Privacy Policy
Effective: May 12, 2026
🛡️ Our promise: We never sell your data to advertisers. We use bank-level encryption and access controls to protect your information. You can request deletion of your data at any time.
1. Information We Collect
1.1 Information You Provide
- Name, email address, mailing address, and phone number
- Payment information (processed by our payment processor, Stripe — we do not store full card numbers)
- End User information (the senior using the Service, if different from the subscriber), including name, phone, emergency contacts, and information shared during calls
- Documents, photos, stories, and personal information you upload to the Digital Life Vault
- Health information (medications, allergies, conditions, healthcare providers) — treated as PHI
- Family member information you add to the Family dashboard
1.2 Conversation Data
When Mabel calls, we record and store the conversation for the purpose of providing the Service — specifically: maintaining conversational memory across calls, summarizing calls for family dashboards, detecting potential emergency signals, and improving Mabel's responses to you over time. Recordings and transcripts are encrypted in transit (TLS 1.2+) and at rest (AES-256) and stored securely.
Voice biometrics — what we do NOT do. We do not extract, store, or compare voiceprints, vocal fingerprints, or other biometric identifiers from your conversations. Mabel uses voice solely as a communication channel, not as an identity-verification mechanism. We do not sell, license, or share voice recordings with biometric-identification companies under any circumstance.
AI training — what we do NOT do. We do not use End User conversation content to train third-party AI models. Our underlying language and voice providers (Anthropic, OpenAI, ElevenLabs) operate under business-associate-style contracts with us that prohibit using End User content for their own model training. We may use de-identified, aggregated patterns (e.g., “average call length is 8 minutes”) for internal Service improvement only.
Conversation retention period. Full audio recordings are retained for 90 days, then automatically deleted. Text transcripts and Mabel's long-term memory summaries are retained for the lifetime of the active subscription (so Mabel can “remember” that you mentioned your granddaughter's graduation last year). Upon cancellation, transcripts and memory summaries are deleted within 30 days, except as required for ongoing legal obligations. You may request earlier deletion at any time — see Section 7.
1.3 Automatically Collected Information
- Device and browser information (user agent, operating system)
- IP address and approximate location
- Usage data (pages visited, features used, time on site)
- Cookies and similar technologies (see Section 6)
2. How We Use Information
We use the information we collect to:
- Provide, operate, and improve the Service
- Process payments and manage subscriptions
- Remember the End User across calls (conversational memory)
- Detect potential signs of distress and notify designated emergency contacts when plan features include this
- Send operational emails (welcome, billing, dunning, service updates)
- Send the Call Mabel newsletter to subscribers who opt in
- Respond to support requests and feedback
- Detect fraud, abuse, and security threats
- Comply with legal obligations and enforce our Terms of Service and Service Agreement
- Conduct analytics to improve the Service (always aggregated/de-identified before analysis)
3. Health Information and HIPAA Status
Many users share health-related information with Mabel — medications, symptoms, doctor visits, conditions. We handle this information with the care it deserves: bank-level encryption (TLS 1.2+ in transit, AES-256 at rest), strict role-based access controls, audit logging, and regular security reviews.
Important clarification: Call Mabel is a direct-to-consumer technology service. We are not a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA). Information you share with Call Mabel is not Protected Health Information (PHI) as defined by HIPAA, and HIPAA-specific consumer rights (such as formal access to medical records, HIPAA-defined breach notification timelines, or Notice of Privacy Practices) do not apply.
Instead, your information is protected by state consumer privacy laws, our contractual promises, and healthcare-grade security practices. The specific state laws that apply to most U.S. End Users include:
- California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) — broad consumer rights to access, delete, correct, and opt out of “sale” or “sharing” of personal information.
- California Confidentiality of Medical Information Act (CMIA) — while CMIA primarily binds licensed healthcare providers, we voluntarily apply CMIA-style handling to any health information you share with Mabel: encrypted storage, role-restricted access, no disclosure without authorization, and no use for marketing.
- Washington My Health My Data Act (MHMDA) — applies to consumer health data of Washington residents. We honor MHMDA's heightened consent requirements before sharing consumer health data with any third party, recognize Washington residents' right to withdraw consent and request deletion, and do not sell consumer health data to anyone.
