Privacy Policy | Ulcerative Colitis Insights (UCInsights)

📋 1. Overview

UCInsights ("the App", "we", "us") is a personal health companion for people living with ulcerative colitis (UC). It helps you log daily symptoms, track medications and doctor visits, explore health trends, chat with an AI assistant, and search peer-reviewed research — all in one place, across all your devices.

This Privacy Policy explains what information UCInsights collects, why we collect it, how it is stored and protected, with whom it may be shared, and the choices you have. By creating an account or using the App you agree to the practices described here.

      Core commitment: We collect only what is necessary to provide you with
      a seamless, cross-device experience. We do not sell your data, share it with advertisers,
      or use it to train AI models. Your health data is encrypted in transit and at rest, and
      is accessible only by you.
    

👤 2. Who Is Responsible for Your Data

UCInsights is developed and published by:

Developer: Ermal Hamzaj
App identifier: org.ucinsight.UCInsights
Website: ucinsights.org
Contact: info@ucinsights.org

For privacy questions, data requests, or account deletion, contact us at the email above. We will respond within 30 days.

📊 3. Information We Collect

A. Account Information (when you create an account)

To enable cross-device sync and data backup, UCInsights requires an account. When you register, we collect:

Data	Source	Purpose
Email address	You provide it, or it comes from Google / Apple Sign In	Account identification, login, password recovery
First and last name	You provide it during registration	Personalise the app experience
Age (optional)	You provide it during registration	Contextualise health insights
Gender	You select it during registration	Contextualise health insights
Country (optional)	You provide it during registration	Regional health information
Authentication provider token	Google or Apple, when you use those sign-in options	Verify your identity securely without storing your password

B. Health and Tracking Data (when you use the Tracker)

The following data is collected when you log entries in the App. It is stored on your device and synced to your secure cloud account so you can access it across devices:

Data type	What it contains
Daily health log	Overall feeling score, bowel movement count, symptom names and severity, foods eaten, medications taken, stress level, sleep times, water intake, physical activity, free-text notes
Medication list	Medication names, doses, schedules, and taken/not-taken records
Doctor visits	Visit date, doctor or clinic name, notes from the appointment
UC Profile	Diagnosis status, UC type, bowel movement baseline, current medications, lab values if entered (CRP, calprotectin, endoscopy score)

      Why we store this in the cloud: Cloud sync means you never lose your
      health history if you switch phones, lose your device, or install the app on a new one.
      Your data is tied to your account — not to a single device.
    

C. Data Transmitted to Third-Party Services

When you use search or chat features, text you type is sent to external APIs. No health log or personal profile data is ever included in these requests.

What is sent	To whom	Why
Search queries and chat messages	AI language model (custom)	Generate responses and summaries
Medical keywords	NCBI / PubMed	Retrieve peer-reviewed research
Search keywords	Reddit, Inc.	Surface community discussions
Standard HTTP request (no personal data)	Google News RSS	Display current UC news

D. Automatically Collected Data

We do not collect device identifiers, advertising IDs (IDFA/GAID), precise location, crash logs, or behavioral analytics. The App contains no analytics SDKs or advertising frameworks.

⚙️ 4. How We Use Your Information

Account management: Your email is used to authenticate you, send password-reset emails, and identify your cloud data row.
Cross-device sync: Health logs, medications, doctor visits, and profile data are synced to Supabase (our cloud provider) so they are available on any device where you log in.
Personal insights: Your on-device and cloud logs are analyzed locally to show symptom trends, flare risk scores, and trigger correlations.
Search and AI: Search queries are forwarded to our AI model and PubMed to retrieve and summarise relevant health information.
Community content: Search keywords are sent to Reddit's public API to fetch relevant posts.
News: A standard RSS request is made to Google News for UC-related headlines.
Push notifications: Optional daily reminders scheduled locally on your device.

      We do not use your data for advertising, profiling, sale to third parties,
      training AI models, or any purpose other than those listed above.
    

☁️ 5. Cloud Storage (Supabase)

UCInsights uses Supabase as its backend cloud provider to store your account and health data. Supabase is an open-source Firebase alternative built on PostgreSQL and hosted on AWS infrastructure.

Data location: Your data is stored in Supabase's cloud database.
Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
Access control: Row-Level Security (RLS) is enforced — each user can only access their own data row. Not even we can read your data without your credentials.
Data processing: Supabase acts as a data processor on our behalf. They do not use your data for their own purposes.

Supabase Privacy Policy →

🔐 6. Authentication Providers

You may sign in using your email and password, or via a third-party identity provider. When you use a social login, that provider authenticates you and sends a secure token to Supabase — we never see your social account password.

Google Sign-In

When you tap "Continue with Google", you are redirected to Google's authentication page. Google confirms your identity and returns your email address and a secure token. We store your email; we do not receive or store your Google password, contacts, or any other Google account data.

