Data retention, export, deletion.

What gets uploaded to the cloud

Nothing that resembles raw radar data, ever. Only the categorical events produced by the on-device classifier:

• Presence (yes / no) per room, sampled at coarse intervals during change events.
• Activity category (sleeping, resting, moving, away).
• Posture transitions (standing <-> sitting <-> lying), where they occur.
• Fall signatures (timestamped event, with an internal confidence score).
• Lack-of-motion events crossing a configurable threshold.
• Acknowledgment chain for any alert (which contact, when, what action).

What never leaves the sensor:

• Raw radar IQ data.
• Spatial reconstructions of the room.
• Anything resembling an image, audio, or identity.

Family kit (Wellytic Home) retention

Defaults you can adjust in the app under Privacy, except where noted as fixed by the data-handling architecture.

• Categorical events: 90 days hot, then summarized to daily aggregates. Adjustable down to 7 days hot.
• Daily summaries: retained for the life of the subscription.
• Fall events: retained indefinitely while the subscription is active. Available for export as evidence bundles on request.
• Acknowledgment chains: retained for the life of the corresponding fall or lack-of-motion event.
• On account deletion: full event purge within 30 days. Backups age out within an additional 30 days.

Care home (Wellytic Care) retention

• Categorical events: 365 days hot for audit and regulator access.
• Evidence bundles: retained for the life of the operator agreement, plus the regulator-mandated minimum (varies by jurisdiction).
• Resident-facing data export and erasure: within the operator's documented data-handling SLA. Operator is the data controller; Wellytic is the processor.
• Per-resident deletion: on operator request, full event purge for the named resident within 30 days. Backups age out within an additional 30 days.

Export paths

For families:

• App-driven JSON or CSV export of any time range. Daily summaries and fall events.
• Email-delivered archive bundle on account closure (timestamped, signed).

For care homes:

• Webhook-driven event stream (real-time).
• SFTP daily summary push.
• Evidence bundle CSV export, signed via the RelayOne audit substrate.
• Operator-portal triggered per-resident export.

Deletion guarantees

Deletion targets the same retention surfaces as backup. We do not retain "shadow copies" outside the documented retention chain.

• Hot store: deleted within 24 hours of request.
• Daily aggregates: deleted on the same schedule as hot store.
• Backup: ages out within 30 days.
• Audit ledger entries that were cryptographically signed cannot be deleted; instead, a deletion-marker entry is appended. This is the trade-off of having a tamper-evident audit chain.

Sovereign Canadian hosting (Heroa BC substrate)

For Canadian care home operators with strict in-province requirements:

• All event data, evidence bundles, and audit ledger entries reside within Canada under Canadian-entity MSA.
• Hosted on the Heroa BC substrate (the same substrate used by other Good Ventures Lab Canadian-sovereign deployments).
• Cross-border access (e.g. for engineering troubleshooting) is gated and logged; no data leaves Canada under this deployment unless an operator explicitly authorizes it.

Compliance regimes

• HIPAA, US care home operators. BAA execution available.
• PHIPA, Ontario operators. PIA support available.
• PIPEDA, federal Canadian privacy law. Default for non-Ontario Canadian operators.
• State and provincial regulators. Specific certifications listed per jurisdiction; please ask for the latest sheet.

Audit access

• Operators have evidence-bundle export access via the operator portal.
• Regulators receive read-only audit ledger access through a regulator-specific account, on operator request.
• Family members do not have audit ledger access; they have summary-level access through the app.

Contact for data-handling questions

For data-handling questions or to initiate a deletion request, email [email protected].