Your privacy is central to everything we do. Addison's Diary was built by a family, for families. We do not sell your personal information. We do not share it with advertisers. We do not allow medical professionals or third parties to access your account. The information you share with us is deeply personal. We treat it that way.
1. Who We Are
Addison's Diary is a product of Pribco LLC, a Georgia limited liability company. "We," "us," and "our" refer to Pribco LLC. This Privacy Policy explains what information we collect when you use the Platform, how we use and protect it, who can see it, and the choices you have. It applies to the Addison's Diary website and web application at addisonsdiary.com.
By creating an account or using the Platform, you agree to this Privacy Policy. This Policy should be read together with our Terms of Use, Acceptable Use Policy, HIPAA Notice and Health Data Policy, and Data Deletion and User Rights Policy — all available at addisonsdiary.com.
2. Information We Collect
Information You Provide Directly
- Account registration: your name, email address, mobile phone number (optional), and a password managed by Amazon Cognito
- Patient profile: the name, date of birth, care setting, allergies, and other details about the person receiving care
- Care journal entries, notes, and observations about a loved one's condition and daily life
- Medication reference information: drug names, doses, frequencies, and schedules — entered for personal organizational reference only
- Care schedules: caregiver names and shift assignments
- Appointment information: dates, times, providers, and care notes
- Medical team contacts: names, roles, and contact information
- Documents uploaded to the vault: insurance cards, legal documents, advance directives, and other personal records
- Photos, stories, and memories uploaded to the Memory Book
- Messages sent through Family Messages, Direct Messages, and SOS alerts
- Support requests submitted through the in-app support form
Technical Information Collected Automatically
- Sign-in timestamps, session duration, and feature usage patterns
- Device type, operating system, and browser type
- IP address and approximate geographic location (city/region level — not precise)
- Error and crash reports to help us identify and fix technical problems
Information We Do Not Collect
- Clinical health records, medical charts, or EHR data from any healthcare provider
- Biometric data of any kind
- Precise GPS location
- Your payment card number — card data is processed by Stripe and never touches our systems
- Data from social media platforms or third-party sources
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, maintain, and improve the Platform
- Authenticate your identity and maintain account security
- Display your care information to the family members and personal contacts you have invited and authorized
- Send service notifications you have requested — by email and, if you opt in, by SMS
- Respond to support requests
- Analyze aggregate, anonymized usage patterns to improve the Platform
- Detect and prevent fraud, abuse, and security incidents
- Comply with applicable law and legal process
4. How We Share Your Information
With Family Members You Invite
Information you record is visible only to users you have invited and authorized. The account Admin controls granular per-section, per-member permissions. No one outside your invited group can access your account.
With Our Service Providers
We use a small number of trusted service providers to operate the Platform: Amazon Web Services (hosting, database, authentication, file storage), Postmark (email delivery), Twilio (SMS delivery, opt-in only), and Stripe (payment processing). Each is contractually required to protect your information and may not use it for their own purposes.
For Legal Requirements
We may disclose your information if required by law, court order, or valid legal process, or if we believe in good faith that disclosure is necessary to prevent fraud or protect the safety of any person.
In Connection with a Business Transfer
If Pribco LLC is acquired, merges, or sells assets, your information may be transferred. We will notify you before your information is transferred and becomes subject to a different privacy policy.
5. Operator Access to Your Data
The Addison's Diary operator admin console is technically blocked from reading your care content — care journal entries, medication records, messages, photos, and vault documents. Reading care content requires a deliberate "break-glass" step using a separate MFA-protected administrative role, and every use is recorded in a tamper-evident AWS CloudTrail audit log. Operators cannot edit or delete medication or care activity log entries under any circumstances — these logs are append-only and immutable even for operators. See the HIPAA Notice and Health Data Policy for full detail.
