We built That’s Right. for a single, narrow purpose: to help an elderly person stay grounded through the day, and to keep their family quietly informed. Everything below follows from that.
- We don’t record or store your voice. Speech is transcribed on your iPhone, in real time, on-device. The audio itself never leaves your phone.
- What we do keep is the text of what was said, what the app replied, and a short profile of the person using it — so their family can receive a daily recap and so the app remembers the person from one day to the next.
- Who sees it: the person’s designated family group on Telegram, the AI provider that generates the recaps (Anthropic, via OpenRouter), Apple (for sign-in), and us, the people running the servers. No advertisers. No data brokers. No analytics companies.
- Where it lives: on a server we operate in Germany, and on the iPhone itself.
- You can ask us to delete everything, at any time, by writing to the address at the bottom of this page.
This summary is true, but it isn’t the whole policy. The rest of this page is the detail.
1 Who we are
That’s Right. (the “app”) is operated by That’s Right SAS (“we”, “us”), the data controller for the purposes of the EU General Data Protection Regulation (GDPR) and equivalent laws.
For any question about this policy, or to exercise any of the rights described below, write to: domlecadev@gmail.com.
We answer privacy requests personally — there is no support ticket queue. We aim to reply within seven days.
2 Who this policy is for
That’s Right. is used by two distinct people, and we want to be clear about how we treat each:
- The patient — the person speaking with the app, typically an elderly relative living with cognitive decline. The patient is the subject of most of the data described below.
- The caregiver — typically an adult child or close family member. The caregiver sets the app up, manages the family Telegram group, and acts on behalf of the patient when the patient cannot.
Both are “data subjects” under GDPR. Where the patient cannot meaningfully consent on their own behalf, the caregiver provides consent in their place, in line with applicable family-care and capacity laws. We rely on the caregiver to have the authority to do so before installing the app.
3 What we handle, and why
The clearest way to explain what we do with data is to walk through it by category, the same way the app itself uses it.
3.1 The patient’s profile (“Ground Truth”)
When the app is first set up, it builds a short profile of the patient: preferred name, year of birth, a short biography, family contacts, medical conditions, allergies, mobility, daily rhythm, soothing activities, things to avoid. This profile lives on the iPhone (in iCloud Drive if you have it enabled) and is synced to our server.
Why: the app uses this profile to recognise the patient from day to day, to respond appropriately, and to write the daily recap.
Legal basis (GDPR): explicit consent (Article 6(1)(a)) for ordinary fields, and explicit consent (Article 9(2)(a)) for the health-related fields (medical conditions, allergies, mobility). Some of this information qualifies as “special category” data under GDPR — we treat it accordingly.
Retention: for as long as the account is active. Deleted on request, or when the account is closed.
3.2 Conversations
Each time the patient speaks with the app, the app saves a structured record of the exchange. That record contains: the transcribed text of what the patient said, the app’s reply, when it happened, how long the reply took, and a few small technical fields (app version, whether the patient interrupted, whether the system detected a phrase indicating distress).
Why: these records are the raw material for the daily recap, and they let the family review the day if something seems off.
Legal basis (GDPR): explicit consent (Article 6(1)(a) and, for health-related content within conversations, Article 9(2)(a)).
Retention: kept for as long as the account is active, so the family can scroll back through recent days. We do not have a hard expiry today; we plan to introduce one in a future version, and we will update this policy when we do.
3.3 Voice audio — the important paragraph
Speech is recognised on the iPhone itself, using Apple’s on-device speech recognition framework. The raw audio is processed inside the phone, converted to text, and immediately discarded. No audio file is ever written to the phone’s long-term storage, sent to our server, or sent to anyone else. What leaves the phone is the transcript text, never the recording.
The same is true of the app’s voice replies: they are generated on the phone by Apple’s text-to-speech, locally, and not recorded.
3.4 Daily reports and urgent alerts (Hermes)
Once a day, our server reads the conversations for that patient, asks an AI model to summarise them, and posts a short report to the family’s Telegram group. The report describes the day’s mood and rhythm, notes anything the family may want to follow up on, and sometimes quotes the patient verbatim where the quote matters.
Separately, if the system detects a phrase the patient said that suggests distress (for example, an expression of physical pain), it sends an immediate alert to the same Telegram group.
Why: the entire point of the product.
Legal basis (GDPR): explicit consent. The caregiver opts in to this routing when they connect the app to a Telegram group.
Retention: the report and alert messages live in your Telegram group until you delete them — Telegram is the system of record there, not us. On our side, we keep a copy of what we sent.
3.5 Account and authentication
To sign in, the patient (or the caregiver on their behalf) uses Sign in with Apple. Apple gives us an opaque identifier (the “Apple subject” — a string that means nothing outside this app) and confirms that the sign-in is genuine. We do not receive the user’s Apple ID email, name, or any other Apple account information beyond that identifier, unless Apple includes them and the user explicitly chooses to share them.
On our server we store: the Apple identifier, a hashed session token (the original is never written to disk), a creation date, and a “last seen” date. On the iPhone, the session token is stored in the secure Keychain.
Why: so the app knows it’s still the same person on the same phone, without asking them to log in every day.
Legal basis (GDPR): contractual necessity (Article 6(1)(b)) — without authentication, the app cannot function.