- Connecticut Data Privacy Act (CTDPA) and 2024 health-data amendment — Connecticut residents may opt out of targeted advertising, “sale” of personal data, and profiling. We do none of those for any user, regardless of state.
- Other state laws — we follow comparable consumer-privacy standards from Colorado (CPA), Virginia (VCDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Delaware (DPDPA), and any successor laws.
We apply these healthcare-grade safeguards by choice, not federal mandate — because your health information deserves that level of care even when HIPAA doesn't require it.
If your situation specifically requires HIPAA-covered services (for example, you are sharing records to or from a licensed healthcare provider as part of their treatment of you), please work with that provider directly. We may offer HIPAA-covered service tiers in the future as we expand into partnerships with healthcare providers and Medicare Advantage plans — and we will clearly identify any HIPAA-covered tier when it becomes available.
4. Sharing of Information
We never sell your personal data or PHI to advertisers, data brokers, or anyone else.
We share information in limited circumstances:
- Service providers: Third parties who provide infrastructure (Supabase for data storage, Stripe for payments, Resend for email, ElevenLabs for voice synthesis, Anthropic/OpenAI for AI processing). These providers are contractually bound to protect your information and use it only to provide services to us.
- Emergency contacts: If your plan includes emergency detection and Mabel identifies a possible distress signal, we may contact your designated emergency contacts.
- Legal compliance: If required by law, court order, or valid subpoena.
- Business transfers: If Call Mabel is acquired or merged, your information may transfer as part of the transaction. You will be notified in advance.
- With your consent: In any other case, only with your explicit consent.
4.5 End User Consent & Family Alerts
Many of our subscribers (the “Subscriber”) sign up on behalf of an aging parent or relative (the “End User”). In our Service Agreement, the Subscriber represents that they have the legal authority to enroll the End User and that they have shared the material terms of the Service with the End User. We rely on that representation.
When Mabel calls, she identifies herself as an AI companion and explains that the call is recorded. The End User may decline to participate at any point during any call without penalty.
Family alert cascade. On plans that include emergency-signal detection, if Mabel identifies a potential distress signal (severe verbal distress, mention of a fall, prolonged unresponsiveness, etc.), we may automatically attempt to contact the emergency-contact phone numbers on file. The End User is informed of this feature during onboarding. The Subscriber is responsible for keeping emergency-contact information current and for ensuring contacts have consented to receive alerts on the End User's behalf.
Right to disenroll. If at any time the End User no longer wishes to use the Service, the Subscriber must immediately cancel the subscription. We will honor a direct request from a verified End User to terminate Service and delete their data even if the Subscriber wishes to continue.
5. Data Retention and Deletion
Default retention by data type:
- Account profile (name, email, phone): retained while subscription is active, plus 12 months after cancellation for reactivation and legal/tax records.
- Conversation audio recordings: 90 days after the call, then auto-deleted.
- Conversation transcripts & memory summaries: retained during active subscription, deleted within 30 days of cancellation.
- Family dashboard summaries & notes: retained during active subscription, deleted within 30 days of cancellation.
- Digital Life Vault documents: retained during active subscription. Upon cancellation, exported to the Subscriber on request and deleted within 30 days unless the Subscriber requests extended retention.
- Payment records: retained for 7 years per tax-record obligations (stored at Stripe, with only minimal references in our system).
- Backups: our encrypted backups retain a rolling 90-day window; deleted records age out of backups automatically.
You may request earlier deletion of any of the above at any time by emailing hello@callmabel.com. We will verify the request, honor it within thirty (30) days, and confirm completion in writing. Where a state law (CCPA, MHMDA, CTDPA, etc.) sets a shorter timeline, we honor the shorter one.
Some information may be retained in legally required records (e.g., financial transaction history) for the period required by applicable law, but will not be used for any active product purpose.
6. Cookies and Tracking
We use essential cookies (for login, session management, and security) and limited analytics cookies (to understand aggregate usage). We do not use cookies for cross-site advertising tracking. You may disable cookies in your browser settings, though some features of the Service may not work without them.
