1. Who we are
Wellnetix Ltd ("Wellnetix", "we", "us") is the data controller for the CARER app and the CARER website (wellnetixltd.com and sub-domains). We are incorporated in the United Kingdom.
Privacy enquiries and data-subject requests: nimind@wellnetixltd.com
2. Our privacy principles
These are built into the code, not just policy statements.
- On-device by default. The companion AI and your conversations run on your own device, offline. Your words do not need to leave your phone.
- Consent first. We rely on your explicit, freely given consent for the core companion. You can withdraw it at any time without losing access to the app's crisis and safety features.
- Never sold. We do not sell your data to anyone, ever.
- No advertising. We do not use your data for advertising, and we do not share it with advertising networks.
- No score about you. We never compute, store, or return a clinical assessment, burnout score, stress level, mood number, or risk grade about you. The capability does not exist in the system.
- The person you care for is not our data subject. Their condition, medications, symptoms, and care have no representation in our system. We structurally cannot build a profile of them.
- Crisis help is unconditional. The crisis and safeguarding routes are free, offline-capable, and not gated by consent state or account status.
3. What this notice covers
This notice applies to:
- The CARER mobile app (iOS and Android) — including the companion, memory, grief space, private space, reflection, and crisis features.
- The CARER website — these static information pages.
It does not cover third-party websites or services that CARER may link to (for example, Samaritans or the NHS), which have their own privacy notices.
4. Information we collect
4.1 Account information
When you create an account, we collect the minimum needed to secure your memory across devices:
- A verified identity token from your chosen sign-in provider (Apple, Google, or email — your OIDC subject identifier). We never see your sign-in provider password.
- Your email address — encrypted at rest, held only if you sign in via email.
- Your preferred display name — optional, encrypted, stored only if you provide it.
- A self-label in your own words — optional, encrypted.
- Region (United Kingdom) and age-gate confirmation (18+).
We do not ask for your date of birth, phone number, address, or any demographic that is not needed to run the service.
4.2 Your conversations and memory
The content you share in conversations — and the memory items you choose to save — is the most sensitive information we hold. It is treated as special-category data under Article 9 UK GDPR (data concerning health and emotional state), even though you are a well person under stress rather than a patient, because we apply the more protective reading.
- Conversation content is encrypted at the field level on your device before it leaves your phone, and on our servers it is held as ciphertext only.
- Memory items are your verbatim words — exactly what you said, never a verdict or inference the system drew about you. They are encrypted at rest.
- Memory is written back only on your explicit confirmation — a tap to save. Nothing you say is silently stored as a memory.
- The cared-for person is not stored. Any mention of the person you care for in your words is held as part of your narrative, never as a profile of them. We structurally cannot store their condition, medications, symptoms, or care as data.
4.3 Consent and preference records
We store your consent choices — which features you have enabled or disabled — with a timestamp and method. You can view and change these in Settings. The consent scopes are: companion memory, cloud backup (off by default), proactive nudges, anniversary surfacing, reflection export, analytics opt-out, and third-party mention acknowledgement. Scopes for research, training, carer-link, or sharing to family do not exist — the system returns an error if any client attempts to set one.
4.4 Structural product analytics
We collect a minimal, strictly sandboxed set of structural signals to understand whether the app is working: your account region, account status, subscription tier, which crisis-config version your device holds, and which content modules you have started. We never collect session duration, engagement counts, or the content of any conversation or memory. You can opt out of even this via the analytics opt-out setting.
4.5 Safety signals (temporary, boolean, never counted)
When the app's safety system identifies a moment that may need support (for example, a late-night pattern or a disclosure that triggers the crisis route), it records a boolean flag: that something happened, not what was said. These flags are used only to shape the immediate in-app response and are automatically purged after 7 days. They are never accumulated, scored, or included in analytics.
4.6 Crisis interactions
The crisis configuration (helpline numbers and safeguarding resources for your region) is downloaded to your device and cached there. It does not require an account and is not linked to you. If you use the crisis route in the app, the interaction stays on your device — nothing is sent to us, and we cannot see that you used it.
