Last reviewed: 23 May 2026. Subprocessor list last updated: 23 May 2026.
Court-directed parents and their lawyers read this page carefully. So we wrote it that way: concrete about what we store, where we keep it, who can see it, and what we honestly do not yet do.
Where Your Record Lives
- Raposa’s servers, database, and uploaded files are hosted on Hetzner infrastructure in Helsinki, Finland, inside the European Union.
- This means your data is held under EU GDPR and, when accessed by UK residents, under UK GDPR.
- The same physical region holds the application database, object storage for uploaded files, and backups.
- HTTPS is enforced everywhere, with auto-renewing certificates managed by Caddy and TLS 1.2 or newer for every connection.
- We do not currently mirror your data to other regions.
What this means in practice. If you are in the UK or the EU, your record never leaves jurisdictions you already understand. If you are in the US, your record is held under stricter privacy law than US-based competitors typically apply: under EU and UK GDPR, not US state law alone.
What We Store
We store only what is needed to keep your care record useful and exportable. Specifically:
- Account information: your email, a hashed password, your name, optional profile photo, and your role on each care record.
- Care record contents: messages, drafts, schedules, handovers, expenses, agreement documents, uploaded files, and the timeline of events tied to the record.
- Artifact metadata: every uploaded file is stored with a SHA-256 checksum, original filename, upload timestamp, and the user who uploaded it.
- Audit events: an append-only log of who did what and when, scoped to your household.
- Billing records: Stripe customer and subscription identifiers. Card details themselves never touch Raposa’s servers; they live with Stripe.
What We Do Not Store
This list is deliberate. If a feature requires data we do not store, we will not build that feature.
- Plaintext passwords. Ever.
- The other parent’s device location outside the location they choose to record on a specific handover entry.
- Communications outside Raposa: your texts, your email, your other apps. We do not import and we do not scrape.
- Tracking data about either parent’s movements, calls, or activity outside the app.
- Payment card details: Stripe holds these.
- Anything you did not add or upload. Raposa is a record you build, not a profile we build about you.
Access Controls
- Every care record has a small group of named members. Each member has a role: parent, lawyer, mediator, caregiver, school contact, or platform staff for support.
- Parents see their full care record for children they have access to.
- Invited third parties see only what their role and access grant allow. A school contact does not see your messages. A lawyer does not see records you have not chosen to share with them.
- Children’s records are protected. Children are not users in Raposa. Third-party access to a child’s information requires an explicit, recorded grant.
- Every access change is logged as a household event. Adding, removing, or changing a member’s role is part of the record.
- API access uses signed JWT tokens with short expiry. Every API call validates the user’s role against the household before returning data.
Integrity — And Its Honest Limits
We try to be specific where competitors are vague.
What We Do
- Sent messages are immutable: once a message is sent, it cannot be edited or deleted by either parent through the app.
- Drafts are private. Only the author sees a draft until they send it.
- Uploaded files carry SHA-256 checksums. If a file’s bytes change, the checksum changes. The original checksum is part of the record.
- Household events are append-only with baseline hash fields, so altering an earlier event would break the chain that follows it.
- Closed threads are locked server-side. Once a conversation is closed, its title, type, and dates cannot be edited and no new messages can be sent inside it.
What We Do Not Claim
- We do not claim “court-approved” or “guaranteed admissibility” in any jurisdiction. Whether a court accepts a Raposa export depends on the court, the case, and your lawyer.
- Our hash chaining is a baseline tamper-evidence layer, not external notarisation, blockchain anchoring, or object-lock storage.
- Replacing our object-storage signing with a fully signed provider chain is on our roadmap; until that ships, we are transparent that the current MVP uses provider-compatible request signing during a controlled rollout.
If you need notarised or court-certified evidence, your lawyer or solicitor is the right person to advise on the right service. Raposa can be a useful clean record to hand them. It is not a replacement for them.
