Contents
- Identity and Contact
- What This Policy Covers
- What Data We Collect
- Why We Collect It (Purposes)
- Lawful Basis for Processing
- Who We Share Data With
- Where Data Is Stored
- International Transfers
- How Long We Keep Data
- Security Measures
- Your Rights Under UK GDPR
- Children
- How to Complain
- Changes to This Policy
1. Identity and Contact
Data Controller
SHM Capital LTD
128 City Road
London
United Kingdom
Privacy enquiries: support@dosedeck.uk
ICO Registration Number: TO BE FILLED IN AFTER REGISTRATION
EU Representative
EU REPRESENTATIVE NAME
EU REPRESENTATIVE ADDRESS
We aim to respond to all privacy enquiries within five working days and to all formal data subject requests within one calendar month, as required by UK GDPR.
2. What This Policy Covers
This policy applies to:
- The Dose Deck iOS application
- Any related support services and communications
It describes what personal data we collect, why we collect it, how we use it, who we share it with, and what rights you have.
This policy applies to all users of Dose Deck, including patients (dependants), caregivers, and users who act as both.
3. What Data We Collect
3.1 Account Data
When you create an account we collect:
- Email address
- First name and last name
- Date of birth
- Role (patient, caregiver, or both)
- Display name (derived from your first name)
3.2 Health Data (Special Category)
By using Dose Deck you may provide, and we will store, information that constitutes special category data under Article 9 UK GDPR. This includes:
- Medication names, types, doses, and dose units
- Medication schedules (frequency, times, start and end dates)
- Dose adherence logs (when you mark a dose as taken or missed)
- Adherence statistics and streaks derived from your logs
- Free-text notes attached to medications — these are entered entirely at your discretion and may contain sensitive health information such as conditions, prescribing details, or symptoms
We collect this data solely to provide the medication-tracking service described below. We do not use it for any other purpose.
3.3 Care Relationship Data
If you use the caregiver or shared-role features, we collect:
- Invite codes generated and accepted
- Care link status (pending, active, revoked)
- Permissions granted by the patient (read-only or full access)
- The identities of linked accounts
3.4 OCR Scan Data
When you use the medication label scanner:
- Text recognition is performed entirely on your device using Apple's VisionKit framework
- No images are ever transmitted to our servers
- Only the extracted text is sent to our backend for processing into structured medication data
- Extracted text is not retained after the medication entry is complete
3.5 Support Communications
If you contact us by email, we retain that correspondence indefinitely to maintain a history of support interactions. You may request deletion of your support emails at any time by contacting us at the address above.
3.6 Analytics and Crash Reporting
We use the following third-party services to improve the app:
- PostHog (EU-hosted, posthog.com) — we collect anonymous usage events such as screen views, feature interactions, and onboarding steps. Data is stored on EU servers. PostHog's privacy policy: posthog.com/privacy
- Sentry (EU-hosted, sentry.io) — we collect crash reports and non-fatal error logs to identify and fix bugs. This may include device model, OS version, and app version. Data is stored on EU servers. Sentry's privacy policy: sentry.io/privacy
- RevenueCat (US-hosted, revenuecat.com) — we use RevenueCat to manage subscriptions and track purchase history. This involves the transfer of data outside the UK/EU to the United States. RevenueCat acts as a data processor under a Data Processing Agreement. RevenueCat's privacy policy: revenuecat.com/privacy
None of these services are used to serve advertising. You can request deletion of your analytics data by contacting support@dosedeck.uk.
3.6 Data We Do Not Collect
We do not collect:
- Location data
- Payment information (all transactions are handled by Apple)
- Push notification tokens (notifications are scheduled entirely on-device)
4. Why We Collect It (Purposes)
| Purpose | Data used |
|---|---|
| To create and manage your account | Account data |
| To provide the medication-tracking service | Health data, account data |
| To enable caregiver/dependant relationships | Care relationship data, health data |
| To generate reports you choose to share | Health data |
| To process OCR label scans | Extracted text only |
| To respond to support requests | Support communications, account data |
| To process subscription payments | Handled by Apple — we receive no payment data |
5. Lawful Basis for Processing
5.1 General personal data (Article 6 UK GDPR)
We process your account and care relationship data on the basis of:
- Article 6(1)(a) — Consent: you consent to the processing of your personal data when you create an account and accept this policy.
5.2 Health data (Article 9 UK GDPR)
Health data is special category data requiring an additional lawful basis. We process it on the basis of:
- Article 9(2)(a) — Explicit consent: at account creation, you are presented with a clear, prominent consent checkbox specifically for the processing of your health data. This consent is separate from, and in addition to, general terms acceptance.
