Addison's Diary · Privacy Policy · Pribco LLC

ADDISON'S DIARY

Privacy Policy

Pribco LLC · addisonsdiary.com

Effective June 21, 2026 · Version 7.1 · USA Only

Your privacy is central to everything we do.
We do not sell your personal information.
Your care and health data is never shared with advertisers or used for advertising.
We do not allow medical professionals or third parties to access your account.
The Addison's Diary app is a tracker-free environment.
Marketing tools (Meta Pixel) operate only on the public landing page — they never load inside the app or on any page where health data is present.
Disclosures to service providers (AWS, Stripe, Postmark, Twilio) are made under strict contractual restrictions solely to deliver the service. These are not sales or commercial sharing.
IN ANY MEDICAL EMERGENCY — CALL 911 IMMEDIATELY.
Addison’s Diary is NOT monitored. Notifications may be delayed or may fail to deliver.
NEVER use this platform to request emergency assistance.
If someone’s life is at risk — call 911 FIRST. Always.

THIS PLATFORM IS NOT AN EMERGENCY SERVICE — IN ANY EMERGENCY, CALL 911 IMMEDIATELY

If someone’s life is at risk right now, put down this app and call 911.

Do not send an SOS alert. Do not post a family message. Do not use any feature of this platform. Pick up the phone and call 911. Every second matters and this platform cannot help you in an emergency. Emergency services can.

The SOS Feature — What It Is and What It Is Not

The SOS feature exists to alert your family members that a situation needs their personal attention. It is not a medical alert system. It is not connected to 911, to any hospital, or to any emergency dispatcher. It must never be used as a substitute for calling 911 when a life is at risk.

No Feature of This Platform Is an Emergency Tool

EMERGENCY NUMBER — SAVE THIS NOW
United States: 911
If someone is in danger, call 911. Do not wait for a response from this platform.

After You Call Emergency Services

Once you have called 911 and help is on the way, you may then use the platform’s SOS or family messaging features to alert your family members. Emergency services first. Family notification second. Never the other way around.

Addison’s Diary is not an emergency service. It is not monitored. Notifications are not guaranteed. In any situation where a life may be at risk — stop, call 911, and get real help on the way.

1. Who We Are

Addison’s Diary is a product of Pribco LLC, a Georgia limited liability company. “We,” “us,” and “our” refer to Pribco LLC. This Privacy Policy explains what information we collect when you use the Platform, how we use and protect it, who can see it, and the choices you have. It applies to the Addison’s Diary website and web application at addisonsdiary.com.

By creating an account or using the Platform, you agree to this Privacy Policy. This Policy should be read together with our Terms of Use, Platform Disclaimer, Acceptable Use Policy, HIPAA Notice and Health Data Policy, Data Deletion and User Rights Policy, and Cookie Policy — all available at addisonsdiary.com. In the event of any conflict, the order of precedence is: Terms of Use, Acceptable Use Policy, Data Deletion and User Rights Policy, HIPAA Notice and Health Data Policy, Privacy Policy, then Cookie Policy.

2. Information We Collect

Information You Provide Directly

Technical Information Collected Automatically

Information We Do Not Collect

3. How We Use Your Information

We use the information we collect to:

What we do NOT do with your care and health information:
We do not sell your personal information.
We do not use your care or health data for behavioral advertising.
We do not build advertising profiles from your care data.
We do not share care or health data with healthcare providers, insurers, employers, or any commercial third party for their own use.
What we DO on the public landing page (before sign-up):
We run a Meta Pixel on the landing page for advertising and retargeting.
We may use Google reCAPTCHA for bot protection in the future.
These tools operate only on public pages. None of your care or health data ever reaches Meta or Google.
Disclosures to service providers (AWS, Stripe, Postmark, Twilio) are made under strict contractual restrictions for service delivery only and are not commercial sharing.

What We May Be Required to Do

Notwithstanding the commitments above, we may be required to disclose your information without your prior notice or consent in the following limited circumstances:

Where permitted by law, it is our practice to notify you upon receipt of legal process so you have a reasonable opportunity to seek relief. We will disclose only the minimum information required. Third-party providers who store your data may independently receive legal process directed at them, in which case Pribco LLC may have limited ability to provide notice on your behalf. We will not be held liable and disclaim a duty to provide advance notice or notice within a set time period and you waive any duty on our part to do so.

In Connection with a Business Transfer

If Pribco LLC is acquired, merges, or sells assets, your information may be transferred. We will notify you before your information is transferred and becomes subject to a different privacy policy. The prohibition on selling or sharing health-related information with healthcare entities, insurers, employers, and commercial third parties will be preserved as a binding commitment in any such transfer.

4. Third-Party Service Providers

The Platform operates through the following service providers. Each is contractually bound to protect your information and may not use it for any purpose other than providing services to Pribco LLC. These disclosures are not sales or commercial sharing.

Amazon Web Services (AWS)

Role: Cloud infrastructure, database, file storage, authentication, and serverless computing. AWS DynamoDB stores all family care content. AWS S3 stores all uploaded files. AWS Cognito manages authentication. AWS is eligible to sign a HIPAA Business Associate Agreement. Role: Pribco LLC is the data controller. AWS acts as a data processor under contractual terms and may not use your data for any independent purpose. Privacy: aws.amazon.com/privacy

Stripe, Inc.

Role: Subscription payment processing. Stripe processes all web and direct billing transactions. Addison’s Diary stores only your Stripe customer ID and subscription ID — no card numbers or bank details. Stripe processes payment data only and does not handle health-related information. Note: iOS subscriptions are processed by Apple via RevenueCat, not by Stripe — see the Apple Inc. and RevenueCat entries below. Privacy: stripe.com/privacy

Postmark (Wildbit LLC)

Role: Transactional email delivery — invitations, care alerts, medication reminders, SOS notifications, and account lifecycle emails. Email alert content is designed to contain no patient names, medication names, or medical details — only a notification that activity has occurred and a sign-in prompt. The sending domain addisonsdiary.com is DKIM-verified in Postmark. Privacy: postmarkapp.com/privacy

Twilio Inc.

Role: SMS text message delivery for SOS alerts, “I’m OK” wellness check-in notifications, and two-factor authentication (MFA) codes. SMS content contains no patient names, medication names, diagnoses, or any identifiable health information — only generic alert text with a sign-in prompt. SMS is opt-in only. See Section 8 of the Terms of Use for the full SMS program terms. Privacy: twilio.com/legal/privacy

Rewardful (affiliate program — not currently active)

Role: Affiliate referral tracking. Rewardful is not currently active. Addison's Diary may use Rewardful to operate its affiliate partner program in the future. If Rewardful is activated, this policy will be updated before any data is transmitted. No health data will ever be shared with Rewardful. Only referral source and subscription confirmation would be transmitted. Privacy: rewardful.com/privacy

Google Analytics 4

Role: Website and platform usage analytics. Google Analytics 4 (GA4) collects anonymised data about how visitors interact with addisonsdiary.com, including page views, session duration, and general usage patterns. GA4 operates on the public landing page only and is blocked until you accept the cookie consent banner. GA4 does not load inside the authenticated app and never receives health or care data. Data shared with Google: anonymised usage events, IP address (truncated), browser and device type, and approximate geographic location. Google acts as a data processor under Pribco LLC’s Google Analytics Data Processing Terms. Privacy: policies.google.com/privacy

RevenueCat

Role: iOS subscription management and billing orchestration. RevenueCat acts as the intermediary between Addison’s Diary and Apple for iOS in-app subscriptions. RevenueCat processes subscription status, entitlement verification, and billing lifecycle events on iOS devices. No payment card data or health data is shared with RevenueCat. Data shared: anonymised device identifier, subscription status, and app version. Privacy: revenuecat.com/privacy

