Privacy Policy for Health Keeper

1. Introduction

Welcome to Health Keeper ("we," "our," or "us"). Health Keeper is a personal health records management application designed to help you securely store, organize, and manage your medical information on your Android device.

Our Commitment to Your Privacy

Your privacy is critically important to us. Health Keeper is built on a foundation of privacy-first principles:

• Local-First Architecture: All your health data is stored locally on your device by default
• No External Servers: We do not operate any servers that collect or process your health data
• User Control: You have complete control over your data, including optional cloud backup
• No Data Selling: We never sell, rent, or share your personal health information
• Transparency: This policy explains exactly what data we collect and how we use it

Scope of This Policy

This Privacy Policy applies to:

• The Health Keeper mobile application for Android
• All features and services within the app
• Optional cloud backup services via Google Drive
• All data you create, store, or share through the app

This policy does not apply to:

• Third-party services you may access through external links
• Your healthcare providers' privacy practices
• Other apps or services not controlled by Health Keeper

2. Information We Collect

Health Keeper is designed to collect only the information necessary to provide you with a comprehensive personal health records management experience. All data collection is transparent and under your control.

2.1 Personal Health Information

You may choose to enter and store the following types of health information:

Quick Health Records (9 Module Types)

1. Medical Visits: Visit dates, hospital/clinic names, doctor names, diagnoses, treatment notes, costs, and document attachments
2. Appointments: Scheduled dates/times, doctor information, purpose, reminders
3. Medications: Names, dosage, frequency, prescribing doctor, side effects, prescriptions
4. Allergies: Allergen names, reaction types, severity, symptoms
5. Vaccines: Vaccine names, dates, dose numbers, provider information, certificates
6. Lab Results: Test names, results, normal ranges, lab reports
7. Radiology Results: Scan types, findings, radiologist reports
8. Surgeries: Surgery names, dates, surgeon information, documentation
9. Medical History: Chronic conditions, diagnosis dates, treatment information

Vital Signs & Wellness (10 Module Types)

1. Blood Pressure: Systolic/diastolic readings, measurement dates
2. Weight: Weight measurements with units
3. Height: Height measurements with units
4. Blood Glucose: Glucose levels with meal context
5. Heart Rate: BPM with activity context
6. Body Temperature: Temperature readings with measurement location
7. Oxygen Saturation: SpO2 percentage levels
8. Sleep: Hours slept and quality ratings
9. Exercise: Activity types, duration, calories burned
10. Hydration: Water intake amounts

2.2 Personal Identifiers

To organize and manage health records for you and your family:

• Family Member Information: Names, ages, relationships, optional profile photos
• Healthcare Provider Information: Doctor names, specialties, contact phone numbers

2.3 Medical Documents and Attachments

When you use our document scanning feature or attach files:

• Scanned Documents: PDFs created from medical documents, prescriptions, lab reports
• Photos: Images of medical documents, prescriptions, x-rays
• Files: Any medical-related PDFs or images you choose to attach

2.4 Technical and Device Information

We collect minimal technical information only when necessary for app functionality:

For Local App Functionality

• App version number (for feature compatibility)
• Database schema version (for data integrity)
• Timestamp information (for record sorting and tracking)

For Cloud Backup (Optional - Only if you enable backup)

• Device manufacturer and model name
• Device identifier for backup organization
• Google Account ID (used only for encryption key derivation)
• Backup creation timestamps
• File sizes and checksums (for data integrity verification)

Advertising-Related Permissions

Permissions Requested:

The app requests the following advertising-related permissions as required by Google Play Services and Firebase SDKs:

• ACCESS_ADSERVICES_AD_ID
• ACCESS_ADSERVICES_ATTRIBUTION
• AD_ID

Why These Permissions Exist:

These permissions are automatically included by Google Play Services and Firebase SDK dependencies (used for authentication, backup, and crash reporting). We do not actively use or access advertising identifiers.

