Legal

Your data,
handled with care.

We built SOL for families who value dignity and privacy. This policy explains, in plain language, exactly what data we collect, why we collect it, who sees it, and how you can control it.

Effective date: 26 March 2026 · Version 1.0

Section 01

🏢 Who we are

Signs of Life (“SOL”, “we”, “us”, or “our”) is a digital wellness platform operated by [Company Name] Pte. Ltd., a company incorporated in Singapore (UEN: [UEN Number]).

SOL is a social wellness tool. It is not a medical device, not a health monitoring system, and not a substitute for emergency services. The data we process is social and behavioural wellness data — it does not constitute health or medical data under Singapore law or any applicable regulation.

This Privacy Policy applies to all users of the SOL platform, including our marketing website, the caregiver dashboard, and the senior check-in Progressive Web App (PWA). By using any part of SOL, you agree to the collection and use of your data as described here.

💡 In plain terms: We are a Singapore company. We run a check-in app for seniors and their families. This document tells you exactly what we know about you and what we do with it.

Section 02

📋 What we collect

We collect the minimum data necessary to operate the service. The data we collect differs depending on whether you are a caregiver or a senior.

Caregivers

  • Email address (for OTP login and notifications)
  • Phone number (for WhatsApp notifications on Paid tier)
  • Name assigned to linked senior(s)
  • Check-in window configurations (labels, start and end times)
  • Notification preferences (toggle settings)
  • Subscription tier (Free or Paid)
  • Account creation timestamp

Seniors

  • Phone number and/or email address (for OTP login)
  • Device timezone (auto-detected from browser locale on first launch)
  • Check-in timestamps — both when you tapped and when we received it
  • Check-in status per window (Completed, Late Sync, or Missed)
  • Medical disclaimer acceptance timestamp
  • Pairing code used to link with caregiver (stored as a one-way hash, not the raw code)

What we do not collect — ever

None of the following is ever collected by SOL

  • GPS or location data
  • Camera or video access
  • Microphone access
  • Biometric data of any kind
  • Browsing history
  • Contacts or address book
  • Files or photos on your device
  • Financial or payment card data

Automatically collected technical data

When you use SOL, our servers automatically record standard web server logs including your IP address, browser type, and the pages you access. This data is used solely for security monitoring and infrastructure operations. It is not linked to your profile and is purged within 30 days.

The Senior's device timezone is the only device-specific data we actively store. It is collected using the browser's built-in Intl.DateTimeFormat().resolvedOptions().timeZone API and stored as an IANA timezone string (e.g. Asia/Singapore). No other device information is collected or retained.

Section 03

⚙️ How we use your data

Every piece of data we collect has a specific, documented purpose. We do not use data for any purpose beyond what is listed here.

  • Email address: OTP login; sending nudge and alert notifications (Free tier). Basis: Contractual necessity.
  • Phone number: OTP login; WhatsApp nudge and alert notifications (Paid tier). Basis: Contractual necessity.
  • Senior's timezone: Calculating when check-in windows open and close in local time. Basis: Contractual necessity.
  • Check-in timestamps: Populating the caregiver's history log; determining missed, completed, or late sync status. Basis: Contractual necessity.
  • Notification preferences: Determining whether and how to send check-in confirmations to caregiver. Basis: Consent.
  • Disclaimer acceptance timestamp: Audit record confirming the senior gave informed consent before accessing the Big Button. Basis: Legal obligation.
  • Pairing code hash: Securely linking a senior's device to a caregiver account; discarded after use. Basis: Contractual necessity.
  • Web server logs (IP, browser): Security monitoring; infrastructure operations only. Basis: Legitimate interests.

🔒 We do not use your data for advertising, profiling, or behavioural tracking. We do not sell data to third parties. We do not use your data to train AI models. SOL has no advertising relationships and displays no ads.

Section 04

🤝 Who we share your data with

We share data only where it is strictly necessary to operate the service. We do not have advertising partners, data brokers, or analytics resellers.

Between users within SOL

A senior's check-in data — timestamps and status — is visible only to their directly linked caregiver(s). No other user can see your data. Caregivers cannot see each other's account settings or linked seniors. Seniors cannot see caregiver configuration or notification settings.

Third-party service providers

  • 📧 SendGrid (Twilio), Free tier: Receives recipient email address and message content for nudge and alert delivery. Data is not retained by SendGrid beyond delivery. SendGrid Privacy Policy →
  • 💬 WhatsApp Business API (via Twilio or 360dialog), Paid tier: Receives recipient phone number and message content for WhatsApp nudge and alert delivery. WhatsApp Privacy Policy →
  • 🖥️ Railway / Render (infrastructure), All tiers: Hosts our application servers and PostgreSQL database. Acts as a data processor only — they store encrypted data on our behalf and have no rights to access or use it for their own purposes.
  • 📊 Analytics (marketing site only), All tiers: We use a privacy-respecting, cookieless analytics tool (e.g. Plausible) on the marketing website only. No personal data is collected. The SOL app itself has no analytics tracking.

We will never

  • 🚫 Sell your personal data to any third party, ever, under any circumstances
  • 🚫 Share data with advertisers or data brokers
  • 🚫 Use your data to train AI or machine learning models
  • 🚫 Share data with government agencies or law enforcement except where compelled by a lawful order under Singapore law, in which case we will notify you to the extent legally permitted

Section 05

🗓️ Retention & deletion

We keep data only as long as necessary for its stated purpose.