6. Data Security
- All data encrypted in transit using TLS/HTTPS — no unencrypted connection path
- All data encrypted at rest using AWS-managed keys for DynamoDB and S3
- Two-factor authentication required for every user account
- Strict per-family data isolation enforced server-side
- Granular per-member, per-section permissions enforced server-side
- Append-only, immutable audit trail for medication and care activity logs
- AWS CloudTrail tamper-evident logging of all administrative actions
- Private Amazon S3 storage with short-lived per-file presigned URLs
No system is perfectly secure. We cannot guarantee that unauthorized access will never occur. You are responsible for maintaining the security of your account credentials and for notifying us promptly of any unauthorized access.
7. Data Retention and Deletion
While Your Account Is Active
We retain your account information and all care content for as long as your account is active.
When You Cancel Your Subscription
When you cancel your subscription, your account enters a 90-day dormant period (read-only, fully recoverable by reactivating). If you do not reactivate within 90 days, your account moves to a 30-day pending-closure period with four warning emails. After the 30-day grace period expires — 120 days total from cancellation — all family data is permanently and irreversibly deleted.
When You Close Your Account
If you close your account manually, your account enters the 30-day pending-closure period immediately. All data is permanently deleted after 30 days.
What Survives Deletion
Your Terms of Use acceptance record (version, typed electronic signature, timestamp) is retained permanently as a legal record. Support ticket history and Stripe billing records are retained as required by law. No care content or health-related information is retained after deletion.
How to Request Deletion
In-platform: Sign in → My Account → Close My Account → Confirm
By email: support@addisonsdiary.com · Subject: "Data Deletion Request"
For expedited deletion (CCPA, GDPR "right to be forgotten," or urgent request): email support@addisonsdiary.com with subject "URGENT Data Deletion Request." See the Data Deletion and User Rights Policy for the complete process.
8. SMS Text Messages
Program Name: Addison's Diary Care Alerts.
Purpose: Urgent care event notifications — missed caregiver shifts, "I'm OK" check-ins, and SOS alerts. SMS is off by default and requires you to opt in by entering your mobile number and enabling SMS notifications in your account settings.
Opt-out: Reply STOP to any message or turn off SMS in settings. Help: Reply HELP or email support@addisonsdiary.com. Message and data rates may apply.
9. Cookies
Addison's Diary uses strictly necessary cookies and browser local storage to maintain your signed-in session and remember your preferences. We do not use advertising cookies or cross-site tracking. For full details including how to manage your cookie preferences, see the Addison's Diary Cookie Policy.
10. HIPAA Notice
Pribco LLC is not a "covered entity" or "business associate" under HIPAA. The Platform is not HIPAA-certified. The accurate description is HIPAA-adjacent — we are not legally required to comply with HIPAA, but we have built the platform with HIPAA-minded security practices because the information families share deserves that level of protection. See the HIPAA Notice and Health Data Policy at addisonsdiary.com/health-data for the full disclosure.
11. Children's Privacy
The Platform is for adults 18 and older. We do not knowingly collect personal information directly from children under 13. If a child is the patient in a family account, information about them is entered by adult family members and protected under this Policy. If you believe a child under 13 has created an account, contact privacyandlegal@pribco.com and we will delete it promptly.
12. Your Rights and Choices
All Users
You have the right to access, correct, and delete your personal data, update your notification preferences, and be informed about how your data is used. Contact support@addisonsdiary.com to exercise these rights.
California Residents — CCPA/CPRA Rights
California residents have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: request disclosure of the categories and specific pieces of personal information collected, the sources, business purposes, and third parties with whom it is shared
- Right to Delete: request deletion of personal information we have collected, subject to legal exceptions
- Right to Correct: request correction of inaccurate personal information
- Right to Opt Out of Sale: we do not sell personal information — this right is acknowledged but not applicable
- Right to Limit Use of Sensitive Personal Information: we use sensitive personal information (health-related data) only to provide the service, not for advertising or profiling
- Right to Non-Discrimination: we will not discriminate against you for exercising any CCPA right
To exercise CCPA/CPRA rights, contact support@addisonsdiary.com with subject "California Privacy Rights Request." We will respond to verifiable consumer requests within 45 days. We may extend this period by an additional 45 days (90 days total) for complex requests, with notice. You may also file a complaint with the California Privacy Protection Agency at cppa.ca.gov or the California Attorney General at oag.ca.gov/privacy.
