
Privacy Notice

This is the formal UK GDPR / DPA 2018 notice for the CARER app and website.
For a plain-English summary of how CARER handles your data, see our Privacy promise.

Last updated: 3 July 2026

Contents

  1. Who we are
  2. Our privacy principles
  3. What this notice covers
  4. Information we collect
  5. How we use it and our lawful bases
  6. Product improvement and research
  7. On-device processing and cloud assistance
  8. Who we share information with
  9. International transfers
  10. How long we keep it
  11. Your rights
  12. Security
  13. Children and age restriction
  14. Changes to this notice
  15. Contact and complaints

1. Who we are

Wellnetix Ltd ("Wellnetix", "we", "us") is the data controller for the CARER app and the CARER website (wellnetixltd.com and sub-domains). We are incorporated in the United Kingdom.

Privacy enquiries and data-subject requests: nimind@wellnetixltd.com

2. Our privacy principles

These are built into the code, not just policy statements.

  • On-device by default. The companion AI and your conversations run on your own device, offline. Your words do not need to leave your phone.
  • Consent first. We rely on your explicit, freely given consent for the core companion. You can withdraw it at any time without losing access to the app's crisis and safety features.
  • Never sold. We do not sell your data to anyone, ever.
  • No advertising. We do not use your data for advertising, and we do not share it with advertising networks.
  • No score about you. We never compute, store, or return a clinical assessment, burnout score, stress level, mood number, or risk grade about you. The capability does not exist in the system.
  • The person you care for is not our data subject. Their condition, medications, symptoms, and care have no representation in our system. We structurally cannot build a profile of them.
  • Crisis help is unconditional. The crisis and safeguarding routes are free, offline-capable, and not gated by consent state or account status.

3. What this notice covers

This notice applies to:

  • The CARER mobile app (iOS and Android) — including the companion, memory, grief space, private space, reflection, and crisis features.
  • The CARER website — these static information pages.

It does not cover third-party websites or services that CARER may link to (for example, Samaritans or the NHS), which have their own privacy notices.

4. Information we collect

4.1 Account information

When you create an account, we collect the minimum needed to secure your memory across devices:

  • A verified identity token from your chosen sign-in provider (Apple, Google, or email — your OIDC subject identifier). We never see your sign-in provider password.
  • Your email address — encrypted at rest, held only if you sign in via email.
  • Your preferred display name — optional, encrypted, stored only if you provide it.
  • A self-label in your own words — optional, encrypted.
  • Region (United Kingdom) and age-gate confirmation (18+).

We do not ask for your date of birth, phone number, address, or any demographic that is not needed to run the service.

4.2 Your conversations and memory

The content you share in conversations — and the memory items you choose to save — is the most sensitive information we hold. We treat it as special-category data under Article 9 UK GDPR (data concerning health and emotional state). You are a well person under stress rather than a patient, but we apply the more protective reading.

  • Conversation content is encrypted at the field level on your device before it leaves your phone, and on our servers it is held as ciphertext only.
  • Memory items are your verbatim words — exactly what you said, never a verdict or inference the system drew about you. They are encrypted at rest.
  • Memory is written back only on your explicit confirmation — a tap to save. Nothing you say is silently stored as a memory.
  • The cared-for person is not stored. Any mention of the person you care for in your words is held as part of your narrative, never as a profile of them. We structurally cannot store their condition, medications, symptoms, or care as data.

4.3 Consent and preference records

We store your consent choices — which features you have enabled or disabled — with a timestamp and method. You can view and change these in Settings. The consent scopes are: companion memory, cloud backup (off by default), proactive nudges, anniversary surfacing, reflection export, analytics opt-out, and third-party mention acknowledgement. Scopes for research, training, carer-link, or sharing to family do not exist — the system returns an error if any client attempts to set one.

4.4 Structural product analytics

We collect a minimal, strictly sandboxed set of structural signals to understand whether the app is working: your account region, account status, subscription tier, which crisis-config version your device holds, and which content modules you have started. We never collect session duration, engagement counts, or the content of any conversation or memory. You can opt out of even this via the analytics opt-out setting.

4.5 Safety signals (temporary, boolean, never counted)

When the app's safety system identifies a moment that may need support (for example, a late-night pattern or a disclosure that triggers the crisis route), it records a boolean flag: that something happened, not what was said. These flags are used only to shape the immediate in-app response and are automatically purged after 7 days. They are never accumulated, scored, or included in analytics.

4.6 Crisis interactions

The crisis configuration (helpline numbers and safeguarding resources for your region) is downloaded to your device and cached there. It does not require an account and is not linked to you. If you use the crisis route in the app, the interaction stays on your device — nothing is sent to us, and we cannot see that you used it.

4.7 Website

The CARER website is a static site. We do not use server-side analytics, tracking pixels, or advertising cookies. Fonts are loaded from Google Fonts (see our Cookie policy). We do not set any first-party cookies. We receive standard web-server access logs (IP address, browser type, referring URL, timestamp) only if we move to hosted infrastructure; currently these are not collected.

4.8 Audit log

We maintain an append-only audit log that records that significant events happened (login, consent changes, export requests, deletion requests) — never the content of any conversation or memory item.

5. How we use it and our lawful bases

Purpose | Lawful basis
Providing the CARER companion — conversations, memory, grief space, private space, reflection | Art. 6(1)(b) — performance of a contract; and for the special-category content, Art. 9(2)(a) — your explicit consent
Operating your account and securing your memory across devices | Art. 6(1)(b) — performance of a contract
Crisis and safeguarding features | Art. 6(1)(d) — vital interests; and Art. 9(2)(c) for special-category data in a life-risk context. These features are never withheld on consent grounds.
Storing and processing your consent choices | Art. 6(1)(c) — legal obligation (UK GDPR Art. 7)
Structural product analytics (opt-out available) | Art. 6(1)(f) — legitimate interests (understanding whether the app is functioning, not measuring engagement)
Responding to your data-subject rights requests | Art. 6(1)(c) — legal obligation
Complying with law, preventing fraud or harm | Art. 6(1)(c) — legal obligation; Art. 6(1)(f) — legitimate interests

What we do not do: We do not use your information to send you advertising, to profile you for third parties, to make any automated decision with a significant legal or similar effect on you, or to assess your clinical state.

6. Product improvement and research

6.1 Current position

There is currently no research or training pipeline in the CARER app or backend. The structural analytics described in §4.4 (region, tier, crisis-config version, content-module state) may be used to understand whether features are working and to improve the product. These signals are not linked to the content of any conversation or memory.

Your conversations and memory items are never used to train AI models. The companion AI runs on a pre-trained on-device model; your words are never fed back into model training. This is a structural constraint — the training pipeline simply does not exist.

6.2 Future research (policy for when it is introduced)

If a research or science-contribution programme is introduced, the following commitments will apply before a single record is used:

  • It will be introduced under a separate, explicit opt-in consent — never assumed from existing consent, and never required to use CARER.
  • It will use a physically separate system with its own governance, no shared decryption key with the main CARER system, and access only to de-identified or aggregated data.
  • It will be reviewed under the PPIE (patient and public involvement and engagement) process before launch.
  • You will be able to withdraw at any time, which will stop any future use.
  • Results will never be used to infer or return a clinical state to you.
  • This notice will be updated and you will be informed before the programme starts.

7. On-device processing and cloud assistance

7.1 On-device by default

CARER's companion AI downloads to your device once, over Wi-Fi, the first time you use it. After that, the companion runs on your device, offline. Your words are processed locally — they do not leave your phone during a conversation unless you have turned on cloud assistance.

7.2 Cloud assistance (optional, off by default)

Some optional features can use a cloud-hosted AI service to provide richer responses when you are online. This is off by default and clearly labelled in settings. If you turn it on, your message for that turn is sent to a cloud provider over an encrypted connection to generate a response; it is not retained for training. You can switch it off at any time, returning to fully on-device operation.

7.3 End-to-end encrypted sync and backup

If you turn on cloud backup (off by default), your memory and conversation data is encrypted on your device using AES-GCM before it leaves your phone. The encryption key is held only on your device (secured in the platform keychain) and recoverable only by you via a recovery code. Our servers store an opaque, unreadable ciphertext — we cannot decrypt your backup, even if compelled.

7.4 Encryption at rest on our servers

All personal content fields (email, display name, conversation titles, message content, memory items) are encrypted at the field level on our servers using envelope encryption: a per-user data encryption key (DEK) is wrapped by a key-encryption key (KEK) held in a key management system. Access to plaintext requires both the DEK and the KEK — a two-layer defence.

8. Who we share information with

We do not sell your personal data. We do not share it with your family or the person you care for. We share it only in the following circumstances:

8.1 Sub-processors (service providers)

We use a small number of third-party service providers to operate CARER. They act only on our instructions and are contractually prohibited from using your data for their own purposes.

Category | Purpose | Location aim
Cloud infrastructure / hosting | Running the CARER backend API and database | UK or EEA preferred; appropriate safeguards in place where not
Cloud AI service (optional — only when cloud-assist is on) | Generating a richer response when you have opted in to cloud assistance | UK or EEA preferred; appropriate safeguards in place where not. This processor receives only the message for that turn; it is contractually prohibited from retaining or training on it.
Authentication (sign-in) | Verifying your identity when you sign in | Apple (Sign in with Apple) and/or Google (Sign in with Google), depending on your sign-in method. If you sign in by email, an email-authentication service is used. All operate under standard data-transfer safeguards.
Encrypted backup / object storage (optional — only when cloud backup is on) | Storing your end-to-end encrypted backup blob (we hold ciphertext only; we cannot decrypt it) | UK or EEA preferred; appropriate safeguards in place where not

Full named sub-processor list, including country of processing and applicable transfer safeguard, is available on request: nimind@wellnetixltd.com

8.2 Legal disclosures

We may disclose information where required by UK law, a court order, or a regulatory authority. We will tell you before doing so unless we are legally prevented from it.

8.3 Safeguarding — what we do not do

CARER's crisis and safeguarding features route you to human services (999, Samaritans, Carers UK, adult safeguarding). They are never a covert reporting channel. We cannot and do not contact emergency services, local authorities, or anyone else on your behalf. The app is honest about this.

9. International transfers

Wellnetix Ltd is a UK company. We aim to keep your data within the UK and the EEA, and will use sub-processors in those regions where possible. Where any sub-processor processes data outside the UK or EEA, we will put an appropriate safeguard in place, such as the UK International Data Transfer Agreement (UK IDTA) or EU Standard Contractual Clauses (SCCs) with a UK addendum where required. Specific transfer details by sub-processor are available on request: nimind@wellnetixltd.com

10. How long we keep it

  • Conversation and memory content — kept only as long as your account is active. On-device data is entirely in your control and deleted when you delete it or the app. Cloud-held ciphertext is deleted within 30 days of a deletion request.
  • Account information — kept for the duration of your account, then deleted within 30 days of confirmed deletion.
  • Safety flags — automatically purged after 7 days.
  • Consent records — kept for the duration of your account and for a period thereafter to demonstrate compliance.
  • Audit log — kept for 12 months for compliance and security purposes, then permanently deleted.
  • Analytics (structural, aggregated) — retained in aggregated form with no link to individuals after your account is deleted.

Summary retention schedule:

Category | Retention period
Conversation and memory content (cloud ciphertext) | Active account + deleted within 30 days of a deletion request (14-day reversal window, then hard delete completes)
Account information (email, display name, tokens) | Active account + deleted within 30 days of confirmed account deletion
Safety flags (temporary, boolean) | 7 days, then purged automatically
Consent and preference records | Active account + 12 months after deletion (to demonstrate compliance)
Audit log entries | 12 months, then permanently deleted
Structural analytics | Individual-account linkage removed at deletion; aggregate figures may be retained indefinitely

When you request deletion, we immediately destroy your per-profile encryption key (a "crypto-shred"). This makes all your encrypted data permanently unreadable before any row is deleted. A 14-day reversal window lets you cancel an accidental deletion; after that, hard deletion completes within 30 days.

11. Your rights

Under UK GDPR and the Data Protection Act 2018, you have the right to:

  • Access — request a copy of your personal data. In the app, you can view all your memory items at any time.
  • Rectification — ask us to correct inaccurate data. In the app, you can edit any memory item directly.
  • Erasure ("right to be forgotten") — request deletion of your data. In the app, you can delete individual items or your entire account. See §10 for how deletion works.
  • Restriction — ask us to restrict processing in certain circumstances.
  • Portability — receive your data in a portable format (JSON and Markdown). Available from the app at any time.
  • Object — object to processing based on legitimate interests (for example, structural analytics). The analytics opt-out in Settings gives you immediate effect.
  • Withdraw consent — withdraw consent for any consent-based processing at any time, without affecting anything we did before you withdrew. Withdrawing consent for the companion does not remove your access to crisis features.
  • Complain to the ICO — if you are unhappy with how we have handled your data, you can contact the Information Commissioner's Office: ico.org.uk · 0303 123 1113.

To exercise any right, email nimind@wellnetixltd.com with the subject line "data request". We will respond within one calendar month.

11.2 Additional rights for international users

CARER is available to users worldwide. The data controller is Wellnetix Ltd (United Kingdom) and UK GDPR is the primary framework. In addition:

  • EU/EEA users: You have equivalent rights under the EU General Data Protection Regulation (EU GDPR). The lawful bases and rights described in §5 and §11.1 apply to you. Our transfers of your data to the UK are made on the basis that the UK has received an EU adequacy decision.
  • California residents: Under the California Consumer Privacy Act (CCPA) as amended by the CPRA, you have the right to know what personal information we collect, to delete it, to opt out of its sale (we do not sell personal information), and to non-discrimination for exercising your rights. Contact us at nimind@wellnetixltd.com to exercise these rights.
  • Other jurisdictions: You may have additional rights under the laws of your country. We will honour lawful requests regardless of where you are based. Contact us at the address above.

This notice is an honest working draft. Multi-jurisdiction data-protection compliance — particularly EU GDPR adequacy, CCPA/CPRA, and other local frameworks — will be reviewed by a qualified solicitor before public launch. The rights and bases described here are our genuine current position; the solicitor review will confirm or refine them.

12. Security

  • Field-level encryption on all personal content (email, names, conversation content, memory items) using envelope encryption (per-user DEK + KMS-held KEK).
  • End-to-end encryption for cloud backup (AES-GCM, client-side key, server holds ciphertext only).
  • Row-level security (RLS) in the database — enforced at the database layer so that even an API bug cannot return another user's data. Each request sets a database session variable to your account ID, and every row access is filtered by it.
  • Crypto-shred deletion — your encryption key is destroyed immediately on a deletion request, rendering all your data permanently unreadable before any row is deleted.
  • No plaintext content in logs or analytics — the audit log records metadata only; the analytics firewall is a code-enforced allowlist that blocks any field ending in _enc.
  • On-device safety processing — the safety classifier runs outside and independent of the AI model, on your device, so it cannot be bypassed by model jailbreaks.
  • Access controls — backend access requires a valid OIDC JWT; role separation between the API and the database enforces least privilege.
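
An illustration of the analytics allowlist described in the list above and in §4.4, added here as an example and not taken from the CARER code base. The field names, the length cap and the sample events are assumptions made for the sketch; only the `_enc` suffix rule and the categories of structural signal come from this notice.

```python
"""Analytics firewall sketch: allowlist plus a hard block on *_enc fields."""
from typing import Any, Optional

# Hypothetical field names for the structural signals listed in section 4.4.
ALLOWED_FIELDS = {
    "region": str,
    "account_status": str,
    "subscription_tier": str,
    "crisis_config_version": str,
    "modules_started": list,  # list of module identifiers (strings)
}
ENCRYPTED_SUFFIX = "_enc"
MAX_VALUE_LEN = 64  # assumed cap so free text cannot ride in an allowed field


class FirewallViolation(Exception):
    """Raised when an encrypted-content field reaches the analytics path."""


def find_encrypted_keys(obj: Any, path: str = "") -> list:
    """Return the path of every key ending in _enc, at any nesting depth."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else str(key)
            if str(key).lower().endswith(ENCRYPTED_SUFFIX):
                hits.append(here)
            hits.extend(find_encrypted_keys(value, here))
    elif isinstance(obj, (list, tuple)):
        for i, item in enumerate(obj):
            hits.extend(find_encrypted_keys(item, f"{path}[{i}]"))
    return hits


def is_valid(value: Any, expected: type) -> bool:
    """Accept only short strings, or lists of short strings, per field type."""
    if expected is list:
        return isinstance(value, list) and all(
            isinstance(v, str) and len(v) <= MAX_VALUE_LEN for v in value)
    return isinstance(value, str) and len(value) <= MAX_VALUE_LEN


def filter_event(event: dict, opted_out: bool = False) -> Optional[dict]:
    """Return the event reduced to allowlisted fields, or None if opted out."""
    if opted_out:
        return None
    leaked = find_encrypted_keys(event)
    if leaked:
        # Fail closed: reject the whole event rather than strip and continue,
        # because an _enc key here means a code path is handling content.
        raise FirewallViolation(f"encrypted field(s) in analytics event: {leaked}")
    return {k: v for k, v in event.items()
            if k in ALLOWED_FIELDS and is_valid(v, ALLOWED_FIELDS[k])}


# Constructed sample events (not real data).
CLEAN = {"region": "GB", "subscription_tier": "free",
         "modules_started": ["sleep", "respite"], "session_seconds": 912}
LEAKY = {"region": "GB", "context": {"message_content_enc": "b64:AAAA"}}
```

In the sketch, `session_seconds` is dropped because it is not on the allowlist, while the nested `message_content_enc` key causes the whole event to be rejected.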

If you discover a security vulnerability, please report it to nimind@wellnetixltd.com.

13. Children and age restriction

CARER's core companion is for adults aged 18 and over. We enforce this with a hard age gate at onboarding. We do not knowingly collect personal data from anyone under 18.

If a user discloses that they are under 18 during use of the app, the companion does not open and the user is signposted to dedicated young-carer services (Childline, The Mix, Carers Trust). The crisis and safeguarding features remain available regardless of age.

If you believe we have inadvertently collected data from someone under 18, please contact us at nimind@wellnetixltd.com and we will delete it promptly.

14. Changes to this notice

We will update this notice as CARER develops. For material changes, we will notify you via the app before the change takes effect. The "Last updated" date at the top of this page shows when it was last revised. Continued use of CARER after a change constitutes acceptance of the updated notice.

15. Contact and complaints

For any privacy question or data-subject request: nimind@wellnetixltd.com

If you are not satisfied with our response, you have the right to complain to the UK supervisory authority:

  • Information Commissioner's Office (ICO)
  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

CARER is not an emergency or medical service and does not provide medical advice. In an emergency, call your local emergency services. For urgent support, see Get urgent help.

© 2026 Wellnetix Ltd, United Kingdom. All rights reserved. Contact: nimind@wellnetixltd.com