DAD HEALTH LEGAL

    PRIVACY POLICY

    Updated: June 2025 · Version 2.0

    This Privacy Notice for Dad Health ("we," "us," or "our") describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you:

    • Visit our website at https://dadhealth.co.uk or any website of ours that links to this Privacy Notice
    • Download and use our mobile application (Dad Health), or any other application of ours that links to this Privacy Notice
    • Use Dad Health. Dad Health is a wellness tool and not a clinical mental health service
    • Engage with us in other related ways, including any marketing or events

    Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at jamie@dadhealth.co.uk.

    Summary of key points

    This summary provides key points from our Privacy Notice. Use the table of contents below to find specific sections.

    What personal information do we process? When you visit, use, or navigate our Services, we may process personal information including account details, mood and wellbeing data, journal entries, location data for activity search, and community posts. See Section 1 for full details.

    Do we process sensitive personal information? Yes. We process special category health data including mood logs, mental wellbeing check-in responses, journal entries and CBT pulse responses under Article 9 UK GDPR with your explicit consent. See Section 1 and Section 3 for full details.

    Do we use AI to process your data? Yes. When you use the Dad Days activity search or meal plan generator, your query and approximate location are sent to Anthropic's API to generate results. No personally identifiable information beyond your search query and approximate location area is shared. See Section 4 for full details.

    Do we share personal information? We share data with service providers necessary to operate the app. We do not sell your data. See Section 4 for a full list of processors.

    How do we keep your information safe? We use Supabase with Row Level Security, encrypted connections and appropriate technical measures. See Section 7.

    What are your rights? You have rights to access, rectify, erase, port and restrict processing of your data. See Section 9.

    Table of contents

    1. What information do we collect?
    2. How do we process your information?
    3. What legal bases do we rely on?
    4. When and with whom do we share your personal information?
    5. Do we use cookies and other tracking technologies?
    6. How long do we keep your information?
    7. How do we keep your information safe?
    8. Do we collect information from minors?
    9. What are your privacy rights?
    10. Controls for Do-Not-Track features
    11. Do United States residents have specific privacy rights?
    12. Do other regions have specific privacy rights?
    13. Do we make updates to this notice?
    14. How can you contact us?
    15. How can you review, update, or delete your data?

    1. What information do we collect?

    In Short: We collect personal information you provide, health and wellbeing data you generate through using the app, and technical data about your device and usage.

    Personal information you disclose to us

    We collect personal information that you voluntarily provide when you register, use the Services or contact us. This may include:

    • Names and usernames
    • Email addresses
    • Passwords and authentication data
    • Contact preferences
    • Payment information (handled by Stripe — we do not store card details)

    Special category health and wellbeing data

    When you use Dad Health's mental health and wellbeing features, we collect and process the following special category personal data with your explicit consent:

    • Daily mood check-in responses (mood index 0–4)
    • 3-question CBT mental pulse responses (sleep quality, stress level, connection to children)
    • Journal entries (free text, mood tag, date)
    • Bond check-in data (quality time logged, presence rating, conversation rating)
    • Sleep logs (hours, quality rating, date)
    • Dad Health Score components (calculated from the above data points)
    • Custody pattern (daily / most days / 50–50 / weekends / varies)
    • Remote bonding activity logs on non-contact days

    This data is processed under Article 9(2)(a) UK GDPR — explicit consent. You may withdraw consent at any time by deleting your account or contacting jamie@dadhealth.co.uk. Withdrawal does not affect the lawfulness of processing before withdrawal.

    This data is used solely to provide you with your Dad Health Score, personalised insights and app functionality. It is never used for advertising, sold to third parties or shared beyond the processors listed in Section 4.

    Fitness and body metrics data

    • Body weight (kg), waist measurement, blood pressure readings, step count
    • Workout sessions (name, duration, exercises completed, estimated calories)
    • Meal plan preferences and dietary requirements
    • TDEE calculator inputs (age, weight, height, activity level, gender)

    Location data

    When you use the Dad Days activity search feature, we request access to your device location or postcode to find nearby activities. We process location data as follows:

    • Raw GPS coordinates are converted to an approximate area on our server and never stored in identifiable form
    • Only the postcode district (e.g. SK9, not SK9 5EY) may be retained for analytics purposes
    • Location data is sent to Anthropic's API to generate activity results and to Google Maps Platform for mapping functionality
    • You may decline location permission and enter a postcode manually instead