Apple Inc. (iOS App Store)

Role: iOS in-app subscription billing and refunds. iOS subscriptions purchased through the Addison’s Diary iOS app are processed entirely by Apple via the App Store. Addison’s Diary does not handle iOS payment data directly. Apple collects and processes all payment information for iOS purchases under Apple’s own privacy policy and terms of service. All billing inquiries, refund requests, and subscription management for iOS purchases must be directed to Apple. Pribco LLC has no access to iOS payment card details and cannot process refunds for App Store purchases — these are managed exclusively by Apple. RevenueCat facilitates the connection between the app and Apple’s billing system. Privacy: apple.com/legal/privacy

Meta (Facebook Pixel and Conversions API)

Role: Advertising, retargeting, and ad optimization on the public landing page only. Meta technology operates through two mechanisms: (1) the browser-based Meta Pixel, which fires on public landing page views; and (2) the server-side Meta Conversions API (CAPI), which sends two billing events server-to-server — StartTrial (when a free trial begins) and Subscribe (when the first charge clears). The Subscribe event includes the subscription charge amount and currency (e.g., $9.99 USD) and a one-way hashed (SHA-256) version of the account email; it includes no name, contact details, health, or care data. Scope: Public landing page and billing events only. The Pixel does not load inside the authenticated app or on any page where health or care data is present. No health or care information is ever transmitted to Meta. Data controller: Meta acts as an independent data controller for data received via the Pixel and Conversions API. Privacy: facebook.com/privacy/policy

Google (reCAPTCHA)

Role: Bot protection on the public landing page. Addison's Diary does not currently use Google reCAPTCHA. If reCAPTCHA is activated in the future, this policy will be updated before any data is transmitted to Google. No health or care data will ever be shared with Google via reCAPTCHA. Privacy: google.com/privacy

GoDaddy (Web Hosting)

Role: Web hosting and DNS for addisonsdiary.com. GoDaddy hosts the public-facing website. As part of standard hosting operations, GoDaddy may set a host-level cookie (_tcl_visitor) on visitors’ browsers. This cookie is set by GoDaddy’s infrastructure and is not controlled by Pribco LLC. It does not carry health or care data. Pribco LLC has no access to data collected by this cookie. Privacy: godaddy.com/legal/agreements/privacy-policy

Changes to Service Providers

We may change or add service providers from time to time. Where a change materially affects how your data is processed, we will provide you with reasonable prior notice.

Disclaimer of Liability for Third-Party Errors

Addison’s Diary expressly disclaims all liability for any loss, harm, damage, interruption, or failure caused by the acts, omissions, errors, negligence, system failures, outages, or security incidents of any third-party service provider. To the fullest extent permitted by applicable law, our total liability for any claim arising from a third-party provider’s error shall not exceed the greater of (i) the amount you paid to Addison’s Diary in the twelve months preceding the claim or (ii) one hundred dollars ($100.00).

5. Operator Access to Your Data

The Default: Operators Cannot See Your Health Content

The Addison’s Diary operator admin console is technically blocked from reading your care content — patient profile information, care journal entries, medication records, messages, photos, and vault documents. This is an IAM-level restriction, not just a policy. Our admin tools are built so they cannot reach the family health data storage at all. An operator using their normal everyday login cannot access your family’s care content. Period.

The Exception: Break-Glass Access

Occasionally something unusual happens — a user reports a problem we cannot diagnose any other way, a safety concern is raised, or a legal obligation requires us to act. In those rare situations, an authorized team member may temporarily switch into a restricted read-only role. Here is exactly how that works:

A plain example: a family member contacts us and says their medication schedule is showing entries that look wrong. Our support team first tries to resolve this using metadata and technical logs without looking at care content. If that fails and the family wants us to investigate, an authorized team member switches into the restricted role, documents the reason as “user-reported data issue — user consent given,” reviews the relevant portion, then exits. The log records that access permanently. If you ask us whether your account has ever been accessed by Pribco LLC personnel, we will tell you honestly.

Admin Tools Cannot Reach Health Data

Our admin software has no permission to access the FamilyData table or the file storage bucket. Support tickets are stored in a completely separate table. Operators cannot edit or delete medication or care log entries under any circumstance — this is enforced both at the UI level and independently at the API level.

Honest Disclosure

Because Pribco LLC’s founders own the underlying AWS account, no purely technical control can make it strictly impossible for them to access family health data — an account owner can always re-grant their own access. The Data Access Policy described above and the CloudTrail audit logging are the practical controls that make any such access deliberate, documented, and accountable rather than accidental or casual. We state this honestly rather than implying a level of protection we cannot technically guarantee.

6. Data Security

No system is perfectly secure. We cannot guarantee that unauthorized access will never occur. You are responsible for maintaining the security of your account credentials and for notifying us promptly of any unauthorized access. In the event of a security incident that results in unauthorized access to health-related information in your account, we will notify you by email as promptly as practicable. See also Section 3.6 of the HIPAA Notice and Health Data Policy for the full breach notification commitment.

7. Data Retention and Deletion

While Your Account Is Active

We retain your account information and all care content for as long as your account is active.

When You Cancel Your Subscription

Your account enters a 90-day dormant period (read-only, fully recoverable by reactivating). If you do not reactivate within 90 days, your account moves to a 30-day pending-closure period with three warning emails (Days 1, 23, and 29) and a deletion confirmation email on Day 30. After the 30-day grace period expires — 120 days total from cancellation — all family data is permanently and irreversibly deleted.

When You Delete Your Account

If you delete your account manually, your account enters the 30-day pending-closure period immediately. All data is permanently deleted after 30 days.

What Survives Deletion

Your Terms of Use acceptance record (version, typed electronic signature, timestamp, IP address) is retained for at least 7 years under WORM Object Lock (S3 archive, governance-mode retention) as a legal record. The legal basis for this retention is a legal obligation that cannot be waived by deletion request. Support ticket history is retained for up to 3 years. Stripe billing records are retained for 7 years as required by applicable financial and tax law. No care content or health-related information is retained after deletion.

How to Request Deletion

In-platform: Sign in → My Account → Delete Entire Family Account (Admin) or Leave Family & Delete My Account (non-Admin) → Confirm

By email: support@addisonsdiary.com | Subject: “Data Deletion Request”

For expedited deletion (CCPA or urgent request): email support@addisonsdiary.com with subject “URGENT Data Deletion Request.” See the Data Deletion and User Rights Policy for the complete process.

8. SMS Text Messages

If you opt in, Addison’s Diary sends SMS text messages for SOS alerts, “I’m OK” wellness check-in notifications, and two-factor authentication (MFA) codes. SMS is opt-in only. Message and data rates may apply. Reply STOP to opt out at any time. Reply HELP for help. Carriers are not liable for delayed or undelivered messages. No mobile information or SMS consent will be sold or shared for marketing or advertising purposes. For the full SMS program terms including TCPA compliance, see Section 8 of the Terms of Use at addisonsdiary.com/terms.

Disclaimer of Liability for SMS Service Interruptions: Addison’s Diary expressly disclaims all liability for any failure, delay, non-delivery, misdirection, or corruption of any SMS message, including failures caused by carrier network outages, spam filtering, or regulatory compliance requirements. Standard carrier message and data rates may apply. SMS delivery is not guaranteed. The Platform’s SMS notification features are provided as a convenience and must never serve as your sole means of communication in a medical emergency or urgent caregiving situation.