Virginia, Colorado, Connecticut, Texas, and Other US States
Residents of states with comprehensive consumer privacy laws (Virginia CDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA, Montana, Oregon, Delaware, Iowa, Indiana, Nevada, Utah, Tennessee, and others) have rights to access, correct, delete, and port their personal data, and to opt out of certain processing. Contact support@addisonsdiary.com with subject "State Privacy Rights Request." We respond within the timeframe required by your state's law.
European Union Residents — GDPR Rights
EEA residents have the following rights under the General Data Protection Regulation (GDPR):
- Article 15 — Right of Access: request a copy of personal data we hold about you
- Article 16 — Right to Rectification: correct inaccurate personal data
- Article 17 — Right to Erasure: request deletion of your personal data
- Article 18 — Right to Restriction: request that we limit processing in certain circumstances
- Article 20 — Right to Data Portability: receive your data in a structured, machine-readable format
- Article 21 — Right to Object: object to processing based on legitimate interests
- Right to withdraw consent: for consent-based processing at any time
- Right to lodge a complaint: with your national data protection supervisory authority (edpb.europa.eu)
Contact privacyandlegal@pribco.com with subject "GDPR Rights Request." We respond within 30 days. We may extend this period by up to 60 additional days for complex requests, with prior notice.
United Kingdom Residents — UK GDPR
UK residents have equivalent rights under the UK GDPR and Data Protection Act 2018. Contact privacyandlegal@pribco.com with subject "UK GDPR Rights Request." UK residents may also contact the ICO at ico.org.uk.
13. EU and UK — Legal Basis for Processing
Legal Basis Under GDPR Article 6
For EEA users, we process personal data on the following legal bases:
- Contract performance (Article 6(1)(b)): processing necessary to provide the Platform under the Terms of Use
- Legitimate interests (Article 6(1)(f)): processing for platform security, fraud prevention, and service improvement, where our interests do not override your rights
- Consent (Article 6(1)(a)): for optional features such as SMS notifications and non-essential cookies — withdrawable at any time
- Legal obligation (Article 6(1)(c)): processing required by applicable EU or member state law
Special Category Health Data — GDPR Article 9
Health-related information you enter may constitute "special category" personal data under Article 9 GDPR. We process it on the basis of your explicit consent (Article 9(2)(a)), given when you create an account and accept our Terms and this Policy. You may withdraw consent at any time by closing your account.
International Data Transfers
Addison's Diary is operated from the United States using US-based AWS infrastructure. If you are located in the EEA or UK, your personal data is transferred to and processed in the United States. We rely on the EU-US Data Privacy Framework and, where applicable, Standard Contractual Clauses (SCCs) as the legal transfer mechanism for EEA users. For UK users, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs. By using the Platform, you acknowledge this transfer.
Data Protection Officer
Pribco LLC is a small startup and is not currently required to appoint a formal DPO under GDPR Article 37. Privacy inquiries: privacyandlegal@pribco.com.
14. Changes to This Privacy Policy
We may update this Policy from time to time. For material changes, we will notify registered users by email and in-app notice before the changes take effect. For EU/UK users, material changes affecting the legal basis for processing will include an opportunity to withdraw consent where consent is the legal basis. Continued use after the effective date constitutes acceptance.
15. Contact Us
Privacy inquiries, rights requests, and data deletion requests:
Pribco LLC — Addison's Diary
- Data Deletion Requests: support@addisonsdiary.com
- Legal and GDPR Inquiries: privacyandlegal@pribco.com
- Cookie Preferences: addisonsdiary.com/cookies
- Website: addisonsdiary.com