Privacy Policy
Last updated: 8 April 2026 · Version 2.2
1. Who we are
The Ken is operated by TheKen Ltd, a company registered in England and Wales (company number 17136686). We ("us", "our") are the data controller for personal data processed through our device, family portal and mobile app. Contact: howard@theken.uk.
2. What data we collect
| Data | Purpose | Lawful basis |
|---|---|---|
| Name, email, phone number | Account creation and portal access | Contract |
| Password (hashed + salted) | Authentication | Contract |
| Device ID | Linking your account to a Ken device | Contract |
| Contact names, photos, phone numbers | Displaying contacts on the device | Legitimate interest |
| Messages (text) | Delivering messages between portal and device | Contract |
| Video voicemails (video/audio recordings) | Allowing family to leave messages | Consent |
| Call history (times, duration) | Showing recent calls in the portal | Legitimate interest |
| Medical records (GP, medications, allergies, conditions) | Care coordination and emergency access | Vital interests / Explicit consent |
| Care notes and medication logs | Safeguarding and care continuity | Legitimate interest (safeguarding) |
| Device heartbeat (online/offline status) | Monitoring device connectivity | Legitimate interest |
| Settings and preferences | Syncing device configuration | Contract |
| Audit log (who changed what setting, when) | Accountability and transparency | Legitimate interest |
| Photos (uploaded by family) | Photo carousel on the device | Consent |
| Consent records (what you agreed to, when) | Demonstrating lawful basis for processing | Legal obligation |
| Push notification tokens (mobile app) | Delivering alerts for messages, calls and reminders | Consent |
| Device platform and OS version (mobile app) | Ensuring app compatibility and debugging | Legitimate interest |
3. How and where we store your data
The Ken is operated from the United Kingdom by TheKen Ltd. Your data is stored and processed on infrastructure provided by Cloudflare, Inc. (headquartered in the USA) across their global network, including our primary database (Cloudflare D1), key-value stores (Cloudflare KV), media storage (Cloudflare R2) and real-time signalling (Cloudflare Durable Objects). Cloudflare is certified under ISO 27001 and SOC 2 Type II. Video call relay, when a direct peer-to-peer connection is not possible, is handled by TURN servers hosted by Hetzner Online GmbH in Germany. Data is encrypted in transit (TLS 1.3) and at rest.
International transfers. Because Cloudflare operates a global network, some processing may take place outside the UK and the European Economic Area. Where this occurs, transfers are protected by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, incorporated into our processors' Data Processing Agreements. Hetzner processing takes place within the EEA (Germany), which benefits from a UK adequacy decision.
We apply additional layers of protection:
- Passwords are salted and hashed using PBKDF2 with 600,000 iterations - never stored in plain text
- Sensitive medical data (GP details, medications, allergies, conditions, care notes) is encrypted at the field level using AES-256-GCM before storage
- MFA backup codes are individually hashed - we cannot read them
- Deleted user data is tokenised and the identity mapping is encrypted with a separate key in an isolated data store (see Section 6)
4. Who has access to your data
- Device users can see contacts, receive messages and calls on the physical device
- Standard users can see their own messages, calls and voicemails via the portal
- Admin users can manage contacts, messages, settings, medication reminders, and view the audit log
- Carer users can access care notes, medical records, medication management, and check-in schedules for devices they are assigned to
- HQ administrators can view all devices, manage user roles, and - with documented justification - resolve tokenised identity records for legal or safeguarding purposes. Every such access is audit-logged
- The Ken team may access data for technical support or to resolve issues, only when necessary
- We do not sell, rent or share your personal data with third parties for marketing purposes
5. Third-party services (sub-processors)
We use the following third-party services to operate The Ken. Each acts as our data processor under a written Data Processing Agreement:
- Cloudflare, Inc. (USA / global network) - API hosting, D1 database, KV stores, R2 media storage, and Durable Objects for real-time and video call signalling (privacy policy)
- Hetzner Online GmbH (Germany) - TURN relay servers for video calls when peer-to-peer is not possible (privacy policy)
- Netlify, Inc. (USA) - marketing website hosting (privacy policy)
- Resend (USA) - transactional email delivery (privacy policy)
- Apple Inc. (Apple Push Notification service) and Google LLC (Firebase Cloud Messaging) - delivering push notifications to the mobile app. Only the push token, an opaque identifier for the app installation on your device, is shared with these services; no message content is transmitted through them
Video calls use peer-to-peer WebRTC connections, in which call media is encrypted between the two endpoints (DTLS-SRTP). When a direct connection is not possible, calls are relayed through our TURN servers hosted by Hetzner in Germany; the relay forwards the already-encrypted packets and cannot read them. Call content is not recorded or stored.
