Keepsake is a consumer wellness app. It is NOT a HIPAA-covered service, and the information you store in Keepsake is NOT protected by HIPAA. Please read Section 9 carefully before storing medical or legal information in the App.
Washington State residents: Additional disclosures specific to consumer health data are in our separate Consumer Health Data Privacy Policy.
1. About This Policy
This Privacy Policy describes how Keepsake ("we," "us," or "our") collects, uses, shares, and protects personal information in connection with the Keepsake mobile application and related services (the "Service"). It applies to:
- Caregivers who create an account and use Keepsake;
- Care Recipients, whose information caregivers store in Keepsake;
- Visitors to our website at keepsakecares.com.
Keepsake is offered only in the United States. This policy is written for U.S. users and is governed by U.S. federal and California state law.
Your use of the Service is also governed by our Terms of Service.
2. Quick Summary
- Who we are: Keepsake — a small California-based team building Keepsake.
- What we collect: your phone number (and, if you sign in with Apple or Google, your email and the identifier those services share with us); the first and last name you enter at sign-up and a small amount of onboarding context (your relationship to the person you care for and how you heard about Keepsake); information you enter about yourself and the people you care for (including health, medical, legal, and contact details); audio recordings and documents you upload; activity timestamps and task-completion history; and a limited set of device permissions the App needs to function.
- Why we collect it: to provide the Service — storing, organizing, transcribing, and sharing care information among the caregivers you choose, and verifying your identity by SMS.
- We do NOT sell your data, share it for cross-context behavioral advertising, use it to train third-party AI models, or run advertising campaigns or buy ads against your information. (If you opt in during sign-up, we use your email to send occasional product updates and support tutorials directly from our team — see Section 3.1.)
- Who we share it with: a short list of service providers (subprocessors) that host our infrastructure, authenticate you, deliver SMS verification codes, transcribe audio, and help us diagnose crashes and product issues. They act on our behalf under contract.
- Your rights: you can access, export, correct, and delete your data by emailing info@keepsakecares.com.
- Retention after deletion: we purge operational data within 60 days of an account-deletion request. Managed database backups roll off per the storage provider's default window.
- No HIPAA: Keepsake is not a HIPAA-covered service. Do not rely on it as a clinical medical record.
- Ages 18+ only.
3. Information We Collect
3.1 Information you give us
Account information. Authentication is handled by our identity provider, Clerk. You can sign in to Keepsake in any of three ways:
- Phone number + SMS one-time passcode. You enter a U.S. mobile phone number; Clerk sends a 6-digit verification code by SMS, and you type it back in to sign in. Your phone number is stored by Clerk and mirrored into our database.
- Sign in with Apple. You authorize Apple to share your Apple account identifier (and an email — which may be a private relay address — and your name on first sign-in) with Clerk. Clerk shares the identifier and any disclosed email/name with us so we can recognize you on return visits.
- Sign in with Google. You authorize Google to share your Google account identifier and your email and name with Clerk. Clerk shares this with us for the same purpose.
We do not store your password. If you sign in by phone, the only secret involved is the one-time SMS code, which is consumed on use. If you sign in with Apple or Google, the password lives with Apple or Google, never with us.
When you complete sign-up, our backend stores an internal user identifier (UUID), the contact information returned by Clerk (typically your phone number, and any email and first/last name returned by an SSO provider), and your timestamps.
Information you provide at onboarding. During the brief onboarding flow we ask you for:
- Your first and last name, so other caregivers on a Care Recipient profile see who's on the team;
- Your relationship to the Care Recipient (e.g., parent, spouse, friend, professional, or "myself" for self-care);
- An optional display name for the Care Recipient (e.g., "Mom");
- An optional referral source — how you heard about Keepsake (e.g., friend, social media, search). This is product-acquisition attribution; it is not a peer-referral program and does not share your account with any referrer.
Marketing email opt-in (optional). At the end of onboarding (and again from Settings if you skip it), we ask whether you'd like to receive occasional product updates and support tutorials from the team building Keepsake. If you opt in, we collect the email address you provide for that purpose. The address is mirrored to our marketing-email service (Loops; see Section 7) so we can send you those emails. If you signed in with Apple or Google, the email field is pre-filled with the address that provider shared with us; you can edit it before opting in. If you signed in with phone OTP, the field starts empty and you type the address you'd like us to use. Opting in is purely optional — declining lets you continue into the app with no email collected for marketing. You can unsubscribe at any time using the link in every email we send, or change your preferences from Settings.
Information about yourself. Anything else you choose to enter about yourself in the App (for example, a self-care profile).
Information about Care Recipients. When you add a Care Recipient, you may enter their name and any care-related information you choose, including across these categories:
- medical — diagnoses, conditions, treatments, care history;
- medications — prescriptions, dosages, schedules;
- observations — symptoms, behaviors, mood notes;
- appointments — visit times, locations, providers;
- care_plan — goals, routines, instructions;
- legal — documents such as powers of attorney or advance directives;
- personal — other personal information;
- contacts — names and contact details of people connected to the Care Recipient (doctors, family, aides).
This information is typically sensitive health information about an identified person. You affirm that you are authorized to input this information under our Terms of Service (Section 5).
Notes and uploads. You can create text notes, voice notes (audio recordings), scanned documents (converted to PDF on device before upload), and document uploads (PDF or DOCX). Documents are capped at 20 MiB and audio at 50 MiB per upload.
Care Recipient profile picture. Optionally, an image you upload for the Care Recipient (JPEG, PNG, or WebP, up to 5 MiB).
Tasks. Task titles, notes, locations, due times, recurrence rules, completion history, per-task links to notes, and per-task local reminder settings (which are scheduled as on-device notifications by your operating system).
Team membership. When you invite another caregiver to join a Care Recipient profile (or, today, request that we add them operationally), we associate their user account with that profile at the role you assign (owner, editor, or viewer).
3.2 Information generated when you use the App
Activity timestamps. For every item you create, update, or complete (notes, tasks, task occurrences), we record the time and the user who performed the action.
Streak / engagement metadata. When you mark a day's care tasks as complete, we record per-caregiver, per-Care-Recipient counters (current streak, longest streak, most recent completion date, and which calendar dates have at least one credited completion). These counters power the in-app "care streak" UI; they are derived from your task-completion timestamps and contain no free-text or health content.
Transcriptions and extracted text. When you upload a voice note, we send the audio to a transcription provider and store the resulting transcript with the note. When you upload a document, we run server-side text extraction (for PDFs) or render a PDF preview (for DOCX) inside our own server infrastructure and store the extracted text.
Thumbnails and previews. For uploaded documents we generate and store a thumbnail image and, for DOCX, a rendered PDF preview.
Server logs. Our hosting provider (Railway) captures standard request logs — IP address, user-agent, request path, and any exceptions raised — for debugging and operational health.
Crash and error diagnostics. When the App or our backend encounters an unexpected error, we send a diagnostic report to our error-monitoring provider (Sentry). Reports include a stack trace, the device model and operating-system version (mobile), the build version of the App, and the request path that triggered the error. We rely on Sentry's default client behavior, which means a report may incidentally include a snippet of in-flight data (for example, a few characters of a request path or query parameter) that was on the stack at the moment the error happened. We do not deliberately attach the body of your notes, audio bytes, document contents, or transcripts to Sentry events, and we do not use Sentry data for anything other than fixing bugs.
Product-analytics events (when enabled). If product analytics are enabled for your build of the App (see Section 13), the App sends pseudonymous usage events to PostHog — for example, "a screen was viewed," "a note of type X was created," "an upload failed with error kind Y." The App enforces an internal allow-list of event property keys: identifiers and content-bearing fields (phone, email, note titles and bodies, transcripts, document text, search queries, JWTs, and Care Recipient identifiers) are not sent to PostHog. Strings are truncated to 80 characters. We identify each user to PostHog by the internal application UUID — not by your name, email, or phone number.
3.3 Device permissions
Keepsake asks only for the permissions it actively uses. Each permission is requested in context and can be revoked at any time from your device's system settings. The App currently requests:
| Permission | Why we use it | Where the data goes |
|---|---|---|
| Camera | To capture photos and scan documents for care records | Captured images become document uploads (sent to Keepsake) |
| Microphone | To record voice notes | Audio is uploaded to Keepsake for storage and transcription |
| Photo library (read) | To let you choose a care recipient profile picture from your library | The selected image is uploaded to Keepsake and stored with the care recipient profile |
| Notifications / exact alarms / vibration / boot-completed / wake lock | To deliver task reminders as local notifications scheduled on your device. We do not currently send remote push notifications or collect remote push tokens. | Local notifications stay on your device |
| Network state / Internet | To detect offline conditions and reach our backend | Stays on your device |
| Sign in with Apple | If you choose Apple sign-in, to authenticate you via Apple's flow | Apple shares an account identifier and (on first sign-in) name and email with Clerk |
We do not request or collect: location, Bluetooth, Health / HealthKit, body sensors, activity recognition, contacts, calendars, reminders, or background location.
3.4 Local on-device storage
To make the App responsive and usable offline, Keepsake caches certain data on your device using your operating system's standard application storage:
- A session token cache (managed by Clerk) in your device's secure keystore (iOS Keychain / Android Keystore via Expo SecureStore). This holds the JWT that authenticates you to our backend.
- A read-through cache of recent notes and tasks (titles, bodies, category labels, transcription text, document URLs, completion state) and a cached presigned URL for the Care Recipient profile picture, in standard app storage (AsyncStorage). This cache is not encrypted at rest beyond the platform's standard app sandbox protections. Caches are cleared when you sign out or uninstall the App.
3.5 Information we do NOT collect
- We do not use advertising SDKs.
- We do not use cross-context behavioral advertising.
- We do not collect biometric identifiers server-side. Face ID, Touch ID, and fingerprint authentication run entirely on your device.
- We do not collect precise or background location.
- We do not access your contacts, calendars, reminders, or health data (Apple Health / Google Fit).
4. How We Use Information
We use the information we collect to:
- Operate the Service — authenticate you, store your notes and tasks, transcribe audio, extract text from documents, render thumbnails and previews, serve you your data when you open the App.
- Share information among caregivers you have added to a Care Recipient profile — at the role level each caregiver has been assigned.
- Secure the Service — detect and prevent abuse, fraud, and unauthorized access; investigate security incidents.
- Support you — respond to messages sent to info@keepsakecares.com.
- Comply with legal obligations — respond to valid legal process, enforce our Terms, protect our rights.
- Improve the Service — diagnose bugs and develop new features, primarily using aggregated and de-identified data.
We will not:
- sell personal information or share it for cross-context behavioral advertising;
- use personal information for targeted advertising;
- use Your Content to train third-party AI models;
- use Your Content for marketing;
- disclose medical information other than as described in this policy.
5. Legal Bases (California and Other U.S. State Privacy Laws)
We process personal information to provide and maintain the Service you have requested (contractual necessity), with your consent (for optional features such as microphone access), to comply with legal obligations, and for our legitimate interests in securing and improving the Service — provided those interests are not overridden by your rights.
California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states grant privacy rights that apply regardless of the legal basis. See Section 10.
6. How We Share Information
We share personal information only in these limited ways:
6.1 With caregivers you have added to a Care Recipient
Everyone assigned to a Care Recipient profile (owner, editor, viewer) can see that Care Recipient's notes, tasks, audio, documents, and scans — at the level their role allows. You control this sharing.
6.2 With our service providers (subprocessors)
The providers listed in Section 7 process personal information on our behalf under written agreements that limit their use of the data to providing services to us.
6.3 For legal reasons
We may disclose information if we reasonably believe it is necessary to (a) comply with a valid subpoena, court order, or other legal process; (b) enforce our Terms or investigate potential violations; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of Keepsake, our users, or the public. When legally permitted, we will notify the affected user before disclosure.
6.4 Business transfers
If Keepsake is acquired or involved in a merger, asset sale, reorganization, bankruptcy, or similar transaction, personal information may be transferred to the acquirer, subject to this policy. We will notify you of any such transfer.
6.5 With your direction or consent
We will share information as you direct (for example, if you ask support to share data with your own legal or medical representative).
We do not otherwise share your information with third parties.
7. Service Providers (Subprocessors)
All providers below are located in the United States (or operate globally from the U.S.) and process data under contractual obligations that protect your information.
| Role | Provider | Region | What they receive |
|---|---|---|---|
| Backend hosting | Railway | United States | All request/response bodies in transit; ephemeral server logs (IP, request path, exceptions) |
| Identity, sessions, and SMS phone verification | Clerk | United States | Your phone number; any email and name returned by Apple/Google SSO; device user-agent metadata used to verify sessions; Clerk arranges SMS verification-code delivery through its own SMS subprocessors (which include carrier-grade SMS providers such as Twilio) |
| Federated sign-in (only if you choose them) | Apple (Sign in with Apple) and Google (Sign in with Google) | United States / global | Your Apple or Google account identifier and the email/name you authorize them to share. We never receive your Apple/Google password. |
| Primary database | Supabase (managed Postgres) | United States | All your domain data (notes, tasks, Care Recipient profiles, caregiver assignments, streak counters, audio/document metadata) |
| Object storage | Cloudflare R2 | Cloudflare's global network, with data stored in the region we configure | Audio recordings, original documents, thumbnails, DOCX-to-PDF previews, Care Recipient profile pictures |
| Audio transcription (primary) | Deepgram | United States | Audio bytes of voice notes and the generated transcript |
| Audio transcription (fallback) | OpenAI (Whisper API) | United States | Audio bytes of voice notes and the generated transcript (used only if Deepgram fails) |
| Mobile runtime and OTA updates | Expo / Expo Application Services | United States | App update metadata; device identifiers used by the Expo SDK |
| Crash and error monitoring | Sentry (mobile + backend) | United States | Stack traces, device/OS metadata, App version, the request path that triggered the error, and any small in-flight payload that was on the stack at the moment of the error |
| Product analytics (when enabled for your build) | PostHog (US Cloud, us.i.posthog.com) | United States | Pseudonymous product-usage events as described in Section 3.2; our internal user UUID; basic device/platform metadata. The App's analytics wrapper enforces an allow-list of event-property keys and redacts content-bearing fields before sending. |
| Marketing email delivery (only if you opt in) | Loops (app.loops.so) | United States | The email address you provide at opt-in; your first name; our internal user UUID; the surface (onboarding, interstitial, settings) where you opted in and the timestamp. Loops never receives the content of your notes, audio, transcripts, documents, Care Recipient information, phone number, or any consumer health data. |
We do not use advertising networks or cross-context behavioral advertising in any version of the App.
AI / LLM features. We do not currently use any third-party large-language-model service to generate summaries, chat replies, or inferences from Your Content. The OpenAI Whisper API is used solely as a transcription fallback as described above. If we introduce AI-powered features in a future version (for example, summarization or chat), we will update this Privacy Policy to identify the provider and the categories of data sent to them, and notify you before enabling the feature.
8. How We Protect Information
- Encryption in transit. All network traffic between the App, our backend, and our subprocessors uses HTTPS/TLS.
- Encryption at rest. Our managed database (Supabase) and object storage (Cloudflare R2) encrypt data at rest by default. Their encryption details are documented on their respective public security pages.
- Access control. Every data table in our database enforces row-level security keyed to your user ID and your role on each Care Recipient profile. Uploaded files in object storage are not publicly addressable; the App fetches them through short-lived, 15-minute presigned URLs generated by our backend after verifying your access.
- Authentication. We use signed JSON Web Tokens (JWTs) verified on every request.
- Internal access. Keepsake staff do not access medical documents, audio recordings, transcriptions, or the body text of notes that may contain sensitive medical, legal, or personal information. Staff access, where authorized, is limited to quality-assurance review of user-set metadata (account information, category labels, task titles and completion status, and usage events) and is de-identified where possible. We maintain an internal access policy and acknowledgement by staff authorized to access production data.
- No end-to-end encryption. Our servers can read Your Content in order to transcribe audio, extract text, and serve the App. If you need a service that cannot read your content, Keepsake is not the right product for your use case.
No security system is perfect; we cannot guarantee absolute security, but we work to safeguard your information.
9. Health Information and HIPAA
Keepsake is a consumer wellness and organization app. It is not a HIPAA-covered entity and not a business associate of any covered entity. The health information you store in Keepsake is NOT protected by HIPAA, even though much of it (medications, diagnoses, appointments, medical documents) would be protected if it were held by a covered health-care provider or health plan.
This means:
- You should not use Keepsake as your clinical medical record.
- You should not rely on Keepsake for HIPAA-grade confidentiality, breach-notification timelines, or access rights.
- If you need a HIPAA-compliant record, use a system provided by your health-care provider.
For California residents, our handling of medical information you voluntarily provide is also subject to the California Confidentiality of Medical Information Act (CMIA). We do not disclose your medical information except as described in this policy and will not use it for commercial purposes beyond operating the Service.
10. Your Privacy Rights
10.1 All U.S. users
You may at any time:
- Access — request a copy of the personal information we hold about you;
- Export / portability — receive the information in a portable, machine-readable format (JSON/CSV);
- Correct — ask us to fix inaccurate information;
- Delete — ask us to delete your account and the data associated with it (subject to limited legal retention obligations described in Section 11);
- Opt out of sale/sharing and targeted advertising — not applicable, because we do not engage in sale, sharing for cross-context behavioral advertising, or targeted advertising;
- Limit use of sensitive personal information — we use sensitive personal information only to provide the Service, as described in Section 4; we do not use it for inferring characteristics or for any other secondary purpose.
To exercise any of these rights, email info@keepsakecares.com with the request and the phone number or SSO email on your account. We verify requests by confirming account control through the sign-in method or another reasonable identity check. We respond to access/export requests within 30 days and to deletion requests within 45 days of verification; we may extend by an additional 45 days where legally permitted, and will notify you if we do.
There is no charge for your first request in a 12-month period. We do not discriminate against you for exercising your rights.
10.2 California residents (CCPA / CPRA)
California law grants you all of the rights in Section 10.1, plus the right to designate an authorized agent to make a request on your behalf. Agents must provide written authorization and we may require you to verify your identity directly.
Categories of personal information collected, sources, purposes, and recipients (CCPA disclosure for the preceding 12 months):
| Category | Collected? | Sources | Purposes | Recipients |
|---|---|---|---|---|
| Identifiers (phone number, internal user UUID, Clerk user ID, optional email and name from SSO, optional marketing email if you opt in) | Yes | You; Clerk; Apple/Google (only if you choose SSO) | Account, auth, support, and product-update emails if you opt in | Clerk, Supabase, Railway, Loops (marketing email only, if opted in) |
| Customer records (first/last name, relationship, attribution source) | Yes | You | Service operation | Supabase, Railway |
| Protected classifications | No | — | — | — |
| Commercial information | No (no purchases today) | — | — | — |
| Biometric information | No (biometric unlock, where present, runs on-device) | — | — | — |
| Internet/network activity (server logs; pseudonymous product-usage events when analytics are enabled) | Yes | Your device | Security, debugging, product improvement | Railway, Sentry, PostHog (when enabled) |
| Geolocation | No | — | — | — |
| Sensory data (audio you upload; documents and scanned images) | Yes | You | Storage, transcription | Supabase, R2, Deepgram / OpenAI |
| Professional/employment info | No | — | — | — |
| Education info | No | — | — | — |
| Sensitive personal information (health and medical information you enter; content of Care Recipient records; phone number) | Yes | You; Clerk (phone number) | Service operation at your direction; SMS verification | Supabase, R2, Deepgram / OpenAI (audio only), Clerk (phone only) |
| Inferences | No | — | — | — |
We have not sold or shared personal information in the preceding 12 months and do not do so today.
You may complain to the California Privacy Protection Agency at https://cppa.ca.gov/.
10.3 Other state privacy laws (VCDPA / CPA / CTDPA / UCPA / TDPSA / OCPA / MTCDPA, etc.)
If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or another U.S. state that grants consumer privacy rights substantially similar to the above, you have the same rights described in Section 10.1. Residents of Colorado and Connecticut have the right to appeal a denied request; to appeal, reply to our denial email or write to info@keepsakecares.com with "Appeal" in the subject line. We will respond to appeals within 45 days.
10.4 Washington State residents (MHMDA)
Additional rights specific to consumer health data are described in our Consumer Health Data Privacy Policy, which is incorporated here by reference.
10.5 Care Recipients
If information about you is stored in Keepsake by someone who acts as your caregiver, you may contact info@keepsakecares.com and we will work with the account owner to honor your request. Because the caregiver is our direct user, we may need to coordinate with them; we will also act on our own to investigate and address credible concerns about unauthorized use.
11. Data Retention and Deletion
11.1 While your account is active
We keep your data as long as your account is active and you use the Service.
11.2 Archiving vs. deletion of individual notes and tasks
Today, when you delete an individual note or task in the App, it is marked as archived (a soft delete) and hidden from your default view. You can restore it. Archived items remain in the database and their associated files remain in object storage, until the account is deleted or the item is purged.
We intend to split hard-delete behavior by note type in a near-term update:
- Audio and text notes. The note row will be removed from the database. The audio file in object storage will remain until the account is deleted (at which point it is purged as described below).
- Document and scan notes. The note row, the original file, the thumbnail, and any DOCX-to-PDF preview will be removed immediately.
When we make this change, we will update this policy.
11.3 Account deletion
When you email info@keepsakecares.com to request account deletion:
- We verify the request by confirming control of the account phone number, SSO email, or another reasonable identity check.
- Within 30 days we confirm receipt and the deletion scope.
- Within 60 days of the verified request, we purge your personal information from our operational database and from object storage, including your account record, notes, tasks, audio files, and documents.
- We retain only a minimal deletion tombstone (internal account ID, identity-provider ID, and deletion timestamp) to prevent stale credentials from recreating the deleted account and to maintain an audit trail of the deletion request.
- Backups. Our primary database is managed by Supabase, which maintains backups for a limited window. Personal data may persist in backups until they expire under Supabase's default backup retention, at which point the data becomes inaccessible as part of ordinary backup rotation. During this window, backup data is not used for any purpose other than disaster recovery.
- Legal holds and disputes. We may retain information longer if required to comply with a legal obligation, resolve a dispute, or enforce our Terms. We will retain only the minimum necessary.
11.4 Server logs
Operational server logs are retained by our hosting provider (Railway) under its default policy. We do not use log data for any purpose other than security, debugging, and service health.
11.5 Aggregated and de-identified data
We may retain aggregated or de-identified data indefinitely. Such data cannot reasonably be used to identify you and is not subject to this policy.
12. Children's Privacy
Keepsake is intended for users 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If you believe a minor has created an account, email info@keepsakecares.com and we will delete the account.
Note that a Care Recipient may be a minor if an adult caregiver has lawful authority to act for them. The account holder is, and must be, at least 18.
13. Cookies, Analytics, Advertising, and Tracking
13.1 No advertising or cross-context tracking
Keepsake is a mobile application and does not use browser cookies. We do not use advertising, retargeting, or cross-context behavioral advertising SDKs in any version of the App. We do not participate in any "sale" or "sharing" of personal information.
13.2 Product analytics (PostHog)
We use PostHog to collect pseudonymous product-usage events that help us understand how the App is used and improve it (for example, which screens are viewed, which features are used, and which API calls fail). PostHog is enabled when an analytics key is present in your build of the App; if your build does not have an analytics key, no PostHog events are sent.
What PostHog does receive:
- An internal user identifier (a UUID that we assign to you in our database) — never your name, email, or phone number;
- Event names from a fixed catalog (for example, app_opened, task_completed, note_search_completed, upload_failed);
- A short, allow-listed set of event property keys (for example, note_type, error_kind, platform, app_environment);
- Explicit events emitted by Keepsake's analytics wrapper; screen, touch, session replay, lifecycle, and feature-flag autocapture are disabled;
- Standard PostHog metadata such as your platform (iOS/Android) and app version.
What PostHog does not receive:
- The content of your notes, audio recordings, transcripts, documents, or Care Recipient information;
- Phone numbers, email addresses, JWTs, document or note titles, search queries, or any URL or URI;
- Care Recipient identifiers, note identifiers, or task identifiers.
The App's analytics wrapper enforces these rules in code by allow-listing the property keys it will send, blocking common content-bearing key names, truncating string values to 80 characters, disabling session replay, disabling geo-IP enrichment, and disabling lifecycle autocapture.
We do not link PostHog data to any advertising network or share it with third parties. PostHog is hosted in the United States.
13.3 Crash and error monitoring (Sentry)
We use Sentry to receive crash reports and unhandled-error reports from the App and from our backend. See Section 3.2 for details of what a Sentry event contains. We use Sentry only to diagnose and fix bugs.
13.4 Global Privacy Control (GPC)
If we later ship a web surface, it will honor the Global Privacy Control browser signal where applicable. The App itself does not involve cross-context behavioral advertising, so GPC does not apply in the current mobile experience.
14. International Users
Keepsake is offered only to users in the United States. We do not intentionally direct the Service to users in the European Economic Area, United Kingdom, Switzerland, Canada, or elsewhere, and this policy is not written to meet the requirements of GDPR, UK GDPR, or PIPEDA. If you are located outside the United States, please do not use the Service.
15. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you at least 30 days in advance through an in-app banner and an email to the address on your account. Non-material changes may take effect immediately. The "Last Updated" date at the top reflects the most recent version. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
16. Contact Us
For privacy questions, rights requests, or to submit an arbitration opt-out under the Terms of Service:
- Email: info@keepsakecares.com
For support, account deletion, and general inquiries:
- Email: info@keepsakecares.com
Mailing address:
Keepsake, 447 Sutter St Ste 506 - 1036, San Francisco, CA 94108
Appendix A: "Data We Collect" At a Glance
| Type | Example fields | Storage | Who can see it |
|---|---|---|---|
| Account identity | Phone number, internal user UUID, Clerk user ID, optional email and first/last name (from SSO or onboarding) | Clerk + Supabase Postgres | You; limited staff for support (metadata only) |
| Authentication | Session JWTs issued by Clerk; locally cached in device secure keystore | Clerk; on-device Keychain / Keystore | Your device and Clerk; our backend sees the token only to verify it on each request |
| Onboarding context | Relationship to Care Recipient, attribution / referral source, optional Care Recipient display name | Supabase Postgres | You; caregivers at any role on the Care Recipient |
| Care Recipient profiles | Name, profile picture (optional), relationships to caregivers | Supabase Postgres + R2 (image) | You and caregivers you have added |
| Notes (text / audio / document / scan) | Title, body, category, status, timestamps | Supabase Postgres | You and caregivers at any role |
| Audio files and transcripts | Audio blob, transcript text | R2 (file) + Supabase (transcript) | You and caregivers at any role |
| Documents, thumbnails, previews | PDF/DOCX, PNG thumbnail, rendered PDF | R2 + Supabase (metadata) | You and caregivers at any role |
| Tasks | Titles, notes, due times, recurrence, reminder settings, completion history | Supabase Postgres | You and caregivers at any role |
| Streak / engagement metadata | Per-caregiver, per-Care-Recipient streak counters and credited dates | Supabase Postgres | You and caregivers at any role on the Care Recipient |
| Activity timestamps | created_at, updated_at, completed_by | Supabase Postgres | You and caregivers at any role |
| Caregiver assignments | Role per Care Recipient | Supabase Postgres | Other caregivers on the same Care Recipient |
| Server logs | IP, user-agent, request path, exceptions | Railway (short retention) | Engineering, for ops and security |
| Crash / error reports | Stack trace, OS / device / build metadata, request path, incidental in-flight payload | Sentry | Engineering, for bug fixing |
| Product-analytics events (when enabled for your build) | Event name, allow-listed properties, internal user UUID, platform, app version | PostHog | Engineering and product teams, for usage analysis |
| On-device cache | Recent notes, tasks, presigned profile-picture URL, Clerk session token | AsyncStorage (notes/tasks) and Keychain/Keystore (token) on your device | You — the cache lives only on your device |
This policy is written to be read. If any part is unclear, email info@keepsakecares.com and we'll explain.
Keepsake Privacy — Washington Residents (Consumer Health Data)
Additional disclosures for Washington, Nevada, and Connecticut residents under state health data laws.
What this page is. This is the Washington-specific supplement to Keepsake's main Privacy Policy. It exists because Washington's My Health My Data Act (MHMDA) requires consumer wellness apps that handle health information about Washington residents to publish a distinct consumer health data privacy policy — separate from the general privacy policy — and to list specific rights, categories of data, and contact options. If you live in Washington (or your information was collected while you were physically in Washington), this page applies to you in addition to the main policy. Equivalent rights for Nevada (SB 370) and Connecticut residents under their consumer health data amendments are covered here as well; everyone else should read the main Privacy Policy.
This Consumer Health Data Privacy Policy describes how Keepsake ("we," "us," or "our") handles consumer health data in connection with the Keepsake mobile application (the "Service").
Defined terms follow MHMDA (RCW 19.373). Where Washington law uses "consumer," we use it in the MHMDA sense (a Washington resident, or a person whose consumer health data is collected in Washington).
1. What Counts as Consumer Health Data
"Consumer health data" means personal information that identifies a consumer's past, present, or future physical or mental health status. In Keepsake, consumer health data typically includes:
- Information you enter about a Care Recipient's health: diagnoses, conditions, symptoms, and treatments (often in notes categorized as medical, medications, observations, care_plan, or appointments);
- Medications: names, dosages, schedules, prescriber information;
- Health-care appointments, visits, and providers;
- Uploaded medical documents, such as lab results, discharge summaries, after-visit summaries, and care plans;
- Audio voice notes that describe any of the above, and their transcripts;
- Legal health documents such as powers of attorney and advance directives (uploaded in the legal category).
Consumer health data does not include personal information that is de-identified, aggregated, or that is subject to HIPAA as protected health information in the hands of a covered entity. Keepsake is not a HIPAA-covered entity; see Section 9 of our main Privacy Policy.
2. Categories of Consumer Health Data We Collect
We collect consumer health data only from you, the caregiver, when you enter or upload it through the App. Specifically:
- Free-text notes you type that are titled, categorized, or tagged with a health-related category;
- Voice recordings you create within the App, and the transcripts we generate from them;
- Documents and scans you upload (PDF, DOCX, or camera-captured images converted to PDF on your device before upload);
- Task metadata that you link to a health-related note or category;
- Information you enter about a Care Recipient's health-care providers, caregivers, or other contacts;
- Metadata automatically attached to the above (timestamps, category labels, the user who created the item, file size, and file type).
We do not collect consumer health data from any source other than the App.
3. Purposes for Which We Collect and Process Consumer Health Data
We collect and process consumer health data solely to provide the Service you have requested. Specifically, to:
- Store your notes, tasks, audio, and documents so you and your caregiver team can retrieve them;
- Transcribe audio recordings into text (see Section 4);
- Extract text from uploaded PDF and DOCX documents so you can search and read the content inside the App;
- Render thumbnails and PDF previews for uploaded documents;
- Deliver task reminders via device notifications;
- Share notes and tasks among the caregivers you add to a Care Recipient profile, at the roles you set (owner, editor, viewer);
- Secure the Service — detect and prevent unauthorized access, investigate security incidents, and maintain the integrity of the system;
- Support you — respond to messages you send us;
- Comply with legal obligations — respond to valid legal process;
- Improve the Service using aggregated and de-identified data.
We will not:
- Sell consumer health data. We do not and will not sell consumer health data.
- Use consumer health data for targeted advertising or cross-context behavioral advertising.
- Use consumer health data to train third-party AI models.
- Use consumer health data for any purpose beyond the purposes listed above without first obtaining your separate, affirmative consent — and in the case of sale, a signed authorization under Section 9 below (which we have no plans to seek).
4. Third Parties With Whom We Share Consumer Health Data
We share consumer health data only with the service providers ("processors") that help us operate the Service. They process consumer health data on our behalf under contractual terms that limit their use to providing services to us. The relevant processors are:
| Processor | Role | Data received |
|---|---|---|
| Railway | Hosts our backend API | All request/response bodies in transit; ephemeral server logs |
| Clerk | Authentication, session management, and SMS phone verification | Your phone number and any email/name returned by SSO; session metadata. Clerk does not receive the body of your notes, audio, transcripts, or documents. |
| Supabase (managed Postgres) | Primary database | Your account information; all notes, tasks, audio metadata, document metadata, streak counters, including the text content of notes and transcripts |
| Cloudflare R2 | Object storage | Audio recordings, documents, thumbnails, DOCX-to-PDF previews, and Care Recipient profile pictures |
| Deepgram | Primary audio transcription provider | Raw audio bytes of voice notes and the generated transcript text |
| OpenAI (Whisper API) | Fallback audio transcription provider (used only if Deepgram fails) | Raw audio bytes of voice notes and the generated transcript text |
| Sentry | Crash and error monitoring (mobile + backend) | Stack traces, device/OS metadata, App version, the request path that triggered the error, and any small in-flight payload that happened to be on the stack at the moment of the error. We do not deliberately attach the body of notes, audio, transcripts, or documents to Sentry events. |
| PostHog (only when product analytics are enabled in your build) | Pseudonymous product analytics | An internal user UUID (not your name, phone, or email); event names from a fixed catalog; an allow-listed set of event property keys. PostHog does not receive consumer health data: the App's analytics wrapper blocks property keys whose names contain body, content, transcript, note_id, task_id, recipient_id, phone, email, query, url, uri, etc., and truncates string values to 80 characters. |
| Expo / Expo Application Services | Mobile runtime, builds, and submissions | App build/update metadata. Keepsake does not currently register remote push tokens or send remote push notifications through Expo Push. |
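The PostHog row above and Section 13.2 of the main policy both describe the analytics wrapper in terms of what it refuses to send: unknown event names, property keys outside an allow-list, keys whose names suggest content, and strings longer than 80 characters. The following is an added illustration of that kind of wrapper, written for this page; it is not Keepsake's code. The event names, allow-listed keys, and blocked key fragments are taken from the page; the value-level checks (rejecting a value that looks like a JWT, a URL, or a phone number even when its key is allowed), the no-op behaviour when no analytics key is present, and every function and type name are assumptions made for the example.

```typescript
// Added example, not Keepsake's code: a data-minimizing analytics wrapper of the
// kind the policy describes. Names and the value-level guards are assumptions.

const MAX_STRING_LENGTH = 80;

// Fixed event catalog: an event name not listed here is never sent.
const ALLOWED_EVENTS: ReadonlySet<string> = new Set([
  "app_opened", "task_completed", "note_search_completed", "upload_failed",
]);

// Allow-listed property keys: an unknown key is dropped, not forwarded.
const ALLOWED_KEYS: ReadonlySet<string> = new Set([
  "note_type", "error_kind", "platform", "app_environment",
]);

// Key-name fragments that mark a property as content-bearing. Checked before the
// allow-list so a later edit to ALLOWED_KEYS cannot silently reopen the hole.
const BLOCKED_KEY_FRAGMENTS = [
  "body", "content", "transcript", "note_id", "task_id", "recipient_id",
  "phone", "email", "query", "url", "uri", "title", "token", "jwt",
];

// Value-level guards (assumption, not on the page): key filtering alone does not
// stop a JWT, URL or phone number arriving under an allowed key such as error_kind.
const JWT_RE = /^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$/;
const URL_RE = /^[a-z][a-z0-9+.-]*:\/\//i;
const PHONE_RE = /\+?\d[\d\s().-]{7,}\d/;

type Scalar = string | number | boolean;

interface SanitizedEvent {
  event: string;
  properties: Record<string, Scalar>;
  dropped: Record<string, string>; // key -> reason; kept on-device for debugging, never sent
}

function sanitizeEvent(event: string, props: Record<string, unknown>): SanitizedEvent | null {
  if (!ALLOWED_EVENTS.has(event)) return null;

  const properties: Record<string, Scalar> = {};
  const dropped: Record<string, string> = {};

  for (const [rawKey, value] of Object.entries(props)) {
    const key = rawKey.toLowerCase();
    if (BLOCKED_KEY_FRAGMENTS.some((f) => key.includes(f))) {
      dropped[rawKey] = "blocked_key";
      continue;
    }
    if (!ALLOWED_KEYS.has(key)) {
      dropped[rawKey] = "not_allow_listed";
      continue;
    }
    if (typeof value === "number" || typeof value === "boolean") {
      properties[key] = value;
      continue;
    }
    if (typeof value !== "string") {
      // Objects and arrays are where note bodies and payloads hide; never flatten them.
      dropped[rawKey] = "non_scalar";
      continue;
    }
    if (JWT_RE.test(value) || URL_RE.test(value) || PHONE_RE.test(value)) {
      dropped[rawKey] = "content_like_value";
      continue;
    }
    properties[key] = value.slice(0, MAX_STRING_LENGTH);
  }
  return { event, properties, dropped };
}

// Minimal shape of the analytics client the wrapper talks to (assumption).
interface CaptureClient {
  capture(args: { distinctId: string; event: string; properties: Record<string, Scalar> }): void;
}

// Returns a capture function bound to the internal user UUID. With no analytics key
// the wrapper is a no-op, so a build without a key sends nothing at all.
function createAnalytics(client: CaptureClient, apiKey: string | undefined, userUuid: string) {
  return (event: string, props: Record<string, unknown> = {}): boolean => {
    if (!apiKey) return false;
    const clean = sanitizeEvent(event, props);
    if (!clean) return false;
    client.capture({ distinctId: userUuid, event: clean.event, properties: clean.properties });
    return true;
  };
}
```

The point of the value-level guard is the caveat a reviewer of such a wrapper would raise: a key allow-list catches a property that was named note_body, but not a note body that a developer stuffed into error_kind. Treating non-scalar values as a hard drop rather than serializing them closes the same gap for objects, and keeping the dropped-reason map on the device rather than sending it avoids leaking the rejected key names themselves.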
Each processor is located in the United States or operates globally. We do not share consumer health data with any other third party except:
- With your direction (for example, if you ask support to share data with your own legal or medical representative);
- For legal reasons, as described in Section 6 of our main Privacy Policy (subpoenas, court orders, enforcement of our Terms, safety);
- In a business transfer (merger, acquisition, asset sale, bankruptcy), in which case the acquirer will assume the same obligations.
We do not share consumer health data with advertising networks, data brokers, or behavioral analytics providers. No third party receives consumer health data for its own purposes. Our analytics processor (PostHog) does not receive the content of your notes, audio, transcripts, or documents; we use it only to count events and measure product usage. Our optional marketing-email service (Loops, used only if you opt in to product updates during sign-up) receives your email address and basic profile metadata only — it never receives consumer health data.
5. Your Rights Under MHMDA (Washington Consumers)
If you are a Washington resident, or if we collected your consumer health data while you were in Washington, you have the following rights:
- Right to confirm whether we are collecting, sharing, or selling your consumer health data, and to access that data;
- Right to delete your consumer health data (subject to the limited retention obligations in Section 11 of our main Privacy Policy);
- Right to withdraw consent to our collection and sharing of consumer health data at any time;
- Right to a list of third parties with whom we have shared or sold your consumer health data (we maintain no list of third-party buyers because we do not sell consumer health data; the processors we share with are listed in Section 4 above);
- Right to non-discrimination for exercising any of these rights.
5.1 How to exercise your rights
To exercise any of these rights, email info@keepsakecares.com with your request and the phone number or SSO email on your account. We verify requests by confirming account control through the sign-in method or another reasonable identity check. We respond within 45 days; we may extend by an additional 45 days where legally permitted, and will notify you if we do.
We do not charge a fee for your first request in any 12-month period.
5.2 Deletion
When you exercise the right to delete, we will delete the consumer health data we hold about you from our operational systems within 60 days of the verified request, as described in Section 11 of our main Privacy Policy. We will also direct our processors (Clerk, Supabase, Cloudflare R2, Deepgram, OpenAI, Sentry, PostHog, Railway, and Expo) to delete the data they hold on our behalf in accordance with their contracts. Backup copies expire on ordinary rotation schedules and are not used for any purpose other than disaster recovery.
5.3 Appeal
If we deny your request, you may appeal by replying to our denial email or writing to info@keepsakecares.com with "MHMDA Appeal" in the subject line. We will respond to appeals within 45 days. If your appeal is denied, you may file a complaint with the Washington State Attorney General at https://www.atg.wa.gov/file-complaint.
5.4 Non-Washington residents
Residents of Nevada, Connecticut, and other states with consumer health data laws have substantially similar rights; we honor them on the same terms described above. Email info@keepsakecares.com to exercise any such right.
6. Consent
6.1 Collection and processing
When you use Keepsake, you affirmatively consent to our collection and processing of the consumer health data you enter, for the purposes described in Section 3. You can withdraw that consent at any time by deleting the data and/or your account (see Section 5.2).
6.2 Sharing with processors
By using the Service, you also consent to our sharing of consumer health data with the processors listed in Section 4, solely for the purposes of delivering the Service.
6.3 No sale
We do not sell consumer health data, and we have not obtained your signed authorization for any sale. If we ever wish to do so, we will first obtain your separate, signed valid authorization meeting MHMDA's requirements under RCW 19.373.070, describing the specific data and recipient, and disclosing your rights — including your right to revoke. We have no plans to seek such authorization.
6.4 Changes to purposes
If we ever want to process consumer health data for a purpose not disclosed in this policy, we will obtain your consent before doing so.
7. Security
We describe our security controls in Section 8 of our main Privacy Policy. The same controls apply to consumer health data:
- TLS in transit;
- Encryption at rest by our database and object-storage providers;
- Row-level security tied to your user ID and role;
- Short-lived (15-minute) presigned URLs for any file access;
- Signed JWTs for authentication;
- Internal access restrictions — Keepsake staff do not access medical documents, audio recordings, transcriptions, or the body text of notes that may contain sensitive information. Staff access, where authorized, is limited to quality-assurance review of user-set metadata (account information, category labels, task titles and completion status, and usage events) and is de-identified where possible.
No system is perfectly secure, and we cannot guarantee absolute security; but we work to safeguard your consumer health data consistent with industry practice.
8. Retention
We keep consumer health data only as long as necessary to provide the Service to you. Retention timelines are described in Section 11 of our main Privacy Policy:
- Soft-deleted (archived) notes remain in the database until you delete your account or until a future hard-delete change takes effect.
- Upon account deletion, we purge consumer health data from operational systems within 60 days. Backup copies expire on ordinary rotation schedules.
9. No Sale of Consumer Health Data
We do not sell consumer health data. "Sale" has the meaning given in MHMDA (the exchange of consumer health data for monetary or other valuable consideration). We have no data broker relationships and no revenue model based on consumer health data.
10. Geofencing
We do not use geofences around any facility that provides in-person health-care services to identify, track, or target consumers for advertising. We do not collect location data server-side at all.
11. Children
Keepsake is intended for users 18 years of age or older. We do not knowingly collect consumer health data from anyone under 18 acting as a caregiver. Consumer health data about a Care Recipient who is a minor may be stored by an adult caregiver who has lawful authority to act for them (see our Terms of Service, Section 5).
12. Changes to This Policy
We may update this Consumer Health Data Privacy Policy from time to time. For material changes affecting the processing of consumer health data, we will notify you at least 30 days in advance through an in-app banner and an email to the address on your account, and — where required — obtain your renewed consent. The "Last Updated" date at the top reflects the most recent version.
13. Contact Us
- Consumer health data requests and MHMDA appeals: info@keepsakecares.com
- General support and account deletion: info@keepsakecares.com
- Mailing address: Keepsake, 447 Sutter St Ste 506 - 1036, San Francisco, CA 94108
- Washington State Attorney General (to file a complaint): https://www.atg.wa.gov/file-complaint
This Consumer Health Data Privacy Policy is incorporated by reference into our main Privacy Policy.