Migrelle — Privacy Policy

Last updated: [DATE]

Draft for review. This document is a draft and must be reviewed by a qualified lawyer
before publication. Placeholders in `[BRACKETS]` must be completed by the developer.

This Privacy Policy explains what personal data Migrelle ("Migrelle", "the app", "we", "us") collects, why, how it is protected, and the rights you have over it.

Migrelle is a migraine and headache self-tracking app for iOS and Android. We built it privacy-first and local-first: your health data lives on your device, and anything that leaves your device for backup is end-to-end encrypted so that we cannot read it.


Quick summary (the plain-English version)

- Your migraine data stays on your device. An account is optional: you only need one if you want encrypted backup and sync across devices.
- We can't read your health data. It is encrypted on your device before it ever leaves your phone. Our servers store only an unreadable encrypted blob.
- The trade-off you must understand: because only you hold the key, **if you lose all your devices and your recovery code, your encrypted backup cannot be recovered, not even by us.**
- No advertising. No third-party ad SDKs, no Google/Firebase Analytics, no selling of your data, and no sharing of it with advertisers.
- Insights and your doctor report are calculated on your device, not on our servers.
- Optional, anonymous product analytics help us improve the app. They are on by default and you can turn them off at any time in Settings → Privacy.

The full detail is below. This summary is for convenience and is not a substitute for the rest of the policy.


1. Who is responsible for your data (the controller)

The data controller for Migrelle is:

[LEGAL ENTITY NAME]

[REGISTERED ADDRESS], Poland (EU)
Contact: [CONTACT EMAIL]
Data Protection Officer / EU representative: [DPO / EU REPRESENTATIVE — if applicable]

If you have any question about this policy or your data, contact us at [CONTACT EMAIL].


2. The data we process, and why

2.1 Health data (special category data)

When you use Migrelle you can record information about your migraines and headaches, such as:

- migraine/headache attacks (timing, duration, severity, head region, aura, pain type, symptoms);
- suspected triggers and contextual notes (including weather context such as pressure, temperature, humidity, where you choose to record it);
- medications and supplements you take, and how much relief you felt;
- self-report questionnaire answers and scores (for example MIDAS and HIT-6);
- reminders you set;
- optional photos or notes you attach to an entry.

This is health data, which is a special category of personal data under Article 9 GDPR. We treat it accordingly: it is encrypted on your device (see Section 4) and, where it is backed up, our servers hold only ciphertext they cannot read.

Where this data lives: primarily in a local database on your device. It is sent to our servers only if you turn on backup/sync, and only in encrypted form.

2.2 Account data

If you create an account (optional, only needed for backup/sync), we process:

- your email address, used to authenticate you and to secure and recover access to your account;
- depending on the sign-in method you choose, a sign-in credential such as a passkey (for a passkey, our authentication provider holds only the public key; the private key never leaves your device or its platform keychain).

2.3 Subscription data

Migrelle is freemium. If you subscribe, your purchase is processed by Apple or Google through their app stores; we never receive or store your card or payment details. Through our subscription provider (RevenueCat) we receive your entitlement status (e.g. whether you have an active trial or subscription, the product, and renewal/expiry dates) so the app can unlock premium features. This is linked to a subscription identifier, not to your migraine data.

2.4 Sync metadata (please read — honest disclosure)

Even though the content of your health records is encrypted and unreadable to us, the act of syncing exposes a small amount of metadata to our server for each encrypted record:

- the record type (for example "log entry", "medication", or "profile") and the record identifier the encrypted blob is bound to,
- timestamps (when a record was created, updated, or deleted),
- the size of the encrypted blob.

This means our server can see that an encrypted record of a certain type exists, roughly how large it is, and when you add, change or delete records (i.e. the cadence of your activity), but **not what the record says.** We consider this a deliberate, disclosed trade-off of offering encrypted sync. We bind each encrypted blob cryptographically to its record type and identifier so a record cannot be silently swapped for another, and we keep each app in a separate EU database to avoid combining signals across conditions. We do not use this metadata to profile you or for advertising.

2.5 Product analytics (optional, anonymous, opt-out)

To understand how the app is used and to improve it, we collect anonymous, first-party product analytics, for example onboarding steps completed, screens viewed, paywall views, and subscription events. These analytics:

- contain only product-usage mechanics, never your health content (no attack logs, symptom values, scores, or notes are ever sent to analytics);
- do not use advertising identifiers (no IDFA/Ad ID) or third-party advertising/attribution SDKs;
- are not sent to Google Analytics or Firebase Analytics;
- use no stable identifier linking your usage to your health status; IP addresses are truncated and retention is short.

These analytics are on by default and you can turn them off at any time in Settings → Privacy. Our analytics processor is [ANALYTICS PROVIDER], hosted in [REGION — EU].

2.6 Crash and diagnostic data

We use a crash-reporting tool ([CRASH TOOL — e.g. Sentry, EU-hosted]) to detect and fix bugs. Crash reports are scrubbed of personal and health data before they reach us. *(Remove this section if you do not ship crash reporting.)*

2.7 Anything sensitive we want to do later requires your explicit opt-in

Any feature that would need our servers to read your data (for example optional server-side AI narration) is off unless you explicitly turn it on, and would run only on a minimized, de-identified, temporary slice of data. We will never do this silently, and this policy will be updated before any such feature ships.


3. Legal bases (GDPR)

| What we process | Legal basis |
|---|---|
| Providing the core app and storing/syncing your encrypted data | Performance of a contract (Art. 6(1)(b)) — our Terms with you |
| Processing your health data (special category) | Your explicit consent (Art. 9(2)(a)), given during onboarding; you can withdraw it at any time |
| Managing your account and authentication | Performance of a contract (Art. 6(1)(b)) |
| Subscriptions and entitlements | Performance of a contract (Art. 6(1)(b)) |
| Anonymous first-party analytics | Legitimate interests (Art. 6(1)(f)) in improving the app, balanced by anonymity, no third-party sharing, and an opt-out |
| Crash diagnostics | Legitimate interests (Art. 6(1)(f)) in app stability |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |

We apply data minimization: we collect only what we need, and we keep health content unreadable to us by design.


4. How your data is protected: end-to-end encryption (zero-knowledge)

This is the most important part of how Migrelle works, so we explain it plainly.

- Encryption happens on your device. Your migraine and health data is encrypted on your phone using strong, authenticated encryption (AES-256-GCM, which also detects any tampering with the encrypted data) before any of it is sent to our servers for backup.
- We store only ciphertext. Our servers (provided by Supabase, hosted in the EU) store the encrypted blobs. We do not hold the key and cannot decrypt or read your health content. This is what "zero-knowledge" means.
- Where the key lives. Your encryption key is kept in your device's hardware-protected keychain (the iOS Keychain, backed by the Secure Enclave, or the Android Keystore) and is never sent to our servers. Where the platform supports it, the key can reach your other devices through the platform's own end-to-end-encrypted keychain sync (for example iCloud Keychain). [CONFIRM THE ANDROID SYNC MECHANISM: keys held inside the Android Keystore itself cannot be copied off the device.]
- Your recovery code. When you create an account we show you a recovery code once. It wraps (encrypts) your key, so that you can regain access if you lose your devices; we do not keep a copy of the code.

The trade-off you must understand (data-loss risk)

Because only you control the key, nobody else, including us, can reset it. If you **lose access to all of your devices AND lose your recovery code, your encrypted backup cannot be recovered.** We will not be able to restore it for you. This is the unavoidable cost of true zero-knowledge encryption, and we want you to know it clearly:

**Save your recovery code somewhere safe. If you lose all your devices and your recovery code, your backed-up data is permanently unrecoverable.**

Data that is only on your device (no account/backup) follows the same logic: if you lose or wipe the device with no backup, that local data is gone.

Other safeguards: reminders are delivered as local notifications and **push notifications never contain health content**; access to our infrastructure is restricted and logged; we keep each app in a separate EU project.

No method of storage or transmission is 100% secure, but zero-knowledge encryption means that even a breach of our servers would expose only unreadable ciphertext of your health content, together with the account data and sync metadata described in Sections 2.2 and 2.4, and never the health content itself.


