Privacy Policy @Chronicity App
Last Updated: February 21, 2026
INTRODUCTION
Chronicity ("we," "our," or "us") is committed to protecting your privacy and securing your personal health information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application.
We understand that your health information is highly sensitive and deeply personal. This policy has been designed to comply with international privacy laws including HIPAA (USA), GDPR (Europe), PIPEDA (Canada), and the Privacy Act 1988 (Australia), as well as Apple App Store and Google Play Store requirements for health applications.
By using Chronicity, you consent to the data practices described in this policy. If you do not agree with this policy, please discontinue use of the App.
1. INFORMATION WE COLLECT
We collect information in the following categories:
A. PERSONAL IDENTIFICATION INFORMATION:
• Full name and email address
• Date of birth and age
• Gender identity (optional)
• Profile picture (optional)
• Username and account credentials
• Contact preferences and language settings
B. HEALTH AND MEDICAL INFORMATION (Sensitive Data):
• Diagnosis and condition information
• Symptoms, pain levels, and severity ratings
• Medication names, dosages, schedules, and adherence data
• Medical appointments, procedures, and clinical visits
• Laboratory test results and clinical measurements
• Disease activity scores and wellness metrics
• Physical activity and exercise data
• Dietary intake and nutrition information
• Sleep patterns, duration, and quality metrics
• Vital signs (if entered manually)
• Health notes, observations, and journal entries
• Photographic documentation of symptoms or physical conditions
• Quality of life assessments and mood tracking
C. DEVICE AND USAGE INFORMATION:
• Device model, operating system, and version
• Mobile network information
• IP address and general location (city/country level only)
• App feature usage and interaction patterns
• Session duration and frequency
• Crash reports, error logs, and diagnostic data
• App performance metrics (anonymized)
D. HEALTH PLATFORM INTEGRATION DATA:
• Apple Health (HealthKit) data, with your explicit permission
• Google Fit data, with your explicit permission
• Activity, exercise, and movement data from connected devices
• Sleep data from connected health platforms
E. COMMUNICATION DATA:
• Support inquiries and correspondence
• Feedback and survey responses
• AI assistant chat interactions
F. PAYMENT AND SUBSCRIPTION INFORMATION:
• Subscription plan type (Premium, Premium+, or Elite)
• Billing cycle (monthly or yearly)
• Subscription status (active, expired, cancelled)
• Purchase date and renewal date
• Transaction identifiers from the App Store or Play Store
IMPORTANT: All payment processing is handled by the Apple App Store or Google Play Store. We do NOT collect, store, or have access to:
• Credit card numbers or payment card details
• Bank account information
• Billing addresses for payment purposes
• Any financial account credentials
Subscription tiers (yearly savings are relative to twelve monthly payments):
Tier          Monthly   Yearly    Savings
Premium       $2.99     $19.99    44% off
Premium Plus  $4.99     $29.99    50% off
Elite         $12.99    $79.99    49% off
2. HOW WE USE YOUR INFORMATION
We use your information for the following purposes:
A. TO PROVIDE CORE APP FUNCTIONALITY:
• Create and maintain your account
• Enable health tracking, logging, and monitoring features
• Send medication, appointment, and wellness reminders
• Generate personalized health insights and analytics
• Calculate disease activity scores and wellness metrics
• Provide AI-powered health assistance via chat and voice (Ava)
• Enable photo documentation and AI vision analysis
• Facilitate nutrition tracking and personalized meal recommendations
• Generate AI flare risk predictions using weather and health data
• Create personal health reports for healthcare provider visits
• Enable personal health notes (voice and text)
• Track sleep patterns and quality
• Monitor pain and fatigue levels
B. TO IMPROVE AND PERSONALIZE YOUR EXPERIENCE:
• Customize the app interface and features based on your preferences
• Analyze usage patterns to improve app performance
• Develop new features and enhancements
• Conduct research on disease management and patient outcomes (using anonymized data)
C. TO COMMUNICATE WITH YOU:
• Provide customer support and respond to inquiries
• Send important updates, security alerts, and service notifications
• Notify you of new features and improvements
• Request feedback and conduct user research
D. TO ENSURE SECURITY AND COMPLIANCE:
• Detect and prevent fraud, abuse, or security breaches
• Maintain audit logs for compliance purposes
• Comply with legal obligations and regulatory requirements
• Enforce our Terms of Service and policies
E. LEGAL BASIS FOR PROCESSING (GDPR):
• Consent: Explicit consent for health data processing
• Contract Performance: Necessary to provide app services
• Legitimate Interest: App improvement and security
• Legal Obligation: Compliance with applicable laws
WE EXPLICITLY DO NOT:
• Sell your personal health information to any third party
• Share your health data with advertisers or marketers
• Use health data from HealthKit or Google Fit for advertising
• Build user profiles for advertising purposes
• Use your data for purposes unrelated to health tracking and management
3. DATA SECURITY AND PROTECTION MEASURES
We implement comprehensive security measures to protect your information:
A. ENCRYPTION:
• Data in Transit: TLS 1.3 encryption for all data transmission
• Data at Rest: AES-256 encryption for stored data
• End-to-end encryption for sensitive health information
• Encrypted backups with secure key management
B. ACCESS CONTROLS:
• Multi-factor authentication for account access
• Role-based access control for authorized personnel
• Principle of least privilege for data access
• Regular access reviews and permission audits
C. INFRASTRUCTURE SECURITY:
• HIPAA-compliant cloud hosting infrastructure
• Firewall protection and intrusion detection systems
• Regular security patches and updates
• Distributed denial-of-service (DDoS) protection
• Data redundancy and disaster recovery systems
D. MONITORING AND AUDITING:
• 24/7 security monitoring and threat detection
• Comprehensive audit logs of data access
• Regular third-party security audits and penetration testing
• Vulnerability assessments and remediation
E. ORGANIZATIONAL MEASURES:
• Employee training on data protection and privacy
• Confidentiality agreements with all personnel
• Background checks for employees with data access
• Incident response and breach notification procedures
F. SECURITY LIMITATIONS:
Despite our comprehensive security measures, no system can guarantee 100% security. You are responsible for maintaining the confidentiality of your account credentials and should notify us immediately of any unauthorized access.
4. DATA SHARING AND THIRD-PARTY DISCLOSURE
We share your information only in the following limited circumstances:
A. WITH YOUR EXPLICIT CONSENT:
• When you export or share health reports
• When you integrate with third-party health platforms (Apple Health, Google Fit)
B. SERVICE PROVIDERS (UNDER STRICT AGREEMENTS):
• Cloud hosting and storage providers (Firebase/Google Cloud)
• AI and machine learning services (OpenAI for the chat assistant)
• Analytics providers for app performance monitoring
• Customer support platforms
• Email delivery services
All service providers are bound by Business Associate Agreements (HIPAA) and Data Processing Agreements (GDPR) and are prohibited from using your data for their own purposes.
C. LEGAL REQUIREMENTS:
• To comply with valid legal processes (subpoenas, court orders)
• To protect our rights, property, or safety
• To prevent fraud, abuse, or security threats
• To comply with regulatory obligations
D. BUSINESS TRANSFERS:
• In the event of a merger, acquisition, or sale of assets
• Your data will remain subject to this Privacy Policy or an equivalent
• You will be notified of any such transfer
E. AGGREGATED AND DE-IDENTIFIED DATA:
• We may share anonymized, aggregated data for research purposes
• Such data cannot be used to identify individual users
• Used for medical research, public health studies, and service improvement
WE WILL NEVER:
• Sell or rent your personal health information
• Share identifiable health data for advertising
• Provide health data to insurance companies without your consent
• Share HealthKit or Google Fit data with third parties for advertising
5. YOUR PRIVACY RIGHTS BY JURISDICTION
Your rights vary based on your location:
A. UNIVERSAL RIGHTS (ALL USERS):
• Right to Access: Request a copy of all data we hold about you
• Right to Rectification: Correct inaccurate or incomplete information
• Right to Deletion: Request deletion of your account and data
• Right to Data Portability: Export your health data in portable formats (PDF, CSV, JSON)
• Right to Withdraw Consent: Revoke permissions at any time
B. ADDITIONAL RIGHTS FOR EU/EEA USERS (GDPR):
• Right to Erasure ("Right to be Forgotten"): Complete data deletion
• Right to Restriction of Processing: Limit how we use your data
• Right to Object: Object to data processing for specific purposes
• Right to Lodge a Complaint: File complaints with supervisory authorities
• Right to Human Review: Request human review of automated decisions
• Right to Information about Data Protection Impact Assessments: Request information about data processing risks
C. ADDITIONAL RIGHTS FOR CALIFORNIA USERS (CCPA/CPRA):
• Right to Know: What personal information is collected, used, shared, or sold
• Right to Delete: Request deletion of personal information
• Right to Opt-Out of Sale: We do not sell personal information
• Right to Non-Discrimination: Equal service regardless of privacy choices
• Right to Correct: Correction of inaccurate personal information
• Right to Limit Use of Sensitive Personal Information
D. ADDITIONAL RIGHTS FOR CANADIAN USERS (PIPEDA):
• Right to Challenge Compliance: Challenge our compliance with PIPEDA
• Right to Know: Be informed about data collection purposes
• Right to Withdraw Consent: Withdraw consent with notice of the implications
• Right to Complain: File complaints with the Privacy Commissioner
E. ADDITIONAL RIGHTS FOR AUSTRALIAN USERS (Privacy Act):
• Right to Access and Correction: Access and correct personal information
• Right to Complain: Lodge complaints with the OAIC (Office of the Australian Information Commissioner)
• Right to Know: Understand what information is held and how it is used
F. EXERCISING YOUR RIGHTS:
To exercise any of these rights:
• Email: chronicity@obsoftsolutions.com
• In-App: Use the "Privacy Request" feature in settings
• Response Time: We will respond within 30 days (GDPR), 45 days (CCPA), or as required by applicable law
• Verification: We may request verification of your identity for security purposes
6. HIPAA COMPLIANCE (USA)
Chronicity is designed to comply with the Health Insurance Portability and Accountability Act (HIPAA):
• Physical Safeguards: Secure facilities and workstation controls
• Technical Safeguards: Encryption, access controls, audit logs
• Administrative Safeguards: Security policies, workforce training, risk assessments
• Business Associate Agreements (BAAs): Executed with all third-party service providers
• Breach Notification: Affected individuals notified within 60 days of discovery
• Minimum Necessary Rule: Access to PHI limited to the minimum necessary
• Patient Rights: Access, amendment, and accounting of disclosures
Note: Chronicity operates as a Personal Health Record (PHR) tool that you use directly, rather than on behalf of a healthcare provider or health plan. We apply HIPAA-level safeguards to all health data, but because the app is primarily for personal use, not every HIPAA provision necessarily applies to it.
7. GDPR COMPLIANCE (EUROPE)
For users in the European Union and European Economic Area, we comply with the General Data Protection Regulation (GDPR):
• Legal Basis for Processing: Consent, contract performance, legitimate interest, legal obligation
• Data Minimization: We collect only data necessary for stated purposes
• Purpose Limitation: Data used only for disclosed purposes
• Storage Limitation: Data retained only as long as necessary
• Accuracy: Mechanisms to ensure data accuracy and correction
• Integrity and Confidentiality: Appropriate security measures
• Accountability: Documentation of compliance measures
• Privacy by Design and by Default: Privacy built into systems from the start
• Data Protection Impact Assessments (DPIAs): Conducted for high-risk processing
• Supervisory Authority: You may lodge complaints with your local data protection authority
• Cross-Border Transfers: Standard Contractual Clauses (SCCs) for data transfers outside the EU/EEA
8. PIPEDA COMPLIANCE (CANADA)
For Canadian users, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA):
• Accountability: Responsible for personal information under our control
• Identifying Purposes: Clear communication of collection purposes
• Consent: Meaningful consent obtained for collection, use, and disclosure
• Limiting Collection: Only necessary information collected
• Limiting Use, Disclosure, and Retention: Used only for stated purposes
• Accuracy: Reasonable efforts to ensure accuracy
• Safeguards: Security appropriate to the sensitivity of the information
• Openness: Transparent policies and practices
• Individual Access: Access to your own personal information
• Challenging Compliance: Mechanism to challenge compliance
• Breach Notification: Notification to the Privacy Commissioner where there is a real risk of significant harm
9. AUSTRALIAN PRIVACY COMPLIANCE
For Australian users, we comply with the Privacy Act 1988 and Australian Privacy Principles (APPs):
• Open and Transparent Management: Clear and current privacy policy
• Anonymity and Pseudonymity: Options where practicable
• Collection of Solicited Information: Only when reasonably necessary
• Notification of Collection: Clear information about collection
• Use and Disclosure: Only for primary or related purposes
• Direct Marketing: Opt-out mechanisms provided
• Cross-border Disclosure: APP 8 compliance for overseas transfers
• Government Related Identifiers: Not used as our identifiers
• Data Quality: Reasonable steps to ensure accuracy
• Data Security: Reasonable steps to protect information
• Access and Correction: Mechanisms for access and correction
• Notifiable Data Breaches (NDB): Notification to the OAIC and affected individuals for eligible data breaches
10. DATA RETENTION AND DELETION
We retain your data according to the following policies:
A. ACTIVE ACCOUNTS:
• Health data: Retained while your account is active
• Transaction records: Retained for tax and legal compliance (7 years)
• Audit logs: Retained for 6 years for security and compliance
B. ACCOUNT DELETION:
• Deactivated accounts: 60-day grace period for reactivation
• Deleted accounts: Health data permanently deleted within 30-90 days
• Backup systems: Removed from backup cycles within 60-90 days
• Anonymized data: May be retained indefinitely for research
C. LEGAL RETENTION REQUIREMENTS:
• Some data may be retained longer to comply with legal obligations
• Financial records retained for tax purposes
• Dispute records retained until resolution
• Legal hold data retained as required by law
D. DATA MINIMIZATION:
• We regularly review and delete unnecessary data
• Automated deletion of expired temporary data
• Periodic audits to ensure compliance with retention policies
11. CHILDREN'S PRIVACY
Chronicity is not intended for use by children, and age requirements vary by jurisdiction:
• USA: Not intended for children under 13 (COPPA)
• EU/EEA: Users under 16 require verifiable parental consent (GDPR Article 8; individual member states may set a lower age, but not below 13)
• Canada: Users under 13 require parental consent in most provinces
• Australia: Users under 18 should have parental guidance for health apps
We do not knowingly collect personal health information from children below the applicable age threshold. If we become aware that we have collected data from a child without appropriate consent, we will:
• Delete the information immediately
• Terminate the account
• Notify parents or guardians if contact information is available
If you believe a child has provided information without consent, please contact us immediately at admin@obsoftsolutions.com
12. INTERNATIONAL DATA TRANSFERS
Your information may be transferred to, stored, and processed in countries outside your jurisdiction:
A. PRIMARY DATA STORAGE:
• Data is primarily stored in secure data centers in the United States
• Cloud infrastructure: Google Cloud Platform (Firebase)
• Backup servers in multiple geographic regions for redundancy
B. TRANSFER SAFEGUARDS:
• EU/EEA to USA: Standard Contractual Clauses (SCCs) approved by the European Commission
• Supplementary measures beyond SCCs for additional protection
• Data Processing Agreements with all international service providers
• Equivalent or higher security standards maintained across all jurisdictions
C. JURISDICTION-SPECIFIC PROTECTIONS:
• GDPR: Article 46 transfer mechanisms and adequacy decisions
• PIPEDA: Comparable level of protection required for cross-border transfers
• Australia: APP 8 compliance, with reasonable steps taken to ensure overseas recipients comply with the APPs
D. YOUR CONSENT:
By using Chronicity, you consent to the transfer of your information to the United States and other jurisdictions. You have the right to withdraw this consent, which may limit your ability to use certain features.
13. COOKIES, TRACKING, AND ANALYTICS
As a mobile application, we use minimal tracking technologies:
A. ESSENTIAL DATA COLLECTION:
• Authentication tokens: Required for account security and login
• Session data: Necessary for app functionality
• User preferences: Settings and customization data
B. ANALYTICS AND PERFORMANCE:
• Firebase Analytics: Anonymized usage patterns and app performance
• Crash reporting: Diagnostic data for bug fixes
• Feature usage: Understanding which features are most valuable
• All analytics data is aggregated and anonymized
C. NO ADVERTISING TRACKING:
• We do not use advertising identifiers (IDFA on iOS, AAID on Android)
• No third-party advertising SDKs
• No cross-app tracking
• No behavioral advertising
D. CONTROLLING TRACKING:
• iOS: Settings > Privacy > Tracking
• Android: Settings > Google > Ads
• In-App: Analytics can be disabled in app settings
E. DO NOT TRACK:
We honor Do Not Track signals where applicable, though as a mobile app, traditional browser-based DNT may not apply.
14. THIRD-PARTY SERVICES AND INTEGRATIONS
We use select third-party services that may process your data:
A. CLOUD INFRASTRUCTURE AND STORAGE:
• Google Cloud Platform / Firebase: Authentication, database, storage, hosting
• Privacy Policy: https://policies.google.com/privacy
• Safeguards: HIPAA Business Associate Agreement, GDPR Data Processing Agreement
B. AI AND MACHINE LEARNING (OpenAI):
• Purpose: AI health companion (Ava), food analysis, health insights, and personalized recommendations
• Provider: OpenAI (Responses API)
• Privacy Policy: https://openai.com/privacy
• Data Retention: Zero. Every request is sent with the Responses API "store: false" setting, so OpenAI does NOT retain your health data
• Model Training: Your data is NEVER used to train OpenAI models
• Processing: Data is processed in memory to generate the response, then immediately discarded
• Context Management: We use encrypted reasoning items for conversation continuity without server-side storage
• Safeguards: HIPAA-compliant configuration and a Data Processing Agreement with OpenAI
• See Section 14A below for detailed AI data processing information
C. HEALTH PLATFORM INTEGRATIONS (WITH YOUR PERMISSION):
• Apple HealthKit: iOS health data integration
• Google Fit: Android health data integration
• Note: Data accessed through these platforms is NOT shared with third parties for advertising
D. ANALYTICS AND MONITORING:
• Firebase Analytics: App usage and performance metrics (anonymized)
• Crashlytics: Crash reporting and diagnostics
E. COMMUNICATION SERVICES:
• Email delivery services: Transactional and notification emails
• Push notification services: Apple Push Notification Service (APNS), Firebase Cloud Messaging (FCM)
F. PAYMENT PROCESSING:
• Apple App Store / Google Play Store: Subscription billing and payment processing
• We do not store payment card details
G. THIRD-PARTY RESPONSIBILITIES:
• All third-party providers are bound by contractual obligations to protect your data
• Service providers may only use data to provide services to us
• We conduct due diligence on all service providers
• You should review third-party privacy policies for their data practices
14A. AI DATA PROCESSING AND PRIVACY
Chronicity uses artificial intelligence to provide personalized health insights. This section explains how your data is processed by AI systems:
A. AI FEATURES IN CHRONICITY:
• Ava Health Companion: Conversational AI for health questions, symptom analysis, and personalized guidance
• Food Analysis: AI-powered analysis of meal photos for nutritional insights and condition-specific recommendations
• Health Score: AI-generated wellness scores based on your tracked health data
• Flare Risk Prediction: AI analysis of symptoms, weather, and patterns to predict potential flares
• Blood Pressure Insights: AI interpretation of BP readings (for users 45+)
• Meal Recommendations: Personalized anti-inflammatory meal suggestions
B. HOW AI PROCESSES YOUR DATA:
• Your health data (symptoms, medications, logs) is sent to OpenAI's API for processing
• Data is processed in real time to generate personalized responses
• Data is transmitted over encrypted channels (TLS 1.3)
• AI responses are generated and returned to you immediately
C. ZERO DATA RETENTION (HIPAA/GDPR COMPLIANT):
• Every request uses OpenAI's "store: false" setting, so your data is NOT stored on OpenAI servers
• Data is processed in memory only and never written to disk
• After a response is generated, your input data is immediately discarded
• No conversation history is retained by OpenAI
• Your data is NEVER used to train or improve AI models
D. ENCRYPTED CONTEXT MANAGEMENT:
• For multi-turn conversations, we use the encrypted reasoning items returned by the API
• These opaque encrypted tokens are sent back with your next message, which gives conversation continuity without server-side storage
• Encrypted items are decrypted in memory for each response, then discarded
• This stateless approach ensures no health data persists on AI servers
E. WHAT AI CAN AND CANNOT ACCESS:
AI CAN access (when you use AI features):
• Information you explicitly share in conversations
• Photos you submit for analysis
• Health context you've authorized (diagnosis, symptoms, medications)
• Data required to generate your requested insight
AI CANNOT access:
• Your data when you're not actively using AI features
• Historical conversations (not retained)
• Data from other users
• Your payment or billing information
• Data you haven't explicitly shared
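The stateless pattern described in 14A.C through 14A.E, as an added example that is not Chronicity's own code: every Responses API request is pinned to "store: false" and asks for encrypted reasoning items back, the previous turn's reasoning and assistant items are replayed from the app's memory on the next turn, and only the health-context fields the user authorized are placed in the request. A guard refuses to dispatch any request that could create server-side state (store not false, encrypted reasoning not requested, or a previous_response_id, which only works against stored responses). The model name, the "developer" role used for the context item, and the fake transport that stands in for the network are assumptions made so the example runs offline; the transport returns a constructed response in the shape the API uses, not real model output. One caveat a practitioner should know: "store: false" keeps the response out of OpenAI's retrievable conversation state, but exclusion of inputs from OpenAI's separate abuse-monitoring retention depends on an organisation-level Zero Data Retention arrangement with OpenAI, so the "never written to disk" statement above rests on that arrangement, not on this flag alone.

```python
"""Stateless multi-turn client for the OpenAI Responses API (added example).

Conversation state lives only in this object; nothing is stored server-side.
The network call is behind an injected transport so the example runs offline.
"""
import copy
import json
from typing import Callable

MODEL = "o4-mini"                       # assumption: any reasoning-capable model name
INCLUDE = ["reasoning.encrypted_content"]  # ask for reasoning back as opaque ciphertext
CARRY_TYPES = {"reasoning", "message"}  # output item types replayed on the next turn

Transport = Callable[[dict], dict]


class ZeroRetentionSession:
    """Keeps the minimum needed for continuity and drops it when the chat ends."""

    def __init__(self, transport: Transport, authorized_fields: set[str]):
        self._send = transport
        self._authorized = set(authorized_fields)
        self._carry: list[dict] = []  # prior turn's reasoning + assistant items

    def _context_item(self, health_context: dict) -> dict:
        # Minimum necessary: only fields the user authorized leave the device.
        allowed = {k: v for k, v in health_context.items() if k in self._authorized}
        return {"role": "developer",  # assumption: context is passed as a developer message
                "content": "Authorized health context: " + json.dumps(allowed, sort_keys=True)}

    def build_request(self, user_text: str, health_context: dict) -> dict:
        return {
            "model": MODEL,
            "store": False,        # never persist this turn on OpenAI's side
            "include": INCLUDE,    # needed so the reasoning item comes back encrypted
            "input": [self._context_item(health_context),
                      *copy.deepcopy(self._carry),
                      {"role": "user", "content": user_text}],
        }

    @staticmethod
    def guard(request: dict) -> None:
        """Fail closed before dispatch: reject anything that could create server state."""
        if request.get("store") is not False:
            raise ValueError("refusing to send a request without store=false")
        if "reasoning.encrypted_content" not in request.get("include", []):
            raise ValueError("encrypted reasoning not requested; continuity would need server storage")
        if "previous_response_id" in request:
            raise ValueError("previous_response_id chains to a stored response")

    def ask(self, user_text: str, health_context: dict) -> str:
        request = self.build_request(user_text, health_context)
        self.guard(request)
        response = self._send(request)
        # Carry forward only the opaque reasoning items and the assistant's reply.
        self._carry = [item for item in response["output"] if item.get("type") in CARRY_TYPES]
        return "".join(part.get("text", "")
                       for item in response["output"] if item.get("type") == "message"
                       for part in item.get("content", []))

    def end(self) -> None:
        """Drop client-side context, e.g. when the user closes the chat."""
        self._carry.clear()


def make_fake_transport(sent: list[dict]) -> Transport:
    """Constructed stand-in for the API: records each request, returns a plausible response."""
    def transport(request: dict) -> dict:
        sent.append(request)
        turn = len(sent)
        return {"output": [
            {"type": "reasoning", "id": f"rs_{turn}",
             "encrypted_content": f"opaque-ciphertext-{turn}", "summary": []},
            {"type": "message", "role": "assistant",
             "content": [{"type": "output_text", "text": f"reply {turn}"}]},
        ]}
    return transport


def demo() -> list[dict]:
    """Two turns of a constructed conversation; returns the requests that were sent."""
    sent: list[dict] = []
    session = ZeroRetentionSession(make_fake_transport(sent),
                                   authorized_fields={"diagnosis", "medications"})
    context = {"diagnosis": "RA", "medications": ["methotrexate"],
               "notes": "private journal entry"}  # constructed sample; notes not authorized
    session.ask("How was my week?", context)
    session.ask("And my sleep?", context)
    session.end()
    return sent


if __name__ == "__main__":
    for i, req in enumerate(demo(), start=1):
        print(f"turn {i}: store={req['store']}, items={[x.get('type', x.get('role')) for x in req['input']]}")
```

The second request replays the first turn's reasoning item (with its encrypted_content) and assistant message, so the model resumes without OpenAI holding any state; the unauthorized "notes" field never appears in either request. Treat the encrypted_content blobs as sensitive in transit and in logs even though they are ciphertext: they are keyed by OpenAI, and replaying them is exactly what reconstructs the conversation.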
F. AI LIMITATIONS AND DISCLAIMERS:
• AI features provide informational content only, NOT medical advice
• AI cannot diagnose conditions or prescribe treatments
• Always consult healthcare professionals for medical decisions
• AI responses are based on general knowledge, not your complete medical history
• AI may occasionally produce inaccurate or incomplete information
G. OPTING OUT OF AI FEATURES:
• AI features are optional; you can use Chronicity without them
• You can disable AI features in Settings > Privacy > AI Features
• Disabling AI features does not delete previously processed data, because none is retained
• Core tracking features work independently of AI
H. AI DATA REQUESTS:
• Because we use zero-retention settings, there is no AI-stored data to retrieve or delete
• Your locally stored health data remains subject to standard deletion requests
• Contact privacy@chronicity.app for any AI-related privacy concerns
15. DATA BREACH NOTIFICATION
In the event of a data breach involving personal or health information:
A. DETECTION AND ASSESSMENT:
• 24/7 security monitoring for potential breaches
• Immediate investigation and assessment of scope
• Determination of affected individuals and data types
B. NOTIFICATION TIMELINES BY JURISDICTION:
• USA (HIPAA): Affected individuals notified within 60 days of discovery; breaches affecting 500 or more individuals are also reported to HHS within 60 days, and smaller breaches are logged and reported to HHS annually
• USA (State Laws): Immediate to 90 days depending on state requirements
• Europe (GDPR): Within 72 hours to the supervisory authority; without undue delay to individuals where the breach is likely to result in a high risk to them
• Canada (PIPEDA): As soon as feasible if there is a real risk of significant harm
• Australia (NDB scheme): Suspected breaches assessed within 30 days; the OAIC and affected individuals are notified as soon as practicable once a breach is determined to be eligible
C. NOTIFICATION CONTENT:
• Description of the breach and when it occurred
• Types of information involved
• Steps we have taken to address the breach
• Recommended actions for affected individuals
• Contact information for questions
D. NOTIFICATION METHODS:
• Email to your registered email address
• In-app notification
• Public notice on our website if contact information is unavailable
• Regulatory notifications as required by law
16. CHANGES TO PRIVACY POLICY
We may update this Privacy Policy periodically. We will notify you of any material changes via:
• Email notification
• In-app notification
• An updated "Last Updated" date at the top of this policy
Continued use of the App after changes constitutes acceptance of the updated policy.
17. CONTACT US AND DATA PROTECTION OFFICERS
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data:
A. GENERAL PRIVACY INQUIRIES:
Email: admin@obsoftsolutions.com
Subject Line: Privacy Inquiry
Response Time: Within 5-10 business days
B. DATA PROTECTION OFFICER (GDPR):
Email: dpo@chronicity.app
For EU/EEA residents with GDPR-related concerns
C. DATA PRIVACY RIGHTS REQUESTS:
Email: privacy@chronicity.app
Subject: Data Rights Request - [Access/Deletion/Correction/Portability]
Include: Your name, email, and a description of your request
Response Time: 30 days (GDPR), 45 days (CCPA)
D. SUPERVISORY AUTHORITIES:
You have the right to lodge a complaint with your local data protection authority:
• EU/EEA: Your national Data Protection Authority
• UK: Information Commissioner's Office (ICO)
• Canada: Office of the Privacy Commissioner of Canada
• Australia: Office of the Australian Information Commissioner (OAIC)
• USA: State Attorney General or HHS Office for Civil Rights (for HIPAA)
E. SECURITY INCIDENTS:
Email: security@chronicity.app For reporting security vulnerabilities or suspicious activity
Your Privacy is Protected