Privacy Policy for Cephra
Introduction
ApApps ("we," "our," or "us") operates the Cephra mobile application (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application for migraine tracking and management.
Please read this Privacy Policy carefully. By using the Cephra application, you consent to the practices described in this policy.
Privacy First Approach: Cephra is designed with privacy as our top priority. All your health data stays on your device and is never transmitted to external servers. You maintain complete control over your sensitive health information.
Information We Collect
Health and Medical Information
Cephra is designed to help you track and manage your migraine episodes. The health information you may provide includes:
- Migraine Entry Data: Date, time, severity level, duration, notes about episodes
- Medication Information: Names, dosages, and types of rescue and preventive medications
- Symptom Data: Headache status, pain levels, and related symptoms
- Menstrual Cycle Data: Menstruation status (if enabled in settings)
- Work-Related Data: Information about work-induced migraines
- Triggers and Patterns: Data used for analysis and insights
Device and Usage Information
We may automatically collect certain information about your device and how you use the app:
- Device type, operating system, and version
- App version and usage statistics
- Crash reports and error logs (anonymized)
Information You Provide
- Settings and preferences within the app
- Export/import data when using CSV functionality
- Any feedback or support communications
Cloud Mode Information (Optional)
Email Address (Temporary Use Only) - Cloud Mode Only
- Collected when you log in to the app to receive a 6-digit verification code
- Sent securely to our backend via encrypted HTTPS
- Never stored in plain text in any database
- Used only to send a one-time code through Amazon Simple Email Service (SES)
- Automatically deleted within minutes after verification or expiration
Hashed User ID - Cloud Mode Only
- A hashed version of your email (using a private salt) is used to identify your account data in our database
- This value is anonymized, non-reversible, and used to associate your migraine data, medications, and preferences with you
- The hashing ensures your actual email is never stored alongside your health data
Cloud Storage Data
- AWS DynamoDB: Your migraine data, medications, tags, and user preferences are stored in Amazon Web Services DynamoDB
- Authentication: User authentication and session management through AWS services
How We Use Your Information
Primary Functions
- Health Tracking: Store and organize your migraine data locally on your device or in the cloud
- Pattern Analysis: Generate insights about your migraine triggers and patterns
- Data Export: Allow you to export your data in CSV format for personal use
- Medication Management: Help you track medications and their effectiveness
- Cloud Synchronization: Sync your migraine data across devices and provide backup (Cloud Mode only)
App Improvement
- Improve app functionality and user experience
- Fix bugs and technical issues
- Develop new features based on usage patterns (using anonymized data only)
Data Storage and Security
Local Storage (Offline Mode)
Your health data is stored locally on your device. Cephra is designed with privacy in mind:
- All migraine entries, medication data, and personal health information are stored on your device
- We do not automatically upload your health data to external servers
- Your data remains under your direct control
Cloud Storage (Cloud Mode)
We use industry-standard security measures for cloud storage, including:
- End-to-end encryption (HTTPS) for all network requests
- One-way SHA-256 hashing for identity management
- AWS DynamoDB: Your data is securely stored in Amazon Web Services cloud infrastructure
- Encryption: Data is encrypted in transit and at rest using industry-standard encryption
- Access Control: Strict access controls and authentication mechanisms protect your data
Data Security Measures
We implement appropriate technical and organizational measures to protect your information:
- Data encryption on your device and in the cloud
- Secure coding practices
- Regular security updates
- Limited data access within the app
- Privacy-first design with minimal data collection
Data Sharing and Disclosure
We Do Not Sell Your Data
We do not sell, trade, or rent your personal health information to third parties. Your health data is yours and yours alone.
Limited Sharing
We may share information only in the following circumstances:
- With Your Consent: When you explicitly authorize us to share specific information
- Legal Requirements: If required by law, regulation, or legal process
- Safety: To protect the rights, property, or safety of ApApps, our users, or others
- Business Transfer: In connection with a merger, acquisition, or sale of assets (with continued privacy protection)
CSV Export
When you use the export feature:
- Data is exported directly to your device or chosen location
- No data is transmitted to ApApps or third parties during export
- You control where the exported file is stored and shared
Your Rights and Choices
Data Control
You have complete control over your data:
- Access: View all your stored data within the app
- Modification: Edit or update any entries
- Deletion: Delete individual entries or clear all data
- Export: Export your data for personal use or transfer to other applications
Settings Control
You can control data collection through app settings:
- Enable or disable menstruation tracking
- Manage which data fields are required or optional
- Control data export options
- Offline Mode: You can use the app in offline mode without cloud synchronization
- Cloud Mode: You can choose to enable cloud synchronization for cross-device access
- Data Sync: You can control whether your data is synced to the cloud
Account Management
Offline Mode
- Uninstalling the app removes all local data
- No server-side account deletion is necessary
- You can clear all data through the app's settings before uninstalling
Cloud Mode
- Delete Account: You can request deletion of your account and all associated cloud data by opening the app and choosing "Delete Account" in Settings
- Switch Modes: You can switch between offline and cloud modes at any time
- Data Backup: Cloud data serves as a backup and enables cross-device synchronization
Children's Privacy
Cephra is not intended for use by children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.
