Privacy policy
Last updated: 2026-06-10
0. Data controller (GDPR Art. 13)
- Controller: Dario Vallés Stahnke
- Tax ID (NIF): 44024379X
- Registered address: Spanish business registration in progress · sole legal contact: [email protected]
- Contact: [email protected]
1. Summary
- We collect no data about your family. Not a count, not an opaque token, not a hash.
- No user account. Every message between the elder's phone (Quiles Mayor) and the caregiver's phone is E2E-encrypted with your family key (AES-GCM, X25519 shared secret derived when you scanned the pairing QR).
- We do operate a relay (api.quiles.app, Cloudflare Worker) that ferries those opaque envelopes when the two phones are on different networks. We do not see what's inside and we do not store the envelopes.
- Medication, the medical card, contacts, the audit log, the PIN hash, and the pairing keys sit on the two phones in your family, and nowhere else. If you smashed both phones, there would be nothing about your family anywhere.
- If the elder uses Quiles Mayor unpaired (solo mode), there is no relay at all: everything lives only on their phone.
1.1 What our server (relay) sees
The relay is blind by construction. For full transparency, here is the complete list of what passes through api.quiles.app:
- Sees: a random familyId (opaque identifier, no name, no email), the envelope size, its timestamp, and the elder↔caregiver direction.
- Sees: the source IP of the connecting client (Cloudflare logs this for any HTTPS connection). Held for up to 24 hours in anti-abuse logs.
- Does not see: envelope content, medication, the medical card, reminders, locations, audio, or the body of an SOS.
- Does not see: the family member names, the elder's name, or device names.
- Does not see: how often you open Locate beyond the envelope timestamp.
- Does not persist: the envelope is delivered and dropped. If the recipient isn't online, the envelope is held in memory for at most 30 seconds and discarded. No disk.
On Locate and SOS: they ride a separate opaque WebSocket (WS) with the same rules. The relay sees timestamps and sizes, never positions or audio. A Locate session lasts up to 15 minutes.
On the safe zone (geofence): the entry/exit alert also travels encrypted through the relay. The envelope carries only the zone ID and timestamp; our server doesn't know which zone that is ("Home" lives only on your phones) nor where your relative stood.
1.2 End-to-end encryption
Pairing generates an X25519 keypair on each phone. When you scan the QR, both sides derive the same shared secret via ECDH and from it an AES-GCM key. Every envelope is encrypted at the source with that key and only decrypted at the destination. Our server holds no piece of the key material, so we couldn't decrypt even if we wanted to.
To rotate the key, you repeat pairing. There is no "forget my key" endpoint because we can't forget what we never had.
1.3 Without network: Bluetooth (BLE)
If the two phones are nearby and the internet is gone, envelopes travel directly over Bluetooth Low Energy. Slower, but offline. The choice is automatic: if there's a network, the relay; if not, BT. In both cases the envelope is encrypted with the same family key.
1.4 How we wake the phone
Android: the phone holds a persistent encrypted WebSocket to our relay. No Firebase, no Google Play Services messaging, no Google middleman of any kind. When a change arrives from the other side, the relay pushes it back down that same socket. The connection lives inside the Quiles foreground service.
iOS (caregiver phone): we use Apple Push Notification service (APNs) — there's no alternative: Apple won't let an app wake in the background without going through APNs. We store the APNs token on the relay, tied to the familyId. It's an opaque identifier only Apple knows how to interpret. The token carries no content; the content travels separately, end-to-end encrypted.
Zero Google dependency. The only outside company that ever sees an identifier of ours is Apple, and only for the caregiver phone on iOS.
1.5 SOS: location and intercom (audio + video)
When the elder fires an SOS, their phone alerts the contacts the family has configured. The SOS envelope may include the elder's last known location and the emergency fields of their medical card; all of it travels E2E-encrypted with the family key, and the relay only sees opaque bytes.
The two phones also try to open an audio + video call between themselves. It's WebRTC peer-to-peer: audio and video travel directly between the two phones and never hit our server.
When the two endpoints can't see each other directly (strict NAT, cellular networks), we fall back to Cloudflare Realtime TURN as an encrypted last-resort relay. Cloudflare forwards opaque packets — encrypted traffic, no content.
To set up the call, the two phones exchange signalling messages (SDP offer/answer and ICE candidates). These also travel end-to-end encrypted with your family key — the relay only sees opaque bytes and forwards them between the two ends without opening anything. Those messages carry network metadata required by WebRTC; no voice, no video.
In silent mode, the elder's phone also sends two thumbnail photos (front + rear camera, 360×360, JPEG quality 50, encrypted with the family key). The caregiver decrypts them inside the SOS envelope; the relay never sees them in clear.
