تخط إلى المحتوى
Praelion
Privacy · Praelion, Heedli & Lulnara / May 2026

Privacy Notice

Last updated: May 17, 2026

1. Who We Are

Praelion Health Ltd ("Praelion", "we", "us" or "our") is the controller responsible for personal data processed through:

  • the Praelion website at praelion.com;
  • Heedli, including the Heedli mobile app, admin systems, support channels, and related services; and
  • Lulnara, including the Lulnara mobile app, API, admin systems, support channels, and related services.

Praelion Health Ltd is a limited company registered in England and Wales with company number 17209225. Our registered office is First Floor, Swan Building, 20 Swan Street, Manchester M4 5JW, United Kingdom.

You can contact us about privacy matters at privacy@praelion.com.

This notice is written for parents, carers, guardians, young people where relevant, caregivers, website visitors, subscribers, and people who contact us. It is intended to explain clearly what we collect, why we collect it, who we share it with, how long we keep it, and the rights you have.

2. Important Context

Heedli and Lulnara are family-support apps. They may involve information about children, young people, disability, SEND, development, routines, symptoms, medication, sleep, feeding, behaviour, appointments, documents, photos, voice notes, and similar family records.

Some of this information may be sensitive. Under UK data protection law, health data, disability-related data, and some information about children may need particular protection. We design our services on the basis that family and child data should be treated carefully, minimised, protected by default, and used only for purposes that users would reasonably expect.

Our services are not emergency, clinical, legal, safeguarding, or social-care services. If there is an immediate risk to life, safety, or welfare, contact emergency services or the relevant urgent professional service. If you need medical, legal, educational, safeguarding, or SEND tribunal advice, speak to an appropriately qualified professional.

3. The Services Covered by This Notice

Praelion website

The Praelion website provides information about Praelion and our products, allows people to contact us, and may support business, press, partnership, and product enquiries.

Heedli

Heedli helps UK families navigating Special Educational Needs and Disabilities. Features may include rights and SEND information, template letters, emergency and wellbeing tools, child profiles, developmental and SEND records, incident logs, mood and behaviour tracking, AI-assisted letter drafting, pattern insights, professional reports, document storage, calendar management, young-person features, reminders, and push notifications.

Lulnara

Lulnara helps parents and caregivers track baby and family care. Features may include parent accounts, child profiles, feeding, sleep, growth, diaper, medication, vaccination, symptom, appointment, milestone, teething, activity, handoff, caregiver-sharing, export, analytics, AI chat, voice logging, sleep insights, subscriptions, reminders, and push notifications.

4. Personal Data We Collect

We collect only the personal data we need for the purposes described in this notice. The exact data depends on which service you use and which features you enable.

Account and identity data

This may include name, email address, password credentials or authentication tokens, account ID, parent or caregiver role, date of birth where provided, sign-in provider, email verification state, profile preferences, language, locale, app version, device platform, and security information.

If you use Apple Sign In or Google Sign In, we receive information those providers make available for sign-in, such as provider identifiers, email address, and account authentication data.

Child, young-person, and family profile data

This may include a child's name or nickname, date of birth, age, gender, profile photo or avatar, parent or caregiver relationships, school context, developmental history, SEND profile, conditions, suspected conditions, support status, strengths, interests, communication needs, sensory profile, sleep, eating, triggers, strategies, challenges, routines, milestones, teething records, growth records, and other family profile information you choose to enter.

Health, SEND, care, and wellbeing records

This may include feeding, sleep, diaper, activity, mood, behaviour, incidents, symptoms, medication, vaccination, appointment, health-log, journal, handoff, daily-context, check-in, breathing, wellbeing, and care-routine records.

In Heedli, SEND and disability records may include information relevant to EHCP, DLA, school support, reasonable adjustments, advocacy letters, incident evidence, professional reports, and young-person self-advocacy.

In Lulnara, care records may include baby-care logs, sleep questionnaires, sleep prediction inputs, growth and development records, doctor-visit report information, and caregiver coordination data.

Documents, photos, audio, video, and uploaded media

If you use document or media features, we may process files you upload, file names, file metadata, document categories, evidence bundles, profile images, milestone photos, log photos, health-log media, exported reports, voice recordings or transcriptions, handoff-note audio, and related storage identifiers.

Heedli stores documents and related metadata in Supabase systems. Lulnara uses signed Cloudinary upload flows for certain media where enabled. Media and exports can contain sensitive family data; you should share them only with people you trust.

AI and machine-learning data

If you use AI features, we may process prompts, messages, profile context, activity summaries, letter-generation inputs, AI outputs, voice-transcription text, consent choices, audit logs, usage counters, safety flags, and technical metadata needed to provide, secure, and monitor AI features.

Heedli uses AI for SEND letter drafting and related support. Its server-side flow redacts names and direct identifiers before calling the AI provider, records consent, rate-limits requests, and is designed so user data is not used to train AI models.

Lulnara uses AI for general parenting support, voice logging, and insight features where enabled. Lulnara supports AI consent levels, including a personalised mode using limited context and a general mode without personalised context. Lulnara blocks or redirects AI use for unsupported medical, diagnosis, treatment, emergency, medication, vaccination, and symptom-extraction cases.

Subscription, purchase, and entitlement data

If you subscribe or make in-app purchases, we may process product identifiers, entitlement status, store platform, subscription tier, purchase history, renewal and expiry state, trial state, RevenueCat identifiers, App Store or Google Play transaction information, webhook events, and customer-support records about subscriptions.

We do not receive your full card details from Apple, Google, or RevenueCat.

Notifications and communications data

This may include push notification tokens, device type, notification preferences, reminder settings, scheduled reminders, email preferences, support requests, product communications, transactional emails, admin or support responses, verification emails, broadcast messages, and complaint records.

Technical, analytics, security, and usage data

This may include IP address, request IDs, device model, operating system, app version, browser, language, pages or screens viewed, feature interactions, diagnostic logs, crash reports, performance data, rate-limit records, audit logs, admin access logs, fraud and abuse signals, and security events.

We do not sell personal data. We do not use family health, SEND, child, or care data for behavioural advertising. Where analytics are enabled, we aim to keep them proportionate and privacy protective. Lulnara contains Mixpanel analytics code, but current production documentation states that production Mixpanel collection should remain disabled unless deletion-cleanup credentials and proof are configured.

Information you choose to provide

Free-text fields, notes, messages, documents, voice inputs, photos, and support emails may include more personal or sensitive information than we ask for. Please enter only information you are comfortable storing in the relevant service.

5. Information About Children and Young People

Many records in Heedli and Lulnara relate to children. A parent, guardian, or person with appropriate authority should create and manage records for children who cannot lawfully or practically make those decisions themselves.

Where a young person uses a young-person feature, we may process their activity, mood, self-advocacy, schedule, achievement, or linked-device data to provide that feature. We aim to use privacy-protective defaults, collect only what is needed, avoid unnecessary sharing, and present privacy choices in a way that is appropriate for the service.

If you add information about another adult, child, caregiver, school, clinician, professional, or family member, you are responsible for ensuring you have a fair and lawful reason to do so and that you do not upload information that you are not entitled to share.

6. How We Use Personal Data

We use personal data to:

  • create, authenticate, secure, and manage accounts;
  • provide app features selected by users;
  • store, sync, retrieve, export, and delete family records;
  • support child profiles, care logs, SEND records, documents, reports, reminders, and calendars;
  • provide caregiver-sharing, young-person, and linked-device features where enabled;
  • process subscriptions, trials, entitlements, refunds, restores, and subscription-support requests;
  • generate AI-assisted letters, general parenting support, summaries, reports, insights, and voice-log outputs where consent and feature settings allow;
  • apply AI safety controls, consent controls, rate limits, and abuse-prevention measures;
  • provide push notifications, local reminders, transactional emails, verification emails, and support communications;
  • respond to enquiries, support requests, complaints, and rights requests;
  • maintain product safety, reliability, security, monitoring, audit trails, and fraud prevention;
  • produce anonymised or aggregated statistics and service insights;
  • run admin, moderation, support, and account-management tools with access controls;
  • comply with legal, regulatory, accounting, tax, company, consumer, app-store, and governance obligations; and
  • establish, exercise, or defend legal rights.

7. Lawful Bases

Under UK data protection law, we must have a lawful basis for processing personal data.

We rely on contract where processing is necessary to provide the service you request, including account creation, app functionality, synchronisation, exports, subscriptions, support, and paid features.

We rely on legitimate interests where processing is necessary for proportionate business and user-protection purposes, including service improvement, security, fraud prevention, crash diagnostics, abuse prevention, product analytics, support administration, admin audit logs, and maintaining reliable family-support services. We balance those interests against the privacy rights and expectations of users, children, and families.

We rely on consent where the law requires consent or where we choose to ask for it, including optional AI processing, optional research contribution features, optional marketing communications, certain analytics or cookies where enabled, and push notification permissions at device level. You can withdraw consent at any time, although this may disable the relevant feature.

We rely on legal obligation where we must process or keep records to comply with law, including accounting, tax, company, consumer, regulatory, safety, app-store, court, or lawful authority requirements.

We rely on vital interests only where necessary to protect someone's life or physical safety.

8. Special Category Data

Health, disability, SEND, and some child-related information may be special category data or otherwise highly sensitive. If biometric unlock features such as Face ID are used, biometric matching is normally handled by your device platform rather than by Praelion receiving your biometric template.

Where we process special category data, we rely on an Article 6 lawful basis and an Article 9 condition. Depending on the feature and context, the relevant Article 9 condition may include explicit consent, safeguarding where applicable, legal claims, or another condition permitted by law and documented for the relevant processing.

For core user-entered family records, our practical approach is to process sensitive data only because you choose to use features that require it, to make those features work, to protect the service, and to give you controls such as export, deletion, consent settings, and access management.

9. AI, Automation, and Profiling

AI features are optional or feature-specific. They are intended to help with drafting, organisation, reflection, pattern recognition, and general support. They do not replace clinicians, solicitors, schools, local authorities, tribunals, emergency services, safeguarding professionals, or parental judgement.

We use OpenAI API services where configured for AI features. The OpenAI API key is held server-side and is not exposed to the app. Our apps are designed so user data sent to AI features is not used to train AI models.

Heedli's AI letter feature redacts direct identifiers such as names, emails, phone numbers, postcodes, and school names where detected before building the AI request. Heedli also uses AI consent records and request limits.

Lulnara's personalised AI mode uses limited context such as age, gender, and activity summaries. Its general mode does not use personalised context. Lulnara's safety controls are designed to avoid diagnosis, treatment, medication, vaccination, symptom assessment, and emergency decision-making. Unsupported medical voice requests must be entered manually instead of being created by AI.

Machine-learning and analytics features may identify patterns in user-entered data, such as sleep, mood, incident, activity, or routine patterns. These outputs are informational and may be incomplete or inaccurate. You should review them critically.

We do not make decisions with legal or similarly significant effects about you or a child solely by automated means. Subscription entitlements, access controls, rate limits, and safety checks may be applied automatically to operate the service, but users can contact us if something appears wrong.

10. Research, Benchmarks, and Aggregated Data

Heedli includes optional research contribution and population benchmark features. Where enabled, these are designed to use anonymised or aggregated contribution data rather than raw event records or direct identifiers. Consent can be withdrawn in settings.

We may create aggregated, de-identified, or anonymised information to understand product safety, usage, reliability, feature performance, or broad population-level patterns. We use this only where individuals are not identifiable or where we otherwise have a lawful basis.

We will not treat data as anonymous unless it has been processed so that individuals are no longer reasonably identifiable.

11. Cookies and Website Analytics

The Praelion website uses essential technologies needed to deliver pages, protect the service, and remember basic technical preferences.

If website analytics are enabled, we use privacy-conscious aggregate analytics to understand broad usage patterns. We do not use advertising cookies, cross-site tracking pixels, or behavioural advertising profiles on praelion.com.

Where non-essential cookies or similar technologies require consent, we will ask for consent before setting them.

12. Who We Share Personal Data With

We share personal data only where necessary and with appropriate safeguards. Depending on the product and feature, recipients may include:

  • hosting, database, storage, deployment, infrastructure, and security providers, including Supabase, Railway, Vercel, PostgreSQL hosting, Redis, and related cloud infrastructure;
  • AI providers, including OpenAI, where AI features are used;
  • media and file providers, including Cloudinary for certain Lulnara media uploads and Supabase Storage for Heedli documents;
  • authentication providers, including Apple and Google where social sign-in is used;
  • payment and subscription providers, including Apple App Store, Google Play, and RevenueCat;
  • notification providers, including Expo push notification infrastructure and device platform notification services;
  • email and communications providers, including Resend where configured;
  • crash, diagnostic, monitoring, and observability providers, including Sentry;
  • analytics providers where enabled and configured with appropriate safeguards;
  • professional advisers such as lawyers, accountants, auditors, insurers, compliance consultants, and security advisers;
  • regulators, courts, law enforcement, public authorities, app stores, or payment platforms where legally required or necessary to protect rights, safety, or security; and
  • prospective business counterparties where necessary for due diligence, investment, acquisition, restructuring, or similar corporate activity, subject to confidentiality and data-protection safeguards.

We do not sell personal data. We do not permit third parties to use child, health, SEND, or family-care records for their own advertising purposes.

13. International Transfers

Some providers may process personal data outside the United Kingdom. Where that happens, we use safeguards required by UK data protection law, such as UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, standard contractual terms approved for the relevant transfer, or another lawful transfer mechanism.