6. Data retention and deletion
While your account is active:
- Account data is retained for the lifetime of your account
- Messages are retained up to 100 per device, oldest removed first
- Voicemails and video messages are retained for 30 days by default, or longer if you have an extended storage plan
- Audit logs are retained up to 500 entries per device (older entries archived, up to 5 archive files)
- We may retain voicemail and video message data in our secure cloud infrastructure for a limited period beyond your visible retention window, to allow for service recovery, dispute resolution, or in case you choose to extend your storage plan. This data is not accessible to users during this period and is permanently deleted in accordance with our internal retention schedule
When your account is deleted, we use a tokenisation process to protect your identity while retaining records we are legally required to keep:
- Your personal identifiable information (name, email, phone number) is replaced with a random token across all records
- The mapping between your token and your real identity is encrypted with a separate key and stored in an isolated, access-controlled data store
- Only HQ administrators can resolve a token back to a real identity, and only with a documented reason - every lookup is audit-logged
- After the retention period expires, the token mapping is permanently deleted; without it, the retained records can no longer be linked back to you by anyone, including us
Post-deletion retention periods:
| Data type | Retention period | Justification |
|---|---|---|
| Medical records and care notes | 3 years | UK safeguarding obligations |
| Audit logs | 6 years | Legal and regulatory compliance |
| Messages and feedback | 1 year | Dispute resolution |
| All other data | 90 days | Operational cleanup |
Expired records are automatically purged by a daily process. Once the token mapping is deleted, the retained records are effectively anonymous and cannot be linked back to any individual.
7. Your rights (UK GDPR)
You have the right to:
- Access - request a copy of all personal data we hold about you (Subject Access Request). We will provide this within one month, as UK GDPR requires, in a machine-readable format
- Rectification - correct inaccurate data via your profile settings or by contacting us
- Erasure - request deletion of your data ("right to be forgotten"). We will tokenise your identity and delete your account. Certain records may be retained in tokenised form where we have a legal obligation (see Section 6)
- Portability - receive your data in JSON format via the portal's data export feature (available to Admin and HQ users)
- Object - object to processing based on legitimate interest
- Restrict processing - request that we limit how we use your data
- Withdraw consent - for data processed on the basis of consent (e.g. voicemails, photos, marketing communications). You can manage your consent preferences at any time via the portal's subscription settings
To submit a Subject Access Request or exercise any of these rights, email howard@theken.uk. We will respond within one month. HQ administrators can also process Subject Access Requests via the portal's HQ Admin panel.
8. Consent
When you create an account, you are asked to confirm that you have read and agree to this privacy policy and our Terms & Conditions. This consent is recorded with a timestamp and the policy version number in your account record.
You can manage your communication and data preferences at any time via the Subscriptions section in your profile settings. Each preference records when it was last changed. The following are individually configurable:
- Email notifications (messages, voicemails, missed calls, medication alerts)
- Birthday reminders
- Product updates and announcements
Withdrawing consent for optional features will not affect the core functionality of your Ken device.
9. Children's data
The Ken service is not intended for use by children under 13. We do not knowingly collect data from children. Contact photos of children (e.g. grandchildren) uploaded by family members are stored solely for display on the device.
10. Security
- All data in transit is encrypted using TLS 1.3
- Passwords are individually salted and hashed - never stored in plain text
- Sensitive medical fields are encrypted at rest using AES-256-GCM
- Deleted user identity mappings are encrypted with a separate key in an isolated data store
- Session tokens expire after 30 days and are HttpOnly + Secure
- Optional two-factor authentication (TOTP) is available
- Rate limiting is applied to authentication, password reset, and sensitive endpoints
- CSRF protection is enforced on all state-changing requests
- Content Security Policy headers restrict script execution
- The audit log tracks all administrative changes and data access
- Automated anomaly detection monitors for unusual access patterns (e.g. excessive authentication failures, bulk data access)
11. Data breach notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by Article 33 of UK GDPR
- Notify affected individuals without undue delay where the breach is likely to result in a high risk, as required by Article 34
- Document the breach, its effects, and the remedial actions taken in our internal audit log
Our automated monitoring systems alert us to potential breaches including unusual login patterns, bulk data access, and unauthorised PII lookups.
12. Changes to this policy
We may update this policy from time to time. Changes will be posted on this page with an updated date. For material changes, we will notify you via email. If a policy change affects how we process your data, we may ask you to re-confirm your consent.
Policy version: 2.2
13. Contact
For privacy-related questions or to exercise your rights, contact us at howard@theken.uk or call +44 7845 546 551.
If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.