Your Privacy:

Even though these permissions are declared, we do not:

• Collect or track advertising IDs
• Build advertising profiles
• Share data with ad networks
• Display advertisements in the app
• Use your data for any advertising purposes

2.5 What We DO NOT Collect

Health Keeper is designed with privacy in mind. We explicitly DO NOT collect:

• ❌ Location Data: We never access or collect your GPS location
• ✅ Privacy-Preserving Analytics: We use Firebase Analytics to understand app usage patterns and improve the app, but we NEVER include personal health information, names, email addresses, or any identifiable data in analytics events. Only anonymous, aggregate usage statistics are collected (see Section 5.4 for details)
• ❌ Advertising Identifiers: No ad tracking or profiling (ad permissions exist due to SDK dependencies but are not used)
• ❌ Browsing History: No tracking of websites or external activities
• ❌ Contact Lists: No access to your device contacts
• ❌ Phone Call Data: No access to call logs or phone numbers (except doctor contacts you manually enter)
• ❌ SMS/Messages: No access to your messages
• ❌ Social Media Information: No integration with social networks
• ❌ Financial Information: No credit card or payment data (cost tracking is optional and local-only)
• ❌ Biometric Data: No fingerprint or face recognition data (system authentication is handled by Android)
• ❌ Background Location: No background tracking of any kind

3. How We Use Your Information

Health Keeper uses your information solely to provide you with personal health records management services. Here's exactly how we use your data:

3.1 Primary Uses

• Local Storage and Display: All health records you create are stored in a local SQLite database on your device and displayed within the app for your reference
• Data Organization: Organizing records by family member, date, and category for easy access
• Search and Filtering: Enabling you to quickly find specific health records
• Visualizations: Creating charts and graphs from your vitals data to show health trends
• Reminders: Optional appointment and medication reminders (local notifications only)

3.2 Optional Cloud Backup

If you explicitly enable cloud backup:

• Encrypted Backup Creation: Creating AES-256-GCM encrypted backup files of your database and attachments
• Google Drive Upload: Uploading encrypted backups to your personal Google Drive appDataFolder
• Backup Management: Tracking backup history and allowing you to restore from previous backups
• Multi-Device Sync: Enabling you to restore your data on new devices using the same Google account

3.3 What We DO NOT Do With Your Data

• ❌ No Advertising: We never use your health data for advertising
• ❌ No Profiling: We never create profiles or segments based on your health data
• ❌ No Selling: We never sell, rent, or share your personal health data with third parties
• ✅ Privacy-First Analytics: We use Firebase Analytics for app improvement, but all analytics are strictly anonymized and aggregated. We NEVER send your health data values, personal information, or identifiable data to analytics services. See Section 5.4 for complete transparency on what analytics we collect
• ❌ No AI Training: We never use your data to train AI models
• ❌ No Research: We never use your data for medical research without explicit consent
• ❌ No Automated Decisions: We never make automated decisions that affect you based on your data

4. Data Storage and Security

Your data security is our top priority. Health Keeper implements multiple layers of protection:

4.1 Local Data Storage

Primary Storage: Encrypted SQLite Database

• All health records stored in an encrypted local SQLite database on your device
• Encryption: SQLCipher with AES-256 encryption at rest
• Database location: /data/data/com.healthvault/databases/ (app-private, encrypted)
• Accessible only by the Health Keeper app (Android app sandboxing)
• Subject to your device's security (PIN, password, biometric lock)
• Security Level: Military-grade encryption protecting all health data locally

File Attachments: MediaStore API

• Medical documents and images stored using Android MediaStore API
• Location: /Documents/Health Keeper/ (visible in file manager)
• Protected by Android 10+ scoped storage
• Files persist even if app is uninstalled (user choice)

Local Encryption Implementation:

