SlothLabSlothLab

Privacy Policy

Last updated: March 15, 2026

Sloth Lab Inc. ("Sloth Lab," "we," "us," or "our") operates the ChecKin mobile application (the "App") and related services (collectively, the "Service"). ChecKin enables caregivers to set up automated check-in calls and SMS messages to their elderly family members ("Care Recipients"). This Privacy Policy describes how we collect, use, disclose, retain, and protect your personal information when you use our Service. It applies to all users of the App, including caregivers who create accounts and Care Recipients who receive communications through the Service.

1. Introduction

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our practices, please do not use the Service. This Privacy Policy is designed to comply with applicable privacy and telecommunications laws, including the Personal Information Protection and Electronic Documents Act ("PIPEDA"), the Telephone Consumer Protection Act ("TCPA"), Canada's Anti-Spam Legislation ("CASL"), and the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA").

2. Information We Collect

We collect the following categories of information to provide and operate the Service:

2.1 Caregiver (App User) Information

When you create an account and use the Service, we collect:

  • Account Information: Email address, display name, and profile photo URL, obtained through social authentication (Google or Apple sign-in) or email-based sign-in.
  • Device Information: Firebase Cloud Messaging (FCM) device token for push notification delivery, app version, operating system version, and device model.
  • Preferences: Timezone, language preference, and notification settings.
  • Subscription Information: Subscription status, tier (Free or Premium), and purchase history, managed through RevenueCat.

2.2 Care Recipient Information

When a caregiver registers a Care Recipient, we collect:

  • Identity Information: First name, last name, and relationship to the caregiver.
  • Contact Information: Phone number in E.164 international format.
  • Localization Data: Timezone and preferred language for scheduling and text-to-speech.
  • Verification Status: Phone number verification status obtained through PSTN-based verification.
  • Consent Records: Timestamps and methods for both caregiver-provided consent and Care Recipient's own consent (see Section 3).

2.3 Voice Recordings (Sensitive Personal Information)

Our Service records voice responses from Care Recipients during check-in calls. We classify voice recordings as Sensitive Personal Information and apply enhanced protections, including strict access controls limiting recordings to the owning caregiver account only, automatic deletion based on subscription tier, storage in access-controlled buckets with user-level isolation, and recording notice provided at the beginning of every call. Voice recordings are collected solely for delivering check-in responses to caregivers and are never used for biometric identification, voice profiling, or any purpose beyond the core Service functionality.

2.4 Call and SMS Logs

We automatically generate and retain logs of all check-in communications, including timestamps of calls and SMS messages sent and received, delivery status (pending, sent, delivered, failed), DTMF (keypad) input from Care Recipients during calls, and Twilio session identifiers for troubleshooting.

2.5 Automatically Collected Data

We automatically collect certain information when you use the App, including analytics events (app usage patterns, screen views, and feature usage) collected through Firebase Analytics, and error and crash logs (stack traces, device information, and error context) collected through Firebase Crashlytics.

3. Consent Mechanisms

We employ multiple layers of consent to ensure that all parties are informed and have agreed to the collection and use of their information:

  • 1. Service Agreement (Clickwrap): At sign-up or sign-in, caregivers agree to our Terms of Service and this Privacy Policy by proceeding with authentication. Links to the full legal documents are displayed on the sign-in screen.
  • 2. SMS/Call Sending Consent: During Care Recipient registration, the caregiver must confirm via an explicit checkbox that they have authorization to enroll the Care Recipient for automated SMS and voice call communications. This consent is recorded with a timestamp, method, and version identifier.
  • 3. Care Recipient's Own Consent (PSTN Verification): The Care Recipient provides direct, verifiable consent by answering a verification call and entering a 4-digit code on their telephone keypad (DTMF). This mechanism is designed to be accessible to elderly individuals who may not use digital devices.
  • 4. Voice Recording Notice: Before any recording begins during a check-in call, the Care Recipient is informed via a text-to-speech announcement that their response will be recorded.
  • 5. Push Notification Permission: Caregivers are prompted to grant push notification permission through the standard operating system dialog (iOS or Android).

4. How We Use Your Information

We use the information we collect for the following purposes:

  • Core Service Delivery: Initiating and delivering automated check-in calls and SMS messages to Care Recipients, recording and delivering voice responses to caregivers, and displaying check-in history.
  • Account Management: Authenticating users, managing subscription tiers, and enforcing service limits.
  • Communication: Sending push notifications when Care Recipients respond to check-ins and delivering service-related notices.
  • Service Improvement: Analyzing usage patterns, identifying feature adoption, and improving the user experience.
  • Quality Assurance: Monitoring errors, diagnosing crashes, and maintaining service reliability.
  • Regulatory Compliance: Maintaining consent records, honoring opt-out requests, and fulfilling legal obligations.
  • Security: Detecting and preventing unauthorized access, fraud, and abuse.
  • We do not use your information for: selling personal data to third parties; targeted advertising or ad profiling; biometric identification or voice profiling; or any purpose unrelated to the Service without your explicit consent.