You may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. To withdraw consent, delete your account from Settings → Account → Delete Account, or contact us at the address above.
6. Who We Share Data With
We do not sell your data. We do not share your data with third parties for advertising or marketing purposes.
We share data only with the following processors, who act under our instructions:
Apple Inc.
- Purpose: Account authentication (Sign In with Apple), in-app subscription management (App Store), on-device notification delivery
- Data shared: Account authentication tokens; subscription entitlement status
- Privacy policy: https://www.apple.com/privacy
Supabase Inc.
- Purpose: Secure cloud database and authentication backend
- Data shared: All data described in Section 3 above
- Storage region: EU West (see Section 7)
- Privacy policy: https://supabase.com/privacy
Caregivers you invite
If you are a patient and you invite a caregiver, that caregiver will be able to see your medication data to the extent of the permissions you grant (read-only or full access). You control and can revoke this access at any time from within the app.
7. Where Data Is Stored
Your data is stored on servers located in the EU West region operated by Supabase Inc.
Important note on US jurisdiction: Supabase Inc. is incorporated in the United States. Even though your data is stored within the EU, it may in principle be subject to US legal process under the CLOUD Act. To protect your data, we have entered into Standard Contractual Clauses (SCCs) and a Data Processing Addendum (DPA) with Supabase, as required under UK GDPR for transfers to processors in third countries.
8. International Transfers
- UK ↔ EEA: The UK has recognised EEA countries as providing adequate protection. No additional safeguards are required for transfers between the UK and EEA.
- UK → US (Supabase): Transfers are safeguarded by Standard Contractual Clauses and a Data Processing Addendum as described in Section 7.
9. How Long We Keep Data
| Data type | Retention period |
|---|---|
| Account and health data | Retained while your account is active |
| Data following account deletion | Permanently deleted within 30 days of your deletion request |
| Support emails | Retained indefinitely; request deletion by contacting us |
| OCR extracted text | Discarded immediately after medication entry is complete |
When you request account deletion via Settings → Account → Delete Account, a 30-day grace period begins during which you may cancel the request. At the end of that period all your data — including medications, dose logs, notes, and care relationships — is permanently and irreversibly deleted.
10. Security Measures
We take the security of your data — particularly your health data — seriously. The following measures are in place:
- Encryption in transit: all data transmitted between the app and our servers is encrypted using TLS
- Encryption at rest: data stored on Supabase servers is encrypted using AES-256
- Row Level Security (RLS): database-level policies ensure users can only access their own data, or data explicitly shared with them via a care link
- Access control: caregiver access to patient data is restricted to the permission level granted by the patient and can be revoked at any time
No security measure is infallible. In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the ICO as required by UK GDPR.
11. Your Rights Under UK GDPR
You have the following rights in relation to your personal data:
| Right | How to exercise it |
|---|---|
| Access — obtain a copy of your data | Contact us at our privacy email |
| Rectification — correct inaccurate data | Edit your profile in Settings, or contact us |
| Erasure — request deletion of your data | Settings → Account → Delete Account, or contact us |
| Portability — receive your data in a structured format | Contact us at our privacy email |
| Object — object to processing based on legitimate interests | Contact us at our privacy email |
| Restriction — ask us to restrict processing | Contact us at our privacy email |
| Withdraw consent — withdraw your consent at any time | Delete your account, or contact us |
We will respond to all requests within one calendar month. We do not charge a fee for reasonable requests.
12. Children
Dose Deck is intended for users aged 16 and over.
We do not knowingly collect personal data from anyone under 16. If you are under 16, please do not use Dose Deck or provide us with any personal data.
If you are a parent or guardian and believe your child under 16 has created an account, please contact us at our privacy email and we will delete the account promptly.
13. How to Complain
If you have a concern about how we handle your personal data, please contact us first:
Email: support@dosedeck.uk
We will investigate and respond within five working days.
If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: https://ico.org.uk/make-a-complaint/
- Phone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
If you are located in the EU, you also have the right to lodge a complaint with your local supervisory authority.
14. Changes to This Policy
We may update this policy from time to time.
- Material changes (changes that affect your rights or how we use your data) will be notified to you via an in-app message before they take effect.
- Non-material changes (e.g. corrections, clarifications) will be reflected in the version history at this URL without separate notification.
The version number and effective date at the top of this document will always reflect the current version.