4.7 Website
The CARER website is a static site. We do not use server-side analytics, tracking pixels, or advertising cookies. Fonts are loaded from Google Fonts (see our Cookie policy). We do not set any first-party cookies. We receive standard web-server access logs (IP address, browser type, referring URL, timestamp) only if we move to hosted infrastructure; currently these are not collected.
4.8 Audit log
We maintain an append-only audit log that records that significant events happened (login, consent changes, export requests, deletion requests) — never the content of any conversation or memory item.
5. How we use it and our lawful bases
| Purpose | Lawful basis |
|---|---|
| Providing the CARER companion — conversations, memory, grief space, private space, reflection | Art. 6(1)(b) — performance of a contract; and for the special-category content, Art. 9(2)(a) — your explicit consent |
| Operating your account and securing your memory across devices | Art. 6(1)(b) — performance of a contract |
| Crisis and safeguarding features | Art. 6(1)(d) — vital interests; and Art. 9(2)(c) for special-category data in a life-risk context. These features are never withheld on consent grounds. |
| Storing and processing your consent choices | Art. 6(1)(c) — legal obligation (UK GDPR Art. 7) |
| Structural product analytics (opt-out available) | Art. 6(1)(f) — legitimate interests (understanding whether the app is functioning, not measuring engagement) |
| Responding to your data-subject rights requests | Art. 6(1)(c) — legal obligation |
| Complying with law, preventing fraud or harm | Art. 6(1)(c) — legal obligation; Art. 6(1)(f) — legitimate interests |
What we do not do: We do not use your information to send you advertising, to profile you for third parties, to make any automated decision with a significant legal or similar effect on you, or to assess your clinical state.
6. Product improvement and research
6.1 Current position
There is currently no research or training pipeline in the CARER app or backend. The structural analytics described in §4.4 (region, tier, crisis-config version, content-module state) may be used to understand whether features are working and to improve the product. These signals are not linked to the content of any conversation or memory.
Your conversations and memory items are never used to train AI models. The companion AI runs on a pre-trained on-device model; your words are never fed back into model training. This is a structural constraint — the training pipeline simply does not exist.
6.2 Future research (policy for when it is introduced)
If a research or science-contribution programme is introduced, the following commitments will apply before a single record is used:
- It will be introduced under a separate, explicit opt-in consent — never assumed from existing consent, and never required to use CARER.
- It will use a physically separate system with its own governance, no shared decryption key with the main CARER system, and access only to de-identified or aggregated data.
- It will be reviewed under the PPIE (patient and public involvement and engagement) process before launch.
- You will be able to withdraw at any time, which will stop any future use.
- Results will never be used to infer or return a clinical state to you.
- This notice will be updated and you will be informed before the programme starts.
7. On-device processing and cloud assistance
7.1 On-device by default
CARER's companion AI downloads to your device once, over Wi-Fi, the first time you use it. After that, the companion runs on your device, offline. Your words are processed locally — they do not leave your phone during a conversation unless you have turned on cloud assistance.
7.2 Cloud assistance (optional, off by default)
Some optional features can use a cloud-hosted AI service to provide richer responses when you are online. This is off by default and clearly labelled in settings. If you turn it on, your message for that turn is sent to a cloud provider over an encrypted connection to generate a response; it is not retained for training. You can switch it off at any time, returning to fully on-device operation.
7.3 End-to-end encrypted sync and backup
If you turn on cloud backup (off by default), your memory and conversation data is encrypted on your device using AES-GCM before it leaves your phone. The encryption key is held only on your device (secured in the platform keychain) and recoverable only by you via a recovery code. Our servers store an opaque, unreadable ciphertext — we cannot decrypt your backup, even if compelled.
7.4 Encryption at rest on our servers
All personal content fields (email, display name, conversation titles, message content, memory items) are encrypted at the field level on our servers using envelope encryption: a per-user data encryption key (DEK) is wrapped by a key-encryption key (KEK) held in a key management system. Access to plaintext requires both the DEK and the KEK — a two-layer defence.
