Privacy.

When you create a page: the author name, relationship, patient name, and short description you typed. Optionally an email address you gave us so we can send you the admin link as a backup. If you set a passcode on the page, we store a salted scrypt hash of it — never the passcode itself.

When you invite another caretaker: their name and email, so we can send them their own admin link.

When you subscribe: your email address and which page you subscribed to.

When you post an update: the body text and anything you attach — photos, a voice note, a short video, or a file (a PDF from the doctor, for example).

When someone RSVPs to a visiting window: their name and an optional email. Visitor names are visible on the public page; the email is visible only to caretakers.

When someone drops a card on the page (a public message): their name, an optional email, and the audio, video, or text they sent. If they ticked “email me when you hear it,” we use that email once for that confirmation.

When a reader taps a reaction (heart, hug, etc.): we store a short per-device key so each reader can only react once per update. It isn't tied to an account or identity.

We use Google Analytics to see basic traffic numbers — how many people visited, roughly where they came from, which pages they read. It's the same tool most sites run. If you'd rather opt out, browser-level “Do Not Track” settings or an analytics-blocker extension will do it.

We don't fingerprint your browser, we don't run ads, we don't sell data, and we don't use any of the creepy retargeting trackers. Server access logs (IP, user-agent, request path) are kept for 14 days for security and abuse prevention, then deleted.

When someone clicks a link in one of our emails, we record the click with a hashed IP and the user-agent string (not the raw IP) so we can tell whether messages are landing and links are working. We don't share that data.

Anyone with the public link to a page can read the updates posted there. Pages aren't indexed by search engines (we set noindex) but they're not secret either — treat the public link the same way you'd treat sharing a Google Doc. If you set a passcode, readers will need to enter it before they see anything beyond the page title.

Only people who have an admin link can post or edit. Every caretaker on a page has their own admin link and equal admin powers. If you provided an email when you set up the page (or as a caretaker), you can have your admin link re-sent to that address. If no email is on file, we can't recover a lost admin link — the page becomes read-only for new updates until you create a new one.

Notifications are sent through Amazon SES from [email protected]. We may send:

• A confirmation email when you subscribe, plus one gentle reminder ~24h later if you haven't confirmed.
• A welcome email after you confirm, and one each time a caretaker posts a new update.
• A confirmation when you RSVP to a visiting window, with a one-click cancel link.
• A notice to caretakers (and the schedule's optional notify-email) whenever someone RSVPs, cancels, or — when approval is on — is approved or declined.
• A self-set reminder to caretakers who've asked for a posting nudge on a cadence (e.g. 10am and 7pm). Skipped on days they've already posted.
• A one-time confirmation to someone who dropped a card, if they ticked the “email me when you hear it” box.
• The backup email containing your admin link, if you asked for one at setup.

Every subscriber email has a one-click unsubscribe link. Operational emails tied to a specific action (RSVP confirmations, admin-link backups, message confirmations) don't have a subscribe relationship to unsubscribe from.

Photos, voice notes, videos, and file attachments are stored on a server we run. They're served from the public page, so anyone with the page link (and the passcode, if you set one) can view them. We also generate thumbnails and store the duration for audio and video. Be thoughtful about what you share — once a file is on the public page and people have visited, it may be cached on their devices.

When you tap Dictate in the composer, your recording is sent over HTTPS to Groq (a third-party inference provider) to run the Whisper transcription model. We don't keep the audio after the round-trip; Groq's handling of the request is governed by their own policy. If you'd rather not use it, just type instead.

If a page has messages turned on, anyone with the link can leave one. Sender name and the message body are visible on the page; the sender's email (if provided) is not shown to readers and is used only for the optional confirmation. Caretakers can remove any message at any time. If multiple readers report a message, it's auto-hidden pending review. We may also remove messages that violate the Terms.

Click Close the page in the admin to stop new posts and emails. To delete the page entirely (including past updates and subscribers), email [email protected] from the email tied to the page or include the admin link in your message. We'll delete it within 7 days.

Retention windows: active page content lives until the page is deleted; deleted pages are removed from databases within 24 hours and from backups within 30 days; server access logs are kept 14 days; email send logs are kept 30 days. For institutional accounts, audit logs of staff actions are kept 6 years per HIPAA norms.

If you're a hospital, hospice, or care facility evaluating UpdatesOn for your families, see our HIPAA posture page. We will sign a Business Associate Agreement with institutional customers before any PHI flows.

The server runs in Oracle Cloud Infrastructure (us-east region, Ashburn VA). Cloudflare sits in front for HTTPS and DDoS protection.

Questions: [email protected].