7. Your Rights
Subject to applicable law, you have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete information
- Request deletion of your personal information
- Export your data in a portable format
- Opt out of the Call Mabel newsletter (via the unsubscribe link in every email)
- Withdraw consent where we rely on consent as the legal basis for processing
- Lodge a complaint with a data protection authority (if you are in a jurisdiction with one)
To exercise any of these rights, email hello@callmabel.com.
8. Security
We protect your data with encryption in transit (TLS 1.2+) and encryption at rest, access controls, audit logging, and regular security reviews. However, no system is perfectly secure. In the event of a data breach affecting your information, we will notify you and relevant authorities in accordance with applicable law.
9. Children's Privacy
The Service is intended for adults. We do not knowingly collect personal information from children under 13. If we learn we have collected such information, we will delete it promptly.
10. International Users
Call Mabel operates from the United States, and your data will be processed in the United States. If you access the Service from outside the United States, you consent to the transfer and processing of your information in the U.S.
11. State-Specific Consumer Health-Data Rights
11.1 California (CCPA / CPRA / CMIA)
California residents have the right to: (a) know what personal information we collect, the categories of sources, and the business purposes of collection; (b) request deletion of personal information; (c) correct inaccurate personal information; (d) opt out of the “sale” or “sharing” of personal information (we do neither for any user); (e) limit use of “sensitive personal information” (we do not use sensitive information for anything beyond providing the Service); and (f) be free from discrimination for exercising these rights.
For health information specifically, we voluntarily apply California Confidentiality of Medical Information Act (CMIA)–style handling: no disclosure of medical information without authorization, no use for marketing, restricted internal access on a need-to-know basis, and explicit recipient-level controls. California residents may request a record of all internal access to their health information by emailing hello@callmabel.com.
11.2 Washington (My Health My Data Act)
Washington residents have heightened rights over “consumer health data” under the My Health My Data Act (MHMDA), including:
- The right to confirm whether we are processing your consumer health data and to access that data.
- The right to withdraw consent for processing of consumer health data at any time.
- The right to request deletion of consumer health data, including deletion from any of our archives and backups within a reasonable period.
- The right to not have your consumer health data shared with third parties without your explicit, separate consent. (We do not share consumer health data with third parties for advertising, marketing, or any non-Service purpose.)
- The right to not have your consumer health data “sold” in any sense recognized by the MHMDA. We do not sell consumer health data.
Washington residents may exercise any of these rights by emailing hello@callmabel.com. We will respond within 45 days.
11.3 Connecticut (CTDPA + 2024 Health-Data Amendment)
Connecticut residents have the right to: (a) access, correct, and delete personal data; (b) obtain a portable copy of personal data; (c) opt out of targeted advertising, “sale” of personal data, or profiling that produces legal or similarly significant effects; and (d) appeal a refusal to take action on a privacy request. Connecticut residents may not be subject to discrimination for exercising these rights.
We do not engage in targeted advertising, do not “sell” personal data, and do not profile users in a way that produces legal or similarly significant effects. We honor Connecticut requests at hello@callmabel.com.
11.4 Other States with Comprehensive Privacy Laws
Residents of Colorado, Virginia, Utah, Texas, Oregon, Delaware, Indiana, Iowa, Montana, New Hampshire, New Jersey, and any other state with a comprehensive consumer-privacy law have substantially the same rights described above. We honor all such state requests at hello@callmabel.com regardless of which state you reside in.
11.5 Authorized-Agent Requests
Where state law permits an authorized agent to make a privacy request on your behalf (CCPA Article 5 §1798.130, CTDPA §6 et seq.), we will honor verified agent requests. We may require the agent to provide signed written authorization, and we may require direct verification from you of your identity and the authorization.
12. Changes to this Policy
We may update this Privacy Policy from time to time. We will notify active Subscribers of material changes by email at least thirty (30) days before they take effect. The “Effective” date at the top of this Policy will reflect the most recent version.
13. Contact Us
Questions about this Privacy Policy or your information? Email hello@callmabel.com.