8. Who we share information with
We do not sell your personal data. We do not share it with your family or the person you care for. We share it only in the following circumstances:
8.1 Sub-processors (service providers)
We use a small number of third-party service providers to operate CARER. They act only on our instructions and are contractually prohibited from using your data for their own purposes.
| Category | Purpose | Location and safeguards |
|---|---|---|
| Cloud infrastructure / hosting | Running the CARER backend API and database | UK or EEA preferred; appropriate safeguards in place where not |
| Cloud AI service (optional — only when cloud-assist is on) | Generating a richer response when you have opted in to cloud assistance | UK or EEA preferred; appropriate safeguards in place where not. This processor receives only the message for that turn; it is contractually prohibited from retaining or training on it. |
| Authentication (sign-in) | Verifying your identity when you sign in | Apple (Sign in with Apple) and/or Google (Sign in with Google), depending on your sign-in method. If you sign in by email, an email-authentication service is used. All operate under standard data-transfer safeguards. |
| Encrypted backup / object storage (optional — only when cloud backup is on) | Storing your end-to-end encrypted backup blob (we hold ciphertext only; we cannot decrypt it) | UK or EEA preferred; appropriate safeguards in place where not |
The full named sub-processor list, including country of processing and the applicable transfer safeguard, is available on request: nimind@wellnetixltd.com
8.2 Legal disclosures
We may disclose information where required by UK law, a court order, or a regulatory authority. We will tell you before doing so unless we are legally prevented from it.
8.3 Safeguarding — what we do not do
CARER's crisis and safeguarding features route you to human services (999, Samaritans, Carers UK, adult safeguarding). They are never a covert reporting channel. We cannot and do not contact emergency services, local authorities, or anyone else on your behalf. The app is honest about this.
9. International transfers
Wellnetix Ltd is a UK company. We aim to keep your data within the UK and the EEA, and will use sub-processors in those regions where possible. Where any sub-processor processes data outside the UK or EEA, we will put an appropriate safeguard in place, such as the UK International Data Transfer Agreement (UK IDTA) or EU Standard Contractual Clauses (SCCs) with a UK addendum where required. Specific transfer details by sub-processor are available on request: nimind@wellnetixltd.com
10. How long we keep it
- Conversation and memory content — kept only as long as your account is active. On-device data is entirely in your control and deleted when you delete it or the app. Cloud-held ciphertext is deleted within 30 days of a deletion request.
- Account information — kept for the duration of your account, then deleted within 30 days of confirmed deletion.
- Safety flags — automatically purged after 7 days.
- Consent records — kept for the duration of your account and for 12 months after deletion to demonstrate compliance.
- Audit log — kept for 12 months for compliance and security purposes, then permanently deleted.
- Analytics (structural, aggregated) — retained in aggregated form with no link to individuals after your account is deleted.
Summary retention schedule:
| Category | Retention period |
|---|---|
| Conversation and memory content (cloud ciphertext) | Active account + deleted within 30 days of a deletion request (14-day reversal window, then hard delete completes) |
| Account information (email, display name, tokens) | Active account + deleted within 30 days of confirmed account deletion |
| Safety flags (temporary, boolean) | 7 days, then purged automatically |
| Consent and preference records | Active account + 12 months after deletion (to demonstrate compliance) |
| Audit log entries | 12 months, then permanently deleted |
| Structural analytics | Individual-account linkage removed at deletion; aggregate figures may be retained indefinitely |
When you request deletion, we immediately destroy your per-profile encryption key (a "crypto-shred"). This makes all your encrypted data permanently unreadable before any row is deleted. A 14-day reversal window lets you cancel an accidental deletion; after that, hard deletion completes within 30 days.
11. Your rights
11.1 Your rights under UK GDPR
Under UK GDPR and the Data Protection Act 2018, you have the right to:
- Access — request a copy of your personal data. In the app, you can view all your memory items at any time.
- Rectification — ask us to correct inaccurate data. In the app, you can edit any memory item directly.
