Skip to content
MED Diary
Home Philosophy Privacy Terms Support
Explore the app

Privacy Policy

Privacy, in plain language.

Your health diary is not an advertising profile. Most MED Diary data stays on your devices and in your private iCloud. When a feature needs our server, this policy explains exactly what goes there and why.

Effective and last updated: July 15, 2026

On this page

  1. Scope
  2. Your device and iCloud
  3. Apple Health and devices
  4. AI features
  5. Premium and free AI uses
  6. Shared Access
  7. Operations and support
  8. When data is shared
  9. Retention and deletion
  10. Your choices and rights
  11. Security and other terms
  12. Contact

Our commitments

  • No advertising and no sale of personal or health data.
  • No MED Diary account is required for ordinary diary features.
  • AI and caregiver sharing happen only when you choose to use them.
  • You can export your diary, delete profile data, and stop sharing.

1. Scope and who is responsible

This Privacy Policy applies to the MED Diary iPhone, iPad, Apple Watch, widget, Shared Access features, and the MED Diary website. In this policy, “MED Diary,” “we,” “us,” and “our” mean the developer and operator of MED Diary.

The policy does not replace the privacy terms of Apple, OpenAI, a connected-device manufacturer, a caregiver you choose, or any other service you use independently. Links to those services are provided where useful.

2. Data on your device and in your private iCloud

Your diary can include readings, medications and dose history, meals, appointments, health profiles, lab reports and results, notes, goals, reminders, and app settings. These records are stored by the app on your device. When iCloud is available for MED Diary, supported records and settings sync through private databases in your Apple iCloud account so they can appear on your other devices.

Apple operates iCloud and applies the protections associated with your Apple Account and settings. MED Diary does not receive your iCloud password and does not have a dashboard from which we can browse your private CloudKit database. Connected-device pairing details stay local to the phone that is paired.

The built-in Demo uses a separate local sample-data sandbox rather than your private diary. After about 24 hours, MED Diary offers to refresh the Alex sample. If you added eligible manual readings, you can move them to your primary profile first or postpone the refresh. Sample family profiles created inside Demo are memory-only and disappear on relaunch or when Demo refreshes.

If you enable App Lock, MED Diary stores a separate app passcode in this device's Keychain and can also ask iOS to authenticate with Face ID or Touch ID when you enable that option. MED Diary does not receive your biometric data.

3. Apple Health and connected devices

Apple Health

With your permission, MED Diary can read supported health information from HealthKit, including blood pressure, blood glucose, weight, activity, and workouts, and can write supported entries back to Apple Health. You choose the categories in Apple's permission screen and can change them later in the Health app or iOS Settings.

Health information you import into your MED Diary log becomes part of the diary and follows the storage choices described above. We do not use HealthKit information for advertising, marketing, data brokering, or decisions about credit, employment, or insurance.

Bluetooth meters, cuffs, and scales

If you pair a supported device, MED Diary uses Bluetooth to discover it and receive measurements. The app stores the device model, local Bluetooth identifier, serial number where available, user slot where applicable, and sync progress so it can avoid duplicates and resume imports. Pairing details remain on that phone; imported readings become part of your diary.

4. Optional AI features

Outside the built-in demo, MED Diary's live AI features use the MED Diary server as a secure intermediary and OpenAI as an AI processing provider. We send content only after you start the feature and approve the request. The demo uses bundled inputs and canned results on your device; it does not upload those samples or consume live AI credits.

Lab report extraction

Your original lab report or photo stays on your device. Before upload, the app lets you cover names, dates of birth, account numbers, or other details and then creates a flattened PDF in which any redactions are burned in. You can inspect the exact PDF and must expressly approve it before it is sent.

The approved PDF, including any on-device redactions, is sent to the MED Diary server and then to OpenAI so the report can be converted into structured results for your review. MED Diary uses the PDF and AI response only to complete that request and does not intentionally retain either as an ongoing server-side health record. Hosting and web-server infrastructure may use short-lived request buffers or temporary storage while the request is processed. The result returns to the app; nothing is added to your diary until you confirm it.

Meal nutrition estimates

When you ask for a nutrition estimate, the meal description and any optional photo you selected are sent through the MED Diary server to OpenAI. They are used to return an estimate and are not saved by MED Diary as a server-side meal history. If you save the estimate, it is stored in your diary on your device and, where enabled, your private iCloud.