    Community and social data

    When you use the community feed and Dad Circles features:

    • Post content, tags and timestamps are stored in our database
    • Anonymous posts: if you choose to post anonymously, your post will appear without your name to other users. However, a user identifier is retained by Dad Health for moderation, safety and legal compliance purposes and will never be exposed publicly
    • Circle membership (which Dad Circles you have joined)
    • Respect (likes) and comment interactions

    Milestone and parenting data

    Information about moments and milestones you log relating to your children is stored solely to provide you with the milestone tracking feature. This data:

    • Is processed under your consent as the parent or guardian
    • Is not used for any purpose other than providing the milestone feature to you
    • Is not shared with or accessible to other users unless you explicitly mark a milestone as shared with a co-parent

    Wearable device data (Phase 3)

    In a future version of the app, with your explicit permission, we may sync with Apple HealthKit (iOS) or Google Health Connect (Android) to receive steps, sleep data, heart rate and workout information. This will be covered by a separate consent flow when the feature launches.

    Payment data

    Payment processing is handled entirely by Stripe. We collect only the minimum data necessary to initiate a payment. Card numbers and security codes are never processed or stored by us. See Stripe's privacy policy at https://stripe.com/privacy.

    Push notifications

    We may request permission to send push notifications via OneSignal. You may withdraw this permission at any time in your device settings.

    2. How do we process your information?

    In Short: We process your information to provide the Services, calculate your Dad Health Score, generate AI-powered activity suggestions, process payments and keep you safe.

    We process your personal information for the following purposes:

    • To create and manage your account
    • To calculate and display your Dad Health Score and pillar breakdowns
    • To provide personalised wellbeing insights based on your mood, sleep and activity data
    • To generate AI-powered Dad Days activity suggestions based on your location and preferences
    • To generate personalised meal plans and TDEE calculations
    • To process subscription payments via Stripe
    • To send push notifications and service-related emails via OneSignal and Resend
    • To track anonymous usage analytics to improve the Services via PostHog
    • To moderate community content and enforce our terms of service
    • To respond to your support requests
    • To comply with our legal obligations
    • To protect the vital interests of users where there is a risk to safety

    Automated processing — Dad Health Score

    The Dad Health Score is calculated automatically from your mood logs, sleep logs and Bond check-in data using a weighted formula (Mind 35% + Body 35% + Bond 30%). This automated calculation:

    • Does not produce legal or similarly significant effects
    • Is purely informational and intended to help you understand your overall wellbeing
    • Can be understood by reviewing the Score breakdown on the Progress screen
    • Is based entirely on data you have voluntarily provided

    You have the right to request information about how your score is calculated by contacting jamie@dadhealth.co.uk.

    3. What legal bases do we rely on?

    In Short: We process your personal information on the basis of consent, contract performance, legitimate interests and legal obligations depending on the type of data and purpose.

    Under UK GDPR we rely on the following legal bases:

    Explicit Consent (Article 6(1)(a) and Article 9(2)(a)): We rely on your explicit consent to process special category health and wellbeing data including mood logs, journal entries, CBT pulse responses, sleep logs and Bond check-in data. You may withdraw consent at any time by deleting your account or contacting us. Withdrawal does not affect prior processing.

    Contract Performance (Article 6(1)(b)): We process your account data, payment information and subscription status to fulfil our contractual obligations — providing you with the Dad Health Services you have signed up for.

    Legitimate Interests (Article 6(1)(f)): We process usage analytics data, fraud prevention data and technical logs on the basis of our legitimate interest in operating and improving a secure, functioning service. We have assessed that these interests are not overridden by your rights and freedoms.

    Legal Obligations (Article 6(1)(c)): We may process your information where necessary to comply with legal obligations such as responding to lawful requests from regulatory bodies or law enforcement.

    Vital Interests (Article 6(1)(d)): We may process your information where necessary to protect the vital interests of you or another person, including where there is a risk to life or safety.

    4. When and with whom do we share your personal information?

    In Short: We share data with service providers necessary to operate the app. We do not sell your personal information. We do not share special category health data with any party except processors listed below who process it solely on our behalf.

    4.1 Service providers and data processors

    We share your personal information with the following third party processors who process data solely on our behalf under written data processing agreements:

    ProcessorPurposeData sharedPrivacy policy
    SupabaseDatabase, authentication and file storageAccount data, all app data, health and wellbeing datasupabase.com/privacy
    StripePayment processing and subscription managementPayment details, email, subscription statusstripe.com/privacy
    AnthropicAI-powered Dad Days activity search and meal plan generationSearch query, approximate location area, dietary preferencesanthropic.com/privacy
    VercelWeb application hosting and deploymentTechnical logs, IP addressesvercel.com/legal/privacy-policy
    OneSignalPush notification deliveryDevice token, notification preferencesonesignal.com/privacy
    PostHogUsage analytics and product improvementAnonymised usage events, session dataposthog.com/privacy
    ResendTransactional email deliveryEmail address, email contentresend.com/privacy
    Google Maps PlatformLocation mapping and activity searchApproximate location areapolicies.google.com/privacy
    Awin / Rakuten (Phase 2)Affiliate activity recommendationsAnonymised click data, budget preferenceawin.com/privacy / rakutenadvertising.com/privacy

    4.2 Anonymous community posts

    While posts you choose to submit anonymously are displayed without your name to other users, a user identifier is retained by Dad Health for moderation, safety and legal compliance purposes. This identifier is never exposed publicly and is only accessed in cases of serious terms of service violations or legal requirements.

    4.3 Co-parenting calendar

    If you choose to use the co-parenting shared calendar feature, shared events and milestones you mark as shared will be visible to the connected co-parent account. You control which milestones are shared. No data is shared with a co-parent account without your explicit action.

    4.4 Business transfers

    We may share or transfer your information in connection with any merger, sale of company assets, financing or acquisition of all or part of our business. We will notify you of any such transfer that materially affects your personal information.

    4.5 Legal requirements

    We may disclose your information where required by law, to protect our rights, or where we believe disclosure is necessary to prevent harm.

    5. Do we use cookies and other tracking technologies?

    In Short: We use cookies and similar technologies for security, preferences and analytics. We will request your consent before placing non-essential cookies.

    We use cookies and similar tracking technologies to maintain the security of our Services, save your preferences and conduct analytics. Specifically:

    • Essential cookies: required for the app to function (authentication tokens, session management)
    • Analytics cookies: PostHog uses cookies to track anonymised usage events. You will be asked for consent before these are placed.

    A cookie consent banner is displayed on first visit to dadhealth.co.uk. You may withdraw consent for non-essential cookies at any time through the cookie settings on our website.

    For full details of the cookies we use, please see our Cookie Notice.

    6. How long do we keep your information?

    In Short: We keep your information for as long as necessary to provide the Services and comply with legal obligations.

    Data typeRetention periodReason
    Account and profile dataDuration of account + 6 monthsService provision and fraud prevention
    Mood logs, journal entries and health dataDuration of account + 6 monthsService provision only
    Payment records7 years from transactionUK tax and accounting legal requirement
    Community postsDuration of account or until deleted by userService provision
    Anonymous post identifiers7 yearsLegal compliance and moderation audit trail
    Analytics data (PostHog)12 months rollingProduct improvement
    Backup archivesUp to 30 days after deletionTechnical recovery only

    7. How do we keep your information safe?

    In Short: We use industry-standard technical and organisational measures to protect your data.

    We implement the following security measures:

    • All data is stored in Supabase with Row Level Security (RLS) enabled — users can only access their own data
    • All connections use HTTPS / TLS encryption in transit
    • Authentication is handled by Supabase Auth with support for OAuth providers
    • Anthropic API key and all sensitive credentials are stored server-side only and never exposed to the client
    • Anonymous post user identifiers are stored server-side only and never returned in API responses
    • Access to production systems is restricted to authorised personnel only

    In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware and will notify affected users without undue delay where required.

    Despite our safeguards, no electronic transmission or storage technology can be guaranteed to be 100% secure. If you become aware of any security concern, please contact jamie@dadhealth.co.uk immediately.

    8. Do we collect information from minors?

    In Short: Dad Health is for adults aged 18 and over. We do not knowingly collect personal data from children.

    Dad Health is designed for use by adults aged 18 and over. We do not knowingly collect, solicit or market to children under the age of 18.

    Some features of the app, including the milestone tracker, Bond check-in and Present Dad Mode, allow parents to log information about their interactions with their children. This information:

    • Is submitted by the parent user and processed under that parent's consent
    • Does not involve direct data collection from children
    • Is not used for any purpose other than providing the relevant feature to the parent
    • Is not shared with or accessible to other users unless explicitly shared by the parent via the co-parenting feature

    If we learn that a user is under the age of 18, we will deactivate their account and delete their data. Please contact jamie@dadhealth.co.uk if you believe a minor has registered.

    9. What are your privacy rights?

    In Short: Under UK GDPR you have significant rights over your personal data. We will respond to all valid requests within one month.

    Under UK GDPR you have the following rights:

    • Right of access — to receive a copy of the personal data we hold about you
    • Right to rectification — to have inaccurate data corrected
    • Right to erasure ('right to be forgotten') — to have your data deleted, subject to legal retention requirements
    • Right to restrict processing — to limit how we use your data
    • Right to data portability — to receive your data in a structured, commonly used format
    • Right to object — to object to processing based on legitimate interests
    • Rights related to automated decision-making — to request human review of automated decisions that significantly affect you

    To exercise any of these rights, please contact us at jamie@dadhealth.co.uk or submit a Data Subject Access Request at https://dadhealth.co.uk/privacy-request.

    If you are located in the UK and believe we are unlawfully processing your personal information, you have the right to complain to the Information Commissioner's Office (ICO):

    Withdrawing consent

    Where we rely on your consent to process special category health and wellbeing data, you may withdraw that consent at any time by deleting your account or contacting jamie@dadhealth.co.uk. Withdrawal does not affect the lawfulness of processing before withdrawal. Following withdrawal, your health and wellbeing data will be deleted within 30 days.

    Opting out of marketing

    You may unsubscribe from marketing emails at any time by clicking the unsubscribe link in any email we send or by contacting us. We may still send service-related messages necessary for account operation.

    10. Controls for Do-Not-Track features

    Most web browsers include a Do-Not-Track ("DNT") feature. No uniform technology standard for implementing DNT signals has been finalised. As such, we do not currently respond to DNT browser signals. If a standard is adopted in the future, we will update this notice accordingly.

    11. Do United States residents have specific privacy rights?

    If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have specific privacy rights under applicable state law.

    Categories of personal information collected

    CategoryExamplesCollected
    A. IdentifiersEmail address, username, IP addressYES
    B. California Customer RecordsName, contact informationYES
    C. Protected classification characteristicsAge, genderYES
    D. Commercial informationPurchase history, subscription statusYES
    E. Biometric informationFingerprints and voiceprintsNO
    F. Internet or network activityApp usage data, analyticsYES
    G. Geolocation dataApproximate location for Dad Days searchYES — approximate area only, not precise
    H. Audio, electronic or visual informationProfile photos (if uploaded)YES — if provided
    I. Professional or employment informationNot collectedNO
    J. Education informationNot collectedNO
    K. Inferences from personal informationDad Health Score calculated from mood, sleep and Bond dataYES — see Section 2
    L. Sensitive personal informationMood logs, journal entries, health check-in data, precise locationYES — see Section 1

    Appeals: If we decline to take action on your privacy request, you may appeal by emailing jamie@dadhealth.co.uk. We will respond in writing within 60 days. If your appeal is denied, you may submit a complaint to your state attorney general.

    12. Do other regions have specific privacy rights?

    Australia and New Zealand

    We collect and process your personal information under the obligations set by Australia's Privacy Act 1988 and New Zealand's Privacy Act 2020. If you believe we are unlawfully processing your personal information, you may contact the Office of the Australian Information Commissioner or the Office of New Zealand Privacy Commissioner.

    Republic of South Africa

    You have the right to request access to or correction of your personal information at any time. Complaints may be submitted to the Information Regulator (South Africa) at enquiries@inforegulator.org.za.

    13. Do we make updates to this notice?

    We may update this Privacy Notice from time to time to reflect changes in our Services, legal requirements or data processing activities. The updated version will show a revised date at the top. We will notify you of material changes either by posting a notice within the app or by email.

    14. How can you contact us?

    If you have questions or comments about this notice, or wish to exercise your privacy rights, please contact our Data Protection Officer:

    We aim to respond to all privacy enquiries within 30 days.

    15. How can you review, update, or delete your data?

    Based on applicable laws, you may have the right to request access to, correction of, or deletion of your personal information. To make such a request:

    We will respond to verified requests within one month in accordance with UK GDPR. In complex cases we may extend this by a further two months, in which case we will notify you.