Grace Suite Privacy Policy

Last updated: 6 December 2025

Your Privacy Matters

Grace Suite, including Grace Companion, Grace Notes and Grace Care Facilities, is committed to protecting the privacy and security of our users, particularly vulnerable individuals, their families and professional carers. This Privacy Policy explains how we collect, use, store and protect your personal information in accordance with UK GDPR and the Data Protection Act 2018.

Unless stated otherwise, references to "we", "us" or "our" in this Policy refer to the operators of the Grace Suite products listed above.

For example, Grace Companion focuses on conversations, reminders and family messaging; Grace Notes supports professional care records and visit notes; and Grace Care Facilities supports resident records, care plans and staff activity within registered organisations.

1. Information We Collect

Personal Information:

  • Name, email address, and contact details
  • Relationship information (for next of kin)
  • Time zone and location preferences
  • Date of birth and emergency contact information

Voice Data:

  • Voice recordings for personalised reminders (optional)
  • Voice-to-text transcriptions of conversations
  • Voice samples stored securely for cloning purposes

Usage Information:

  • Conversation history with AI companion
  • Reminder preferences and responses
  • Help request history and emergency contacts made
  • Device information and usage patterns

2. How We Use Your Information

We use your information solely to:

  • Provide personalised reminders and companionship
  • Generate voice-based reminders in familiar voices
  • Notify designated family members of help requests
  • Improve conversation quality and response accuracy
  • Ensure safety and wellbeing of users
  • Comply with legal obligations

We never sell your data to third parties. Ever.

3. Data Security

We implement industry-standard security measures:

  • End-to-end encryption for all voice data
  • Secure cloud storage with regular backups
  • Access controls and authentication requirements
  • Regular security audits and updates
  • Data minimisation principles

Note: Voice recordings are encrypted and stored separately from personal information. Only authorised personnel can access this data for service improvement.

4. Family Access & Consent

When a next of kin registers on behalf of an elder, they affirm they have legal authority to do so. Family members with granted access can:

  • View reminder history and conversation summaries
  • Receive notifications when help is requested
  • Modify reminder schedules and preferences
  • Access emergency contact information

The elder or their legal guardian can revoke family access at any time through settings.

5. Data Retention

We operate a three-tiered retention system to balance your privacy with legal safeguarding obligations:

Tier 1: Essential Safeguarding Data (7 years)

  • Conversations flagged as concerning (risk of harm, confusion, distress)
  • Legal basis: Legal obligation, Vital interests
  • Cannot be deleted on request if legal obligation applies
  • Access: You, authorised family members, safeguarding authorities

Tier 2: Family Monitoring Data (12-24 months, configurable)

  • Normal daily wellbeing conversations
  • Legal basis: Legitimate interests, Consent
  • Default: 12 months active, then 12 months archived, then deleted
  • You can choose: 12 or 24 month retention in settings
  • Can be deleted on request with 30-day grace period
  • 60-day notice before permanent deletion

Tier 3: Service Improvement Data (Indefinite, anonymised)

  • Anonymised conversation patterns for AI improvement
  • Legal basis: Explicit consent (optional, opt-in only)
  • All personal information removed (irreversible anonymisation)
  • Cannot be linked back to you (GDPR Recital 26 compliant)
  • Consent expires annually and must be renewed

Other Data Retention:

  • Voice recordings: Retained until account deletion or revoked consent
  • Personal information: Retained while account is active, deleted within 30 days of account closure
  • Reminder history: Stored for 6 months
  • Access logs: Maintained for 3 years for security and accountability

Manage Your Data: Visit your Data Management Dashboard to view all stored conversations, adjust retention periods, and exercise your data rights.

6. Your Rights

Under UK GDPR, you have the right to:

  • Access: Request a copy of all your data
  • Rectification: Correct inaccurate information
  • Erasure: Request deletion of your data
  • Portability: Receive your data in a portable format
  • Restriction: Limit how we process your data
  • Objection: Object to certain data processing
  • Withdrawal: Withdraw consent at any time

To exercise any of these rights:

We will respond to all requests within 30 days as required by GDPR Article 12.

7. Account Deletion & Right to Erasure

You may delete your account or request data erasure at any time via your Data Management Dashboard.

Upon account deletion:

  • All personal information is permanently deleted within 30 days
  • Voice recordings are securely erased with cryptographic overwriting
  • Non-safeguarding conversations are immediately deleted
  • Family members are notified of account closure

Important: Safeguarding Data Retention

Conversations flagged for safeguarding purposes (indicating risk of harm, abuse, or urgent need) must be retained for 7 years under UK Adult Safeguarding legislation. This is a legal obligation under GDPR Article 6(1)(c) and cannot be overridden by a deletion request.

You will be notified of any data retained for legal reasons, including the specific legal basis and retention period. You may request a review of safeguarding flagging decisions.

Anonymised, aggregated data (with all personal identifiers removed) may be retained for service improvement purposes. This data cannot be linked back to you and is not considered personal data under GDPR Recital 26.

8. Third-Party Services

We use the following third-party services:

  • ElevenLabs: Voice cloning and text-to-speech (data processing agreement in place)
  • Supabase: Secure database and authentication
  • AI providers: Conversation processing (no data retention)

All third-party processors comply with UK GDPR and have appropriate data protection agreements.

9. International Data Transfers

Your data is primarily stored within the UK and EU. Where data is transferred internationally, we ensure appropriate safeguards are in place through Standard Contractual Clauses and adequacy decisions.

10. Children's Privacy

Grace Companion is designed for adults aged 18 and over. We do not knowingly collect information from children under 18.

11. Changes to This Policy

We may update this Privacy Policy periodically. Significant changes will be communicated via email and in-app notifications. Continued use after changes constitutes acceptance.

12. Contact & Complaints

For privacy-related questions or concerns:

Data Protection Officer

Email: privacy@grace-companion.co.uk

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

ico.org.uk | Helpline: 0303 123 1113