GoutTracker.com

Privacy Policy

Last updated: 3/25/2026

This Privacy Policy complies with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Data Controller Information

The data controller responsible for your personal information is:

Alex Casteleiro

Operating as: NUCONET USA

Service: GoutTracker.com (provided via NucoAI.com)

Contact:

Our Commitment to Your Privacy

We take your privacy seriously. This privacy policy explains how we collect, use, protect, and share your personal health information.

We are not a covered entity under HIPAA, but we follow HIPAA-aligned best practices to protect your health data.

What Personal Information We Collect

We collect the following categories of personal information as defined by CCPA:

1. Identifiers

  • Email address (required)
  • Name (optional)
  • Unique user ID (automatically generated)

2. Health Information

  • Meals logged and food items consumed
  • Foot pain entries and pain levels (0-10 scale)
  • Optional notes about symptoms and triggers

3. Internet or Network Activity

  • Login times and session duration
  • Features used and pages viewed
  • Device type and browser information

4. Commercial Information

  • Subscription plan type (free or premium)
  • Payment transaction records (processed by Stripe)

We do NOT collect: Social Security numbers, medical record numbers, insurance information, precise geolocation, biometric data, or any sensitive personal information beyond what you voluntarily provide.

Sources of Personal Information

We collect personal information from the following sources:

  • Directly from you: When you create an account, log meals, track pain, or contact support
  • Automatically: Through cookies and analytics when you use the Service
  • Third-party authentication: Via Manus OAuth when you sign in
  • Payment processor: Transaction data from Stripe (we do not store credit card details)

Legal Basis for Processing (GDPR)

Under GDPR Article 6, we process your personal data based on the following legal grounds:

  • Contract Performance: Processing is necessary to provide the tracking and analytics services you requested
  • Consent: You explicitly consent to us processing your health data when you create an account and log information
  • Legitimate Interest: We have a legitimate interest in improving our service through anonymized analytics and preventing fraud

You may withdraw your consent at any time by deleting your account. This will not affect the lawfulness of processing based on consent before its withdrawal.

How We Use Your Personal Information

We use your personal information for the following business and commercial purposes:

  • Service Delivery: Provide meal tracking, pain logging, and analytics features
  • Report Generation: Create printable reports and AI-generated summaries for healthcare discussions
  • Account Management: Manage your account, authentication, and subscription
  • Service Improvement: Analyze aggregated, anonymized data to improve features and user experience
  • Communication: Send service updates, security alerts, and respond to support requests
  • Legal Compliance: Comply with applicable laws and regulations
  • Fraud Prevention: Detect and prevent fraudulent activity and security threats

We do NOT use your personal health data for advertising, marketing to third parties, or any purpose unrelated to providing the Service.

How We Protect Your Data

We implement industry-standard security measures to protect your personal information:

  • Encryption in Transit: All data is encrypted using HTTPS/TLS (256-bit encryption) when transmitted between your device and our servers
  • Encryption at Rest: Your data is stored in encrypted databases with AES-256 encryption
  • Secure Authentication: We use secure session management with HTTP-only, secure cookies
  • Access Controls: Strict role-based access controls ensure only authorized personnel can access systems
  • Regular Security Audits: We conduct regular security assessments and vulnerability scans
  • Data Minimization: We collect only the minimum data necessary to provide the Service

Third-Party Disclosures and Data Sharing

We share personal information with the following categories of third parties:

  • Service Providers: Manus platform (hosting, authentication), Stripe (payment processing)
  • Analytics Providers: Google Analytics, Meta Pixel (Facebook), StatCounter, and Manus analytics (aggregated, non-PHI data only)
  • AI Service Providers: For generating report summaries (anonymized data only, no names or emails)

We do NOT sell, rent, or share your personal information for monetary or other valuable consideration. We do NOT sell your personal information to third parties.

All third-party service providers are contractually obligated to protect your data and use it only for the purposes we specify.

International Data Transfers

Your personal data may be transferred to and processed in countries outside your country of residence, including the United States.

When we transfer data internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequate security measures equivalent to GDPR standards
  • Compliance with applicable data protection laws

Data Retention

  • Free Plan: Data older than today is automatically deleted daily to comply with free tier limitations
  • Premium Plan: Historical data is retained for one year (365 days). Data older than 365 days is automatically deleted to manage storage and comply with our retention policy
  • Account Data: Account information is retained until you delete your account
  • Billing Records: Transaction records are retained for 7 years as required by law
  • Anonymized Data: Aggregated, anonymized analytics data may be retained indefinitely for research and service improvement

Analytics, Cookies, and Tracking

We use multiple analytics services to understand how users interact with our Service and improve features:

  • Google Analytics: Tracks page views, user behavior, and traffic sources. Uses cookies to collect anonymous usage data. Google Privacy Policy
  • Meta Pixel (Facebook): Tracks conversions, user behavior, and enables targeted advertising. Uses cookies and browser fingerprinting. Meta Privacy Policy
  • StatCounter: Provides visitor statistics and web analytics. Uses cookies to track page views and user sessions. StatCounter Privacy Policy
  • Manus Analytics: Internal analytics for feature usage and performance monitoring (aggregated, non-PHI data only)

Important: No personally identifiable health information (PHI) is sent to external analytics services.