• Technology: SQLCipher 4.5.4
• Algorithm: AES-256 (Advanced Encryption Standard, 256-bit)
• Compliance: Meets HIPAA encryption requirements for Protected Health Information (PHI)
• Key Management: Encryption keys stored securely in Android Keystore (hardware-backed when available)
• Protection: All your health data is encrypted at rest, even if someone gains physical access to your device

4.2 Cloud Backup Security (Optional)

If you enable cloud backup, we implement bank-level security:

Encryption Standards

• Algorithm: AES-256-GCM (Advanced Encryption Standard, 256-bit, Galois/Counter Mode)
• Key Storage: Android Keystore (hardware-backed when available)
• Key Derivation: Account-based key derivation from your Google Account ID
• Authentication: GCM provides built-in authentication to prevent tampering

Encryption Process

1. Your health data is exported to a ZIP file locally
2. The ZIP file is encrypted using AES-256-GCM before any network transmission
3. Encrypted file is uploaded to Google Drive
4. Original unencrypted ZIP is immediately deleted
5. Only you can decrypt the backup using your Google account and device

4.3 Security Measures

Application Security

• Code obfuscation (ProGuard/R8) in release builds
• Secure coding practices (input validation, SQL injection prevention)
• Regular security updates
• No hardcoded secrets or API keys

Best Practices for Users

• Use a strong device lock (PIN, password, biometric)
• Keep your Android OS updated
• Use a strong Google account password with 2-factor authentication
• Don't root your device if security is a priority
• Regularly review backup history and delete old backups if needed

5. Third-Party Services

Health Keeper integrates with select third-party services to provide specific features. We've carefully chosen services that respect your privacy.

5.1 Google Services

Google Sign-In

• Purpose: Authentication for cloud backup feature
• Data Accessed: Your Google account email address and account ID
• Data Shared: None. Authentication is handled by Google's secure OAuth 2.0 flow
• Optional: Yes. Only required if you want cloud backup
• Privacy Policy: Google Privacy Policy

Google Drive API

• Purpose: Cloud backup storage
• Data Stored: Encrypted backup files (database + attachments)
• Storage Location: Your personal Google Drive appDataFolder (hidden folder)
• Data Shared: Only encrypted backup files. Google cannot decrypt your backups
• Access: Only Health Keeper app can access this folder
• Privacy Policy: Google Drive Privacy

Google ML Kit Document Scanner

• Purpose: Scan medical documents and prescriptions
• How It Works: Entirely on-device processing using ML Kit
• Data Shared: None. Images are processed locally on your device
• Network Activity: None during scanning (may download ML models once)
• Privacy Policy: ML Kit Privacy

5.2 Additional Third-Party Services

In addition to Google services, we use:

• ✅ RevenueCat: Subscription management (see Section 5.5)
• ✅ Firebase Analytics: Privacy-preserving app usage analytics (see Section 5.4)
• ✅ Firebase Crashlytics: Crash reporting for bug fixes (see Section 5.4)
• ✅ Firebase Remote Config: Feature flag management (see Section 5.4)

Health Keeper does NOT use:

• ❌ Advertising networks or ad exchanges
• ❌ Social media SDKs (Facebook, Twitter, etc.)
• ❌ Push notification services (all notifications are local-only)
• ❌ A/B testing platforms beyond Firebase Remote Config
• ❌ Marketing automation tools
• ❌ Third-party user behavior tracking beyond Firebase Analytics
• ❌ Data brokers or data resellers
• ❌ Any services that sell or monetize your data

5.3 Third-Party Links

The app may contain links to external websites (e.g., health information resources). These external sites are not controlled by us and have their own privacy policies. We are not responsible for their privacy practices.

5.4 Firebase Services (Google)

We use Google Firebase services to improve app quality, fix crashes, and understand usage patterns. All Firebase services are configured to be privacy-preserving.

