Privacy Policy

1) Who we are

CallMy.help is provided by Steleo Ltd (trading as CallMy.help), a company registered in England and Wales (company no. 16502219), with registered office at 128 City Road, London, EC1V 2NX, United Kingdom (“CallMy.help”, “we”, “us”). We are the controller of personal data processed in connection with the Service. Contact us at privacy@callmy.help.

2) Scope

This Privacy Policy explains how we collect, use, share, and retain personal data when you use the CallMy.help website and services (the “Service”). It applies to:

• Guardians (account holders),
• Persons (people added by a Guardian),
• Designated Contacts, and
• Helpers (members of the public who use the site to assist a Person).

3) The data we process

3.1 Data you or a Guardian provides

• Account & profile (Guardians): name, email, password (hashed), subscription status.
• Persons: name as spoken; associated code word/phrase chosen with the Guardian.
• Designated Contacts: name, phone number(s), email address(es).
• Support communications: messages you send to us.
• Payments: billing details are processed by our payment provider; we receive limited records (e.g., transaction status, last four digits, expiry month/year).

3.2 Data added by a Helper (optional, per alert)

When sending an alert for a Person, a Helper may choose to include their: name, phone number, single point‑in‑time location, and a short note. These details are included in the alert to the Person's Designated Contacts and stored in the corresponding event log (see Retention).

3.3 Automatically collected data

• Logs & online identifiers: IP address, device and browser information, timestamps, pages/actions for security, fraud and abuse prevention, diagnostics, and reliability.
• Cookies/SDKs: Essential cookies are used to operate the Service. Non‑essential analytics cookies/SDKs are only used with consent (see Cookies below).

4) How we use personal data (purposes)

• Provide the Service: verify name + code word, reveal Designated Contacts, generate and deliver alerts (email/SMS), maintain account features.
• Safety & abuse prevention: security monitoring, rate‑limiting, logging, investigating misuse, and responding to incidents.
• Customer support: respond to questions and troubleshoot issues.
• Payments & billing: process subscriptions, prevent fraud, and manage invoices/receipts.
• Service communications: transactional emails (e.g., alerts, security, billing, updates about changes to the Service).
• Analytics (optional): understand usage and improve the Service (only where consented via cookies/SDKs).
• Legal compliance: comply with legal obligations and requests from competent authorities when lawfully required.

5) Our lawful bases (UK GDPR)

• Core service (verification, alerts, revealing contact details): Legitimate interests (safety and reunification) and, for Guardians, performance of a contract.
• Helper details in alerts; logs for security/abuse: Legitimate interests.
• Payments & tax records: Legal obligation and legitimate interests.
• Service communications: Legitimate interests.
• Marketing (if used): Consent or soft opt‑in (where permitted); you may unsubscribe at any time.
• Analytics cookies/SDKs: Consent.

A summary of our legitimate interests assessment is available on request.

6) When we share personal data

• With Designated Contacts: after a correct name + code word match, we display the Designated Contacts for the Person. If the Helper adds optional details (their name, phone number, single point‑in‑time location, and note), these are included in the alert sent to those contacts.
• Service providers (processors): hosting, databases, security, email, SMS, authentication, analytics (if enabled), payments, and support tooling—under contracts that protect personal data.
• Corporate events: as part of a merger, acquisition, or asset transfer.
• Legal: where required by law or to protect rights, safety, and security.
• Aggregated/anonymised data: for insight and service improvement without identifying individuals.

7) Where we process data & international transfers

We host core service data in the United Kingdom (UK). Some processing by our vendors may occur in other countries (for example, email or SMS delivery, support, or analytics). Where personal data is transferred outside the UK, we use approved safeguards such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, and, where applicable, rely on adequacy mechanisms (e.g., the UK‑US Data Bridge for certified US recipients). Transfer impact assessments are carried out where required. Some processing by our vendors may occur in other countries (for example, email or SMS delivery, support, or analytics). Where personal data is transferred outside the UK/EEA, we use approved safeguards such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, and, where applicable, rely on adequacy mechanisms (e.g., the UK‑US Data Bridge for certified US recipients). Transfer impact assessments are carried out where required.

8) Cookies and similar technologies

We use essential cookies necessary for the Service to function. We use non‑essential cookies/SDKs (e.g., analytics) only with your consent. You can change your cookie preferences at any time via the cookie banner or settings. For details, see our Cookie Policy.

9) If someone else provided your details

• Persons & Designated Contacts: A Guardian may add your details to the Service. We provide this privacy information at or before first contact, for example within the first alert or verification message.
• Helpers: Before sending an alert, Helpers see an on‑screen notice explaining what information will be included and shared, and how it will be retained.

10) Retention

We keep personal data only as long as needed for the purposes above, then delete or anonymise it.

• Event/alert payloads (including optional Helper details and the single point‑in‑time location): 30 days
• Delivery logs (email/SMS): 12 months
• Guardian/Persons/Designated Contacts data: for the life of the Guardian's account (or until removed by the Guardian or data subject)
• IP/security logs: 90 days (longer if required for an investigation)
• Payments/tax records: 7 years
• Backups: rolling 30–90 days

11) Your choices and rights

Depending on your location, you may have rights to access, rectify, erase, restrict, object (including to processing based on legitimate interests), and port your personal data, and to withdraw consent at any time (where processing is based on consent). We respond without undue delay and within one month (extensions apply in limited cases). We may request information to verify your identity. To exercise rights, contact privacy@callmy.help.

Self‑service controls. In your account portal you can:

• Download your data (e.g., Persons, Designated Contacts and recent alert logs) in a portable format; and
• Close and delete your account. Closing your account triggers deletion of account data per Retention (with limited legal/audit exceptions, e.g., payment records).

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) or your local supervisory authority. ICO: ico.org.uk | Tel: 0303 123 1113.

12) Security

We apply technical and organisational measures appropriate to the risk, including encryption in transit and at rest, access controls, monitoring, and regular reviews. Where legally required, we notify authorities and affected individuals about data breaches.

13) Marketing communications

We send service messages (e.g., alerts, security, billing). We send marketing only with valid consent or under the soft opt‑in (where permitted). You can unsubscribe at any time via the link in the message or by contacting us.

14) Children's data provided by Guardians

The Service is intended for adults (Guardians and Helpers). We may process data about children that a Guardian provides (e.g., a Person's name as spoken and a code word/phrase) for the purpose of enabling alerts to the Person's Designated Contacts. We rely on the Guardian's authority and instructions to provide that data and to explain the Service to the Person as appropriate.

We apply data‑minimisation and high‑privacy defaults to information about children and provide privacy information via the Guardian and, where applicable, within alert messages to Designated Contacts. The UK Age‑Appropriate Design Code applies to online services likely to be accessed by children; our Service is designed for adult use. If our audience or features change such that children are likely to access the Service directly, we will update our approach and this policy.

15) Regional notices

California (CCPA/CPRA)

California residents may have rights to know/access, correct, delete, and opt‑out of sale or sharing of personal information, and the right to non‑discrimination. We do not sell personal information and do not share it for cross‑context behavioural advertising. To exercise rights, email privacy@callmy.help. You may use an authorised agent with valid authorisation and identity verification.

16) Changes to this policy

We may update this Privacy Policy from time to time. The updated version will be indicated by a new “Last Updated” date. We will provide notice of material changes where required, and your continued use of the Service after the effective date constitutes acceptance.

17) Contact