Privacy Policy
Last Updated: November 11, 2025
1. Introduction
Within Reach ("Within Reach," "we," "us," or "our") builds software that helps caregivers, families, and vetted professionals coordinate care, preserve memories, and manage end-of-life logistics. Because our users trust us with sensitive information, we designed this Privacy Policy to explain how we collect, safeguard, and use personal information, including Protected Health Information (PHI). By accessing our website, mobile experiences, or vendor portals (collectively, the "Services"), you agree to the practices described below.
HIPAA Alignment
Within Reach implements administrative, technical, and physical safeguards that align with HIPAA requirements. You are responsible for obtaining any patient authorizations or business associate agreements required in your jurisdiction.
2. Information We Collect
2.1 Information You Provide
- Account details: name, email address, phone number, password, role (family member, caregiver, vendor, or employee)
- Care coordination content: notes, checklists, symptom logs, medication schedules, uploaded forms, and advance directives
- Media and memorial content: photos, audio, videos, and stories shared to digital obituaries or newsletters
- Vendor and professional data: business contact information, proof of credentials, service descriptions, and pricing
- Payment information: billing address and transaction details processed through secure third-party payment processors (we never store full card numbers)
- Support interactions: information you send to support@withinreach.care or during usability research sessions
2.2 Information Collected Automatically
- Device and log data: IP address, browser type, operating system, crash reports, and access timestamps
- Usage analytics: feature engagement, buttons clicked, pages visited, and referral URLs
- Cookies & local storage: session tokens, language preferences, and device identifiers that help us keep you logged in securely
- Approximate location: derived from IP address to comply with regional privacy rules and detect fraud
2.3 Information From Third Parties
- Identity information from authentication providers (currently Clerk) to verify sign-ins
- File processing metadata from cloud storage partners (currently Amazon Web Services S3)
- Content moderation or transcription services engaged to improve accessibility and safety
- Limited data from analytics, error monitoring, or AI assistive tools that process information solely on our behalf
3. How We Use Information
We use personal information to:
- Provide, personalize, and maintain the Services and your care circles
- Create secure digital obituaries, newsletters, and memory archives per your instructions
- Facilitate messaging, notifications, and collaboration between authorized users
- Process payments, manage subscriptions, and send invoices or renewal reminders
- Verify user identity, prevent fraud, and protect against unauthorized access
- Monitor platform performance, troubleshoot issues, and improve product design
- Conduct research and analytics on a de-identified or aggregated basis
- Communicate with you about security alerts, product updates, and support requests
- Comply with legal obligations, audit requirements, or enforce our Terms & Conditions
4. Legal Bases for Processing (EEA/UK)
Where GDPR or UK GDPR applies, we rely on one or more of the following legal bases: (a) performance of a contract with you; (b) your consent (for example, when you upload photos for a memorial page); (c) compliance with legal obligations; (d) protection of vital interests; and (e) our legitimate interests in providing secure caregiving tools. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
5. How We Share Information
We do not sell personal information. We may share data only with:
- Care circle members: people you explicitly invite and grant permission to view or edit content
- Service providers: vendors that host infrastructure (AWS), authentication (Clerk), secure email, analytics, or customer support tools that process information under written agreements
- Professional partners: funeral directors, hospice teams, or vendors you choose to engage through the platform
- Regulators or law enforcement: when required by applicable law, subpoena, or to protect rights, safety, or property
- Successors: in connection with a merger, acquisition, or financing, subject to confidentiality obligations and continued protection of your data
Whenever we share PHI with subprocessors, they are bound by contractual obligations to use that data only on our instructions and to maintain comparable safeguards.
6. Data Security
Security is built into our architecture. We use TLS encryption for data in transit, encryption at rest for stored files, role-based access controls, logging, least-privilege service accounts, and routine penetration testing. Despite these safeguards, no online service can guarantee absolute security. Please notify us immediately at support@withinreach.care if you suspect unauthorized access to your account.
7. Your Rights & Choices
Depending on where you live, you may have the right to access, correct, download, or delete your personal information; object to or restrict certain processing; opt out of marketing emails; and appeal decisions. To exercise these rights, email privacy@withinreach.care or use account settings where available. We will verify your identity before fulfilling requests and respond within the timelines required by applicable law.
Residents of California, Colorado, Connecticut, Virginia, Utah, and other U.S. states with consumer privacy laws can designate an authorized agent to submit requests on their behalf by following the same process.
8. Data Retention
We retain personal information only as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. Typical retention periods include:
- Active accounts: data retained until you request deletion or your subscription ends
- Deleted accounts: core content deleted or anonymized within 30 days, except invoices or audit logs kept for up to 7 years
- Backups: encrypted backups may persist for up to 90 days before they cycle out of the disaster-recovery system
9. Cookies & Tracking Technologies
We use essential cookies to keep you logged in, remember preferences, and protect user sessions. Optional analytics cookies (e.g., to understand feature adoption) are only activated after you provide consent where required. You can modify cookie preferences through your browser settings, though blocking certain cookies may degrade functionality.
10. Children's Privacy
Within Reach is intended for adults coordinating care. We do not knowingly collect personal information directly from children under 13 (or the minimum age in your jurisdiction). Caregivers may upload information about minors only when they have the legal right to do so. If you believe we collected information from a child without consent, contact privacy@withinreach.care so we can delete it.
11. International Data Transfers
Our infrastructure is currently hosted in the United States. If you access the Services from another country, your information may be transferred to, stored in, or processed in the United States or other locations where our subprocessors operate. We implement Standard Contractual Clauses or other legally recognized transfer mechanisms when required.
12. Third-Party Links & Integrations
The Services may link to external websites, memorial pages, or partner offerings. We are not responsible for the privacy practices of unaffiliated third parties, so we encourage you to review their policies before sharing information.
13. Updates to This Privacy Policy
We may revise this Policy to reflect product changes, legal developments, or new safeguards. When we make material updates, we will post the revised Policy here, update the "Last Updated" date, and notify you via email or in-app alerts when required. Your continued use of the Services after the effective date means you accept the updated Policy.
14. Contact Us
Questions about privacy, HIPAA compliance, or data protection requests can be sent to:
Email: privacy@withinreach.care
Support: support@withinreach.care
Within Reach operates as a remote-first United States company. We will provide a physical mailing address for certified correspondence upon request and respond to all verified privacy inquiries without undue delay.