9. Cookies

Addison’s Diary uses strictly necessary cookies and browser local storage to maintain your signed-in session and remember your preferences. Inside the app, no advertising cookies or cross-site tracking are used. On the public landing page, the Meta Pixel sets cookies after you accept the cookie consent banner — this tool never loads inside the app. Google reCAPTCHA and Rewardful may be used in the future; if activated, this policy will be updated. For full details including all cookie categories, durations, third-party cookies, and how to manage your cookie preferences, see the Addison’s Diary Cookie Policy at addisonsdiary.com/cookies.

10. HIPAA Notice

Pribco LLC is not a “covered entity” or “business associate” under HIPAA. The Platform is not HIPAA-certified and has not been independently audited for HIPAA compliance. The accurate description is HIPAA-adjacent — we are not legally required to comply with HIPAA, but we have built the platform with HIPAA-minded security practices because the information families share deserves that level of protection. For the full disclosure including our voluntary health data commitments, named third-party processors and their health data roles, IAM-enforced MFA break-glass role controls for operator access, and WORM Object Lock immutability for legal and consent records, see the HIPAA Notice and Health Data Policy at addisonsdiary.com/health-data.

11. Children’s Privacy

The Platform is for adults 18 and older. We do not knowingly collect personal information directly from children under 13. If a child is the patient in a family account, information about them is entered by adult family members and protected under this Policy. If you believe a child under 13 has created an account, contact privacyandlegal@pribco.com and we will delete it promptly. If a parent or guardian is using the Platform on behalf of a minor, they assume all duties and responsibilities with respect to that minor’s information.

12. Your Rights and Choices

All Users

You have the right to access, correct, and delete your personal data, update your notification preferences, and be informed about how your data is used. To request a copy of your data, send your request via email to privacyandlegal@pribco.com. Contact privacyandlegal@pribco.com as the primary channel for all privacy and legal requests.

California Residents — CCPA/CPRA Rights

California residents have the right to opt out of the sale of personal information and sharing for cross-context behavioral advertising. Addison’s Diary shares landing page browsing data with Meta via the Meta Pixel, which constitutes “sharing for cross-context behavioral advertising” under CCPA/CPRA. To exercise your right to opt out, decline cookies on the consent banner or use the Cookie Preferences center at addisonsdiary.com/cookies. Rewardful is not currently active; if activated, it would receive only referral source and subscription confirmation — not health data.

To exercise CCPA/CPRA rights: privacyandlegal@pribco.com | Subject: “California Privacy Rights Request.” We respond within 45 days (extendable to 90 with prior notice). You may also file a complaint with the California Privacy Protection Agency at cppa.ca.gov or the California Attorney General at oag.ca.gov/privacy.

Virginia, Colorado, Connecticut, Texas, and Other US States

Residents of states with comprehensive consumer privacy laws (Virginia CDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA, Montana, Oregon, Delaware, Iowa, Indiana, Nevada, Utah, Tennessee, and others) have rights to access, correct, delete, and port their personal data, and to opt out of certain processing. Contact privacyandlegal@pribco.com — Subject: “State Privacy Rights Request.” We respond within the timeframe required by your state’s law.

Exceptions to Deletion

In limited circumstances we may retain data despite a deletion request: where required by legal obligation (Terms acceptance record, Stripe billing records, support tickets during legal holds), where necessary to establish or defend a legal claim, or where required by mandatory reporting obligations. If we decline to delete data based on an exception, we will provide a written explanation identifying the specific items retained, the applicable legal basis, and the anticipated retention period or review date.

13. Changes to This Privacy Policy

We may update this Policy from time to time. For material changes, we will notify registered users by email and in-app notice before the changes take effect. Continued use after the effective date constitutes acceptance.

14. Contact Us

Pribco LLC — Addison’s Diary

Primary Privacy and Legal Requests: privacyandlegal@pribco.com

Data Deletion Requests: support@addisonsdiary.com

Cookie Preferences: addisonsdiary.com/cookies

HIPAA Notice & Health Data Policy: addisonsdiary.com/health-data

Website: addisonsdiary.com