Third-Party Services
Analytics and Crash Reporting
We may use third-party services for app analytics and crash reporting:
- These services receive only anonymized, non-health data
- No personal health information is shared with analytics providers
- Data is used solely for app improvement and bug fixing
No Third-Party Health Data Sharing
We do not integrate with or share data with third-party health platforms without your explicit consent.
Data Retention
Offline Mode
- Local Data: Your data is stored locally on your device and is retained only while you keep the app installed
- When you delete the app, all local data is permanently deleted
Cloud Mode
- Account Deletion: When you delete your account, all cloud data is deleted immediately
- Inactive Accounts: If you don't log in for 1 year, your cloud data will be automatically deleted
- Active Use: Your data is retained as long as you maintain an active account and log in regularly
- Backup: Cloud data serves as a backup and enables cross-device synchronization
General
- App Logs: Technical logs are retained for a reasonable period for troubleshooting purposes
- Support Communications: Communications with our support team are retained as necessary
International Data Transfers
Offline Mode
Since your health data is stored locally on your device, international data transfers are minimal and limited to:
- Technical support communications (if you contact us)
- Anonymized analytics data (if you consent)
Cloud Mode
Since your health data can now be stored in the cloud:
- Your data may be processed and stored in countries other than your own
- We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy and applicable laws
- All data transfers use industry-standard encryption and security measures
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do:
- We will notify you through the app or other means
- The "Last Updated" date will be revised
- Continued use of the app constitutes acceptance of the updated policy
- For material changes affecting health data, we will seek your explicit consent
Data Security
Security Measures
We implement comprehensive security measures to protect your health data:
- Encryption: All data is encrypted in transit and at rest
- Authentication: Secure user authentication and session management
- Access Controls: Strict access controls for cloud data
- Regular Updates: Regular security updates and vulnerability assessments
- Privacy Protection: We do not store personally identifiable information on our servers. Only a hash of your email address is stored for authentication purposes, which cannot be used to identify you personally
Data Breach Notification
Due to our privacy-first approach, we do not store any personally identifiable information on our servers. The only data stored is a hash of your email address for authentication, which cannot be reversed to reveal your actual email. Therefore, in the unlikely event of a data breach, there would be no personally identifiable information at risk that would require notification under typical breach notification laws.
Your Responsibilities
- Device Security: Keep your device secure and use strong authentication
- Account Protection: Protect your account credentials and log out when not in use
- App Updates: Keep the app updated to benefit from security improvements
GDPR Compliance (EU Users)
If you are in the European Union, you have additional rights under the General Data Protection Regulation (GDPR):
Your Rights
- Right to Access: You can request a copy of all personal data we hold about you
- Right to Rectification: You can correct any inaccurate or incomplete data
- Right to Erasure: You can request deletion of your personal data ("right to be forgotten")
- Right to Data Portability: You can receive your data in a structured, machine-readable format
- Right to Restrict Processing: You can limit how we process your data
- Right to Object: You can object to certain types of data processing
- Right to Withdraw Consent: You can withdraw your consent at any time
How to Exercise Your Rights
To exercise any of these rights, please contact us using the information provided in the Contact Information section. We will respond to your request within one month of receiving it.
Legal Basis for Processing
We process your personal data based on:
- Consent: When you choose to use Cloud Mode, you consent to the processing of your data for synchronization purposes
- Legitimate Interest: For app functionality, security, and improvement purposes
- Contract Performance: To provide the services you have requested
Data Protection Officer
For GDPR-related inquiries, please contact us at the email address provided in the Contact Information section, with "GDPR - Cephra" in the subject line.
Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or your data:
ApApps
Email: ApAppsCo@gmail.com
Website: https://www.apapps.co/
For privacy-specific inquiries, please include "Privacy - Cephra" in your subject line.
Compliance
This Privacy Policy is designed to comply with applicable privacy laws, including:
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- Health Insurance Portability and Accountability Act (HIPAA) principles
- Other applicable local privacy regulations
Your Consent
By using Cephra, you consent to the collection and use of your information as outlined in this Privacy Policy. This consent is revocable - you may stop using the app and delete your data at any time.
Important Note
This Privacy Policy applies specifically to the Cephra application developed by ApApps. It does not apply to any third-party applications or services that may be linked to or accessed through Cephra.
Thank you for trusting Cephra with your health tracking. Your privacy and trust are our highest priorities.