Privacy Policy

Introduction

Welcome to Ownleaf. We are committed to protecting your privacy and ensuring the security of your personal information. This comprehensive privacy policy explains how we collect, use, and protect information across all our services:

  • Ownleaf Support Circle mobile application (iOS and Android)
  • Ownleaf for Business - Bereavement Support System
  • FuneralPay - Payment Processing Platform
  • Ownleaf website (https://ownleaf.com)

This privacy policy applies to all services provided by Ownleaf 2 Ltd, registered in England and Wales - Company Registration Number 15845475.

Contact Information

For privacy-related inquiries:

  • Email: privacy@ownleaf.com
  • Response Time: Within 48 hours

Registered Address:

6 Gedney Close
Shirley
B90 1LJ
Solihull
United Kingdom

To submit a data-related inquiry or exercise your data rights, email our Data Protection Officer at dpo@ownleaf.com.

1. Information We Collect

1.1 Consumer Services (Support Circle App)

Mobile App Permissions

Our mobile apps require these permissions:

  • Internet access: Required for core functionality

Personal Information

We collect:

Basic Information

  • Name
  • Email address
  • Contact details

Grief Support Information

  • Date of birth
  • Phone number
  • Relationship to deceased (if applicable)
  • Important dates

App Store Analytics

  • We have access to aggregated analytics data provided by the Apple App Store and Google Play Store, including:
    • General device types and operating systems
    • Basic usage statistics
    • Crash reports
  • This data is anonymized and provided by the respective app stores in accordance with their privacy policies. We do not collect this technical data directly.

1.2 Business Services

Ownleaf for Business - Bereavement Support System

We process the following data on behalf of business clients:

Organization Information

  • Business name and contact details
  • Staff accounts and access levels
  • Service configuration

End-user Information

  • Case management data
  • If an end-user uses Personal Grief Support, see the Personal Information collected in section 1.1.

1.3 Third-Party Integrations

Our services integrate with:

Payment Processing

  • Stripe Payment SDK: Processes premium feature payments
    • Data collected:
      • Payment card information (processed securely by Stripe)
      • Transaction identifiers
      • Billing address
    • Purpose:
      • Secure payment processing
      • Fraud prevention
      • Transaction record keeping
    • Data location: EU/UK data centers
    • Retention period: 7 years (as required by UK financial regulations)
    • Privacy policy: Stripe Privacy Policy

Analytics

  • Amplitude Analytics: App and website analytics
    • Data collected:
      • Anonymized usage patterns
      • Feature interaction metrics
      • Performance data
    • Purpose:
      • Service optimization
      • Performance monitoring
      • User experience improvement
    • Data location: EU servers
    • Retention period: 25 months
    • Privacy policy: Amplitude Privacy Policy

Communication

  • Postmark: Email service provider
    • Data collected:
      • Email addresses
      • Email content
      • Delivery status
    • Purpose:
      • Account verification
      • Service notifications
      • Support communication
    • Data location: EU/UK data centers
    • Retention period: 45 days
    • Privacy policy: Postmark Privacy Policy
  • Twilio: SMS notification service
    • Data collected:
      • Phone numbers
      • Message content
      • Delivery status
    • Purpose:
      • Support group reminders
      • Two-factor authentication
      • Service notifications
    • Data location: EU data centers
    • Retention period: 30 days
    • Privacy policy: Twilio Privacy Policy

Cloud Services

  • Amazon Web Services (AWS): Cloud infrastructure
    • Data collected:
      • User account information
      • Application data
      • Encrypted backups
    • Purpose:
      • Secure data storage
      • Service hosting
      • Disaster recovery
    • Data location: AWS EU-West-2 (London)
    • Security certifications: ISO 27001, SOC 2
    • Privacy policy: AWS Privacy Notice

All third-party providers are subject to:

  • Regular security audits
  • Data Processing Agreements (DPAs)
  • Strict confidentiality requirements
  • UK GDPR compliance verification
  • App store data safety requirements

2. How We Use Your Information

2.1 Consumer Services

  • Provide grief support services
  • Send relevant notifications
  • Improve user experience

2.2 Business Services

  • Process payments and transactions
  • Provide bereavement support tools
  • Generate analytics and reports
  • Maintain compliance records

2.3 Cross-Product Data Usage

We maintain strict data separation between our services, with limited exceptions for essential service delivery:

Data Separation

We maintain distinct data environments for:

  • Consumer Support Circle app data
  • Business client data
  • Payment processing data

Limited Cross-Product Relations

We maintain minimal cross-product data connections only where necessary to provide our services:

