OldCare

Security that goes down to the database

Most products enforce privacy rules in application code. OldCare makes consent, retention, and deletion structural constraints the database itself must obey — not optional settings.

What happens to a single phone call

01

The call connects

OldCare calls your parent, and the assistant talks with them over a secure voice session. Raw call data only ever enters a private, internal-only region of the database.

02

Consent decides

Before anything reaches you, the database checks your parent’s current permissions field by field. No consent, no data: not hidden by the interface — absent from the response.

03

You receive the daily note

What you get is a short note about the day. Recordings, transcripts, and the assistant’s memory never leave the private core; raw recordings are kept at most 30 days, and transcript retention is still pending attorney review.

How this actually holds

This list describes only the database-side constraints already implemented. Production wiring, end-to-end deletion, and real drills that remain incomplete are called out explicitly.

A private boundary at the schema level

Raw calls, memories, and audit records live in private database structures the web application cannot query. The browser-facing interface only ever sees the minimal family-side data.

Consent is verifiable evidence, not a checkbox

Every consent is an append-only event containing a cryptographic fingerprint of the exact text your parent saw. Revocation creates a new event; history is never rewritten. Without written consent, the system cannot even create an outbound call.

Sharing filtered field by field

Family members read through a secure projection that checks every field against your parent’s current sharing choices. Change a choice, and the very next read reflects it.

“Don’t record this” is enforced at write time

When your parent asks for something not to be kept, the database write gate refuses to store it. The system keeps only a fingerprint proving the refusal happened — never the content.

The schema enforces the 30-day recording cap

Raw call recordings carry a retention limit of at most 30 days, and the database rejects any write that tries to keep them longer. Transcripts live in the private system and are covered by deletion requests, but their routine retention is still pending attorney review.

The database has deletion inventory and state gates

The database has part of the deletion inventory, state constraints, and audit structure. The real log adapter, independent tombstone service, file-storage and Twilio deletion, and post-PITR replay drills are not complete. We do not promise end-to-end erasure or verified results.

Least-privilege runtime

Every backend process uses its own minimal database role. The role serving this website holds no keys to the phone system, and vice versa.

Auditable without keeping identities forever

Actions are attributed to randomly generated audit principals, so accountability survives account deletion without keeping anyone’s identity on file.

Secrets never reach code or the browser

Repository scanning and runtime boundaries refuse to let vendor keys into code, public config, or the browser. Local rehearsals read only from the OS keychain; OldCare won’t launch to real families before the production secret store and rotation are wired.

Monitoring that can’t leak privacy

Health checks return only booleans and counts — never message content or personal data. An engineer debugging at 3 a.m. sees numbers, not what your mother said.

If something is truly wrong

An independent safety layer checks every conversation for signs of real danger and enforces safe stops on the backend. The current version does not automatically send notifications to contacts. OldCare is not an emergency service; if you believe someone is in immediate danger, call 911.

External vulnerability reporting is not open yet

OldCare does not currently have a configured, monitored external security-reporting channel and does not promise a response time. Do not send vulnerability details or personal data to placeholder addresses; the real channel will be published here when available.

Want to know more about how OldCare handles data? Read the Privacy Policy