5. Who we share data with (processors and recipients)

We do not sell your personal data, and we do not share it with advertisers. We use a small

number of service providers ("processors") who act on our instructions:

| Provider | Purpose | What they can access |
|---|---|---|
| Supabase (EU region) | Account authentication and encrypted backup/sync storage | Your email (auth) and encrypted, unreadable health blobs + the sync metadata in Section 2.4 |
| RevenueCat | Subscription/entitlement management | Subscription/entitlement status tied to a subscription identifier — no health data |
| Apple App Store / Google Play | Processing your subscription payment | Your payment details (handled entirely by them; we never see your card data) |
| [ANALYTICS PROVIDER] | Anonymous first-party product analytics (opt-out) | Anonymous usage events — no health content, no ad identifiers |
| [CRASH TOOL] (if used) | Crash diagnostics | Scrubbed crash data — no health content |

We may also disclose data if legally required (e.g. a valid court order), but for your health content this would only ever be unreadable ciphertext, because we do not hold your key.

Apple and Google process your purchases under their own privacy policies; please review them.


6. International data transfers

Your account data and encrypted backups are hosted in the European Union (Supabase EU region). We design Migrelle so that no health data is transferred or stored outside the EU/EEA.

Some providers (for example app-store billing, or a non-EU analytics/crash tool if we use one) may process limited data outside the EEA. Where that happens, the transfer is protected by an appropriate safeguard such as the EU Standard Contractual Clauses or an adequacy mechanism (e.g. the EU–US Data Privacy Framework). If our processor list changes in a way that affects transfers, we will update this policy. (Confirm the final processor list with your lawyer.)


7. How long we keep your data

- On-device data: kept until you delete it or uninstall the app.
- Encrypted backups: kept while your account is active, so you can restore and sync. Deleted records are removed from the backup as part of sync; deleting your account removes your backups.
- Account/email: kept while your account exists.
- Subscription records: kept as required for billing, tax and accounting obligations.
- Anonymous analytics: kept only for a short period in aggregate form.

When you delete your account, we delete your account data and encrypted backups from our active systems within a reasonable period, except where we must keep limited records to meet a legal obligation (e.g. proof of a transaction).


8. Your rights

Under the GDPR you have the right to:

- Access the personal data we hold about you;
- Rectify inaccurate data;
- Erase your data ("right to be forgotten");
- Port your data, i.e. receive it in a structured, machine-readable format;
- Restrict or object to certain processing;
- Withdraw consent at any time (this doesn't affect processing done before withdrawal).

How to exercise them:

- Export your data and delete your account/data directly in the app: Settings → Privacy → Export data and Settings → Account → Delete account. In-app deletion removes your encrypted backups from our servers.
- Withdraw consent for health-data processing, or turn off analytics, in Settings → Privacy.
- For anything else, email [CONTACT EMAIL] and we will respond within the time the law requires (normally one month).

Note: because of zero-knowledge encryption, an "access/export" request is fulfilled **on your device**, where your data is readable. We cannot export your health content from our servers because we cannot decrypt it.

You also have the right to lodge a complaint with a supervisory authority. In Poland this is the President of the Personal Data Protection Office (UODO), or the authority in your EU country of residence.


9. Children

Migrelle is not intended for children. You must be at least [MINIMUM AGE — assumption: 16] years old to use the app and to create an account. We do not knowingly collect data from anyone under that age; if we learn that we have, we will delete it. *(The age line is an assumption to confirm with your lawyer — GDPR Art. 8 defaults to 16, and Poland's digital-consent age is 16; US/COPPA framing is 13+.)*


10. Changes to this policy

We may update this policy as the app evolves or the law changes. We will update the "Last updated" date and, for material changes (especially anything affecting your health data or a new processing purpose), we will notify you in the app and, where required, ask for renewed consent before the change takes effect.


11. Contact

Questions, requests, or complaints:

[LEGAL ENTITY NAME]
[CONTACT EMAIL]
[REGISTERED ADDRESS], Poland (EU)


*This is a draft pending legal review. Migrelle is a wellness and self-tracking tool, not a medical device. See the separate Medical Disclaimer.*