  • Employer-provided access: When a user accesses the Support Circle app through their employer's bereavement support program, we maintain:
    • Employment verification status
    • Access level and entitlements
    • Organization relationship
  • User invitations: When users invite others to join support groups or services, we track:
    • Invitation relationships
    • Connection status

Additional Data Sharing

Beyond these specific relationships, data is not shared between services unless:

  • Required by law
  • Necessary for fraud prevention
  • Explicitly authorized by users

3. Legal Basis for Processing

3.1 Consumer Services (Support Circle App)

This section outlines our lawful bases for processing personal data under UK GDPR. For each type of data processing, we rely on one or more of the following legal grounds:

Contract Fulfillment

We process your data to provide the services you've signed up for, such as:

  • Creating and managing your account
  • Enabling support group participation
  • Delivering app features you've requested

Legitimate Interests

We process data for our legitimate business purposes, including:

  • Improving our services
  • Ensuring app security
  • Preventing fraud
  • Analyzing app performance

Consent

We obtain your explicit consent for processing sensitive data, such as:

  • Information about bereavement
  • Support group conversations
  • Health-related information

3.2 Business Services (Professional Platform)

Contract Performance

We process data necessary to fulfill our business agreements:

  • Providing bereavement support services
  • Processing payments
  • Managing client accounts

Legal Obligations

We process data to comply with legal requirements:

  • Financial records for tax purposes
  • Regulatory reporting requirements
  • Data protection obligations

Legitimate Business Interests

We process data for essential business operations:

  • Service optimization
  • Security measures
  • Business analytics
  • Client support

4. Data Security

We implement comprehensive security measures to protect your data:

4.1 Technical Measures

These are the technological safeguards we use:

Data Encryption

  • All data is encrypted during transmission using TLS 1.3
  • Data stored in our databases is encrypted at rest using AES-256
  • Secure backup encryption

Access Security

  • Multi-factor authentication for all system access
  • Role-based access control (RBAC)
  • Regular access review and audit logs
  • Automated session timeouts

Infrastructure Security

  • Regular vulnerability scanning
  • Penetration testing conducted annually
  • Automated security updates
  • Firewall protection
  • DDoS protection

4.2 Organizational Measures

These are our human and process-based protections:

Staff Security

  • Background checks for employees
  • Regular security awareness training
  • Confidentiality agreements
  • Clear desk policy

Security Procedures

  • Documented incident response plan
  • Regular security policy reviews
  • Change management procedures
  • Data breach notification process

Access Management

  • Strict access approval process
  • Regular access rights review
  • Immediate access revocation for departing staff
  • Principle of least privilege

5. Data Retention

We maintain specific retention periods for different types of data, balancing privacy rights with regulatory requirements and business needs.

5.1 Consumer Data

Account Information

  • Basic account data: 14 days after account deletion
  • App settings and preferences: 14 days after deletion

Transaction Records

  • Consumer transactions: 6 years from transaction date
  • Payment information: 6 years (UK Companies Act requirement)
  • Transaction disputes: 6 years from resolution

5.2 Business Data

Transaction Records

  • Financial transactions: 7 years from transaction date
  • Payment processing records: 7 years
  • Accounting documentation: 7 years

Client Data

  • Active client data: Duration of service agreement
  • Post-service retention: 12 months after service termination
  • Client communication records: Duration of agreement + 12 months

Compliance Documentation

  • Data Processing Agreements: 6 years after termination
  • Consent records: 6 years from collection
  • Privacy impact assessments: 6 years from creation
  • Security audit reports: 6 years from audit date
  • Incident response records: 6 years from incident closure

6. Your Data Rights

Under UK data protection law, you have several important rights regarding your personal data. Here's a detailed explanation of each right and how to exercise it:

6.1 Your Core Rights

Right to Access (Subject Access Request)

  • Request a copy of all your personal data we hold
  • Receive information about how we use your data
  • Response time: Within 30 days
  • No fee for standard requests

Right to Rectification

  • Correct inaccurate personal data
  • Complete incomplete personal data
  • Updates typically processed within 7 days

Right to Erasure ('Right to be Forgotten')

  • Request deletion of your personal data
  • Applies when:
    • Data is no longer necessary
    • You withdraw consent
    • You object to processing
  • Some data may be retained if legally required

Right to Data Portability

  • Receive your data in a structured, common format
  • Have your data transferred directly to another service
  • Available formats: CSV, JSON
  • Processing time: Up to 30 days

Right to Restrict Processing

  • Limit how we use your data while:
    • Accuracy is being verified
    • Our legal basis is being verified
    • You need it for legal claims

Right to Object

  • Object to processing based on legitimate interests
  • Object to direct marketing
  • Object to processing for research/statistics

