
Privacy Policy

Effective date: June 2, 2026 · Last updated: June 2, 2026

Operator: Lars Peters, Munich, Bavaria, Germany · privacy@watchover.me

Your privacy matters. This Privacy Policy explains what data Watchover collects, why we collect it, how we use and protect it, and what rights you have over it.

This policy covers two categories of people:

  • Account Holders — adults who create a Watchover account and pay for the service
  • Protected Persons — third parties (typically aging parents or relatives) whose phone numbers are enrolled by an Account Holder

If you are a Protected Person reading this: a family member has enrolled your phone number in Watchover to help protect you from scam messages. This policy explains how your data is handled.

1. Who We Are

Watchover is operated by Lars Peters, an individual based in Munich, Bavaria, Germany. For the purposes of the General Data Protection Regulation (GDPR), Lars Peters is the data controller.

Contact for privacy matters: privacy@watchover.me

2. What Data We Collect

2.1 Data You Provide (Account Holder)

When you create an account and set up Watchover, we collect:

  • Your email address
  • Your password (stored only as a bcrypt hash; we never store plaintext passwords)
  • Your payment information (processed and stored by Stripe — we do not store full card details)
  • The name you assign to your Protected Person
  • Your Protected Person's mobile phone number

2.2 Data Generated Through Use

When the service is used, we collect and store:

  • The content of messages forwarded by the Protected Person to the Watchover phone number
  • The AI-generated analysis and response returned to the Protected Person
  • The risk classification assigned to each message (high, medium, low, uncertain)
  • The timestamp of each forward and response
  • Whether you were notified of a high-risk assessment

2.3 Data From the Protected Person

The Protected Person interacts with Watchover only by forwarding messages and receiving automated responses via SMS. We collect:

  • Their mobile phone number (provided by you during setup)
  • The content of messages they forward
  • Their opt-out status (if they reply STOP)

We do not create a user account for the Protected Person. We do not collect their name, email address, or any data beyond what is described above.

2.4 Technical Data

When you use the Watchover dashboard, we may collect IP address, browser type and version, device type, pages visited and time spent, and referring URL. This data is used for security monitoring and service improvement. We do not use it for advertising.

3. How We Use Your Data

We use the data we collect for the following purposes:

| Purpose | Legal basis (GDPR) | Legal basis (US) |
|---|---|---|
| Providing the service (analyzing forwarded messages, returning responses, powering the dashboard) | Performance of contract | Contractual necessity |
| Billing and payment processing | Performance of contract | Contractual necessity |
| Sending SMS messages to the Protected Person | Legitimate interest / consent | Consent (TCPA) |
| Security monitoring and fraud prevention | Legitimate interest | Legitimate business purpose |
| Improving the service (aggregate, anonymized scam pattern analysis) | Legitimate interest | Legitimate business purpose |
| Complying with legal obligations | Legal obligation | Legal obligation |
| Communicating with you about your account | Performance of contract | Contractual necessity |

We do not use your data or your Protected Person's data for advertising. We do not sell your data. We do not share it with data brokers.

4. AI Processing

Watchover uses AI to analyze forwarded messages. Here is what that means in practice:

  • When a Protected Person forwards a message, the text content and any attached images are sent to Anthropic, PBC (the provider of the Claude AI model) via a secure API connection for analysis
  • Anthropic processes the message content under their privacy policy and data processing agreement with Watchover
  • Anthropic does not retain message content for training purposes under our agreement
  • The AI returns a risk assessment and a suggested response, which we send back to the Protected Person
  • The AI analysis is automated. No human at Watchover reads your Protected Person's forwarded messages in real time

Important: Under GDPR Article 22 and California's Automated Decision-making Technology (ADMT) rules effective January 1, 2026, you have the right to request human review of any automated assessment that significantly affects you. If you believe an automated assessment was significantly incorrect, contact us at privacy@watchover.me and we will review the case manually.

5. Data Sharing and Third Parties

We share data only with the following categories of third parties, and only to the extent necessary to operate the service:

  • Anthropic, PBC: AI message analysis. Messages are transmitted to Anthropic's API for processing. Anthropic is subject to a Data Processing Agreement with Watchover.
  • Twilio, Inc.: SMS infrastructure. Twilio transmits messages between Protected Persons and Watchover's processing system. Data transferred to Twilio is protected by Standard Contractual Clauses.
  • Supabase, Inc.: Database and authentication. Your account data and message logs are stored in Supabase's infrastructure. Supabase is SOC 2 Type II certified.
  • Stripe, Inc.: Payment processing. Watchover does not store full card details. Stripe is PCI-DSS compliant.
  • Vercel, Inc.: Hosting and infrastructure. The Watchover web application is hosted on Vercel.
  • Legal authorities: We may disclose data if required by law, court order, or valid legal process, or if we believe disclosure is necessary to protect the safety of any person or to prevent fraud or abuse of the service.

We do not sell your data. We do not share it with advertising networks, data brokers, or marketing platforms.

6. International Data Transfers

Watchover is operated from Germany. Some of our third-party service providers are located in the United States (Anthropic, Twilio, Stripe, Supabase, Vercel).

When we transfer personal data from the European Economic Area (EEA) to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable, and the adequacy and certification frameworks applicable to each provider.

By using Watchover, you acknowledge that your data may be processed in the United States and other countries whose data protection laws may differ from those of your country of residence.

7. Data Retention

| Data type | Retention period |
|---|---|
| Account information (email, name) | Until account deletion + 30 days |
| Payment records | 7 years (legal and tax compliance) |
| Forwarded message content and AI responses | 90 days from the date of the forward, then automatically deleted |
| Dashboard logs (risk classification, timestamp) | 12 months, then automatically deleted |
| Protected Person's phone number | Until removed from the account or account deletion |
| Technical/server logs | 30 days |

Automated deletion: Forwarded message content — including the text and any images your Protected Person sent — is automatically and permanently deleted after 90 days. This is the most sensitive data we hold and we delete it proactively regardless of whether you request it.

8. Security

We take reasonable technical and organizational measures to protect your data, including:

  • Encryption in transit (TLS 1.2 or higher for all data transfers)
  • Encryption at rest for database storage
  • Row-level security on all database tables (each account holder can only access their own data)
  • Password hashing (bcrypt)
  • Access controls limiting who can access production systems

No system is completely secure. In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and relevant supervisory authorities as required by applicable law (within 72 hours under GDPR where applicable).

9. Your Rights

9.1 Rights Under GDPR (EEA and UK Residents)

If you are located in the European Economic Area or the United Kingdom, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to erasure: Request deletion of your personal data, subject to legal retention obligations
  • Right to restriction: Request that we limit processing of your data in certain circumstances
  • Right to data portability: Receive your data in a structured, machine-readable format
  • Right to object: Object to processing based on legitimate interests
  • Right to withdraw consent: Where processing is based on consent, withdraw it at any time
  • Right not to be subject to automated decision-making: See Section 4

To exercise any of these rights, contact privacy@watchover.me. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority. In Germany, the relevant authority is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA).

9.2 Rights Under CCPA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

  • Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you
  • Right to delete: Request deletion of your personal information, subject to certain exceptions
  • Right to correct: Request correction of inaccurate personal information
  • Right to opt out of sale or sharing: Watchover does not sell or share personal information for advertising. No opt-out mechanism is required for this practice.
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights

Categories of personal information collected: Identifiers (email, phone number); commercial information (subscription records); internet/network activity (dashboard usage); and message content submitted through the service.

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

To exercise your California rights, contact privacy@watchover.me. We may need to verify your identity before processing your request.

9.3 Rights for All Users

Regardless of your location, you may at any time:

  • Delete your account: In account settings, or by emailing privacy@watchover.me. Account deletion permanently removes your personal data within 30 days, except data we are required to retain by law.
  • Remove a Protected Person: In account settings, which immediately removes their phone number from active enrollment and stops all automated messages to them.
  • Export your data: Contact privacy@watchover.me to request a machine-readable export of your account data.

10. Cookies and Tracking

Watchover's dashboard uses essential cookies to maintain your login session and provide the service. We do not use advertising cookies, tracking pixels, or third-party analytics that profile you across websites.

We use privacy-respecting analytics (no personally identifiable tracking) to understand aggregate usage patterns and improve the service.

11. Children's Privacy

Watchover is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected such data, please contact privacy@watchover.me and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email at least 14 days before the changes take effect. The updated policy will be posted at watchover.me/privacy with a revised effective date.

Your continued use of Watchover after the effective date of a revised policy constitutes your acceptance of the changes.

13. Contact

For any privacy-related questions, requests, or complaints:

Lars Peters
Munich, Bavaria, Germany
privacy@watchover.me

We aim to respond to all privacy requests within 5 business days and to resolve them within 30 days.

This Privacy Policy was last updated on June 2, 2026.