  • Check-in history — Free Tier: 7 days, then auto-purged
  • Check-in history — Paid Tier: 30 days, then auto-purged
  • Account data (email, phone, name): While account is active
  • Notification delivery logs: 90 days, then purged
  • OTP codes: Cleared immediately after use or 5-min expiry
  • Pairing codes (hashed): Deleted on use or 48-hour expiry
  • Medical disclaimer acceptance record: Lifetime of account (legal audit requirement)
  • Web server logs (IP, browser): 30 days, then purged

Account deletion

You may request deletion of your account at any time by emailing [email protected]. On deletion, all personal data linked to your account is permanently purged within 30 days. Anonymised aggregate statistics may be retained for internal product analytics.

📌 Automatic purge of check-in history runs daily at midnight UTC via our scheduled task system. This is not a manual process — it happens automatically regardless of whether you request it.

Section 06

🛡️ Security

We apply the following technical safeguards to protect your data.

  • 🔐 All personally identifiable information — phone numbers and email addresses — is encrypted at rest in our PostgreSQL database.
  • 🔒 All data in transit is encrypted via TLS 1.2 or higher. We do not serve any content over unencrypted HTTP.
  • 🔑 Pairing codes are hashed using SHA-256 before storage. The raw 6-character code is displayed once and never stored.
  • ⏱️ OTP codes expire after 5 minutes and are cleared from the database immediately after use or expiry.
  • 🔓 Caregiver JWT sessions expire after 7 days and require OTP re-authentication. Refresh tokens are not used.
  • 🚧 3 failed pairing attempts trigger a 15-minute lockout, preventing automated guessing attacks.
  • 🗄️ Infrastructure is hosted on Railway or Render, both of which operate SOC 2-compliant cloud infrastructure.

⚠️ Honest disclosure: While we implement industry-standard security measures, no internet-connected system is completely immune to breach. In the event of a breach affecting your personal data, we will notify affected users within the PDPA-mandated timeframe.

Section 07

⚖️ Your rights under the PDPA

Singapore's Personal Data Protection Act 2012 (PDPA) gives you the following rights. You may exercise any of these by contacting us at [email protected]. We will respond within 30 days of receiving your request.

📂 Right to Access

Request a copy of the personal data we hold about you, including check-in history within the retention window.

✏️ Right to Correction

Request correction of any inaccurate personal data — for example, an incorrect phone number or email address.

🚪 Withdrawal of Consent

Withdraw consent to data collection at any time. Note: withdrawal results in account deletion, as the service cannot operate without the data in Section 2.

📤 Data Portability

Request your check-in history as a structured CSV file. Email [email protected] and we will fulfil it within 30 days.

🗑️ Right to Erasure

Request full deletion of your account and all associated personal data. See Section 5 for the deletion timeline.

📣 Right to Complain

If you are unsatisfied with our handling of your data, you may lodge a complaint with the Personal Data Protection Commission (PDPC).

📮 To exercise any of the above rights, email [email protected] with the subject line “PDPA Request — [Your Right]”. We will acknowledge within 3 business days and fulfil within 30 days.

Section 08

🍪 Cookies & local storage

We are deliberate about what we store on your device. Below is a complete inventory.

Used

  • IndexedDB (Senior's device only): Used to queue check-in timestamps locally when offline. Contains only the tap timestamp and window ID — no personal information.
  • Session cookie (Caregiver dashboard): A short-lived session identifier in a secure, HttpOnly cookie. Expires when you close the browser or after 7 days, whichever comes first.
  • Service Worker cache (PWA): Caches app shell files (HTML, CSS, JS) to allow the app to load offline. No personal data is cached.

Not used

  • Advertising or tracking cookies: SOL does not use advertising cookies, cross-site tracking pixels, or third-party analytics cookies within the app.
  • Third-party cookies: No third-party scripts load cookies on the SOL app. The marketing website uses a cookieless analytics tool that sets no cookies.

Section 09

👶 Children's data

SOL is designed exclusively for adults. Seniors using the platform are adults. Caregivers registering an account must be adults (18 years or older). We do not knowingly collect personal data from anyone under the age of 18.

If you believe a minor has registered an account or their data has been submitted to SOL without appropriate consent, please contact us immediately at [email protected] and we will delete the data without delay.

Section 10

📝 Changes to this policy

We may update this Privacy Policy from time to time as our product evolves or as legal requirements change.

For material changes — changes that meaningfully affect how your data is used or shared — we will notify you via the email address registered to your account at least 14 days before the changes take effect.

For minor changes — corrections, clarifications, or formatting updates — we will update the policy and revise the effective date without prior email notification.

Continued use of SOL after the effective date of any revision constitutes your acceptance of the updated policy. If you do not agree, you may request account deletion before the effective date.

All previous versions of this policy are available upon request by emailing [email protected].

Section 11

📬 Contact us

If you have any questions about this Privacy Policy, wish to exercise your PDPA rights, or want to report a data concern, please reach out through the following channels.

Privacy enquiries

Data Protection Officer

Registered address

[Company Address]
Singapore [Postal Code]

📌 SOL is a social wellness tool, not a medical device. In an emergency, always call 995.