Provider handling

MED Diary asks OpenAI not to store the response as a saved API object, but that setting does not by itself eliminate OpenAI's separate abuse-monitoring logs. OpenAI says those logs may contain API input and output and are retained for up to 30 days by default, unless the production project has been approved for Modified Abuse Monitoring or Zero Data Retention. MED Diary does not claim either exception unless and until it is confirmed for the production project. OpenAI also states that API business data is not used to train its models by default. See OpenAI's API data-controls documentation for current details.

5. Premium purchases and free AI uses

Apple processes Premium purchases through the App Store. MED Diary receives StoreKit status and transaction identifiers needed to unlock Premium, restore purchases, and verify subscription access. We do not receive your full payment-card details.

To enforce lifetime free AI-use limits fairly across reinstalls and your devices, MED Diary creates a random app identifier and a separate high-entropy server credential. Neither contains your name, email address, or health record. Both are kept on your device, synchronized using iCloud key-value storage, and sent to the MED Diary server with metered AI requests. The server stores the random identifier, the feature name, use count, last-updated time, and a one-way SHA-256 hash of the credential; it does not store the credential itself. The credential proves that the app is allowed to read or delete the matching ledger.

MED Diary also supplies the random app identifier to Apple as an App Store app-account token when you purchase Premium, and may send the current App Store transaction identifier to the MED Diary server so it can verify access with Apple. The app-account token and server credential have separate deletion rules described below.

6. Shared Access

Shared Access is optional and is the only MED Diary feature that requires an identity. When you use it, Sign in with Apple gives the MED Diary server a stable Apple account identifier and, depending on your Apple choices, an email address that may be an Apple private-relay address. We may also store the display name you provide.

MED Diary and MED Diary Care treat the same Apple Account as one Shared Access identity. Deleting that identity from either app removes every share it sent or accepted and the related encrypted relay records. It does not delete the private diary or cancel Premium.

To invite a caregiver, the server stores the caregiver's email address, your display name for the invite, the categories you chose to share, the invite status and code, and creation, acceptance, or revocation dates. The email is used to ensure that only the intended caregiver can accept the invite.

Shared health-record content is encrypted on the sender's device with a key carried in the invite and never sent to the server. The server stores and relays only encrypted record envelopes. The caregiver's device decrypts them. MED Diary cannot read the values inside those envelopes.

End-to-end encryption hides content, not all activity. The server can see that a share exists; the selected category names; encrypted-record counts and stable record identifiers; when records are added, changed, or deleted; and when a caregiver checks for updates. This can reveal patterns — for example, that a user updates glucose records frequently — without revealing the readings themselves.

Your caregiver can see whatever you choose to share after their device decrypts it. Creating an invite, adding a category, or restarting a stopped share requires Premium. If Premium ends, an existing share continues receiving updates until you narrow or revoke it; those privacy-reducing actions remain available without Premium. Choose recipients carefully and revoke access if it is no longer appropriate.

7. Server operations, website, and support

Security and request metadata

When your app or browser contacts our systems, the server and hosting provider receive normal network information such as IP address, request path, request ID, timestamp, upload size, response status, and processing duration. We use this information for rate limiting, security, reliability, and debugging. MED Diary's application logs do not persist raw client IP addresses, uploaded PDFs, meal descriptions, health values, or decrypted Shared Access records. Raw IP- and user-based rate-limit keys stay in memory for their one-minute window and are then pruned. Hosting infrastructure may maintain its own security and access logs under the provider controls described below.

Website

The current MED Diary website does not set advertising cookies or run behavioral analytics. Its hosting infrastructure may keep basic request logs such as IP address, time, requested page, and browser information for security and delivery.

Support

If you email support, we receive your email address and whatever text, screenshots, diagnostic details, or attachments you choose to send. Please remove health information you do not want us to receive. We use support communications to answer you, investigate problems, prevent abuse, and improve the app.

8. When information is disclosed

We do not sell personal information or health information. We do not use it for targeted advertising. Information is disclosed only as needed for the service or when the law requires it:

  • Apple: iCloud, HealthKit, StoreKit, Sign in with Apple, and operating-system services you choose to use.
  • OpenAI: the approved lab PDF, including any on-device redactions, or the meal description and optional photo needed for the AI request.
  • Infrastructure providers: providers such as Fly.io that host and protect the MED Diary server and process data only to provide that infrastructure.
  • People you choose: a caregiver receives the records you select through Shared Access; recipients of exports or reports receive what you send them.
  • Safety and law: where reasonably necessary to comply with law, protect rights and security, investigate fraud or abuse, or respond to a valid legal process.
  • Business change: as part of a merger, financing, acquisition, or sale, subject to appropriate confidentiality and continued notice of how data is handled.

