Privacy Policy

**MediOne**

**Last updated: 9 March, 2026**

**Effective date: 9 March, 2026**


1. Introduction

MediOne ("we," "our," or "us") is operated by [YOUR NAME / COMPANY NAME] ("Developer"). This Privacy Policy explains what information we collect, how we use it, and your rights regarding it when you use the MediOne mobile application ("App").

Please read this policy carefully. By using the App you agree to the practices described here. If you disagree, please stop using the App and delete it from your device.


2. Summary (Plain English)

  • **Your health data never leaves your device by default.** It is encrypted locally and only you can access it.
  • **Cloud sync is opt-in and Plus-only.** If you create an account and enable sync, your data is transmitted to our servers. You can delete it at any time.
  • **We use third-party crash and analytics tools** (Firebase, Sentry, PostHog) to fix bugs and improve the App. These do not receive the contents of your medical documents.
  • **We use RevenueCat** to manage subscriptions. Your purchase history is handled by Apple and RevenueCat, not by us directly.
  • **We never sell your data.**
  • **We are not a HIPAA Covered Entity.** MediOne is a personal-use tool, not a healthcare provider or business associate.

3. Information We Collect

3.1 Information You Provide

    When you use MediOne, you may enter:

  • **Health and medical data** — episode dates, notes, clinic and doctor names, category labels, and file attachments (photos, PDFs, scanned documents, and other files you add).
  • **Person profiles** — names or labels you assign to profiles (e.g. "Me", "Child", "Parent"). These are stored locally and optionally synced.
  • **Account credentials** — if you choose to create an account for cloud sync, we collect your **email address**. Your password is hashed by Supabase Auth before storage; we never see or store it in plain text.

3.2 Information Collected Automatically

    **Crash reports and diagnostics (Sentry)**

    If Sentry is configured, anonymized crash reports and stack traces are sent to Sentry, Inc. when the App crashes. These reports contain device type, OS version, and app version. They do not contain the contents of your medical documents.

    **Usage analytics (Firebase Analytics)**

    Firebase Analytics (Google LLC) is always enabled. It collects:

  • App open/close events and screen views (screen names only, not document content).
  • Feature interaction events (e.g. "episode created," "sync triggered") — these are aggregate counts, not document contents.
  • Device identifiers assigned by Firebase (an anonymous app instance ID; on iOS, access to the advertising identifier is governed by the App Tracking Transparency permission).
  • Approximate location (country/region level) derived from IP address.
  • See [Firebase Privacy Policy](https://firebase.google.com/support/privacy).

    **Usage analytics (PostHog)**

    If a PostHog API key is configured in the release build, additional usage events are sent to PostHog, Inc. The same data-minimization principles apply: event names and metadata only, never document content. PostHog processes data under a Data Processing Agreement.

    **Subscription and purchase data (RevenueCat)**

    RevenueCat, Inc. manages our in-app subscription. When you purchase or restore a Plus subscription, RevenueCat receives:

  • A pseudonymous RevenueCat user ID (linked to your Supabase user ID if signed in, or a device-level anonymous ID otherwise).
  • Your App Store transaction receipt and entitlement status.
  • Device platform and app version.
  • RevenueCat does not receive your medical data. See [RevenueCat Privacy Policy](https://www.revenuecat.com/privacy).

    **Apple App Store and StoreKit**

    All payments are processed by Apple. We do not receive your full payment card details. Apple's Privacy Policy governs that transaction.

    3.3 Share Extension

    When you share a file into MediOne from another app (e.g. Files, Mail), the file is:

    1. Temporarily copied to an App Group container on your device.

    2. Processed by the main App and moved to its encrypted storage.

    3. The temporary copy is deleted immediately after import.

    No file content is transmitted to any server during this process.

    3.4 What We Do NOT Collect

  • The **contents** of your medical documents or attachments (these stay on-device and, if synced, are stored as your own files in your Supabase account).
  • Biometric data (Face ID / Touch ID is evaluated on-device by iOS; the App never receives biometric data, only a boolean success/failure from the system framework).
  • Your contacts or address book.
  • Precise GPS location.
  • Microphone or camera data beyond the photo/file you explicitly capture and add to an episode.

4. How Your Data Is Stored

    4.1 On-Device (Default)

    All data you enter in MediOne is stored locally on your device:

  • **Database** — encrypted with SQLCipher (AES-256-CBC). The encryption key is stored in the iOS Keychain.
  • **Attachment files** — encrypted with AES-256-CBC. Keys are stored in the iOS Keychain.
  • **Temporary files** — App Group container (`group.com.a17studio.medione`) used only during Share Extension import; cleaned up immediately after processing.
  • If you do not create an account, **none of your health data or attachments is ever sent to any server**. Only the crash diagnostics and usage analytics described in §3.2 are transmitted.

    4.2 Cloud Sync (Optional — Plus Subscribers)

    If you sign in and enable sync:

  • Your episode metadata and attachment files are uploaded to Supabase (hosted on AWS infrastructure). Supabase stores data in a region selected at project creation (see your account region).
  • Data is transmitted over TLS. Storage at rest uses Supabase's server-side encryption.
  • **Important:** As of this version, attachment file content is uploaded to Supabase Storage. The encryption described in §4.1 protects data on your device; cloud copies are protected by Supabase's server-side encryption and your account credentials, **not** by your local device key. A future version may add client-side encryption before upload.
  • Row-level security policies ensure only your authenticated user ID can read or write your data.
  • When you sign out, all data associated with your account is wiped from your device. Your cloud copy is **not** automatically deleted on sign-out (you can delete it manually — see §6).
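The row-level security statement above is the control that keeps one subscriber's synced rows and files from being readable by another subscriber who is also authenticated. The following Postgres/Supabase policy set is an added illustration of what that means in practice; it is not MediOne's actual schema or policies. The table name `episodes`, the `owner_id` column and the `attachments` bucket are assumed for the example. The permissive policy that is commented out is the common mistake: it lets any signed-in user read every row, which is exactly what RLS is meant to prevent.

```sql
-- Illustrative schema (assumed; not MediOne's real schema).
create table if not exists episodes (
  id          uuid primary key default gen_random_uuid(),
  owner_id    uuid not null default auth.uid() references auth.users (id),
  occurred_on date,
  notes       text,
  created_at  timestamptz not null default now()
);

-- Without this, policies are never consulted and every row is visible.
alter table episodes enable row level security;
-- Apply RLS even to the table owner; the Supabase service role still
-- bypasses it because that role has the BYPASSRLS attribute.
alter table episodes force row level security;

-- WEAK (do not use): "any authenticated user" is not "only the owner".
-- create policy "episodes_read_any" on episodes
--   for select to authenticated using (true);

-- CORRECT: every operation is scoped to rows whose owner is the caller.
-- auth.uid() is the `sub` claim of the JWT that PostgREST attaches to
-- the request, so a client cannot forge it without the signing key.
create policy "episodes_select_own" on episodes
  for select to authenticated
  using (owner_id = auth.uid());

create policy "episodes_insert_own" on episodes
  for insert to authenticated
  with check (owner_id = auth.uid());

create policy "episodes_update_own" on episodes
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());   -- also blocks re-homing a row to another user

create policy "episodes_delete_own" on episodes
  for delete to authenticated
  using (owner_id = auth.uid());

-- Attachment files in Supabase Storage need their own policy: objects are
-- rows in storage.objects, and the first path segment is the owner's id
-- (layout <user id>/<file>, assumed for this example).
create policy "attachments_own_folder" on storage.objects
  for all to authenticated
  using (
    bucket_id = 'attachments'
    and (storage.foldername(name))[1] = auth.uid()::text
  )
  with check (
    bucket_id = 'attachments'
    and (storage.foldername(name))[1] = auth.uid()::text
  );

-- CHECK: impersonate user A inside a transaction and confirm that no
-- row belonging to anyone else is visible. Run in the SQL editor as the
-- postgres role; the transaction is rolled back, so nothing changes.
begin;
set local role authenticated;
select set_config(
  'request.jwt.claims',
  '{"sub":"0000000a-0000-4000-8000-000000000001"}',   -- constructed user id
  true
);
select count(*) as rows_not_mine
from episodes
where owner_id <> auth.uid();   -- expected: 0
rollback;
```

The check at the end is worth keeping as a migration test: if someone later adds a permissive policy (policies are OR-ed together, so one `using (true)` undoes all the scoped ones), `rows_not_mine` stops being zero.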

    4.3 Backup Exports

    If you use the Export Backup feature in Settings, a backup file is written to your device and can be shared anywhere using the standard iOS share sheet. You are solely responsible for the security of that exported file.


    5. How We Use Your Information

| Purpose | Data used | Legal basis |
|---|---|---|
| Provide core app functionality | Health data, person profiles, attachments | Contract / legitimate interest |
| Cloud sync (if opted in) | All user content, account email | Contract / consent |
| Crash reporting and diagnostics | Device info, stack traces | Legitimate interest |
| App improvement and analytics | Anonymized usage events | Legitimate interest |
| Subscription management | RevenueCat user ID, purchase receipts | Contract |
| Respond to support requests | Email you provide when contacting us | Consent |

    We do not use your health data for advertising, profiling, or any purpose beyond operating the App for you.


    6. Data Retention and Deletion

**Your device data**

    Data stays on your device until you delete the App or use "Delete All Data" in Settings → Data. Deleting the App removes the database and all attachment files.

**Cloud data (if synced)**

    When you sign out, your local synced data is wiped from the device. Your cloud copy remains on Supabase until you explicitly request deletion.

    **To delete your cloud data:** Go to Settings → Data → Delete All Data, or email us at [CONTACT EMAIL] with the subject "Account Deletion Request." We will delete your Supabase account and all associated data within 30 days.

**Analytics data**

    Firebase Analytics data is retained per Google's standard retention periods (up to 14 months). Sentry crash reports are retained for 90 days. PostHog data retention is governed by our PostHog configuration.

**Backup exports**

    We have no control over backup files you export. Delete them from wherever you saved them.


    7. Data Sharing and Third Parties

    We do not sell, rent, or trade your personal information.

    We share data only in these limited circumstances:

| Recipient | What is shared | Why |
|---|---|---|
| **Supabase, Inc.** | Account data, episode metadata, attachment files (Plus sync only) | Cloud sync infrastructure |
| **Google (Firebase)** | Anonymized app events, device identifiers | Usage analytics |
| **Sentry, Inc.** | Crash reports, device info | Crash diagnostics |
| **PostHog, Inc.** | Anonymized usage events | Product analytics |
| **RevenueCat, Inc.** | Subscription status, purchase receipts | IAP management |
| **Apple, Inc.** | Payment transactions | App Store billing |
| **Law enforcement / courts** | Only as required by law | Legal obligation |

    All third-party processors are bound by data processing agreements consistent with applicable privacy law.


    8. Health Data and HIPAA Notice

    MediOne is a **personal productivity tool** for organizing your own medical records. It is not:

  • A healthcare provider.
  • A health plan.
  • A healthcare clearinghouse.
  • A Business Associate under HIPAA.

The Health Insurance Portability and Accountability Act (HIPAA) governs "Covered Entities" and their Business Associates. Individual consumers using personal apps to manage their own health information are **not** subject to HIPAA as data controllers, and MediOne does not serve in a HIPAA-regulated capacity.

    We strongly encourage you to treat your health data with care: use a device passcode, enable Face ID lock within the App, and avoid exporting unencrypted backups to untrusted locations.


    9. Children's Privacy

    MediOne is intended for users who are **17 years of age or older** and is rated 17+ on the App Store. We do not knowingly collect personal information from children under 13 (US) or under 16 (EU/UK). If you believe a child has provided us with personal information, contact us at [CONTACT EMAIL] and we will delete it promptly.


    10. Your Privacy Rights

    10.1 All Users

  • **Access** — You can view all your data within the App at any time.
  • **Export** — Use Settings → Data → Export Backup to download a copy of your data.
  • **Deletion** — Use Settings → Data → Delete All Data to erase all local data. For cloud data, see §6.
  • **Correction** — Edit your data directly in the App.

10.2 EU / UK Users (GDPR / UK GDPR)

    In addition to the rights above, you have the right to:

  • **Data portability** — request your data in a machine-readable format.
  • **Restriction of processing** — request we limit how we process your data.
  • **Object to processing** — object to processing based on legitimate interests.
  • **Lodge a complaint** — with your local supervisory authority (e.g. your national DPA).
  • To exercise these rights, contact us at [CONTACT EMAIL]. We will respond within 30 days.

    Our legal basis for processing personal data is:

  • **Contract** — to provide the App's features (including sync).
  • **Legitimate interest** — for crash reporting and analytics (you can opt out of analytics via Settings → [Analytics Toggle if implemented]).
  • **Consent** — for optional cloud sync.
10.3 California Residents (CCPA / CPRA)

    California residents have additional rights:

  • **Right to Know** — what personal information we collect, use, and share.
  • **Right to Delete** — request deletion of your personal information.
  • **Right to Opt-Out of Sale** — we do not sell personal information.
  • **Right to Non-Discrimination** — we will not discriminate for exercising your rights.
  • To submit a request, contact us at [CONTACT EMAIL]. We may need to verify your identity before processing the request.


    11. Security

    We implement industry-standard measures to protect your data:

  • AES-256-CBC encryption for the on-device database and attachment files.
  • Encryption keys stored in the iOS Keychain, whose contents iOS encrypts with a device-specific key held in the Secure Enclave on supporting devices; the Keychain is not shared with other apps or synced off-device unless explicitly configured to be.
  • TLS for all network communications.
  • Optional Face ID / Touch ID / PIN access control within the App.
  • Row-level security on all Supabase tables.

No security system is perfect. In the event of a data breach that affects your rights, we will notify you as required by applicable law.


    12. International Data Transfers

    If you use cloud sync, your data is transferred to and stored on Supabase servers (AWS infrastructure, region varies). These servers may be located outside your country of residence, including outside the EU/EEA. By enabling sync, you consent to this transfer. We ensure appropriate safeguards are in place (including Supabase's Standard Contractual Clauses for EU data transfers).


    13. Changes to This Policy

    We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this document and, where possible, via an in-app notice. Continued use of the App after changes constitutes acceptance of the updated policy.


    14. Contact Us

    For any privacy-related questions, requests, or complaints:

    **Arslan Aimenov**

    Email: jstarsik200211@gmail.com