under the Data Bridge, such as OpenAI and Assembly.AI. We conduct a Transfer Risk Assessment for these transfers to ensure the protection of your data.

8. Data Retention

We believe in data minimisation and only keep your data for as long as it is needed. Our retention periods are enforced by automated systems.

  • Call Recordings (Audio): Deleted after 90 days.
  • Call Transcripts (Text): Anonymized or deleted after 1 year.
  • Wellness Summaries & Reports: Deleted after 2 years.
  • Data on Cancelled Accounts: Fully deleted 30 days after cancellation.
  • Billing Records: Kept for 7 years to comply with UK tax law.

9. Your Data Protection Rights

Under UK GDPR, you have rights over your personal data. This applies to both Subscribers and Users.

  • The Right to be Informed: To be told how we use your data (which is the purpose of this policy).
  • The Right of Access: To request a copy of the data we hold about you.
  • The Right to Rectification: To ask us to correct inaccurate or incomplete data.
  • The Right to Erasure (The "Right to be Forgotten"): To ask us to delete your data.
  • The Right to Restrict Processing: To ask us to limit how we use your data.
  • The Right to Data Portability: To request your data in a common, machine-readable format.
  • The Right to Object: To object to our processing of your data for certain purposes (e.g., direct marketing).
  • The Right to Withdraw Consent: For any processing based on consent, you can withdraw that consent at any time. For a User, this will mean stopping the Service.

To exercise any of these rights, please contact our Data Protection Contact at rick@evacares.co.uk. We will respond to your request within one month.

10. How to Complain

If you are unhappy with how we have handled your data, we would appreciate it if you contacted us first so that we can try to resolve the issue. However, you have the right to complain to the Information Commissioner's Office (ICO), the UK's data protection regulator.

  • Website: www.ico.org.uk
  • Helpline: 0303 123 1113

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any significant changes by email or through a notice on our website.