9. Retention and deletion

  • Your diary and device-local data: stay on your devices and in private iCloud until you delete them. Delete My Data removes every real profile and its clinical records and stored files, app and profile settings, the family-profile registry, connected-device metadata, the App Lock credential, MED Diary notifications, and temporary health-data files. It also purges the app's CloudKit-mirrored records. A synchronized erasure marker tells MED Diary on your other devices signed in to the same Apple Account to remove their local-only copies the next time they receive it or the app runs; each device acknowledges the marker only after its cleanup succeeds. An offline device may therefore take time to finish.
  • AI request content: the MED Diary server does not keep the uploaded report, meal description/photo, or full AI result as an ongoing record after completing the request. OpenAI's own limited retention may apply as described above.
  • AI-use ledger and credential: the server's random-identifier ledger, credential verifier, and per-feature counts remain active to preserve lifetime free-use limits until you explicitly erase them. When a ledger may exist, Delete My Data sends an authenticated deletion request for it. If the request fails, deletion is shown as incomplete and the credential is kept so you can retry. Once server deletion succeeds—or no ledger exists—the server holds no identifier, verifier, counts, or timestamps for that ledger, and MED Diary clears the old server credential from the device and iCloud. Synchronized deletion state prevents a stale device from restoring it. Using live AI later creates a fresh credential and an empty ledger.
  • App Store app-account token: Delete My Data asks StoreKit whether MED Diary has verified purchase history. When StoreKit reports a verified transaction, the random app identifier used as that transaction's app-account token remains on your device and in iCloud solely so MED Diary can continue to verify the purchase. When StoreKit reports no verified purchase history, MED Diary deletes the old identifier from the device and iCloud. This token is separate from the server credential, which is always cleared, and contains no name, contact details, or health record.
  • Shared Access: active account, invitation, and share records remain while needed to provide sharing. Revoking a share deletes its encrypted record payloads immediately; the revoked share metadata is deleted after 30 days. Expired pending invitations and expired refresh tokens are purged by a daily cleanup after they expire. Deleting the Shared Access account removes its Sign in with Apple identity, tokens, shares, and encrypted records and revokes the server's Apple authorization.
  • Logs and support: kept only as long as reasonably needed for security, troubleshooting, legal obligations, and resolving the communication, subject to infrastructure backup and log rotation.

Delete My Data does not remove Apple Health records or cancel an App Store subscription. Uninstalling the app also does not cancel a subscription. Manage those separately through Apple.

10. Your choices and privacy rights

  • Use the ordinary diary without creating a MED Diary account.
  • Control iCloud for MED Diary in Apple settings.
  • Grant or withdraw Apple Health and Bluetooth permissions in iOS Settings.
  • Choose whether to use AI, redact lab details, inspect the upload, and decline before sending.
  • Select Shared Access categories, revoke a caregiver, or delete the Shared Access account.
  • Export your complete underlying diary and use Delete My Data to erase all real profiles and deletable local app data across MED Diary devices signed in to the same Apple Account, the server-side AI-use ledger and credential, and—when signed in—the Shared Access account data. The App Store app-account token remains only when StoreKit reports verified purchase history, as described above.
  • Manage or cancel Premium in your Apple subscription settings.

Depending on where you live, you may have rights to request access, correction, deletion, restriction, portability, or objection for personal data held by our server, and to complain to a privacy regulator. Email support@mediary.app. We may need information to verify that the request relates to you. MED Diary cannot retrieve private diary content from your device or iCloud on your behalf.

11. Security, children, transfers, and changes

Security

We use platform protections, encrypted network connections, access controls, rate limits, short-lived server sessions, and end-to-end encryption for Shared Access content. No storage or transmission method is perfectly secure. Protect your devices, Apple Account, invite codes, and exported files, and contact us if you believe something has gone wrong.

Children

MED Diary is not directed to children under 13. A parent or legal guardian who uses MED Diary to track a dependent's information is responsible for doing so lawfully and appropriately. If you believe a child submitted server-held personal data without appropriate permission, contact us.

International processing

Our service providers may process data in countries other than your own. Those countries may have different data-protection laws. We use provider contracts and safeguards appropriate to the service and applicable law.

Policy changes

We may update this policy as MED Diary changes. We will change the date above and, when a change is material, provide a prominent notice in the app, on the website, or both before it takes effect where required.

12. Contact us

Questions, deletion requests, or privacy concerns are welcome at support@mediary.app.

For ordinary troubleshooting and subscription help, visit MED Diary Support.

Privacy Terms Support Our philosophy

© 2026 MED Diary. Made with care for people who track their health.

MED Diary is a personal health diary, not a medical device. Always consult your healthcare provider.