Legal

Privacy Policy

Effective 13 April 2026 · HypoMe (“we”, “our”, “us”)

1. Information We Collect

We collect the minimum data required to operate the service. We do not collect data for advertising, tracking, or profiling purposes.

• Account data: Email address and/or Apple ID (name, anonymised Apple identifier) provided at sign-up via Apple Sign-In or email/password registration.
• Experiment and entry data: Experiment titles, interventions, outcome values, adherence flags, free-text notes, and confound tags you log.
• Device and notification data: Push-notification token (to deliver reminders you schedule) and device timezone (to compute experiment schedules). We do not collect device identifiers, hardware information, or location data.
• Subscription and billing data: Subscription tier (free or premium), Apple transaction identifiers, and billing state (e.g. active, expired, in billing grace period) stored on our servers to enforce entitlement access. Payment processing is handled entirely by Apple; we never receive or store your payment-card details.
• Crash and diagnostic data: If the app encounters an error, our crash-reporting service (Sentry) may collect device type, operating-system version, app version, and a stack trace of the error. This data does not include your experiment content or account credentials. You may opt out of crash reporting in your device’s system privacy settings.
• Usage events: We collect lightweight product-usage events (e.g. “experiment created”, “check-in completed”) to improve the service. Raw telemetry event files stored in our AWS account contain the event name, timestamp, app environment, and optional non-content properties. Separate daily aggregate records store an internal user identifier solely to calculate daily active users; that identifier does not include your email or name and is removed from those aggregates if you delete your account. We do not include your experiment content or account credentials in telemetry, and we do not share these events with third parties.

2. How We Use Your Information

• Deliver and operate the HypoMe app and its experiment-tracking features.
• Send push notifications for experiment reminders you configure and for experiment-phase transitions (e.g. baseline complete).
• Verify and enforce subscription entitlements.
• Diagnose crashes, errors, and performance issues to maintain app stability.
• Respond to account-deletion requests and support inquiries.

We do not use your data for advertising, user profiling, or sale to third parties.

3. Third-Party Services

The following third-party services process data on our behalf. Each service processes only the minimum data required for its function.

• Amazon Web Services (Cognito): Manages user authentication and secure credential storage. AWS Privacy Policy.
• Expo Push Notification Service: Routes push notifications from our servers to your device. Expo Privacy Policy.
• Apple (App Store / StoreKit): Processes subscription purchases and renewals. Apple provides us with signed transaction records (including transaction IDs and subscription state) to verify entitlements. Apple Privacy Policy.
• Sentry: Collects crash reports and diagnostic data to help us identify and fix errors. Sentry receives an internal user identifier (not your email or name) alongside crash data so we can correlate reports during support. Sentry does not receive your experiment content or account credentials. Sentry Privacy Policy.

We do not share your data with any other third parties. Data processed by the services listed above is subject to their respective privacy policies, linked above.

4. Data Retention

Your account data and experiment data are retained for as long as your account exists. Deleting your account from Settings permanently removes your Cognito credentials and all associated experiment, entry, subscription, and results data from our systems.

Exceptions after deletion:

• Server-side request logs (which may contain your anonymised user ID) are retained for up to 30 days in accordance with our cloud provider’s default log-retention policy, after which they are automatically purged.
• Raw usage telemetry files already written before 13 April 2026 may include an internal user identifier and can remain in our storage for up to 90 days before automatic deletion. Daily telemetry aggregate records persist after account deletion, but the deleted account’s internal identifier is removed from those aggregates during the deletion process.
• Apple retains its own record of your App Store subscription and transaction history independently of us.
• Crash reports already transmitted to Sentry prior to deletion are retained for up to 90 days.

5. Data Security

All data transmitted between your device and our servers is encrypted in transit using TLS. Authentication tokens are stored on your device using the operating system’s encrypted keychain (Secure Enclave on iOS). Server-side data is stored in encrypted-at-rest databases hosted on Amazon Web Services within the US–West–2 (Oregon) region.

6. Your Rights

• Access: Contact us at support@hypome.com to request a copy of the data we hold about you. We will respond within 30 days.
• Portability: Premium subscribers can export their experiment data in CSV or JSON format directly from the app.
• Deletion: Use “Delete Account” in Settings at any time. All associated data will be permanently and irreversibly deleted, subject to the exceptions listed in Section 4.
• Correction: Contact us to correct inaccurate account information.

7. GDPR (European Users)

Our legal basis for processing is:

• Contractual necessity (Art. 6(1)(b) GDPR) — to provide the service you signed up for.
• Legitimate interest (Art. 6(1)(f) GDPR) — to maintain app stability, diagnose errors, and prevent abuse.

You have the right to access, rectify, erase, restrict, port, or object to processing of your personal data. To exercise these rights, contact support@hypome.com. You may also lodge a complaint with your local data-protection authority.

8. CCPA (California Residents)

We do not sell or share your personal information for cross-context behavioural advertising.

You have the right to know what personal information we collect, to request deletion, and to non-discrimination for exercising your rights. Contact support@hypome.com to make a request.

9. Children’s Privacy

HypoMe is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child under 13 has provided us with personal information, please contact us immediately and we will delete the data.

10. Changes to This Policy

We may update this policy when our practices change. We will note the new effective date at the top of this page. If a change materially affects how we handle your data, we will notify you via in-app notice or email before the change takes effect.

11. Contact

Questions or concerns? Email us at support@hypome.com.