Authentication
- Email and password today, with passwords stored using a modern hashing algorithm.
- We do not use SMS-based two-factor authentication. SMS is vulnerable to SIM-swap attacks and is not appropriate for a high-stakes record.
- Passkey / WebAuthn support is on the roadmap and will be the recommended second factor when it ships.
- Password reset is by email. The reset link is short-lived and single-use.
Subprocessors
We use a small number of named third-party services. Each one has its own privacy and security commitments; we list them so you can verify them.
| Provider | What it processes | Where it operates | DPA |
|---|---|---|---|
| Hetzner Online GmbH | Application hosting, database, object storage | Finland (EU) | DPA |
| Stripe Payments Europe / Stripe Inc. | Subscription billing, payment cards | EU and US | DPA |
| Amazon Web Services SES | Account verification, password reset, invite delivery, evidence-export notifications | EU, SES eu-central-1 | GDPR center |
Raposa uses Plausible Analytics self-hosted on the same Hetzner infrastructure as the rest of the application. Because the analytics data never leaves our environment, Plausible is not a third-party subprocessor and is not listed above. Analytics events are page-level and cookie-less.
We update this list when subprocessors change.
Incident Response
- If we discover a security incident affecting your data, we will notify you within 72 hours of becoming aware of it, as required by UK GDPR and EU GDPR.
- We will tell you what we know, what we do not, and what we are doing.
- We will not delay the notification to make the incident look less serious.
Your Rights and What to Email
Under UK GDPR and EU GDPR
- Access the personal data we hold about you.
- Correct it if it is wrong.
- Export it in a portable format. Care record exports work for this.
- Delete your account; we retain only what we are legally required to, such as transaction records for tax purposes.
- Object to specific processing.
- Lodge a complaint with the UK ICO or the data protection authority in your EU country.
For Users in the United States
Raposa applies UK / EU GDPR standards to your data because that is where it is hosted. In addition, where state law gives you stronger rights, we honour those.
What to Email
- Data requests: privacy@raposa.ai
- Account or billing questions: support@raposa.ai
Support Availability
We respond to support emails within 1 working day during UK business hours, Monday to Friday, 09:00–18:00 GMT / BST. Outside business hours, on weekends, or during UK public holidays, responses may take 1–3 working days.
If we are at reduced capacity, our auto-reply will let you know. That is typically up to 5 working days during those periods.
If you are dealing with something urgent right now, such as a custody handover that has gone wrong or a safety concern, please contact your solicitor, the family court, or local emergency services as appropriate. Raposa is here to help you document and coordinate, but we are not a real-time response service. We will follow up with you as soon as we can on the next working day.
Reporting a Security Issue
If you believe you have found a security vulnerability in Raposa, please email security@raposa.ai. We will acknowledge security reports within 72 hours and provide an initial assessment or request for more information within 5 working days.
Our full responsible disclosure policy is published at Responsible disclosure, and the machine-readable contact file is available at /.well-known/security.txt.
What Is in Scope
- Authentication, session, or access-control flaws.
- Vulnerabilities that expose or modify another user’s care record.
- Stored or reflected cross-site scripting on Raposa-owned surfaces.
- Server-side request forgery, command injection, or similar server-side risks.
- Sensitive data exposure through Raposa-owned applications, APIs, or deployment configuration.
What Is Out of Scope
- Denial-of-service, load testing, or high-volume automated scanning.
- Social engineering, phishing, physical attacks, or attempts against Raposa staff or vendors.
- Spam, content injection that does not create a security impact, or missing security headers without exploitability.
- Reports based only on automated scanner output without a working proof of impact.
Credit Policy
Raposa does not currently operate a paid bug bounty program. We appreciate responsible reports and may credit researchers who report valid issues responsibly and want to be named.
We do not currently publish a public GPG key for security@raposa.ai. When an approved public key is available, we will publish it from the responsible disclosure page and add it to /.well-known/security.txt.