- Erasure ("right to be forgotten") — request deletion of your data. In the app, you can delete individual items or your entire account. See §10 for how deletion works.
- Restriction — ask us to restrict processing in certain circumstances.
- Portability — receive your data in a portable format (JSON and Markdown). Available from the app at any time.
- Object — object to processing based on legitimate interests (for example, structural analytics). The analytics opt-out in Settings takes effect immediately.
- Withdraw consent — withdraw consent for any consent-based processing at any time, without affecting anything we did before you withdrew. Withdrawing consent for the companion does not remove your access to crisis features.
- Complain to the ICO — if you are unhappy with how we have handled your data, you can contact the Information Commissioner's Office: ico.org.uk · 0303 123 1113.
To exercise any right, email nimind@wellnetixltd.com with the subject line "data request". We will respond within one calendar month.
11.2 Additional rights for international users
CARER is available to users worldwide. The data controller is Wellnetix Ltd (United Kingdom) and UK GDPR is the primary framework. In addition:
- EU/EEA users: You have equivalent rights under the EU General Data Protection Regulation (EU GDPR). The lawful bases and rights described in §5 and §11.1 apply to you. Our transfers of your data to the UK are made on the basis that the UK has received an EU adequacy decision.
- California residents: Under the California Consumer Privacy Act (CCPA) as amended by the CPRA, you have the right to know what personal information we collect, to delete it, to opt out of its sale (we do not sell personal information), and to non-discrimination for exercising your rights. Contact us at nimind@wellnetixltd.com to exercise these rights.
- Other jurisdictions: You may have additional rights under the laws of your country. We will honour lawful requests regardless of where you are based. Contact us at the address above.
This notice is an honest working draft. Multi-jurisdiction data-protection compliance — particularly EU GDPR adequacy, CCPA/CPRA, and other local frameworks — will be reviewed by a qualified solicitor before public launch. The rights and bases described here are our genuine current position; the solicitor review will confirm or refine them.
12. Security
- Field-level encryption on all personal content (email, names, conversation content, memory items) using envelope encryption (per-user DEK + KMS-held KEK).
- End-to-end encryption for cloud backup (AES-GCM, client-side key, server holds ciphertext only).
- Row-level security (RLS) in the database — enforced at the database layer so that even an API bug cannot return another user's data. Each request sets a database session variable to your account ID, and every row access is filtered by it.
- Crypto-shred deletion — your encryption key is destroyed immediately on a deletion request, rendering all your data permanently unreadable before any row is deleted.
- No plaintext content in logs or analytics — the audit log records metadata only; the analytics firewall is a code-enforced allowlist that blocks any field ending in _enc.
- On-device safety processing — the safety classifier runs outside and independent of the AI model, on your device, so it cannot be bypassed by model jailbreaks.
- Access controls — backend access requires a valid OIDC JWT; role separation between the API and the database enforces least privilege.
If you discover a security vulnerability, please report it to nimind@wellnetixltd.com.
13. Children and age restriction
CARER's core companion is for adults aged 18 and over. We enforce this with a hard age gate at onboarding. We do not knowingly collect personal data from anyone under 18.
If a user discloses that they are under 18 during use of the app, the companion does not open and the user is signposted to dedicated young-carer services (Childline, The Mix, Carers Trust). The crisis and safeguarding features remain available regardless of age.
If you believe we have inadvertently collected data from someone under 18, please contact us at nimind@wellnetixltd.com and we will delete it promptly.
14. Changes to this notice
We will update this notice as CARER develops. For material changes, we will notify you via the app before the change takes effect. The "Last updated" date at the top of this page shows when it was last revised. Continued use of CARER after a change constitutes acceptance of the updated notice.
15. Contact and complaints
For any privacy question or data-subject request: nimind@wellnetixltd.com
If you are not satisfied with our response, you have the right to complain to the UK supervisory authority:
- Information Commissioner's Office (ICO)
- Website: ico.org.uk
- Phone: 0303 123 1113
- Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF