Privacy Policy
Effective Date: 4 August, 2025
Shtrak BG Ltd ("we," "us," or "our"), located in Varna, Bulgaria, operates the INRythm mobile application ("App"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) as the data controller, along with other applicable data protection laws.
By using the App, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the App.
1. Information We Collect
We collect the following types of personal data:
- Account Information: Email address (used for registration, login, and password recovery).
- Health and Usage Data: Daily Sintrom dosage, INR levels, reminder settings (e.g., dosage times, bloodwork reminders), and export history. This is sensitive personal data under GDPR (health-related).
- Device and Technical Data: Automatically collected information such as device ID, IP address, app usage statistics, and crash reports (via Google Analytics).
- Other Data: Any notes or custom settings you input related to your medication tracking.
We do not collect data from children under 13, and the App is not intended for them.
2. How We Collect Information
- Directly from You: When you register, input data (e.g., dosages, INR results), set reminders, or export to CSV.
- Automatically: Through app usage, including push notifications via Expo.
- From Third Parties: We use Google Firebase for data storage and syncing, Google Analytics for app performance insights, and Expo for build and notifications. These services may collect data on our behalf.
3. How We Use Your Information
We process your data based on legal grounds under GDPR (e.g., consent, legitimate interests, or contract performance):
- To provide App features: Track dosages, send reminders (daily Sintrom dose and 12-hour bloodwork alerts), and enable CSV exports.
- To improve the App: Analyze usage via Google Analytics (anonymized where possible).
- To communicate: Send account-related emails (e.g., password recovery).
- To comply with laws: Retain data for legal obligations.
- To provide tips: Display general information (e.g., food/alcohol cautions), but this is not personalized medical advice.
We do not use your data for automated decision-making or profiling that significantly affects you.
4. Data Storage and Security
- Your data is cached locally on your device for offline access and synced to Google Firebase servers (located in the EU or with GDPR-compliant transfers).
- We use industry-standard security measures, including SHA-256 hashing and SSL/TLS encryption for data in transit.
- Data retention: Account data is kept as long as your account is active. Health data is retained until you delete it or your account. Inactive accounts may be deleted after 12 months.
- In case of a data breach, we will notify you and relevant authorities within 72 hours if required by GDPR.
5. Sharing Your Information
We share data only as necessary:
- Service Providers: With Google Firebase (for storage), Google Analytics (for analytics), and Expo (for notifications and builds). These are processors under GDPR Data Processing Agreements.
- Exports: You can export data to CSV, which is handled on your device; we do not share exports unless you choose to (e.g., emailing to a doctor).
- Legal Requirements: If required by law, court order, or to protect rights/safety.
We do not sell your data or share it for marketing purposes.
For international transfers (e.g., if Firebase routes outside the EU), we rely on Standard Contractual Clauses or adequacy decisions.
6. Your Rights Under GDPR
As an EU resident (or if GDPR applies), you have the following rights:
- Access, rectify, or erase your data.
- Restrict or object to processing.
- Data portability (e.g., export your data).
- Withdraw consent at any time (though this may limit App functionality).
- Lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP) or your local authority.
To exercise these rights, contact us at inrythm@shtrak.bg. We respond within one month.
7. Account Deletion
You can delete your account via the Settings tab, which immediately removes your data from our servers (local data remains on your device until the App is uninstalled).
8. Children's Privacy
The App is not for users under 16 (GDPR threshold for consent). We do not knowingly collect data from children.
9. Changes to This Policy
We may update this Policy; we will notify you of changes in-app or via email. Continued use constitutes acceptance.
10. Contact Us
Shtrak BG Ltd
Tzar Osvoboditel 72, office 1
9000 Varna
Bulgaria
Email: inrythm@shtrak.bg
This Policy was drafted with reference to GDPR guidelines for health apps.