Who we are
INRythm ("the app", "we", "us") is published by SHTRAK BG LTD, a company registered in Bulgaria. This policy explains, in plain English, how the app handles personal data — particularly the health information you log inside it. It applies to the iOS and Android versions of INRythm and to this website at inrythm.app.
Contact: inrythm@shtrak.bg
What we collect
To use INRythm you create an account with an email address and a password. We collect and process the following:
- Account credentials — your email address and a password hash (we never see or store the plaintext password)
- Therapy data — the medication you track (e.g. Warfarin, Sintrom, Coumadin), your daily doses and confirmations, and your INR readings with any notes you attach
- App preferences — your reminder times and notification settings, your target INR range, and your language and display settings
- Email correspondence — any messages you choose to send us at inrythm@shtrak.bg
We do not collect device identifiers, advertising IDs, location data, or behavioural analytics. There are no advertising or analytics SDKs in the app.
How we use your data
We use the data you provide for one purpose: to make INRythm work for you. Specifically:
- To authenticate you when you sign in, and to keep you signed in across devices
- To store and sync your therapy data so you see the same log on every device where you sign in
- To deliver the local reminders you configure
- To respond to support emails you send us
We do not use your data for advertising, profiling, or marketing. We do not send marketing or product‑update emails to registered users — emails from us are limited to what's necessary for the account (for example, password reset).
Legal basis (GDPR): we process your account and therapy data on the basis of the contract between you and us (Article 6(1)(b)) — without it the app cannot work. Health data is processed under your explicit consent (Article 9(2)(a)), which you give by creating an account and entering your therapy details. You can withdraw consent at any time by deleting your account.
Storage & processors
INRythm uses Google Firebase (a Google Cloud service) for authentication and database storage. Firebase acts as our data processor under a Data Processing Addendum with Google. In practical terms:
- Your email and password hash are managed by Firebase Authentication
- Your therapy data and app settings are stored in Firebase, encrypted in transit between the app and Google's servers
- Data is hosted on Google Cloud across multiple regions; standard EU data‑transfer safeguards (e.g. Standard Contractual Clauses) apply where personal data of EU residents is involved
The app is also distributed through Apple's App Store and Google Play. Those platforms collect their own information about downloads and crashes under their own privacy policies — we receive only aggregate, anonymised reports.
Sharing & third parties
We do not sell your personal data. We do not share it with advertisers, data brokers, insurers, or marketing networks. The only entities that ever touch your data are:
- Google Firebase, our infrastructure provider, acting strictly as a processor on our instructions
- Apple and Google, in their roles operating the app stores
- Our email provider, when you write to us — used solely to receive and reply to your messages
Each INRythm account is private to its owner. There is no clinician dashboard, no family sharing, and no cross‑account visibility of any kind. If you want to share your log with a doctor, you do so by exporting it (see below) and sending it yourself.
Security
Communication between the app and Firebase is encrypted in transit using TLS. Firebase stores data on Google Cloud infrastructure, which provides encryption at rest and operates a substantial security programme; you can read about it in Google Cloud's documentation. Your password is never stored in plaintext — Firebase Authentication stores a salted hash.
You're responsible for choosing a strong password and for keeping the device you use signed in. If you suspect your account has been accessed by someone else, change your password immediately and write to us.
Exports & backups
INRythm lets you export your log as a PDF or CSV via your device's standard share sheet, so you can email it to your doctor or save it to your files. Once it leaves the app, the file is governed by whatever app or service you sent it to — we have no visibility or control over it.
Your account data on Firebase is the source of truth. Your phone's iCloud or Google backup will also include a copy of any locally cached data, the same way it would for any other app; those backups are managed by Apple or Google under their own terms.
Retention & deletion
We keep your account and therapy data for as long as your account exists. Many users want long‑term INR history for their own care, so we don't auto‑delete it. You stay in control:
- In‑app deletion: open INRythm, go to Settings, and choose to delete your account. This wipes your authentication record and all therapy data associated with it.
- By email: if you can't access the app, write to inrythm@shtrak.bg from your account email and we will delete the account on your behalf.
After deletion, residual copies may persist for a short period in Google's standard backup systems before being purged on Google's normal retention cycle. Email correspondence with us is kept until your support thread is resolved, then deleted on request.
Children
INRythm is intended for adults managing their own anticoagulant therapy, or for caregivers managing therapy on behalf of someone in their care. The app is not directed at children under 13 (or the equivalent age of digital consent in your country) and we do not knowingly collect data from them.
Your rights
Under GDPR and similar laws you have the right to access, correct, export, restrict, and delete the personal data we hold about you, and to object to certain processing. In practice:
- Access & portability: sign in to see all your data, or use Export to download it as PDF/CSV
- Correction: edit any record directly inside the app
- Deletion: delete your account in‑app, or email us — see Retention & deletion above
- Withdraw consent: deleting your account withdraws your consent to process health data
- Lodge a complaint: with your local data‑protection authority. In Bulgaria, that is the Commission for Personal Data Protection (CPDP).
Changes to this policy
If we change how the app handles data, we'll update this page and update the "Effective" date at the top. If a change is material — for example, if we ever introduce a new third‑party processor or a new category of data collection — we'll surface a clear notice in the app before it takes effect.
Contact
Questions about this policy, requests about your data, or anything else privacy‑related — write to us:
SHTRAK BG LTD · Sofia, Bulgaria