Privacy Policy
Version 1.0 · Effective: 27 May 2026
Circle247 (“we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use the Circle247 application and website (the “Service”).
We are the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data We Collect
1.1 Information You Provide
- Account data: Name, email address, password (stored hashed)
- Profile data: Phone number, home address, profile photo
- Payment data: Processed by our payment provider (Control Suite PayLink). We do not store your card details.
1.2 Data We Collect Automatically
- Location data: Precise GPS coordinates shared at regular intervals while the app is active. This includes SOS alert locations, check-in locations, and location history.
- Device data: Device type, operating system, push notification tokens, browser type (web app)
- Usage data: Feature interactions, timestamps of actions (SOS triggers, check-ins, logins)
- Technical data: IP address, session identifiers
1.3 Data from Other Sources
- Circle members: When a Guardian adds you to their circle, they provide your relationship context. When you join a circle, your location becomes visible to that circle’s Guardian.
2. How We Use Your Data
| Purpose | Data Used | Lawful Basis (UK GDPR) |
|---|
| Provide the core service (location sharing, SOS alerts, check-ins, offline detection) | Location, account, device | Performance of contract (Art 6(1)(b)) |
| Send push notifications and SMS alerts | Device tokens, phone number | Performance of contract (Art 6(1)(b)) |
| Process payments | Account data (card data handled by payment provider) | Performance of contract (Art 6(1)(b)) |
| Protect vital interests in an SOS event | Location, account | Vital interests (Art 6(1)(d)) |
| Maintain security, prevent fraud | IP address, usage data | Legitimate interests (Art 6(1)(f)) |
| Improve the Service | Anonymised usage data | Legitimate interests (Art 6(1)(f)) |
| Comply with legal obligations | Account, payment records | Legal obligation (Art 6(1)(c)) |
| Send service updates and communications | Email | Legitimate interests (Art 6(1)(f)) |
| Marketing communications (only with your consent) | Email | Consent (Art 6(1)(a)) |
3. Location Data — Special Considerations
Location data is central to our Service. We want you to understand exactly how it works:
- Inner Circle members: Your precise location is continuously visible to your Guardian(s) while you are online.
- Wider Circle members: Your location is only shared with Guardians when you have an active SOS alert.
- Location history: We retain location history for up to 30 days, after which it is permanently deleted.
- Visible indicator: When location sharing is active, a visible indicator is displayed in the app.
- You can stop sharing: You can disable location services on your device at any time, though this will affect the Service’s ability to function.
4. Children’s Privacy
Circle247 is designed for family use and may be used by children aged 13 and over with parental consent. We comply with the ICO’s Age Appropriate Design Code (Children’s Code):
- Children under 13 may not create accounts. A parent or guardian must create and manage accounts for children under 13.
- Children under 18 must have a parent or legal guardian accept our Terms and this Privacy Policy on their behalf.
- We collect only the minimum data necessary for the Service to function.
- When a Guardian monitors a child’s location, the child sees a clear visible indicator that tracking is active.
- We do not serve targeted advertising to any users, including children.
- Privacy settings default to the highest privacy level.
5. Who We Share Your Data With
- Your circle members: Guardians see Inner Circle members’ locations. All circle members see names and avatars. Location is shared with the Wider Circle only during an active SOS.
- Service providers:
- Push notification services (Apple APNS, Google FCM) — device tokens only
- SMS gateway — phone numbers for SOS alerts only
- Email delivery service — email addresses for alerts and communications
- Payment processor (Control Suite PayLink) — payment data only
- Hosting provider — all data as necessary to operate servers
- Law enforcement: We will disclose personal data where required by law, court order, or if we believe disclosure is necessary to protect life or prevent serious harm.
We do not sell your personal data. We never have and we never will.
6. Data Retention
| Data Type | Retention Period |
|---|
| Location history | 30 days |
| SOS event records | 12 months |
| Activity logs | 12 months |
| Account data | While account is active + 30 days after deletion |
| Payment records | 6 years (HMRC requirement) |
| Consent records | 6 years after consent given |
After the retention period, data is permanently deleted or anonymised.
7. International Data Transfers
Your data is primarily stored on servers located in the United Kingdom. Where we use third-party services that process data outside the UK (such as push notification services), we ensure appropriate safeguards are in place, including UK adequacy decisions or Standard Contractual Clauses.
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Passwords are hashed using industry-standard algorithms
- HTTPS encryption for all data in transit
- Access controls limiting who can access personal data
- Regular security reviews
No method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
In the event of a data breach that poses a high risk to your rights and freedoms, we will notify you and the Information Commissioner’s Office (ICO) within 72 hours as required by UK GDPR Article 33.
9. Your Rights
Under the UK GDPR, you have the following rights:
- Right of access: Request a copy of your personal data (Subject Access Request)
- Right to rectification: Correct inaccurate or incomplete data
- Right to erasure: Request deletion of your data (“right to be forgotten”)
- Right to restrict processing: Ask us to limit how we use your data
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interests
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time
- Rights related to automated decision-making: We do not use automated decision-making or profiling that produces legal effects.
To exercise any of these rights, email us at hello@circle247.com. We will respond within one month.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113.
10. Cookies
We use cookies and similar technologies. For full details, see our Cookie Policy.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before the changes take effect. The current version will always be available on our website.
12. Contact Us
For privacy-related enquiries or to exercise your data rights:
Circle247
Email: hello@circle247.com
You may also contact the ICO:
Information Commissioner’s Office
ico.org.uk
Tel: 0303 123 1113