Privacy Policy
Last updated: 28 June 2026
1. Who we are
Stimz Connect is operated by Flexi Fidgets Co. Ltd, a company registered in England and Wales (Company No. 15982398, VAT No. GB 494303485). Our registered office is 43 Dollywaggon Way, Bamber Bridge, Preston PR5 6EW, United Kingdom. Flexi Fidgets Co. Ltd is the data controller for personal data processed through the Stimz Connect service. When we say "we", "us", or "Stimz Connect" in this policy, we mean Flexi Fidgets Co. Ltd trading as Stimz Connect.
2. What data we collect
We collect the following categories of personal data:
Account information
Name, email address, and account profile details used for secure sign-in and account access. We do not store plaintext passwords in our application database.
Profile content
Information you choose to add to profiles: names, photos, medical conditions, medications, emergency contacts, help instructions, and communication grid settings. This data is entered by you as the carer and is only shared when someone scans the NFC tag or QR code.
Contact details
Phone numbers and email addresses of carers and emergency contacts. These are used solely to send scan alerts via SMS or email.
Billing & shipping address
If you buy a physical NFC tag, lanyard, or other product, your billing and shipping address is collected at checkout so we can dispatch the order. Card details themselves are entered directly into Stripe and never reach our servers.
Photos & videos
Profile photo, optional 30-second helper video, and any document images you upload (medical letters, care plans, etc.). These are stored in Supabase Storage and shown only on profiles you control.
Audio recordings
Optional audio clips you record or upload for individual communication grid buttons (e.g. a voice clip that plays when a helper taps "Phone home"). Stored alongside the corresponding profile and never used for any purpose other than playback in your own grid.
Diagnostics
Crash reports and basic performance data (page load timing, error rates) so we can fix bugs and keep the app fast. Not linked to advertising and never shared with ad networks or data brokers.
Device tokens
For mobile push notifications, we store an Apple Push Notification Service (APNs) device token tied to your account so we can deliver alerts to your iPhone or iPad.
NFC tag identifiers
Each NFC tag has a unique identifier (UID) and a public profile slug. We link these to your profile so that taps and scans resolve to the right person.
Scan logs
When someone scans an NFC tag or QR code, we record the time, an anonymised IP address, and browser type. If the scanner voluntarily shares their GPS location, we record that too and pass it to the profile's emergency contacts.
Location data (optional)
If you enable geofencing or location features on a paid tier, we process location data from the cared-for person's device to trigger alerts. Location features are opt-in and can be disabled at any time.
3. Lawful basis for processing
Under UK GDPR and EU GDPR, we rely on the following lawful bases:
- Contract (Article 6(1)(b)): processing account data, profile content, contact details, NFC tag identifiers, and device tokens is necessary to deliver the Stimz Connect service you have signed up for.
- Consent (Article 6(1)(a) and Article 9(2)(a)): for special-category data such as health, medical conditions, and medications, and for any optional location processing, we rely on your explicit consent. You can withdraw consent at any time by removing the data from your profile or disabling the relevant feature.
- Legitimate interests (Article 6(1)(f)): we keep scan logs so you can see when a tag was scanned and so we can prevent abuse and debug technical issues. Our legitimate interest is balanced against your privacy rights, and you can request scan log deletion at any time.
4. Special-category (sensitive) data
Stimz Connect lets you store health information, including diagnoses and medications. Under UK GDPR Article 9, this is special-category personal data and requires extra protection. We process this data only with your explicit consent, given when you choose to add it to a profile. You control whether medical information is displayed to helpers via the "Show Medical Info" toggle in profile settings. You can remove medical information at any time, and removal is permanent.
5. How we use your data
We use your data to provide the Stimz Connect service: displaying profile information to helpers who scan a tag, sending scan alerts to emergency contacts, delivering push notifications to subscribed devices, and showing scan history and analytics in your dashboard. We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except the processors listed in section 7.
6. Location data
When someone scans a Stimz Connect tag, they are asked whether they would like to share their location. This is entirely voluntary, the browser requests permission, and the scanner can decline. If they share their location, it is sent to the profile's emergency contacts via a Google Maps link. Location data is stored in the scan event record so carers can see where scans occurred. We do not continuously track the location of carers or cared-for people unless geofencing is explicitly enabled on a paid plan.
7. Third-party processors
We use the following processors to operate Stimz Connect. Each acts on our instructions under a written data processing agreement:
Supabase - database hosting, authentication, and file storage
Vercel - web hosting and edge delivery
Apple - App Store in-app purchases and Apple Push Notification Service
RevenueCat - subscription management for the iOS app
Stripe - web payment processing for one-off purchases (we never see or store your full card details)
Twilio - SMS alert delivery
SendGrid - transactional email delivery (order confirmations, tag activation codes, contact form replies, scan alerts)
Shopify - storefront for physical NFC tags and related products, processes order checkout and shipping
Anthropic - on-demand translation of alert content when the Connect Alerts subscription is active
8. International transfers
Some of our processors (including Supabase, Apple, RevenueCat, Stripe, and Anthropic) operate infrastructure in the United States. Where personal data is transferred outside the UK or European Economic Area, we rely on the UK International Data Transfer Agreement or the European Commission's Standard Contractual Clauses (SCCs), together with appropriate supplementary measures, to protect your data.
10. Data storage and security
Your data is stored securely on Supabase (hosted on AWS) with row-level security policies ensuring each family can only access their own data. Session tokens expire automatically. All data is transmitted over HTTPS. We use anonymised IP addresses and do not store tracking cookies on the scanner's device.
11. Data about children
Stimz Connect accounts must be held by adults aged 18 or over. Profiles may be created for children by their parent, legal guardian, or authorised carer, and may contain a minor's personal data including health information. Only the authorised adult account holder can create, edit, or delete a child's profile. Consistent with the ICO's Children's Code (Age Appropriate Design Code), we treat under-18 profile data with additional care: we minimise what is shown, we do not profile children, and we do not use their data for any purpose other than running the service. The UK age of consent for digital services is 13.
12. Your rights
Under UK GDPR and EU GDPR you have the right to:
- request access to the personal data we hold about you
- request rectification of inaccurate or incomplete data
- request erasure of your data (the right to be forgotten)
- request restriction of processing in certain circumstances
- receive your data in a portable, machine-readable format
- object to processing based on legitimate interests
- withdraw consent at any time where processing is based on consent
You can exercise most of these rights directly from your dashboard (edit or delete profiles, request a data export, or close your account). For anything you cannot do yourself, email hello@stimz.com. If you are unhappy with how we handle your data, you have the right to complain to the UK Information Commissioner's Office at ico.org.uk or to your local EU supervisory authority.
13. Data retention
Profile data is retained for as long as your account is active. Scan logs are retained for 90 days, after which they are automatically deleted. Medication history is retained for 3 months for review purposes. When you delete a profile or close your account, all associated data (medical records, contacts, scan history) is permanently removed from our active systems within 30 days, subject to limited backup retention required for disaster recovery.
14. Changes to this policy
We may update this policy from time to time. We will notify you of significant changes via email or an in-app notice. The "last updated" date at the top of this page reflects when the policy was most recently revised.
15. Contact us
If you have questions about this privacy policy or how we handle your data, please email hello@stimz.com. You can also write to us at Flexi Fidgets Co. Ltd, 43 Dollywaggon Way, Bamber Bridge, Preston PR5 6EW, United Kingdom.