Google Privacy Policy →

Sign in with Apple

When you tap "Continue with Apple", Apple authenticates you natively. Apple may provide a real or anonymised email address (your choice). We store whichever email Apple returns. We do not receive your Apple ID password or any other Apple account data.

Apple Privacy Policy →

🩺 7. Sensitive Health Data

      Important: UCInsights collects and stores detailed health information
      including symptom severity, bowel habits, medications, lab values, and doctor visit notes.
      This is considered sensitive personal data under GDPR, HIPAA-equivalent standards,
      and equivalent laws.
    

Your health data is:

Stored in your encrypted Supabase account — accessible only by you
Never shared with advertisers, data brokers, insurers, employers, or any third party
Never used to train AI models
Never sold under any circumstances
Protected in transit by TLS encryption and at rest by AES-256 encryption
Permanently deleted when you delete your account

UCInsights does not integrate with Apple HealthKit or Google Fit. Your logs within UCInsights are separate from and do not interact with your device's health apps.

🚫 8. Tracking, Analytics, and Advertising

      UCInsights does not track you. There are no advertising SDKs, analytics
      frameworks, fingerprinting tools, or cross-app tracking technologies in the App.
    

The iOS App's PrivacyInfo.xcprivacy manifest declares:

NSPrivacyTracking: false — the App does not track users across apps or websites.
NSPrivacyTrackingDomains: empty — no tracking domains.
UserDefaults access is declared under reason CA92.1 for app functionality only.

🗂️ 9. Data Retention and Deletion

While your account is active

Your health data is retained for as long as your account exists, so it remains available to you across devices. You can delete individual log entries at any time from within the App.

Deleting your account

You can request full account and data deletion at any time by emailing info@ucinsights.org with the subject line "Delete My Account". We will permanently delete your account and all associated health data from Supabase within 30 days and confirm by email.

      Apple App Store and Google Play require apps with accounts to offer in-app account
      deletion. This feature will be added to the App settings in an upcoming update.
      Until then, the email process above is the official deletion method.
    

Third-party services

Text sent to our AI model, PubMed, Reddit, and Google News may be retained by those services per their own policies. UCInsights does not control third-party data retention.

⚖️ 10. Your Privacy Rights

European Union / EEA (GDPR)

Under GDPR you have the right to:

Access: View all your data within the App at any time.
Rectification: Edit any log entry or profile field within the App.
Erasure: Request full account deletion — email info@ucinsights.org.
Portability: Your data is stored as JSON. Contact us to request an export.
Restrict processing: Disable AI search to stop query data being sent externally.
Object: Contact us at any time to object to how we process your data.

Legal basis for account and health data: contract performance (you signed up for cloud sync). Legal basis for search queries to third parties: your consent when you initiate a search.

California (CCPA / CPRA)

California residents have the right to know what personal information is collected, the right to delete it, and the right to opt out of sale. UCInsights does not sell personal information. Contact info@ucinsights.org to exercise your rights.

Turkey (KVKK)

Users in Turkey are protected under Law No. 6698. You have the right to learn whether your data is processed, request information about it, and request correction or deletion. Contact info@ucinsights.org for any KVKK request.

🧒 11. Children's Privacy

UCInsights is not directed at children under 13 (or 16 in the EU). We do not knowingly collect personal information from children. If you believe a child has created an account, contact info@ucinsights.org and we will delete the account promptly.

🔒 12. Security

All network requests use HTTPS (TLS 1.2+) encryption.
Data stored in Supabase is encrypted at rest with AES-256.
Row-Level Security ensures users can only access their own data.
Authentication tokens (access and refresh) are stored securely in device-protected storage.
We do not store passwords in plain text — authentication is handled by Supabase Auth with bcrypt hashing.

While we take commercially reasonable precautions, no system is completely secure. We encourage you to use a strong password and keep your device software up to date.

🔗 13. Third-Party Services

Service	Purpose	Data sent
Supabase	Cloud database & authentication backend	Account info, health data (encrypted)
Google Sign-In	Optional social authentication	Email address, auth token
Apple Sign In	Optional social authentication	Email address (or anonymised relay), auth token
AI language model	Chat and search summaries	Text of your queries only
NCBI / PubMed	Research article retrieval	Medical search keywords
Reddit	Community discussions	Search keywords
Google News RSS	UC news headlines	Standard HTTP request, no personal data

⚠️ 14. Medical Disclaimer

      UCInsights is for general informational purposes only. It is not a medical device and
      does not provide medical advice, diagnosis, or treatment. Always consult a qualified
      gastroenterologist before making any healthcare decisions.
    

📝 15. Changes to This Privacy Policy

We may update this policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For material changes, we will post a notice within the App. Continued use after any update constitutes acceptance of the revised policy.

The current version is always at ucinsights.org/PrivacyPolicy.html.

✉️ 16. Contact Us

Email: info@ucinsights.org
Website: ucinsights.org

We respond to all requests within 30 days.