6.2 How to Exercise Your Rights

  1. Submit a Request
    • Email: privacy@ownleaf.com
  2. Verification Process
    • We'll verify your identity
    • May request additional information
    • Usually completed within 2 business days
  3. Response Timelines
    • Initial response: Within 48 hours
    • Final response: Within 30 days
    • Extension if complex: Up to 60 days (we'll notify you)
  4. What to Include
    • Your full name
    • Email address associated with your account
    • Specific right(s) you're exercising
    • Any relevant details about your request

6.3 Additional Information

  • All requests are free of charge unless demonstrably excessive
  • We maintain a record of all rights requests
  • You can authorize someone else to make a request on your behalf
  • If we cannot fulfill your request, we'll explain why
  • You have the right to complain to the ICO (www.ico.org.uk)

6.4 Limitations

Some rights may be limited when:

  • Legal or regulatory requirements apply
  • Rights of others would be adversely affected
  • Technical limitations exist
  • The request is manifestly unfounded or excessive

7. Business Client Obligations & Data Processing

7.1 Data Processing Agreements

As a processor of personal data on behalf of our business clients, we maintain comprehensive Data Processing Agreements (DPAs) that outline responsibilities for both parties:

Client Responsibilities

  • Ensure lawful basis for data processing
  • Maintain appropriate technical and organizational security measures
  • Conduct necessary Data Protection Impact Assessments (DPIAs)
  • Respond to data subject requests within required timeframes
  • Report any suspected data breaches within 24 hours
  • Keep records of all data processing activities
  • Ensure staff are trained in data protection

Our Commitments

  • Process data only on documented client instructions
  • Implement appropriate security measures
  • Assist with data subject requests
  • Support clients in security incident response
  • Provide evidence of compliance upon request
  • Maintain confidentiality obligations
  • Return or delete client data upon contract termination

7.2 Sub-processing

We maintain transparent sub-processing relationships:

Sub-processor Management

  • Maintain current list of approved sub-processors available on request
  • Provide 30 days' notice before adding new sub-processors
  • Ensure sub-processors meet security requirements through:
    • Security assessments
    • Data Processing Agreements
    • Regular compliance reviews
    • Documented security controls

Client Rights

  • Right to object to new sub-processors within 14 days
  • Access to sub-processor security documentation
  • Regular updates on sub-processor compliance
  • Ability to audit sub-processor arrangements

7.3 Security & Compliance

Business clients must maintain minimum security standards:

Technical Requirements

  • Encrypt data in transit and at rest
  • Implement access controls and authentication
  • Regular security testing and updates
  • Maintain audit logs
  • Use secure development practices

Organizational Requirements

  • Maintain written security policies
  • Regular staff training
  • Incident response procedures
  • Access management processes
  • Change control procedures

7.4 Audits & Assessments

To ensure ongoing compliance:

Regular Reviews

  • Annual security assessments
  • Quarterly compliance checks
  • Monthly access reviews
  • Continuous monitoring

Documentation

  • Maintain compliance records
  • Update security documentation
  • Record all data processing activities
  • Document incident responses

7.5 Incident Response

In case of security incidents:

Notification Requirements

  • Report incidents within 24 hours
  • Provide incident details and impact
  • Document remediation steps
  • Support investigation efforts

Cooperation Procedures

  • Share relevant logs and data
  • Participate in incident calls
  • Support client communications
  • Assist with regulatory reporting

8. Updates to This Policy

We regularly review and update this privacy policy to ensure it accurately reflects our data practices and regulatory compliance. Here's how we manage changes:

8.1 Review Process

  • Regular policy reviews conducted quarterly
  • Additional reviews when:
    • We launch new features or services
    • Regulations change
    • We modify data processing practices
    • We add new third-party providers

8.2 Notification of Changes

We notify users of material changes through multiple channels:

  • Email notification to all active users
  • Website notice (at least 30 days)

8.3 What Constitutes a Material Change

Material changes include:

  • Changes to data collection practices
  • New ways of using personal data
  • Changes to data sharing practices
  • Updates to retention periods
  • Modifications to user rights
  • New sub-processor additions

8.4 Version History

Version | Date | Changes | Approved By
1.0.0 | 2025-02-14 | Initial version | Daniel Espeland

8.5 Previous Versions

  • Changes are documented in our changelog
  • Previous versions can be requested via privacy@ownleaf.com

8.6 Your Choices

When we make material changes:

  • You will be asked to review and acknowledge significant changes
  • You have the right to object to changes affecting your data
  • You can request clarification about any changes
  • You may opt out of certain new data uses where applicable

Last Updated: February 14, 2025