Privacy Policy & Consumer Health Data Notice

2. Not a Medical Device

The App is a data management tool for your personal use. It is not a medical device and does not provide medical advice, diagnosis, or treatment. The data you visualize in the App is for your informational purposes only.

3. Data We Collect

We adhere to a "Data Minimization" principle. We collect only what is necessary to provide the tracking features of the App.

4. HealthKit Data Integration

If you choose to connect the App to Apple HealthKit, we will read and/or write data to the Health app on your device. HealthKit integration is entirely optional and you can use the App without granting HealthKit permissions.

• Usage: We use HealthKit data solely to display your progress within the App. Specifically, we may read weight measurements, body mass index, and body fat percentage to show progress charts. We may write medication dose records to your Health app for your records.
• Purpose Limitation: HealthKit data is used ONLY for the core functionality of tracking your medication journey and visualizing health metrics. We do not use HealthKit data for advertising, marketing, or data mining purposes under any circumstances.
• No Sharing or Selling: We do not sell HealthKit data to third parties. We do not share HealthKit data with advertisers, data brokers, or analytics companies.
• Storage: HealthKit data read by the App is processed locally. If you sign in to your JellyPal account, derived health metrics (weight entries, body measurements) may be synced to our secure cloud database to enable cross-device access and backup. We do not store raw HealthKit data on our servers.
• User Control: You can revoke HealthKit permissions at any time via iPhone Settings → Health → Data Access & Devices → JellyPal.

5. Where Your Data is Stored

Your data is stored in two places depending on whether you create an account:

• Local Storage: All data is stored locally on your device using SharedPreferences. The App works fully offline — no account is required to use any core feature.
• Cloud Sync: If you sign in with Google or Apple Sign-In, your data automatically syncs to our secure cloud database (a managed PostgreSQL service hosted in the United States). This enables backup and cross-device sync.
• Authentication: Sign-in is handled through a third-party authentication provider using Google Sign-In or Apple Sign-In.
• Automatic Sync: Cloud sync is automatic when signed in. If you do not sign in, your data stays entirely on your device.

If you create an account, your health data is stored in our secure cloud database to provide backup and cross-device sync. This database is encrypted at rest and in transit. Access is restricted to authorized personnel for technical support purposes only.

6. Data Sharing and Disclosure

We do not sell your Personal Information. We share data only with the following categories of service providers who assist in operating the App:

For a detailed list of our service providers and their Data Processing Agreements, please contact privacy@jellypal.app.

7. Analytics and Tracking

We use limited, privacy-preserving analytics to understand how the App is used (e.g., "How many users visit the Settings screen?"). We do not use "Pixels" or trackers that share your health status with advertising networks like Meta (Facebook) or TikTok.

8. Your Rights

We provide all users with comprehensive control over their data. Depending on your location (such as the EU, UK, Brazil, or California), you may have the following statutory rights:

• Right to Access: You can request a copy of your personal data in a structured, electronic format (JSON or CSV). We will respond within 30 days.
• Right to Rectification: You can correct inaccurate data directly within the App's log screens or by contacting support.
• Right to Erasure ("Right to be Forgotten"): You can request the permanent deletion of your cloud account and all associated health data. We will complete this within 30 days, subject to legal retention requirements.
• Right to Restrict Processing: You can request that we limit how we use your data, for example, by disabling cloud sync and using the App in offline-only mode.
• Right to Data Portability: You have the right to receive your data in a machine-readable format to transfer it to another service.
• Right to Object: You can object to our processing of your data. Since we do not perform direct marketing or profiling, this typically involves withdrawing consent for cloud storage.
• Right re: Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing. JellyPal does not use automated decision-making or profiling that produces legal effects.
• Right to Withdraw Consent: Where processing is based on consent (such as HealthKit access or cloud sync), you may withdraw it at any time via App or System settings.

To exercise any of these rights, please contact support@jellypal.app. We do not charge a fee for these requests and will respond within 30 days.

10. Legal Basis for Processing (GDPR Article 6 & Article 9)

We process your personal data based on the following legal grounds:

• Explicit Consent (Article 9(2)(a)): We process your health data (medication logs, symptoms, weight) only with your explicit consent. This consent is freely given, specific, informed, and unambiguous. You can withdraw this consent at any time by deleting your account or disabling cloud sync.
• Contract Performance (Article 6(1)(b)): We process your account data (email, display name) to provide the services you have requested, such as account management and cross-device synchronization.
• No Automated Decision-Making: We do not use your health data for automated decision-making or profiling that produces legal or similarly significant effects.

11. International Data Transfers

JellyPal is operated from the United States. If you are accessing the App from the EU, UK, Brazil, or other regions with laws governing data collection and use, please note that your data will be transferred to and stored on servers in the United States.

• Standard Contractual Clauses (SCCs): For users in the EEA, UK, and Brazil, we ensure that transfers are authorized via Standard Contractual Clauses or other valid transfer mechanisms.
• Supplementary Safeguards: We implement technical safeguards including encryption in transit (TLS 1.3), encryption at rest, and restricted access logs to protect your data during and after transfer.
• Offline Mode: You can avoid international data transfers by using the App in offline mode without creating a cloud account.

12. Data Retention & Deletion

We retain your data only as long as necessary to provide our services:

• Local Data: Retained on your device until the App is deleted.
• Cloud Data: Retained while your account is active. If you delete your account, cloud data is deleted within 30 days.
• Backups: Data in disaster recovery backups may be retained for up to 90 days after account deletion.
• Security Logs: Retained for 12 months for audit and security purposes.
• Legal Obligations: We may retain data longer if required by law or a valid legal hold.

13. Data Breach Notification

In the event of a data breach:

• Authorities: We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that poses a risk to individuals (as per GDPR).
• Individuals: We will notify affected individuals without undue delay if a breach is likely to result in a high risk to their rights and freedoms.
• Reporting: Please report any suspected security vulnerabilities to privacy@jellypal.app.

14. Security Measures

We implement industry-standard security measures to protect your data:

• Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256.
• Access Control: We use role-based access controls (RBAC) to ensure only authorized personnel with a legitimate business need can access our systems.
• Audit Logging: We maintain audit logs of all data access and system changes.
• Regular Reviews: We conduct regular security reviews and vulnerability assessments of our infrastructure.

18. Canada (PIPEDA)

For users in Canada, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA):

• Rights: You have the right to access and correct your personal information and to withdraw consent.
• Response Time: We will respond to access requests within 30 days.
• Authority: The Office of the Privacy Commissioner of Canada (priv.gc.ca).

19. Australia (Privacy Act 1988)

We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988:

• Sensitive Information: We collect health information only with your consent and where necessary for our functions.
• Rights: You have the right to access and correct your information and to make a complaint about a breach of the APPs.
• Authority: The Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

23. Children's Privacy

The App is intended for users aged 18 and older. We do not knowingly collect information from children.

• COPPA (USA): We do not knowingly collect personal information from children under 13.
• GDPR (EU): The age of consent for data processing varies by member state (typically 13-16). We do not knowingly process data from individuals under these ages.
• Action: If you believe a child has provided us with data, please contact privacy@jellypal.app and we will delete it immediately.

24. Changes to This Policy

We may update this policy to reflect changes in our practices or regulatory requirements. If we make material changes, we will notify you via an in-app alert or email.

25. Contact Us

If you have questions about this policy or wish to exercise your rights, please contact our privacy team: