Privacy Policy

1. Introduction

Welcome to Diverticulitis Tracker ("we," "our," or "the Service"). We are committed to protecting your privacy and ensuring the security of your personal health information. This Privacy Policy explains how we collect, use, store, and protect your data when you use our service.

Important: This application processes sensitive health data. By using this service, you acknowledge that you have read and understood this Privacy Policy and consent to the processing of your health data as described herein.

2. Data Controller

The data controller responsible for your personal data is:

Note: Please update this section with your actual contact information.

3. What Data We Collect

3.1 Account Information

• User ID: A randomly generated unique identifier (no personal information)
• Account creation date
• Last access timestamp
• API token (optional, for automated data export)

3.2 Health Data (Special Category Data under GDPR)

We collect the following sensitive health information that you voluntarily provide:

• Daily health summaries: Sleep hours, sleep quality, personal notes
• Activity logs: Activity type, duration, effort level, notes
• Meal logs: Meal descriptions, meal type, fiber ratings, FODMAP ratings, notes
• Symptom tracking: Pain levels, temperature, bloating, stress levels, location, notes
• Bowel movement records: Bristol stool scale consistency, notes
• Medication logs: Medication names, dosages, notes
• Hydration tracking: Water intake amounts
• Mood assessments: Mood ratings, time of day
• Saved recipes: Recipe names, ingredients, dietary preferences

3.3 Technical Data

• Session cookies: To keep you logged in
• Timezone information: To display dates/times correctly
• Browser type and version: For compatibility (if analytics enabled)

4. Why We Collect Your Data (Legal Basis)

4.1 Legal Basis for Processing

Under GDPR Article 6 and Article 9, we process your data based on:

• Explicit Consent (Article 9(2)(a)): You provide explicit consent to process your health data for the purposes described in this policy. You can withdraw consent at any time.
• Contract Performance (Article 6(1)(b)): To provide you with the health tracking service you requested.

4.2 Purposes of Processing

We use your data to:

• Enable you to track your diverticulitis symptoms and identify triggers
• Store and organize your health records
• Generate analytics and insights from your data
• Provide AI-powered meal analysis (fiber and FODMAP ratings) - Optional
• Allow you to export your data for medical consultations
• Improve the service (aggregated, anonymized data only)

5. AI-Powered Meal Analysis

5.1 What Data is Sent to Google

• Meal descriptions you enter
• Food items and ingredients

5.2 What Data is NOT Sent

• Your user ID or any identifying information
• Symptoms, medications, or other health data
• Personal notes

5.3 Purpose of AI Processing

Google Gemini AI analyzes your meal descriptions to provide:

• Fiber content ratings (Low/Medium/High)
• FODMAP content ratings
• Meal recommendations

5.4 Your Control

• AI analysis is optional - the service works without it
• You can enable/disable AI analysis in Settings
• Historical data is not sent retroactively

5.5 Google's Privacy Policy

Google's processing of your meal data is subject to their privacy policy:
https://policies.google.com/privacy

5.6 Data Processing Agreement

We have assessed Google Gemini AI as a data processor. Google processes this data according to their AI terms of service and does not use your data to train their models (as per Gemini API terms).

6. How We Store Your Data

6.1 Storage Location

• All your data is stored locally on our server
• Database file: SQLite database in a secure data directory
• No cloud storage services used
• Server location: [SPECIFY YOUR SERVER LOCATION/COUNTRY]

6.2 Security Measures

• Encryption in transit: HTTPS/TLS encryption for all connections
• Session security: Argon2id password hashing, HttpOnly cookies, CSRF protection
• Access control: Data isolated by user ID - you can only access your own data
• Rate limiting: Protection against brute force attacks
• Regular backups: Encrypted backups stored securely

6.3 Data Retention

• Active accounts: Data retained indefinitely while you use the service
• Inactive accounts: Accounts inactive for 2+ years may be deleted after notification
• Deleted accounts: All data permanently deleted within 30 days of deletion request
• Backups: Deleted data removed from backups within 90 days

7. Your Rights Under GDPR

You have the following rights regarding your personal data:

To exercise any of these rights, please contact us at [YOUR EMAIL]. We will respond within 30 days as required by GDPR.

8. Cookies and Tracking

8.1 Essential Cookies

We use the following essential cookies necessary for the service to function:

• Session cookie: Keeps you logged in (expires after 30 days)
• CSRF token: Protects against cross-site request forgery

These cookies are necessary for the service and do not require consent under GDPR.

8.2 Analytics Cookies (Optional)

If the site administrator has enabled analytics, we may use privacy-focused analytics (such as Plausible Analytics) to understand how users interact with the service. These analytics:

• Do not track individual users
• Do not use personal identifiers
• Are GDPR-compliant by design
• Can be disabled via cookie consent banner

9. Data Sharing and Third Parties

9.1 Who We Share Data With

• Google LLC (Gemini AI): Only meal descriptions, only if you enable AI analysis
• Analytics Provider: Only if enabled by admin, aggregated non-personal data only

9.2 Who We DO NOT Share Data With

• Advertisers
• Data brokers
• Insurance companies
• Employers
• Medical providers (unless you export and share it yourself)
• Any other third parties

9.3 Legal Disclosure

We may disclose your data only if required by law (e.g., court order, subpoena) or to protect our legal rights. We will notify you of such requests unless legally prohibited.

10. Data Breach Notification

In the unlikely event of a data breach that affects your personal data, we will:

• Notify the relevant supervisory authority within 72 hours (GDPR Article 33)
• Notify you without undue delay if the breach poses a high risk to your rights
• Provide information about the breach, its impact, and remediation steps
• Document the breach and our response

11. International Data Transfers

Your data is primarily stored on servers located in [SPECIFY COUNTRY]. If you use AI analysis, your meal descriptions may be processed by Google in the United States or other countries where Google operates data centers. These transfers are protected by:

• Google's participation in the EU-U.S. Data Privacy Framework (or equivalent)
• Standard Contractual Clauses (SCCs)
• Your explicit consent to AI processing

12. Children's Privacy

Our service is not intended for children under 16 years of age. We do not knowingly collect data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [YOUR EMAIL] and we will delete such data.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. For material changes, we will notify you via:

• Prominent notice on the website
• Notification in your dashboard

Your continued use of the service after changes constitutes acceptance of the updated policy.

14. Right to Lodge a Complaint

If you believe we have not complied with GDPR or other data protection laws, you have the right to lodge a complaint with a supervisory authority:

• EU Citizens: Your country's data protection authority ( Find your authority )
• UK Citizens: Information Commissioner's Office (ICO) - ico.org.uk

15. Contact Us

For privacy-related questions, requests, or concerns, please contact: