Our commitments
- No advertising and no sale of personal or health data.
- No MED Diary account is required for ordinary diary features.
- AI and caregiver sharing happen only when you choose to use them.
- You can export your diary, delete profile data, and stop sharing.
1. Scope and who is responsible
This Privacy Policy applies to the MED Diary iPhone, iPad, Apple Watch, widget, Shared Access features, and the MED Diary website. In this policy, “MED Diary,” “we,” “us,” and “our” mean the developer and operator of MED Diary.
The policy does not replace the privacy terms of Apple, OpenAI, a connected-device manufacturer, a caregiver you choose, or any other service you use independently. Links to those services are provided where useful.
2. Data on your device and in your private iCloud
Your diary can include readings, medications and dose history, meals, appointments, health profiles, lab reports and results, notes, goals, reminders, and app settings. These records are stored by the app on your device. When iCloud is available for MED Diary, supported records and settings sync through private databases in your Apple iCloud account so they can appear on your other devices.
Apple operates iCloud and applies the protections associated with your Apple Account and settings. MED Diary does not receive your iCloud password and does not have a dashboard from which we can browse your private CloudKit database. Connected-device pairing details stay local to the phone that is paired.
The built-in Demo uses a separate local sample-data sandbox rather than your private diary. After about 24 hours, MED Diary offers to refresh the Alex sample. If you added eligible manual readings, you can move them to your primary profile first or postpone the refresh. Sample family profiles created inside Demo are memory-only and disappear on relaunch or when Demo refreshes.
If you enable App Lock, MED Diary stores a separate app passcode in this device's Keychain and can also ask iOS to authenticate with Face ID or Touch ID when you enable that option. MED Diary does not receive your biometric data.
3. Apple Health and connected devices
Apple Health
With your permission, MED Diary can read supported health information from HealthKit, including blood pressure, blood glucose, weight, activity, and workouts, and can write supported entries back to Apple Health. You choose the categories in Apple's permission screen and can change them later in the Health app or iOS Settings.
Health information you import into your MED Diary log becomes part of the diary and follows the storage choices described above. We do not use HealthKit information for advertising, marketing, data brokering, or decisions about credit, employment, or insurance.
Bluetooth meters, cuffs, and scales
If you pair a supported device, MED Diary uses Bluetooth to discover it and receive measurements. The app stores the device model, local Bluetooth identifier, serial number where available, user slot where applicable, and sync progress so it can avoid duplicates and resume imports. Pairing details remain on that phone; imported readings become part of your diary.
4. Optional AI features
Outside the built-in demo, MED Diary's live AI features use the MED Diary server as a secure intermediary and OpenAI as an AI processing provider. We send content only after you start the feature and approve the request. The demo uses bundled inputs and canned results on your device; it does not upload those samples or consume live AI credits.
Lab report extraction
Your original lab report or photo stays on your device. Before upload, the app lets you cover names, dates of birth, account numbers, or other details and then creates a flattened PDF in which any redactions are burned in. You can inspect the exact PDF and must expressly approve it before it is sent.
The approved PDF, including any on-device redactions, is sent to the MED Diary server and then to OpenAI so the report can be converted into structured results for your review. MED Diary uses the PDF and AI response only to complete that request and does not intentionally retain either as an ongoing server-side health record. Hosting and web-server infrastructure may use short-lived request buffers or temporary storage while the request is processed. The result returns to the app; nothing is added to your diary until you confirm it.
Meal nutrition estimates
When you ask for a nutrition estimate, the meal description and any optional photo you selected are sent through the MED Diary server to OpenAI. They are used to return an estimate and are not saved by MED Diary as a server-side meal history. If you save the estimate, it is stored in your diary on your device and, where enabled, your private iCloud.
Provider handling
MED Diary asks OpenAI not to store the response as a saved API object, but that setting does not by itself eliminate OpenAI's separate abuse-monitoring logs. OpenAI says those logs may contain API input and output and are retained for up to 30 days by default, unless the production project has been approved for Modified Abuse Monitoring or Zero Data Retention. MED Diary does not claim either exception unless and until it is confirmed for the production project. OpenAI also states that API business data is not used to train its models by default. See OpenAI's API data-controls documentation for current details.
7. Server operations, website, and support
Security and request metadata
When your app or browser contacts our systems, the server and hosting provider receive normal network information such as IP address, request path, request ID, timestamp, upload size, response status, and processing duration. We use this information for rate limiting, security, reliability, and debugging. MED Diary's application logs do not persist raw client IP addresses, uploaded PDFs, meal descriptions, health values, or decrypted Shared Access records. Raw IP- and user-based rate-limit keys stay in memory for their one-minute window and are then pruned. Hosting infrastructure may maintain its own security and access logs under the provider controls described below.
Website
The current MED Diary website does not set advertising cookies or run behavioral analytics. Its hosting infrastructure may keep basic request logs such as IP address, time, requested page, and browser information for security and delivery.
Support
If you email support, we receive your email address and whatever text, screenshots, diagnostic details, or attachments you choose to send. Please remove health information you do not want us to receive. We use support communications to answer you, investigate problems, prevent abuse, and improve the app.
