Privacy Policy
Last updated: 6 July 2026
This Privacy Policy explains how PatientUpdate.App ("Patient Update", "we", "our" or "us") collects, uses and protects your personal data when you use our service. We handle personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and, where applicable, the EU GDPR.
1. Who we are (data controller)
Patient Update is the data controller for personal data processed through this service. You can contact us about anything in this policy at info@patientupdate.app.
2. What personal data we collect
- Account data: your email address, a display name and an encrypted password (we never see your password in plain text).
- Journey content: the hospital, department, reason and status updates you choose to record, along with any images or video you upload.
- Comments and reactions: the name, optional email and message left by people you have shared a journey link with.
- Contact-form submissions: the name, phone number, email and message you send us through our contact form.
- Basic usage analytics: pseudonymous events such as which pages are viewed and which buttons are tapped, so we can improve the service. We do not record the content of your updates or messages for analytics.
- Technical data: minimal information your browser sends with every request (IP address, browser type, timestamps) used for security and debugging.
3. Why we process it (lawful bases)
- Performance of a contract (UK GDPR Art. 6(1)(b)) — to create your account, run your journey and deliver updates to the people you share with.
- Consent (Art. 6(1)(a)) — for optional features such as leaving a comment, or if we later send you optional product update emails. You can withdraw consent at any time.
- Legitimate interests (Art. 6(1)(f)) — to keep the service secure, prevent abuse and improve the product in aggregate.
- Legal obligation (Art. 6(1)(c)) — where the law requires us to retain or disclose certain data.
4. Public share links
A core feature of the service is that you can share a journey link with family and friends. Anyone who receives that link can view the journey without signing in. This is a deliberate choice you make when you share it.
Once you share a journey link, you have chosen to make that content accessible to anyone who receives or forwards it. We cannot control onward sharing, screenshots or downloads. If you want to restrict access, don't share the link — or contact us to disable it.
5. Who we share data with (processors)
We do not sell your personal data. We share it only with the service providers we need to run the platform, all of whom act as data processors under our instructions:
- Lovable Cloud (built on Supabase) — hosting, database, authentication, file storage and serverless functions.
- Lovable AI Gateway — if and where we use AI-assisted features.
- Email delivery provider — used to send account emails (verification, password reset, notifications).
We may also disclose personal data where legally required to do so (e.g. in response to a valid court order).
6. Where your data is stored
Personal data is stored on servers in the UK/EU region. Where any processor transfers personal data outside the UK or European Economic Area, that transfer is protected by the UK International Data Transfer Agreement or the European Commission's Standard Contractual Clauses.
7. How long we keep it
- Account and journey data: kept for as long as your account is active, then deleted on your request.
- Contact-form messages: kept for up to 24 months, then deleted.
- Usage analytics: kept in aggregated / pseudonymous form for up to 24 months.
- Backups: may persist for a short additional period before being overwritten.
8. Your rights under UK GDPR
You have the right to:
- be informed about how we use your data (this policy);
- access a copy of the personal data we hold about you;
- ask us to correct inaccurate data;
- ask us to erase your data ("right to be forgotten");
- restrict or object to certain processing;
- data portability, where technically feasible;
- withdraw consent at any time where processing is based on consent;
- complain to the UK Information Commissioner's Office at ico.org.uk.
To exercise any of these rights, submit the form below or email info@patientupdate.app. We respond within 30 days.
9. Cookies and local storage
We only use browser storage that is strictly necessary to run the service — specifically, we store your sign-in token in your browser's local storage so you don't have to sign in on every page. We do not use advertising cookies or third-party tracking pixels. Our first-party usage analytics is pseudonymous and used only to understand how the product is used.
10. Security
We use appropriate technical and organisational measures to protect personal data, including encryption in transit (HTTPS), encryption at rest for the database, access controls and row-level security policies. No online service can be 100% secure; if we become aware of a personal data breach that presents a risk to your rights we will notify the ICO and, where required, affected users, in line with UK GDPR.
11. Children
The service is not directed at children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
12. Changes to this policy
We may update this policy from time to time. Material changes will be highlighted on this page and, where appropriate, communicated by email. The "Last updated" date at the top always reflects the current version.
13. Contact
Questions or requests about your data? Email info@patientupdate.app or use our contact form. See also our Terms & Conditions.