14. Security

We use technical and organisational measures designed to protect personal data. These may include HTTPS, access controls, authentication, role-based admin access, service-role separation, secure credential storage, encrypted device storage where implemented, private storage buckets where implemented, signed upload flows, rate limiting, audit logs, monitoring, structured safe logging, PHI redaction in logs, supplier review, and deletion workflows.

No internet or mobile service can be guaranteed to be completely secure. You are responsible for keeping your device, operating system, account credentials, email account, app-store account, and exported files secure.

If we identify a personal data breach that creates a risk to individuals, we will assess it and make any legally required notifications.

15. Retention

We keep personal data only for as long as necessary for the purpose for which it was collected.

Account, profile, family, child, health, SEND, care, document, media, AI, report, and log data is normally kept while your account is active or while needed to provide the relevant feature.

If you delete records in the app, we aim to delete or anonymise the relevant live-service records unless we need to keep limited information for legal, security, audit, payment, dispute, backup, or safeguarding reasons.

If you delete your account:

  • Heedli's deletion function is designed to authenticate the requesting user, purge user-owned Supabase Storage objects, and delete the Supabase account and related database data through cascading deletion.
  • Lulnara's deletion service is designed to delete the local account, anonymise or scrub retained email/media references where needed, schedule Cloudinary cleanup, and delete or de-identify RevenueCat and Mixpanel identifiers where configured and applicable.

Some records may remain for a limited period in backups, logs, app-store records, payment records, email delivery records, audit trails, or third-party systems where immediate deletion is not technically possible or where retention is required for legal, tax, fraud-prevention, security, subscription, or dispute reasons.

Typical retention periods include:

  • website security logs: normally up to 90 days unless needed for investigation or legal reasons;
  • general enquiries and support correspondence: normally up to 24 months after last meaningful contact unless longer retention is needed;
  • account and product records: for the life of the account and then deleted or anonymised following account deletion, subject to the exceptions above;
  • consent and audit records: as long as needed to demonstrate compliance, resolve disputes, protect the service, or comply with law;
  • accounting, tax, subscription, and transaction records: normally up to 7 years where required or prudent;
  • anonymised or aggregated information: indefinitely, provided individuals are not reasonably identifiable.

16. Exports and Shared Reports

The apps may allow you to export data or create reports for schools, local authorities, clinicians, caregivers, or other trusted recipients. Exports and reports can contain sensitive personal, child, health, SEND, and family information.

Once you export, download, email, print, or share information outside the app, you are responsible for choosing recipients carefully and storing the file securely. We cannot control what a recipient does with information after you share it.

17. Your Rights

Depending on the circumstances, you may have the right to:

  • access the personal data we hold about you;
  • ask us to correct inaccurate or incomplete personal data;
  • ask us to delete personal data;
  • ask us to restrict processing;
  • object to processing based on legitimate interests;
  • receive certain personal data in a portable format;
  • withdraw consent where processing is based on consent;
  • object to direct marketing; and
  • complain to a data protection regulator.

Some rights are not absolute. For example, we may need to retain certain information for legal, tax, payment, security, safeguarding, audit, app-store, or dispute reasons.

To exercise a right, contact privacy@praelion.com. We may need to verify your identity before acting on a request. We will normally respond within one month unless the law allows a longer period.

If your request involves a child's data, we may need to verify your authority to act for that child and consider the child's rights and best interests.

18. Marketing

We may send service messages, transactional messages, verification emails, account notices, subscription notices, product-safety notices, and important policy updates without marketing consent where necessary.

We send marketing communications only where we have a lawful basis to do so. You can unsubscribe or object to marketing at any time.

19. App Stores and Device Permissions

When you download or buy through an app store, Apple or Google may process personal data under their own terms and privacy notices. Device permissions, such as camera, photo library, microphone, speech recognition, Face ID, notifications, and local storage, are controlled by your device platform.

The apps ask for permissions only where needed for selected features. You can change device permissions in your device settings, although disabling permissions may stop some features working.

20. Complaints

We would appreciate the chance to resolve any privacy concern first. Please contact privacy@praelion.com and explain the issue clearly.

You also have the right to complain to the UK data protection regulator, the Information Commissioner's Office. The ICO's website is ico.org.uk.

21. Changes to This Notice

We may update this notice from time to time, including when we add features, change suppliers, update legal requirements, or alter how we process data.

The latest version will be posted on this page with the updated date. Where changes are material, we may also notify users in-app, by email, or through another appropriate channel.

Made slowly · privacy@praelion.com