8. When information is disclosed
We do not sell personal information or health information. We do not use it for targeted advertising. Information is disclosed only as needed for the service or when the law requires it:
- Apple: iCloud, HealthKit, StoreKit, Sign in with Apple, and operating-system services you choose to use.
- OpenAI: the approved lab PDF, including any on-device redactions, or the meal description and optional photo needed for the AI request.
- Infrastructure providers: providers such as Fly.io that host and protect the MED Diary server and process data only to provide that infrastructure.
- People you choose: a caregiver receives the records you select through Shared Access; recipients of exports or reports receive what you send them.
- Safety and law: where reasonably necessary to comply with law, protect rights and security, investigate fraud or abuse, or respond to a valid legal process.
- Business change: as part of a merger, financing, acquisition, or sale, subject to appropriate confidentiality and continued notice of how data is handled.
9. Retention and deletion
- Your diary and device-local data: stay on your devices and in private iCloud until you delete them. Delete My Data removes every real profile and its clinical records and stored files, app and profile settings, the family-profile registry, connected-device metadata, the App Lock credential, MED Diary notifications, and temporary health-data files. It also purges the app's CloudKit-mirrored records. A synchronized erasure marker tells MED Diary on your other devices signed in to the same Apple Account to remove their local-only copies the next time they receive it or the app runs; each device acknowledges the marker only after its cleanup succeeds. An offline device may therefore take time to finish.
- AI request content: the MED Diary server does not keep the uploaded report, meal description/photo, or full AI result as an ongoing record after completing the request. OpenAI's own limited retention may apply as described above.
- AI-use ledger and credential: the server's random-identifier ledger, credential verifier, and per-feature counts remain active to preserve lifetime free-use limits until you explicitly erase them. When a ledger may exist, Delete My Data sends an authenticated deletion request for it. If the request fails, deletion is shown as incomplete and the credential is kept so you can retry. Once server deletion succeeds—or no ledger exists—the server holds no identifier, verifier, counts, or timestamps for that ledger, and MED Diary clears the old server credential from the device and iCloud. Synchronized deletion state prevents a stale device from restoring it. Using live AI later creates a fresh credential and an empty ledger.
- App Store app-account token: Delete My Data asks StoreKit whether MED Diary has verified purchase history. When StoreKit reports a verified transaction, the random app identifier used as that transaction's app-account token remains on your device and in iCloud solely so MED Diary can continue to verify the purchase. When StoreKit reports no verified purchase history, MED Diary deletes the old identifier from the device and iCloud. This token is separate from the server credential, which is always cleared, and contains no name, contact details, or health record.
- Shared Access: active account, invitation, and share records remain while needed to provide sharing. Revoking a share deletes its encrypted record payloads immediately; the revoked share metadata is deleted after 30 days. Expired pending invitations and expired refresh tokens are purged by a daily cleanup after they expire. Deleting the Shared Access account removes its Sign in with Apple identity, tokens, shares, and encrypted records and revokes the server's Apple authorization.
- Logs and support: kept only as long as reasonably needed for security, troubleshooting, legal obligations, and resolving the communication, subject to infrastructure backup and log rotation.
Delete My Data does not remove Apple Health records or cancel an App Store subscription. Uninstalling the app also does not cancel a subscription. Manage those separately through Apple.
10. Your choices and privacy rights
- Use the ordinary diary without creating a MED Diary account.
- Control iCloud for MED Diary in Apple settings.
- Grant or withdraw Apple Health and Bluetooth permissions in iOS Settings.
- Choose whether to use AI, redact lab details, inspect the upload, and decline before sending.
- Select Shared Access categories, revoke a caregiver, or delete the Shared Access account.
- Export your complete underlying diary and use Delete My Data to erase all real profiles and deletable local app data across MED Diary devices signed in to the same Apple Account, the server-side AI-use ledger and credential, and—when signed in—the Shared Access account data. The App Store app-account token remains only when StoreKit reports verified purchase history, as described above.
- Manage or cancel Premium in your Apple subscription settings.
Depending on where you live, you may have rights to request access, correction, deletion, restriction, portability, or objection for personal data held by our server, and to complain to a privacy regulator. Email support@mediary.app. We may need information to verify that the request relates to you. MED Diary cannot retrieve private diary content from your device or iCloud on your behalf.
11. Security, children, transfers, and changes
Security
We use platform protections, encrypted network connections, access controls, rate limits, short-lived server sessions, and end-to-end encryption for Shared Access content. No storage or transmission method is perfectly secure. Protect your devices, Apple Account, invite codes, and exported files, and contact us if you believe something has gone wrong.
Children
MED Diary is not directed to children under 13. A parent or legal guardian who uses MED Diary to track a dependent's information is responsible for doing so lawfully and appropriately. If you believe a child submitted server-held personal data without appropriate permission, contact us.
International processing
Our service providers may process data in countries other than your own. Those countries may have different data-protection laws. We use provider contracts and safeguards appropriate to the service and applicable law.
Policy changes
We may update this policy as MED Diary changes. We will change the date above and, when a change is material, provide a prominent notice in the app, on the website, or both before it takes effect where required.
12. Contact us
Questions, deletion requests, or privacy concerns are welcome at support@mediary.app.
For ordinary troubleshooting and subscription help, visit MED Diary Support.