1. Who We Are
Still Here ("we", "our", "us") operates the website soimok.com and the Still Here wellness check-in service. We are committed to protecting your privacy and handling your data transparently and lawfully.
2. Data We Collect
2.1 Information You Provide
- Account data: Name, email address, and hashed authentication credentials when you create an account.
- Check-in data: Your responses (or non-responses) to scheduled check-ins, including timestamps.
- Emergency contact data: Names, email addresses, and phone numbers of people you designate as emergency contacts. These individuals must consent to being listed.
- Settings & preferences: Check-in frequency, active hours, timezone, vacation mode dates.
- Payment data: We do not store your credit card details. Payments are processed by Stripe, which may collect billing information in accordance with its own privacy policy. We receive only subscription status and transaction metadata.
2.2 Information Collected Automatically
- Technical data: IP address, browser type, device information, and access timestamps, collected in server logs for security and operational purposes.
- Cookies: We use a single essential cookie (JWT token) to maintain your authenticated session. We do not use tracking cookies, analytics cookies, or third-party advertising cookies.
3. How We Use Your Data
- To provide the check-in service: dispatching check-ins, processing responses, and escalating to emergency contacts when configured thresholds are met.
- To send transactional emails: verification links, check-in prompts, trial reminders, and account notifications.
- To process payments via Stripe.
- To maintain service security: rate limiting, abuse detection, and fraud prevention.
- To comply with legal obligations.
We do not sell your data. We do not use your data for advertising or profiling. We do not train machine learning models on your data.
4. Legal Basis for Processing (GDPR)
If you are in the European Economic Area or the United Kingdom, we process your personal data under the following legal bases:
- Consent: You explicitly consent when you create an account and provide your data. You may withdraw consent at any time by deleting your account.
- Contractual necessity: Processing your data is necessary to provide the check-in service you signed up for.
- Legitimate interest: Server logs and security measures protect our service and your data from abuse.
5. Data Sharing & Third Parties
We share data only with the following service providers, and only to the extent necessary:
- Cloudflare: Hosts our infrastructure (Workers, D1 database). Your data is stored in the region you select during deployment.
- Stripe: Processes payments. Stripe receives your email, name, and subscription details. Stripe's privacy policy is at stripe.com/privacy.
- MailChannels: Routes our transactional emails. Email content passes through their servers for delivery.
We may disclose data if required by law or in good-faith belief that disclosure is necessary to protect our rights, your safety, or the safety of others.
6. Emergency Contact Data
When you add emergency contacts, we send them a confirmation notice explaining the nature of the service and their role. They may opt out at any time. We store their contact information solely for the purpose of delivering escalation notifications. Emergency contacts can request deletion of their data by contacting us.
7. Data Retention
- Active account: Data is retained while your account is active.
- Account deletion: Upon deletion, personal data is permanently removed within 30 days. Check-in logs may be retained in anonymized form for operational metrics.
- Server logs: Retained for a maximum of 90 days for security purposes.
8. Your Rights
8.1 GDPR Rights (EEA/UK Residents)
- Access: Request a copy of your personal data.
- Rectification: Correct inaccurate or incomplete data.
- Erasure: Request deletion of your data ("right to be forgotten").
- Portability: Receive your data in a structured, machine-readable format.
- Restriction: Request limited processing of your data.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: At any time, without affecting the lawfulness of prior processing.
8.2 CCPA Rights (California Residents)
- Right to know: Request disclosure of categories and specific pieces of personal data collected.
- Right to delete: Request deletion of personal data.
- Right to opt out: We do not sell data, so no opt-out is necessary.
- Non-discrimination: We will not discriminate against you for exercising CCPA rights.
To exercise any right, email us at privacy@soimok.com. We will respond within 30 days and verify your identity before fulfilling the request.
9. International Data Transfers
Our infrastructure (Cloudflare, Stripe) operates globally. Data may be transferred to and processed in the United States and other jurisdictions. We rely on Standard Contractual Clauses (SCCs) and service providers' certifications (EU-US Data Privacy Framework, where applicable) to ensure adequate protection for cross-border transfers.
10. Children's Privacy
Still Here is not intended for individuals under 18 years of age. We do not knowingly collect data from children. If we learn we have collected data from a child, we will delete it promptly.
11. Security
We implement appropriate technical and organizational measures to protect your data, including encryption in transit (TLS 1.3), encryption at rest, and access controls. For details, see our Security page. No method of transmission or storage is 100% secure. In the event of a data breach affecting your personal data, we will notify you and relevant authorities as required by law.
12. Changes to This Policy
We will notify you of material changes via email or a prominent notice on our website before the changes take effect. Continued use of the service after changes constitutes acceptance.
13. Contact
For privacy-related inquiries or to exercise your rights:
Email: privacy@soimok.com
Response time: Within 30 days (GDPR requirement) or sooner.
You also have the right to lodge a complaint with your local data protection authority.