Retention: for as long as the account is active. When you delete your account, the identifier and tokens are removed within thirty days.
3.6 Family contacts
The patient’s profile includes the names and phone numbers of family contacts (typically the caregiver and one or two others). We treat these contacts as personal data belonging to those individuals.
Why: so the app and the family group know who to call or refer to in the conversation.
Legal basis (GDPR): legitimate interest (Article 6(1)(f)) — the family’s interest in being reachable for the patient’s care — provided the caregiver confirms the contacts are aware their details have been added. We rely on the caregiver to obtain that confirmation.
Retention: same as the patient profile.
3.7 What we do not collect
To remove any doubt:
- We do not collect your location.
- We do not collect contacts from your phone book.
- We do not collect photos or media.
- We do not use any advertising identifier.
- We do not run any analytics, telemetry, or crash-reporting service (no Google Analytics, no Firebase, no Sentry, no Mixpanel — none).
- We do not sell, rent, or share personal data with advertisers or data brokers.
- We do not profile users for any purpose other than running the app.
4 Who else handles your data
That’s Right. depends on a small number of external services. We’ve chosen each of them deliberately and we keep the list short.
| Service | What they do for us | What data reaches them | Where |
|---|---|---|---|
| Apple | Sign in with Apple, on-device speech recognition, text-to-speech | The Sign in with Apple identifier; speech is processed entirely on the iPhone and not transmitted to Apple’s servers | Apple Inc., USA / EU |
| OpenRouter (Anthropic models) | Generates the app’s spoken replies and the daily family report | The patient profile and the transcribed text of conversations, sent at the moment of the request | Routed through OpenRouter’s infrastructure to Anthropic’s models (USA) |
| Telegram | Delivers the daily report and urgent alerts to the family group | The text of each message; the Telegram chat ID of the family group | Telegram FZ-LLC (UAE / global) |
| Hetzner Online GmbH | Hosts our server | All server-side data described in this policy is stored on a Hetzner virtual machine | Falkenstein, Germany (EU) |
Each of these providers acts as a “processor” or independent controller, under their own privacy terms, which we recommend you read. They are not permitted, under our agreements with them or under applicable law, to use your data for their own purposes beyond providing the service.
5 Where your data lives
Our primary server is in Germany (an EU member state), operated by Hetzner. Data is stored there on disk, encrypted at rest at the file-system level and accessible only to processes running on the machine.
Some of the providers above (notably Anthropic, via OpenRouter, and Telegram) operate outside the European Economic Area. When data is sent to them, we rely on the appropriate legal mechanisms — standard contractual clauses or equivalent — to keep that transfer lawful under GDPR and similar laws.
6 How we protect your data
- All traffic between the app and our server uses TLS 1.2 or higher.
- The session token on your iPhone is stored in the iOS Keychain, the same secure store the operating system uses for passwords.
- On our server, the database is readable only by the application process, and the host is firewalled from the public internet except for the application port.
- We do not log raw transcripts or conversation contents to operational logs. We log only what we need to debug — request counts, error codes, and the like.
- We do not export, back up, or copy personal data outside of routine encrypted snapshots of the server, which themselves live in the same data centre.
No system is perfect. If we ever discover that personal data has been exposed, we will tell affected users within 72 hours of discovering it, and notify the supervisory authority where required.
7 Your rights
If you live in the EU, the UK, or another jurisdiction with a GDPR-style regime, you have the right to:
- Access the personal data we hold about you, and receive a copy.
- Correct anything that is wrong.
- Delete your data (“right to be forgotten”). For a patient account, this deletes the profile, all conversation records, the authentication identifier, and any pending family reports. It does not retroactively remove messages already sent to your Telegram group — those are yours to delete from Telegram itself.
- Restrict or object to how we use your data.
- Port your data to another service, in a machine-readable format.
- Withdraw consent at any time. Withdrawing consent does not affect the lawfulness of processing that already happened.
- Complain to your local data protection authority. In France, that is the Commission Nationale de l’Informatique et des Libertés (CNIL). In other EU countries, the equivalent regulator.
If you live in California, you have analogous rights under the CCPA/CPRA, including the right to know what we collect, the right to delete, and the right to opt out of any “sale” or “sharing” of personal information — though, as noted above, we do not sell or share for advertising.
To exercise any of these rights, email domlecadev@gmail.com. We may ask you to confirm your identity (for the patient’s account, normally by confirming the Apple identifier or by being signed in through the app). We will respond within 30 days.
8 Children
That’s Right. is not designed for, marketed to, or intended for use by children under 16, and we do not knowingly collect personal data from them. If you believe a child’s data has reached us, please write and we will delete it.
9 Changes to this policy
When we change this policy in a way that materially affects how we handle your data, we will:
- update the effective date at the top of the page,
- notify the caregiver through the family Telegram group, with a short summary of what changed, and
- post the previous version below (we keep an archive).
Smaller, clarifying edits — fixing a typo, clarifying a sentence — will just be made silently. The effective date will still tell you when the page was last touched.
10 Contact
For any question, request, complaint, or concern related to this policy or to your data:
That’s Right SAS
Email: domlecadev@gmail.com
We read every message ourselves.