Legal
Privacy Policy
Last updated: 28 April 2026
Plain English summary
TL;DR — quick scan
- We don't sell your data to advertisers or data brokers.
- Only invited people can see a care circle's tasks and records — not the public internet.
- Encryption in transit and at rest helps protect what you store with us.
- We don't provide medical advice — we help you store and share what you choose with people you invite; clinical decisions stay with you and your professionals.
- You can ask to access, fix, or delete your information (some legal exceptions apply). You can also delete your account in the app to remove your circles and content (see section 9).
- The sections below are the full legal text — if anything differs, those details win.
1. Introduction
This Privacy Policy describes how Attriko ("we", "us", "our") collects, uses, stores, and shares personal information when you use our mobile apps, websites, and related services (together, the "Services"). It is intended to help users in the European Economic Area ("EEA"), the United Kingdom, Switzerland, and California ("CCPA/CPRA") understand their privacy rights, as well as users elsewhere. It is not a substitute for legal advice tailored to your situation.
In plain English: We built Attriko to help families coordinate care — not to monetise your health story.
2. How we classify your information
We distinguish categories of data so you can see what is "normal" account data versus more sensitive material.
- Personal data includes identifiers and account information such as your name, email address, phone number (if you provide it), profile details, authentication identifiers from sign-in providers (for example Google, Apple, Microsoft, or Facebook where you choose those options), device and technical logs, billing contact details if you subscribe to a paid plan, and messages you send us (for example through our contact form).
- Sensitive care data (special category health data) includes information you or your invitees voluntarily enter about health or care in the app — for example prescriptions, diagnoses, symptoms, medical notes, lab results, care tasks, attachments such as PDFs or photos of documents, and similar content stored inside care circles or records features. Under the UK and EU GDPR, this is treated as special category data when it relates to your health.
In plain English: Your email is "personal data". A photo of a discharge summary is "sensitive care data" — we handle it with extra care.
3. What we collect and why (lawful bases)
Where GDPR applies, we rely on appropriate lawful bases including: contract (to provide the Services you asked for), legitimate interests (for example securing our systems and improving reliability, balanced against your rights), legal obligation where the law requires us to retain or disclose information, and — for special category health-related content you choose to store — explicit consent at the point you enter that information, and/or processing necessary for the provision of health or social care (where applicable). You may withdraw consent where processing is consent-based, subject to limitations if we must retain data for legal reasons.
We use personal data and sensitive care data to operate features you use (care circles, tasks, records, notifications, invitations, multilingual content), authenticate you, provide support, detect abuse, comply with law, and communicate service and security updates.
4. Handling of sensitive health information, encryption, and access
We treat health-related content you choose to store (including prescriptions, lab results, diagnoses, clinical notes, and similar uploads) as special category data under the UK and EU GDPR where it concerns health. This data is logically isolated within the care circle(s) you use in the product — it is not mixed into public profiles or used to build advertising audiences.
We use TLS (HTTPS) in transit and AES-256 encryption at rest (or an equivalent strength mechanism) where supported by our infrastructure. We do not process this content for behavioural advertising, sale, rental, or automated profiling unrelated to operating the features you asked for (storage, display to invited members, reminders, and similar user-directed coordination).
We will never sell, rent, or use your family's health records for marketing or profiling purposes in the sense described in section 5.
Visibility inside the product: care circle content (tasks, records, and similar) is designed to be visible only to members you (or another authorised member) have invited to that circle, according to the permissions model in the app. Attriko staff do not browse your care notes for marketing or product curiosity. We may access limited technical metadata (for example error logs) when diagnosing outages. We may view specific content only where you ask us to (for example support with your permission), where we reasonably believe it necessary to investigate abuse or illegal activity, or where required by law or to protect vital interests.
In plain English: Your circle is for your team — not for our staff to read routinely.
5. We do not sell your family's data
We do not sell personal information or sensitive care data to advertisers, data brokers, or unrelated third parties. We do not monetise your health content by sharing it for third-party behavioural advertising.
If you are a California resident: we do not "sell" or "share" personal information as those terms are commonly understood under the CCPA/CPRA for cross-context behavioural advertising. You may still exercise access and deletion rights as described below.
6. Third-party service providers (sub-processors)
We use carefully selected service providers ("sub-processors" or "processors") who process personal data only on our instructions and under contractual confidentiality and security obligations. They help us host the service, authenticate users, deliver messages you configure, and (on the marketing site) measure anonymous traffic. The table below lists categories and roles fulfilled by third parties; we may add or change providers over time and will update this section when changes are material.
| Category | How we use third parties |
|---|---|
| Authentication | Third-party authentication and identity services, including the sign-in providers you choose when creating an account (for example Google, Apple, Microsoft, or Facebook). |
| Infrastructure & storage | Third-party cloud hosting and storage used to run servers, databases, and backups in the regions we configure. |
| Communications | Third-party providers for transactional email, SMS and voice where enabled on eligible plans, and platform push notification services for mobile alerts — each only to deliver messages you or your circle configure in the app. |
| Analytics (marketing site) | Third-party analytics on this marketing website only for aggregated, optional traffic when you accept cookies — see our Cookie Policy. This is separate from in-app care records except where both relate to the same account identity you provide. |
| Other | In-product analytics or diagnostics tools where we enable them; customer support tooling; and payment processors if you purchase a paid plan (we generally do not store your full card number). |
Each provider processes only the data needed for its role. If you require a formal sub-processor list for your organisation, contact us via our contact page.
7. International transfers
Your information may be processed in the United Kingdom, the EEA, the United States, and other countries where our providers operate. Where GDPR applies and data is transferred outside the EEA/UK, we use appropriate safeguards such as Standard Contractual Clauses and supplementary measures where required.
8. Retention
We retain information for as long as your account exists and as needed to provide the Services, resolve disputes, comply with legal obligations, and enforce our agreements. You may request deletion of your account subject to legal exceptions (for example certain billing or security records we must retain for a limited period).
Where the app offers Delete account, using that flow is intended to permanently remove your profile and care-circle content you provided, except for data we must keep by law (for example limited billing or fraud-prevention logs) or briefly in encrypted backups as they age out.
9. Your rights
Depending on your location, you may have rights including:
- Right to access: request a copy of the personal information we hold about you.
- Right to rectification: request correction of inaccurate or incomplete information.
- Right to erasure ("right to be forgotten"): request deletion of personal information, subject to legal exceptions.
- Right to restrict processing or object to certain processing in some cases.
- Right to data portability: receive certain information in a structured, commonly used format where technically feasible.
- Right to withdraw consent where processing is based on consent.
- Right to lodge a complaint with a supervisory authority (for example the ICO in the UK).
California residents may also have rights to know categories of personal information collected, to request deletion, and to correct inaccurate personal information, subject to exceptions.
To exercise rights, contact us via our contact page. We may need to verify your identity before fulfilling certain requests.
Your family's story belongs to you. You can ask for a copy of your data where the law requires or where export features exist. If you leave Attriko, account deletion in the app is designed to remove your profile and the care data you added, without holding that content hostage, subject to the legal exceptions above.
10. Children
Attriko is not directed to children in a way that encourages unsupervised collection from young children. If you believe we have collected personal information from a child inappropriately, contact us and we will take appropriate steps.
11. Changes
We may update this policy from time to time. We will post the updated version and revise the "Last updated" date at the top of this page. Where changes are material, we will provide additional notice as required by law.
12. Contact
For privacy-related questions or requests, please use our contact form or email info@attriko.com.