Analytics data includes: page views, button clicks, feature usage, traffic sources, device type, and browser information. It does NOT include: specific foods you log, pain levels, or any health details.

Cookies: We use both essential and analytics cookies:

  • Essential Cookies: Required for authentication and session management. Cannot be disabled.
  • Analytics Cookies: Used by Google Analytics, Meta Pixel, and StatCounter to track usage patterns. These help us improve the Service but are not strictly necessary for functionality.

Opting Out: You can opt out of analytics tracking by:

  • Using browser settings to block third-party cookies
  • Installing the Google Analytics Opt-out Browser Add-on
  • Enabling "Do Not Track" in your browser settings
  • Using privacy-focused browsers or extensions that block tracking scripts

Automated Decision-Making and Profiling

We use AI to generate report summaries for premium users. This is NOT automated decision-making that produces legal or similarly significant effects.

The AI summaries are:

  • Generated from anonymized data (no names or emails)
  • Used only to help you discuss patterns with your healthcare provider
  • Not used to make decisions about your health, eligibility, or access to services
  • Subject to your review and interpretation

We do NOT use profiling or automated decision-making for any other purposes.

Your Privacy Rights

Under GDPR (for EU/EEA residents) and CCPA (for California residents), you have the following rights:

1. Right to Access (GDPR Article 15 / CCPA Right to Know)

View all your personal data at any time through the app. Request a copy of your data in a portable format.

2. Right to Rectification (GDPR Article 16)

Correct or update any inaccurate or incomplete personal information.

3. Right to Erasure / Right to Delete (GDPR Article 17 / CCPA)

Request deletion of your personal data. When you delete your account, all your data is permanently removed within 30 days.

4. Right to Restriction of Processing (GDPR Article 18)

Request that we limit how we use your personal data in certain circumstances.

5. Right to Data Portability (GDPR Article 20)

Export your data in a machine-readable format (JSON/CSV) to transfer to another service (premium feature).

6. Right to Object (GDPR Article 21)

Object to processing of your personal data based on legitimate interests or for direct marketing purposes.

7. Right to Withdraw Consent (GDPR Article 7)

Withdraw your consent at any time by deleting your account or contacting us.

8. Right to Lodge a Complaint (GDPR Article 77)

EU/EEA residents have the right to lodge a complaint with their local supervisory authority if they believe we have violated their privacy rights.

9. Right to Non-Discrimination (CCPA)

We will not discriminate against you for exercising your CCPA rights. You will receive the same service quality regardless of whether you exercise your rights.

How to Exercise Your Rights:

  • Visit your account settings in the app
  • Contact us at nuconet.com/support
  • California residents: Use the "Do Not Sell My Personal Information" link below

Do Not Sell My Personal Information (CCPA)

We do NOT sell your personal information to third parties, and we have not sold personal information in the past 12 months.

Under CCPA, "sale" means disclosing personal information to third parties for monetary or other valuable consideration. We do not engage in this practice.

If our practices change in the future, we will update this policy and provide California residents with a clear "Do Not Sell My Personal Information" opt-out mechanism.

Authorized Agents (CCPA)

California residents may designate an authorized agent to make privacy requests on their behalf.

To use an authorized agent:

  • Provide written authorization signed by you (the consumer)
  • The agent must provide proof of their authority
  • We may require you to verify your identity directly with us
  • We may require you to confirm you gave the agent permission to submit the request

Identity Verification Process

To protect your privacy, we verify your identity before fulfilling data requests:

  • For access requests: We verify your email address and require you to log in to your account
  • For deletion requests: We require email verification plus additional confirmation to prevent accidental deletion
  • For sensitive data requests: We may require additional verification steps

If we cannot verify your identity, we will not be able to fulfill your request and will notify you of the reason.

Data Breach Notification

In the unlikely event of a data breach that affects your personal information, we will:

  • Notify affected users within 72 hours of becoming aware of the breach (GDPR requirement)
  • Notify relevant supervisory authorities as required by law
  • Provide details about what data was affected and steps we are taking
  • Offer guidance on how you can protect yourself

We maintain an incident response plan and conduct regular security assessments to minimize the risk of breaches.

Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children.

If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information immediately.

Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements.

When we make material changes:

  • We will update the "Last updated" date at the top of this page
  • We will notify you via email or in-app notification
  • For significant changes, we may require you to review and accept the updated policy

Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

Contact Us

If you have questions about this privacy policy, want to exercise your rights, or have privacy concerns, please contact us:

Data Controller:

Alex Casteleiro / NUCONET USA

Contact Methods:

For GDPR-related inquiries, please include "GDPR Request" in your subject line.
For CCPA-related inquiries, please include "CCPA Request" in your subject line.

EU Representative (GDPR Article 27)

If you are located in the European Union and have questions about your data protection rights, you may contact us using the information above.

Note: As a small business operator, we may not be required to appoint a formal EU representative under GDPR Article 27(2). However, we are committed to responding to all EU data subject requests promptly.

Important: We are not a medical provider and this app is not a medical device. This privacy policy applies to the tracking tool only. Always consult with a qualified healthcare professional for medical advice.