Loading...
CoOwlGDPR / UK DPA 2018 Compliance Plan
Our data protection compliance framework under UK GDPR and the Data Protection Act 2018.
Last updated: 4 May 2026 Data Controller: CoOwl Ltd
1. Data Processing Inventory
1.1 Categories of Data Subjects
| Data Subject | Description |
|---|---|
| Parents / Guardians | Adult users managing co-parenting arrangements |
| Children | Minors whose data is entered by parents (names, photos, health/mood) |
| Extended Family | Grandparents, stepparents, guardians with limited access |
1.2 Data Collected & Processing Purposes
| Data Category | Examples | Purpose | Lawful Basis |
|---|---|---|---|
| Account Information | Name, email, phone, password hash | Account creation, authentication | Contract (Art. 6(1)(b)) |
| Profile Information | Avatar, role, contact preferences | Service personalisation | Contract (Art. 6(1)(b)) |
| Children's Names & Ages | First name, DOB, school year | Custody scheduling | Legitimate Interest (Art. 6(1)(f)) |
| Photos (Picture Wall) | Shared images of children/family | Shared memory keeping | Explicit Consent (Art. 9(2)(a)) |
| GPS Location (Check-ins) | Lat/long during check-in events | Custody exchange verification | Explicit Consent (Art. 9(2)(a)) |
| Messages | Text communications | Co-parenting communication | Contract / Legitimate Interest |
| Expenses | Shared expense entries, receipts | Expense splitting | Contract (Art. 6(1)(b)) |
| Health / Mood Data | Child mood tracking, wellbeing notes | Child wellbeing monitoring | Explicit Consent (Art. 9(2)(a)) |
| Custody Schedule | Calendar entries, exchange times | Core app functionality | Legitimate Interest (Art. 6(1)(f)) |
| Payment Data | Stripe subscription tokens | Subscription billing | Contract (Art. 6(1)(b)) |
1.3 Special Category Data
CoOwl processes the following special category data under Article 9 of the GDPR:
- Children's photographs — processed with explicit consent via clear opt-in at upload
- GPS location data — processed with explicit consent via device permission prompt
- Health / mood data — processed with explicit consent via check-in feature opt-in
- Children's data (inherently sensitive) — additional safeguards per UK ICO Age-Appropriate Design Code
2. Lawful Basis Detail
2.1 Contract (Art. 6(1)(b))
Processing necessary for the performance of a contract with the data subject. Used for:
- Account registration and management
- Core co-parenting features (scheduling, messaging, expenses)
- Subscription billing via Stripe
2.2 Legitimate Interest (Art. 6(1)(f))
Processing necessary for our legitimate interests, provided those interests do not override the data subject's rights:
- Custody scheduling — fundamental app purpose; processing children's names/ages is necessary and expected by users
- Messaging — communication history supports co-parenting coordination
- Service improvement — anonymised analytics to improve the app
- Security monitoring — fraud prevention and account security
Legitimate Interest Assessment (LIA) conducted: users' reasonable expectations are met; processing is necessary and less intrusive means are not available; users can object to non-core processing via settings.
2.3 Explicit Consent (Art. 9(2)(a))
Used for special category data processing:
- Photo uploads to Picture Wall — separate consent at each upload
- GPS check-in location — device-level permission + in-app consent per session
- Health/mood tracking — opt-in feature with granular control
All consent events are logged with timestamp, version of consent, and user ID in Firestore consentLogs collection.
2.4 Legal Obligation (Art. 6(1)(c))
- Retention of messages for potential court evidence (7 years)
- Disclosure to law enforcement when legally required
- ICO registration compliance
3. Data Retention Schedule
| Data Category | Retention Period | Rationale | Deletion Method |
|---|---|---|---|
| Account information | Account deletion + 30 days grace | Contract termination | Hard delete from Firestore |
| Messages | 7 years | Family court evidence preservation | Anonymised after 7 years |
| Photos (Picture Wall) | Until deleted by user / account deletion | User control; children's best interests | Hard delete from Storage + Firestore |
| GPS Location (Check-ins) | 90 days | Check-in verification window | Automated cron deletion |
| Expenses | 7 years | HMRC / court financial disclosure | Anonymised after 7 years |
| Health/Mood data | 2 years after last entry | Limited utility window | Automated deletion |
| Custody schedule | Until account deletion | Core service provision | Hard delete |
| Payment data | Not stored by CoOwl — processed entirely by Stripe | — | |
| Analytics | 26 months | Industry standard | Aggregated/anonymised |
| Consent logs | Account duration + 1 year | Regulatory audit trail | Hard delete |
| Deletion requests | 3 years | Erasure compliance evidence | Hard delete |
Retention periods reviewed annually by DPO.