Firebase Analytics

• Purpose: Privacy-preserving usage analytics and app improvement
• How It Works: Tracks anonymous app usage patterns to help us understand which features are used and identify areas for improvement
• Data Collected:
  • Anonymous device identifiers (never linked to your identity)
  • Screen views and navigation patterns
  • Feature usage statistics (e.g., "user created a record" - NOT what the record contains)
  • App performance metrics (load times, crashes)
  • Aggregate user counts
  • Device model and OS version (for compatibility)
• Data NOT Collected:
  • ❌ Your name, email, or Google account information
  • ❌ Health data values (blood pressure readings, medications, etc.)
  • ❌ Personal health information (PHI)
  • ❌ Family member names or doctor information
  • ❌ Location data
  • ❌ Any personally identifiable information (PII)
• Data Shared: Anonymous usage events sent to Google Firebase servers
• Data Retention: 2 months (Google's default for free tier)
• Privacy Guarantee: We have configured Firebase Analytics to never include sensitive health information or personally identifiable data. Only anonymous, aggregate statistics are collected.
• Opt-Out: Analytics cannot be disabled as they help us fix bugs and improve the app, but they contain no sensitive data
• Privacy Policy: Firebase Privacy

Firebase Crashlytics

• Purpose: Identify and fix app crashes and errors to improve stability
• How It Works: Automatically reports crashes and errors so we can fix bugs quickly
• Data Collected:
  • Crash stack traces (technical error information)
  • Device model and Android OS version
  • Anonymous user identifiers (not linked to your identity)
  • App state at time of crash (which screen, which operation)
  • Crash timestamp
• Data NOT Collected:
  • ❌ Your personal information
  • ❌ Health data values
  • ❌ Protected health information (PHI)
  • ❌ Any content from your health records
• Data Shared: Crash reports sent to Google Firebase Crashlytics
• Data Retention: 90 days
• Privacy Guarantee: Our code is designed to scrub any sensitive information before crash reports are generated. Crash logs contain only technical debugging information.
• Opt-Out: Cannot be disabled (essential for app stability), but contains no sensitive data
• Privacy Policy: Crashlytics Privacy

Firebase Remote Config

• Purpose: Feature flags and app configuration management
• How It Works: Allows us to enable/disable features and adjust app settings without requiring an app update
• Data Collected:
  • Anonymous device identifier for configuration targeting
  • App version number
• Data NOT Collected:
  • ❌ Personal information
  • ❌ Health data
  • ❌ User activity
• Data Shared: Configuration requests sent to Google Firebase
• Privacy: Minimal data collection, no personal or health information
• Privacy Policy: Firebase Privacy

5.5 RevenueCat (Subscription Management)

We use RevenueCat to manage in-app subscriptions, validate purchases, and sync subscription status across your devices.

Purpose

RevenueCat handles:

• Subscription purchase validation
• Cross-device subscription sync
• Subscription renewal management
• Subscription analytics (aggregate, anonymous)

Data Collected and Shared with RevenueCat

When you purchase a subscription, RevenueCat collects:

• Subscription Information: Product ID (e.g., "monthly_premium"), purchase date, expiration date, subscription status (active/expired/cancelled)
• Transaction Data: Order ID, purchase token (NOT credit card numbers - those are handled exclusively by Google Play)
• Account Identifier: Your Google account email address (to link your subscription across devices)
• App User ID: Anonymous identifier for subscription management
• Device Information: Device model, Android OS version (for feature compatibility)

How RevenueCat Uses Your Data

• Validate subscription purchases with Google Play
• Sync your subscription status across multiple devices
• Manage subscription renewals and cancellations
• Provide aggregate, anonymous subscription analytics to us
• Enable subscription recovery and account restoration

Data Sharing

RevenueCat may share data with:

• Google Play: For subscription validation and billing
• Analytics Providers: Aggregate, anonymized subscription metrics only
• RevenueCat Never:
  • ❌ Sells your personal information
  • ❌ Shares your health data (they never have access to it)
  • ❌ Uses your data for advertising

Data Retention

• Active subscriptions: Retained while your subscription is active
• Expired subscriptions: Retained per RevenueCat's data retention policy (typically 60 days after expiration)
• Deleted accounts: 30 days retention for billing purposes, then permanent deletion

Your Rights

You can request deletion of your RevenueCat data by:

1. Cancelling your subscription through Google Play
2. Deleting your Health Keeper account (Settings > Account > Delete Account)
3. Contacting us at privacy@healthkeeper.app

We will work with RevenueCat to ensure your data is deleted.

