Privacy Policy
Effective: February 8, 2026
ChronicAlly ("we", "us") is a health tracking tool that helps you monitor symptoms, interventions, and patterns. This policy explains how we handle your data.
What We Collect
- Account information — your email address and name, used for authentication and communication.
- Health data — readings, interventions, and notes you enter into the app.
- Usage data — login times and feature usage, used to improve the product.
How We Use It
- Provide the service — tracking, correlation analysis, and timeline visualization.
- Improve the product — aggregate, anonymized analytics only.
What We Don't Do
- We do not sell your health data.
- We do not use your health data for advertising or marketing.
- We do not share your health history or account information with third parties, except as described in the Third-Party Services section below.
Third-Party Services
We use the following services to operate ChronicAlly:
- Amazon Web Services (AWS) — database storage (DynamoDB), email delivery (SES), and infrastructure hosting. Your data is stored in AWS's US East region with encryption at rest.
- Dodo Payments — payment processing for subscriptions. Dodo receives your email address and payment information but does not have access to your health data.
- Google OAuth — optional authentication method. If you sign in with Google, we receive your email and name from Google. Google does not receive your health data.
- OpenAI (Realtime API) — optional voice transcription. If you use voice input, your audio is sent anonymously to OpenAI's Realtime API for speech-to-text conversion. Only the audio clip is sent — no name, no account information, no health history, no identifying data of any kind. You can avoid this entirely by using manual or text input instead.
- Anthropic (Claude) — optional natural language parsing and onboarding suggestions. If you use voice input, text input, or the onboarding setup, your description is sent anonymously to Anthropic's Claude API to map it to structured readings and interventions. Only the description text is sent — no name, no account information, no health history, no identifying data of any kind. You can avoid this entirely by using manual slider input instead.
AI Service Data Retention & Training Policies
We want to be transparent about how these AI providers handle data sent through their APIs:
- OpenAI — does not use API data for model training (this is their default policy since March 2023). API inputs and outputs are retained for up to 30 days for abuse and safety monitoring, then automatically deleted. Audio session state is held for up to 1 hour during active sessions. All data is encrypted at rest and in transit. See OpenAI's enterprise privacy page for details.
- Anthropic — does not use API data for model training. API usage is governed by their Commercial Terms, which explicitly exclude customer data from training. API inputs and outputs are retained for up to 30 days for safety monitoring, then automatically deleted. See Anthropic's privacy center for details.
All data sent to AI services is completely anonymous — there is no way for OpenAI or Anthropic to connect it to your account or identity. We only share the minimum data necessary to provide the service.
The voice and text input features are entirely optional. Users who log check-ins using manual sliders and toggles never send data to OpenAI or Anthropic.
How We Protect Your Data
- Encryption at rest — all data stored in our database is encrypted.
- Encryption in transit — all connections use HTTPS.
- Secure authentication — powered by Auth.js with industry-standard practices.
- No plain-text storage of sensitive data.
Your Rights
You have full control over your data:
- Export — download all your data at any time as JSON from your account settings or by visiting /api/account/export.
- Delete — permanently delete all your data at any time. Deletion is immediate with no grace period because health data is sensitive. This can be done from your account settings or by calling /api/account/delete.
- Access & correct — view and update any data you've entered.
- Withdraw consent — close your account whenever you choose.
Data Retention
We retain your data for as long as your account is active, or as long as needed to provide you services.
- Active accounts — data is retained indefinitely to maintain your tracking history.
- Deleted accounts — when you delete your account, all data (profile, subscription records, check-ins) is permanently deleted from our systems immediately. We do not keep backups of deleted user data.
- Session logs — authentication and error logs are retained for 90 days for security and debugging purposes, then automatically deleted.
- Legal holds — in rare cases (e.g., court order, fraud investigation), we may be required to retain data longer than stated here. We will notify you if this applies to your account.
HIPAA Disclosure
ChronicAlly is not a HIPAA-covered entity. We are not a healthcare provider, insurer, or clearinghouse. You enter your own data using your own equipment, and we are not affiliated with any covered entity.
This means HIPAA regulations do not apply to ChronicAlly. However, we voluntarily follow data protection best practices that meet or exceed what HIPAA would require for data like yours.
FTC Health Breach Notification
We comply with the FTC Health Breach Notification Rule. In the event of unauthorized access to your health data:
- We will assess and contain the breach within 24 hours.
- We will notify affected users via email within 72 hours, explaining what happened, what data was affected, what we're doing about it, and what you should do.
- If 500 or more users are affected, we will notify the FTC and post a notice on our website.
State Privacy Laws
We comply with applicable state privacy laws, including the California Consumer Privacy Act (CCPA). If you are a California resident, you have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information (which we never do).
Changes to This Policy
If we make material changes, we'll notify you by email before they take effect. Continued use after changes constitutes acceptance.
Contact
Questions about your privacy? Email us at privacy@chronically.app.