4. Children's Data Safeguards
CoOwl complies with the UK ICO Age-Appropriate Design Code (the "Children's Code"):
4.1 Best Interests of the Child
- Children's data processed only where necessary for core co-parenting function
- No behavioural advertising, profiling, or recommendation algorithms targeting children
- No nudge techniques to increase children's usage or data sharing
4.2 Age-Appropriate Application
- App designed for parents; children do not create accounts
- Children's data entered and controlled exclusively by parent accounts
- Teen View mode with limited data exposure
4.3 Transparency
- Concise, layered privacy information
- Bite-sized just-in-time notices at data collection points
- Accessible language for non-expert parents
4.4 Default Settings
- High-privacy defaults: location off, photo sharing requires action
- Messaging between co-parents only — no public/social features
- Picture Wall private to the family unit
4.5 Data Minimisation
- Only minimum necessary children's data collected (name, age)
- Optional fields require explicit parental opt-in
- GPS location at check-in moments only, not continuous
4.6 Data Sharing
- Children's data shared only between parent accounts and authorised family
- No third-party data sharing for children's data
- Parents control all sharing via family permissions system
4.7 Erasure
- Parents can delete children's data at any time via settings
- Automated deletion schedules enforced
- Right to erasure response within 30 days
4.8 Data Protection Impact Assessment
- DPIA conducted prior to processing children's data
- Reviewed annually or when new features affecting children are introduced
5. Technical & Organisational Measures
5.1 Encryption
| Layer | Measure |
|---|---|
| At Rest | Firestore and Cloud Storage encrypted using AES-256 (Google-managed keys) |
| In Transit | TLS 1.3 for all client-server communication |
| End-to-End | Messages encrypted in transit and at rest |
| Backups | Encrypted with customer-managed encryption keys (CMEK) |
5.2 Pseudonymisation
- User IDs are UUIDs, not email addresses or names
- Messages indexed by conversation ID, not individual identifiers
- Analytics processed on pseudonymised data
- Full de-pseudonymisation possible only by authorised administrators with legitimate business need
5.3 Access Controls
| Role | Access |
|---|---|
| User | Own data only; shared within family per permission model |
| Family Member | Role-based permissions (parent, extended family, teen) |
| System Administrator | Limited support access; all access logged |
| DPO | Compliance and SAR processing |
Technical controls:
- Firestore Security Rules enforce document-level access
- Firebase Authentication with email/password plus optional 2FA
- Row-level security: users can only access their own family's documents
- Admin access requires break-glass procedure with audit logging
- Principle of least privilege applied to all service accounts
5.4 Audit Logging
- All administrator access to personal data logged (who, what, when, why)
- Consent events logged to immutable
consentLogscollection - Deletion requests logged to
deletionRequestscollection - Security events logged to separate audit trail
5.5 Organisational Measures
- Staff training on GDPR and data protection annually
- Data Protection Officer appointed: privacy@coowl.app
- Data Processing Agreement (DPA) with Google Cloud Platform (Firebase)
- Breach notification procedure: ICO notified within 72 hours per Art. 33
- Annual internal data protection audit
6. Subject Access Request (SAR) Flow
Data subjects can request access via privacy@coowl.app or the in-app data export feature. SARs are processed within 30 calendar days per Art. 15 UK GDPR.
Data Subject → privacy@coowl.app (verify identity within 7 days) → Acknowledge (3 working days) → Search & collate (20 days) → Review third-party data — Apply exemptions — Redact → Respond (25-30 days)
Data provided in machine-readable format (JSON) or human-readable (PDF). Includes right to rectification, erasure, and objection.
7. Right to Erasure (Art. 17)
Data subjects can request erasure via in-app deletion or email to privacy@coowl.app. Executed within 30 calendar days, except where legal retention applies (messages/expenses: 7 years for court evidence). Self-service deletion writes to deletionRequests and is processed within 48 hours.
8. Right to Rectification (Art. 16)
Data subjects can correct most data directly via in-app settings (profile, children's details, expenses). Messages are not editable for court evidence integrity. Contested corrections are mediated with supporting evidence within 30 days.
9. Data Protection Impact Assessment (DPIA)
A DPIA has been conducted. High-risk processing (children's data, location, photographs) is mitigated by explicit consent, data minimisation, strict access controls, and encryption. ICO consultation not required as mitigations adequately address risks. Reviewed annually.
10. International Data Transfers
Primary hosting: Google Cloud Platform (EEA — europe-west1 Belgium, europe-west2 London). Sub-processors: Google Cloud Platform and Stripe (DPAs in place). UK Adequacy Regulations recognise EEA as adequate. SCCs in place with non-EEA sub-processors.
11. Breach Notification Procedure
- Detection — Automated monitoring + user reports
- Containment — Within 1 hour: isolate, rotate credentials
- Assessment — DPO assesses risk within 24 hours
- Notification to ICO — Within 72 hours (Art. 33)
- Notification to data subjects — Without undue delay if high risk (Art. 34)
- Documentation — All breaches logged with facts, effects, remedial actions
12. Data Protection Officer
| DPO | [INSERT NAME], CoOwl Ltd |
| privacy@coowl.app | |
| ICO Registration | [INSERT ICO REGISTRATION NUMBER] |
13-14. Record of Processing & Governance
A Record of Processing Activities (Art. 30) is maintained and updated annually. Available for ICO inspection upon request.
| Item | Frequency | Owner |
|---|---|---|
| Compliance plan review | Quarterly | DPO |
| Data retention audit | Annual | DPO + Engineering |
| DPIA review | Annual or on feature change | DPO |
| Consent mechanism audit | Annual | Product + Legal |
| Staff training | Annual | DPO |
| Penetration testing | Bi-annual | External security firm |
| ICO registration renewal | Annual | Finance + Legal |
This document is for compliance purposes and does not constitute legal advice. CoOwl recommends independent legal advice for specific compliance obligations.