Legal

Data Policy

Last updated: April 22, 2026 · Effective: April 22, 2026

This Data Policy supplements our Privacy Policy with a detailed breakdown of every data type we collect, why we collect it, how long we keep it, and where it lives.

Data We Collect

Account

Data type	Purpose	Retention	Location
Email address	Authentication and account recovery	Until account deletion	Supabase Auth (AWS)
Password hash	Authentication (never stored in plain text)	Until account deletion	Supabase Auth (AWS)
Google OAuth token	Google sign-in (if used)	Session only	Supabase Auth (AWS)

Prescription Data

Data type	Purpose	Retention	Location
Prescription image	Display in app; sent once to AI for extraction	Until prescription or account is deleted	Supabase Storage (AWS, private bucket)
Doctor name	Display in prescription card	Until prescription or account is deleted	Supabase Postgres (AWS)
Prescription metadata	Active/inactive status, created date	Until prescription or account is deleted	Supabase Postgres (AWS)

Medication Data

Data type	Purpose	Retention	Location
Medication name, dosage, frequency	Scheduling reminders and displaying your medication list	Until medication or account is deleted	Supabase Postgres (AWS)
Time slots and schedule	Scheduling alarm notifications	Until medication or account is deleted	Supabase Postgres (AWS)
Start and end dates	Determining active medication period	Until medication or account is deleted	Supabase Postgres (AWS)

Dose Logs

Data type	Purpose	Retention	Location
Dose status (taken / missed / skipped)	Adherence tracking and statistics	Until medication or account is deleted	Supabase Postgres (AWS)
Scheduled time and logged time	Adherence accuracy reporting	Until medication or account is deleted	Supabase Postgres (AWS)

Row-Level Security

Every table in our database has row-level security (RLS) enabled. This means that database queries are enforced at the database level — not just in application code — so your data is only readable and writable by your own authenticated session.
Even if application code had a bug that attempted to return another user's records, the database would reject the query. This is a fundamental security control, not just a best-practice suggestion.

AI Processing of Prescription Images

When you add a prescription, the image is encoded as base64 and sent in a single API request to OpenRouter (openrouter.ai), which routes it to Google Gemma — a multimodal AI model.
The AI returns structured JSON containing extracted medication details. We store the extracted data, not the image, in our AI processing pipeline.
OpenRouter's policy states that prompts and completions are not used for model training. The image is processed transiently and is not stored on OpenRouter's servers beyond the API call lifecycle.
The original prescription image is separately uploaded to Supabase Storage for display in the app. This upload is independent of the AI extraction call.

What We Don't Do

We do not sell your personal data or prescription information to any third party.
We do not use your data for advertising or behavioural profiling.
We do not share your data with insurers, pharmaceutical companies, employers, or government agencies (except where required by law).
We do not use prescription images for training our own or third-party AI models.

Data Encryption

All data in transit is encrypted using TLS 1.2 or higher.
Data at rest in Supabase (Postgres and Storage) is encrypted using AES-256 by the underlying AWS infrastructure.
Prescription images in Supabase Storage are stored in a private bucket — they are not publicly accessible via a URL without an authenticated token.

Requesting Your Data or Deletion

Data export: Email knoworg1@gmail.com with the subject line 'Data Export Request'. We will provide a JSON export of all your account, prescription, medication, and dose log data within 7 business days.
Account deletion: Delete individual prescriptions and medications from within the app. To delete your entire account and all associated data (including prescription images), email knoworg1@gmail.com with the subject line 'Account Deletion Request'. All data will be permanently deleted within 30 days.
We may need to verify your identity before processing a data export or deletion request.

Data Residency

Supabase hosts data on AWS infrastructure. The specific AWS region may vary; consult Supabase's documentation for current region options.
OpenRouter processes API requests on infrastructure they manage. Consult openrouter.ai for details on their data residency.

Contact

For data-related questions or requests: knoworg1@gmail.com

Questions? Email us at knoworg1@gmail.com. We respond within 48 hours.