Privacy Policy: RevenueCat Privacy Policy

6. Your Rights and Choices

You have complete control over your personal health information in Health Keeper. Here's how to exercise your rights:

6.1 GDPR Rights (EU Users)

If you're in the European Union, you have the following rights under GDPR:

Right to Access

• What: View all your personal data
• How: All data is visible within the app across all 20 health modules
• Export: Use the backup feature to export all data as a ZIP file

Right to Rectification

• What: Correct inaccurate data
• How: Edit any record by tapping it and selecting "Edit"
• Real-time: Changes are immediate and reflected across the app

Right to Erasure ("Right to be Forgotten")

• What: Delete your personal data
• How to Delete Individual Records: Open any health record, tap the delete icon, confirm deletion
• How to Delete All Data: Uninstall the app (deletes local database) or delete backups from Google Drive via Settings
• Timeframe: Immediate for local data, within 24 hours for cloud backups

Right to Data Portability

• What: Export your data in a structured format
• How: Go to Settings > Backup & Restore, create a backup
• Format: ZIP archive with SQLite database + JSON + original files

6.2 CCPA Rights (California Users)

If you're a California resident, you have these rights under CCPA:

Right to Know

• What: Know what personal information we collect
• How: This privacy policy details all collected information
• Request: Contact us at privacy@healthkeeper.app for a formal disclosure

Right to Delete

• What: Request deletion of your personal information
• How: Delete data directly in the app or contact us

Right to Opt-Out of Sale

• What: Prevent sale of your personal information
• Status: We never sell your data. No opt-out necessary.

6.3 How to Exercise Your Rights

Within the App: Most rights can be exercised directly through app features - no need to contact us for basic operations (edit, delete, export)

Contact Us:

• For formal data requests: privacy@healthkeeper.app
• For questions about your rights: support@healthkeeper.app
• Response time: Within 30 days for formal requests

7. Children's Privacy

7.1 Age Restrictions

Health Keeper is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13.

7.2 Family Member Profiles

While the app allows you to create health records for family members of any age (including children), the app is intended to be used by:

• Parents/guardians managing their children's health records
• Adults managing their own and family health information

7.3 COPPA Compliance

We comply with the Children's Online Privacy Protection Act (COPPA):

• No marketing to children
• No collection of data directly from children
• Parental control over children's data
• No sharing of children's data with third parties

8. Data Retention and Deletion

8.1 How Long We Keep Your Data

Local Data: Indefinitely, until you delete it

• Health records remain on your device until you manually delete them
• No automatic deletion or expiration
• You have complete control over retention

Cloud Backups: Until you delete them

• Backups remain in Google Drive until you manually delete them, uninstall the app, or revoke Google Drive access
• No automatic backup expiration

8.2 Data Deletion Methods

Delete Individual Records

1. Open any health record
2. Tap the delete icon
3. Confirm deletion

Delete All Local Data

• Method: Uninstall the app
• Effect: Completely removes local database and all data
• Note: Attachments in /Documents/Health Keeper/ folder persist (Android behavior)

Delete Cloud Backups

1. Go to Settings > Backup & Restore
2. View backup history
3. Delete individual backups or all backups

9. International Data Transfers

9.1 Data Location

Local Data:

• Stored on your Android device
• Location: Wherever your physical device is located
• No cross-border transfers

Cloud Backups (if enabled):

• Stored in Google Drive
• Location: Google's data centers (varies by your Google account region)
• Subject to Google's data transfer practices

9.2 Safeguards for EU Users

If you're in the EU and use cloud backup:

• Standard Contractual Clauses: Google uses EU-approved Standard Contractual Clauses
• Encryption: Your data is encrypted before any international transfer
• Google's Commitments: Subject to Google's GDPR compliance measures
• Your Control: You can opt out of cloud backup at any time

9.3 Data Sovereignty

For maximum data sovereignty:

• Use local-only mode: Don't enable cloud backup
• All data stays on your device: No international transfers
• Full control: Data remains in your country/region

10. Changes to This Privacy Policy

10.1 Policy Updates

We may update this Privacy Policy from time to time to reflect:

• Changes in app features
• Changes in privacy laws or regulations
• Changes in our data practices
• User feedback and improvements

10.2 Notification of Changes

Minor Changes (e.g., clarifications, typo fixes):

• Updated policy posted in the app
• Version number incremented (e.g., 1.0.0 → 1.0.1)
• Notice in Settings screen

Material Changes (e.g., new data collection, new third parties):

• In-app notification when you open the app
• Email notification (if we have your email through Google Sign-In)
• Version number major/minor increment (e.g., 1.0.0 → 1.1.0 or 2.0.0)
• Prominent notice in Settings screen
• Opportunity to review and accept changes

10.3 Version History

Current Version: 1.0.0 (Effective November 27, 2024) - Initial release of Privacy Policy

11. Contact Us

We're committed to addressing your privacy questions and concerns.

11.1 Privacy Inquiries

Email: privacy@healthkeeper.app

Subject Line: "Privacy Inquiry - [Your Topic]"

Response Time:

• General questions: Within 5 business days
• Data rights requests: Within 30 days (as required by GDPR/CCPA)
• Security concerns: Within 24 hours

11.2 Support Channels

• General Support: support@healthkeeper.app
• Bug Reports: bugs@healthkeeper.app
• Feature Requests: feedback@healthkeeper.app

11.3 Data Protection Officer

For EU users or GDPR-related inquiries:

Email: dpo@healthkeeper.app

12. Legal Compliance

12.1 GDPR Compliance (European Union)

Health Keeper complies with the General Data Protection Regulation (GDPR) by:

Lawful Basis for Processing:

• Consent: You explicitly consent to data processing when you enter health information
• Legitimate Interest: Processing necessary for app functionality

Data Protection Principles:

• ✅ Lawfulness, fairness, and transparency
• ✅ Purpose limitation (health records management only)
• ✅ Data minimization (only essential data collected)
• ✅ Accuracy (you control and update your data)
• ✅ Storage limitation (you control retention)
• ✅ Integrity and confidentiality (encryption and security measures)
• ✅ Accountability (this privacy policy and our practices)

12.2 CCPA Compliance (California)

Health Keeper complies with the California Consumer Privacy Act (CCPA):

CCPA Categories of Information:

• Personal identifiers (names, ages)
• Protected health information
• Professional information (doctors, healthcare providers)

We DO NOT:

• ❌ Sell personal information
• ❌ Share for cross-context behavioral advertising
• ❌ Use automated decision-making

12.3 HIPAA Considerations (United States)

However, we implement HIPAA-level security standards:

• ✅ Encryption of data (AES-256-GCM for backups)
• ✅ Access controls (device security, app sandboxing)
• ✅ Audit trails (backup history)
• ✅ Data integrity (checksums)
• ✅ User authentication (Google Sign-In for backup)

12.4 Law Enforcement and Legal Requests

Our Position:

• We do not have access to your health data (it's local or encrypted)
• We cannot comply with requests for user health data
• We may comply with valid legal process for account information (if we have it)

Your Protection:

• Local data is protected by your device security
• Cloud backups are encrypted and we cannot decrypt them
• Only you can access your health information

Acknowledgment

© 2025 Health Keeper. All rights reserved.
This Privacy Policy is effective as of November 27, 2024.