2. Health data (GDPR Art. 9)
Quiles Mayor handles special-category data: the elder's medication (which medicines they take, the reminder schedule, and the dose log — taken or missed) and their medical card (allergies, conditions, medication, blood type, and emergency contact details). Here is how we treat it:
- It lives only on the phones. Stored encrypted at rest (AES-GCM-256) on the elder's phone. Synchronisation with the caregiver's phone is end-to-end encrypted with the family key. There is no copy on our servers and the relay cannot decrypt it: we are not a cloud health-data processor.
- Adherence sharing requires explicit consent. Sharing whether the elder took or missed their medication with the caregiver is off by default and requires the elder's explicit consent on their own phone (GDPR Art. 9.2.a). It can be withdrawn at any time from Settings, with immediate effect (Art. 7.3): from that moment, not a single further dose is sent.
- Retention: 90 days. The dose history is automatically purged after 90 days on the elder's phone. The care record on the caregiver's phone is likewise purged after 90 days.
- Emergency medical card. If the family fills in the medical card, a subset of fields can be shown on the elder's lock screen and inside the SOS alert, so whoever assists them in an emergency can see it. This is deliberate and under your control: only what you choose to fill in is shown.
- Solo mode. Unpaired, medication and the medical card live only on the elder's phone and never leave it.
Battery level and scam-filter alerts are not health data: they are ordinary personal data processed under the legitimate interest of the care relationship (Art. 6.1.f), and they travel down the same encrypted path.
3. What the app stores on your device
Encrypted at rest, local only:
- Argon2id hash of the family PIN. The PIN itself is never written.
- The elder's trusted contacts (with optional photo), medication, reminders, and medical card (see section 2).
- Local audit log on the caregiver's phone (SOS alerts, battery, detected scams and — only with consent — medication doses). Purged after 90 days. We never transmit it.
- Pairing material: X25519 keypairs and the derived shared secret.
- Location fixes during an active Locate session (15 min) or an SOS: encrypted E2E with the family key, held in memory for the life of the session, never persisted as plaintext. History is off by default; if you turn it on it lives encrypted on your phone and is purged after 7 days.
- The optional safe zone (geofence, off by default). The circle definition and entry/exit events live encrypted on your phones; the event you receive carries only a zone name and timestamp, never a route.
Uninstalling the app, or tapping "Wipe all data" in Settings, removes all of this on the spot.
4. What the app and server do NOT do
- The server doesn't open envelopes (it can't: it has no key) and doesn't store them on disk.
- No analytics, advertising, or crash-reporting SDKs.
- Does not read messages, calls, keystrokes, or network traffic.
- Does not track location continuously. Only during an active Locate session (15 min) or an SOS. Each fix travels E2E-encrypted with the family key and our relay only sees timestamps, sizes, and direction, never positions. History is off by default; if you turn it on it lives encrypted on your phone and is purged after 7 days.
- Does not enrol your device into any MDM.
- Does not transmit your relative's data to any third party.
- The relay doesn't know who your family is, nor your device names. It only knows a random familyId.
5. Payment and subscription
The subscription is purchased inside the app, through the App Store (Apple) or Google Play (Google) in-app purchase. Apple or Google is the seller (Merchant of Record) and handles your payment, card, and tax data; we never see them. Subscription state is managed with RevenueCat acting as a data processor.
Quiles itself receives only the minimum needed to recognise your entitlement:
- An internal licence/subscription identifier (UUID).
- An anonymous app user id, with no real name attached.
- Subscription status (active, trialing, cancelled) and currency.
There is no buyer database on our side, and we never email you a licence. Cancellation and refunds are handled by the App Store or Google Play under their own policies.
6. Support email
Email to [email protected] arrives in a mailbox in La Garriga (Barcelona). We keep the thread for up to 90 days after we've closed your case, in case you write back, and then we delete it.
7. Rights
We don't centrally store personal data about your family (the relay only sees opaque metadata and drops it within seconds), so there is no record against which to exercise GDPR access, rectification, or erasure rights (Art. 15-17). Your data — health data included — lives on the two phones, under your direct control:
- Erase: Settings, Wipe all data on each phone, or uninstall. This also removes medication, the dose history, and the medical card.
- Withdraw adherence consent: in Settings on the elder's phone, with immediate effect.
- Invalidate the relay familyId: simply repeat pairing.
8. The child app
Quiles can also pair with a child's phone. Exactly the same architecture described above applies to that product: same E2E encryption, same blind relay, nothing on servers. Specifically:
- Child profiles, allowed apps, schedules, daily limits, and SOS contacts live encrypted on the two phones only.
- Optional per-child geofences are off by default; the alert carries only a zone name and timestamp, never a route, and our server doesn't know which zone that is nor where the child stood.
- We do not transmit the child's data to any third party, and we cannot see it.
9. Changes
Any change ships with the next app version. There is no remote-configuration channel that could alter this policy without an app update.
10. Contact
Support and GDPR: [email protected].
Controller: Dario Vallés Stahnke · NIF 44024379X. Business registration in progress; until then, legal notices reach the controller at [email protected].