5. Third-Party Data Sharing

We share personal information with the following third-party service providers, strictly for the purposes described below. We do not sell, rent, or trade your personal information.

Twilio

Data shared: Recipient phone numbers, message text, voice recordings. Purpose: SMS and voice call delivery, call recording.

Amazon Polly (via Twilio)

Data shared: Message text, language setting. Purpose: Text-to-speech conversion for check-in calls.

Firebase (Google)

Data shared: FCM device tokens, analytics events, crash reports, user properties. Purpose: Push notification delivery, analytics, crash monitoring.

RevenueCat

Data shared: User ID, email, subscription status, purchase history. Purpose: Subscription and in-app purchase management.

Google / Apple

Data shared: Email address, name (optional). Purpose: Social login authentication.

Supabase

Data shared: All Service data. Purpose: Backend infrastructure, data storage, serverless function execution.

  • Twilio: https://www.twilio.com/legal/privacy
  • Firebase / Google: https://firebase.google.com/support/privacy
  • RevenueCat: https://www.revenuecat.com/privacy
  • Supabase: https://supabase.com/privacy
  • Amazon Web Services: https://aws.amazon.com/privacy/

6. International Data Transfer and Storage

Your personal information is stored and processed by our service providers. We take reasonable steps to ensure adequate protection.

6.1 Data Processing Locations

Your personal information is stored and processed in the United States by Supabase (AWS, US East Virginia), Twilio (US-based infrastructure), Firebase / Google Cloud (US-based infrastructure), and RevenueCat (US-based infrastructure).

6.2 Cross-Border Transfer Disclosure

If you are located outside the United States, including in Canada, please be aware that your personal information will be transferred to, stored, and processed in the United States. United States law, including the USA PATRIOT Act and the CLOUD Act, may permit US government agencies to access personal data held by US-based service providers in certain circumstances. By using the Service, you acknowledge and consent to the transfer of your information to the United States. For Canadian users, this disclosure is provided in accordance with PIPEDA's requirements regarding transparency about international data transfers.

6.3 Safeguards

We take reasonable steps to ensure that your personal information receives an adequate level of protection, including encryption of data in transit (TLS/HTTPS) and at rest, contractual obligations with service providers regarding data handling, and access controls and authentication requirements for all data systems.

7. Data Retention and Deletion

We retain your personal information only as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law.

Voice Recordings

Retention: Free tier — 7 days; Premium tier — 90 days. Deletion: Automatic via scheduled database job (daily at 03:00 UTC).

Error and Crash Logs

Retention: 90 days. Deletion: Automatic via scheduled database job.

Analytics Events

Retention: Indefinite (aggregated and anonymizable). Deletion: Manual deletion upon request.

User Account Data

Retention: Until account deletion is requested. Deletion: Full cascade deletion of all associated data.

Check-in Logs

Retention: Until account deletion is requested. Deletion: Cascade deletion with account.

Temporary TwiML Files

Retention: Approximately 60 seconds. Deletion: Automatic cleanup after telephony API retrieval.

Account Deletion

When you delete your account, all associated personal data is permanently removed through cascade deletion, including Care Recipient records, check-in logs, voice recordings, schedules, and consent records.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

8.1 Right of Access

You have the right to request a copy of all personal data we hold about you. We will provide this information in a commonly used, machine-readable format within 30 days of your request.

8.2 Right of Correction

You have the right to request correction of any inaccurate or incomplete personal data. You may update most information directly within the App settings.

8.3 Right of Deletion

You have the right to request deletion of your account and all associated personal data. Upon receiving a deletion request, we will permanently remove all your data through cascade deletion, subject to any legal retention obligations.

8.4 Right to Opt-Out of Communications

You may opt out of automated communications through the following mechanisms:

  • SMS: Reply "STOP" to any SMS message to immediately cease SMS communications to that number.
  • Calls: Deactivate the check-in schedule through the App to stop automated calls.
  • Push Notifications: Disable notifications through your device's operating system settings.

8.5 Right to Data Portability

You have the right to request an export of your personal data in a structured, commonly used, and machine-readable format.

8.6 Right to Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. Exercising your rights will not affect the quality of service you receive.

8.7 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have additional rights under the CCPA/CPRA:

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected.
  • Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to Opt-Out of Sale: We do not sell your personal information.
  • Right to Limit Use of Sensitive Personal Information: You may request that we limit the use of your Sensitive Personal Information to purposes necessary for performing the Service.

8.8 Rights Under PIPEDA (Canadian Users)

If you are located in Canada, you have the right to:

  • Access your personal information held by us.
  • Challenge the accuracy and completeness of your information and have it amended as appropriate.
  • Withdraw consent for the collection, use, or disclosure of your personal information (subject to legal or contractual restrictions).
  • File a complaint with our Privacy Officer or with the Office of the Privacy Commissioner of Canada.

8.9 How to Exercise Your Rights

To exercise any of the above rights, you may:

  • Email: admin@slothlab.app
  • In-App: Navigate to Settings > Help within the App
  • We will respond to all verifiable requests within 30 days (or 45 days for CCPA/CPRA requests where an extension is necessary).

9. Security Measures

We implement industry-standard technical and organizational measures to protect your personal information. Despite these measures, no method of transmission over the Internet or electronic storage is completely secure.

  • Row-Level Security (RLS): All database tables enforce user-level data isolation, ensuring that users can only access their own data.
  • Encryption in Transit: All data transmitted between your device, our servers, and third-party services is encrypted using TLS/HTTPS.
  • OAuth 2.0 Authentication: User authentication is handled through Google and Apple OAuth providers. We do not store passwords.
  • Service Role Isolation: Elevated database access is available only to serverless backend functions and is never exposed to client applications.
  • Twilio Authentication: All telephony operations are authenticated using Account SID and Auth Token credentials.
  • Firebase Service Account Security: Push notifications use RSA-256 signed JSON Web Tokens for authentication.
  • Recording Access Control: Voice recordings are stored in access-controlled storage buckets with policies that restrict access to the owning caregiver account.
  • Temporary File Cleanup: Temporary telephony instruction files (TwiML) are automatically deleted after retrieval by the telephony API, typically within 60 seconds.
  • Input Validation: Phone numbers are validated against the E.164 international standard, and DTMF input is constrained to expected digit ranges.

10. TCPA Compliance

The Telephone Consumer Protection Act (TCPA) regulates automated telephone communications in the United States. Our compliance measures include:

  • A2P 10DLC Registration: Our messaging is registered under the Application-to-Person 10-Digit Long Code (A2P 10DLC) framework as required by US carriers and the TCPA.
  • Prior Express Consent: We obtain explicit consent from the caregiver (via checkbox) before sending any automated communications to a Care Recipient's phone number.
  • Recipient Verification: We obtain direct consent from the Care Recipient through PSTN-based DTMF verification before initiating recurring communications.
  • Opt-Out Mechanism: Care Recipients may reply "STOP" to any SMS message to immediately cease SMS communications. Call schedules may be deactivated by the caregiver through the App.
  • Consent Records: All consent is recorded with timestamps, methods, and version identifiers for audit purposes.

Reply STOP to opt-out, HELP for help. Message frequency varies. Message and data rates may apply.

No mobile information will be shared with third parties/affiliates for marketing/promotional purposes.

11. CASL Compliance

Canada's Anti-Spam Legislation (CASL) regulates commercial electronic messages. Our compliance measures include:

  • Consent Tracking: We maintain records of consent for all electronic communications, including the timestamp, method, and version of consent.
  • Opt-Out Mechanism: Care Recipients may reply "STOP" to any SMS message. The opt-out is processed immediately.
  • Sender Identification: All communications identify Sloth Lab Inc. as the sender.

12. Children's Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. Our target users are adults aged 30 to 50 who are caregivers for elderly family members. If we become aware that we have collected personal information from a child under 13, we will take steps to promptly delete that information. If you believe a child under 13 has provided us with personal information, please contact us at admin@slothlab.app.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this Privacy Policy.
  • Notify you through the App (via in-app notification or push notification) prior to the changes taking effect.
  • For material changes that affect the processing of Sensitive Personal Information (such as voice recordings), we will seek renewed consent where required by law.

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

  • Email: admin@slothlab.app
  • In-App: Settings > Help
  • For Canadian users who wish to file a complaint, you may also contact the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca.
  • For California residents, you may contact the California Attorney General's office at https://oag.ca.gov if you believe your CCPA/CPRA rights have been violated.

15. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the Province of Ontario, Canada, and the federal laws of Canada applicable therein, without regard to conflict of law principles. For users located in the United States, applicable US federal and state laws (including the TCPA and CCPA/CPRA) also apply to the extent required.