Privacy Policy

AscMX OÜ — Health Journal · Symply Notes

Effective date: May 2025 — Version 1.2 · Sepapaja tn 6, 15551 Tallinn, Harju Maakond, Estonia · Registered in Estonia — EU GDPR Compliant

This Privacy Policy applies to Health Journal — Symply Notes on both iOS (Apple App Store) and Android (Google Play). Where features or requirements differ between platforms, this is clearly indicated with iOS and Android labels.

1. Who We Are

This Privacy Policy applies to the "Health Journal — Symply Notes" mobile application and related services (collectively, "the App"), operated by AscMX OÜ, a company registered in Estonia (the "Company", "we", "us", or "our").

Registered address: Sepapaja tn 6, 15551 Tallinn, Harju Maakond, Estonia. For all data protection enquiries, contact us at: privacy@symplynotes.com.

We act as the Data Controller for your personal data as defined under the EU General Data Protection Regulation (GDPR) and the Estonian Personal Data Protection Act.

2. What This App Does

The App is a personal health journaling tool designed to help you record how you are feeling, organise your experiences over time, and generate structured summaries to bring to your appointment. The App is not a medical device, does not provide medical advice, and does not diagnose, treat, or prevent any medical condition.

All content generated by the App is intended solely to help you communicate your experiences at your next appointment.

3. Device Permissions and Features

The App requests only the permissions necessary to provide its core features. Below is a full explanation of each permission, what it is used for, and what we do not do with it. Where behaviour differs between iOS and Android, this is clearly noted.

3.1 Microphone

The App requests access to your device's microphone solely to record voice notes that you initiate by tapping the Record button. You are always in control of when a recording begins and ends.

Audio recordings are transmitted securely to our servers over an encrypted connection (TLS) for transcription and health information extraction. Audio files are deleted from our servers immediately after processing is complete — within seconds. Only the extracted text summary is stored.

We do not record audio passively, in the background, or without your explicit action.

  • iOS: You will be shown a system permission prompt the first time you use the Record feature. The reason string shown is: "Health Journal - Symply Notes uses your microphone to record voice notes. Audio is processed to extract health information and is not stored." This is defined in Info.plist as NSMicrophoneUsageDescription.
  • Android: Microphone access is declared in the AndroidManifest and requested at runtime when you first use the Record feature.

3.2 Biometric Authentication

If you choose to enable biometric sign-in, the App allows you to unlock it using your device's biometric system. This is entirely optional and can be disabled at any time in Settings.

Your login credentials are stored securely on your device. AscMX OÜ never transmits, receives, or stores your biometric data on our servers. Biometric data never leaves your device.

  • iOS: Credentials are stored in Apple Keychain, protected by the device's Secure Enclave. The system Face ID or Touch ID sheet is presented when biometrics are used. You will see a prompt: "Health Journal - Symply Notes uses Face ID to let you sign in quickly and securely." This is defined in Info.plist as NSFaceIDUsageDescription.
  • Android: Credentials are stored in Android Keystore, which is hardware-backed on supported devices. The system biometric dialog (fingerprint or face unlock) is presented when biometrics are used.

3.3 Local Notifications

With your permission, the App schedules local notifications on your device to remind you to log how you are feeling, and to prepare for upcoming appointments (24 hours before and 30 minutes before).

These notifications are scheduled entirely on your device. They do not involve any external servers, no data leaves your device for this feature, and we do not use push notification infrastructure for reminders.

  • iOS: Notification permission is requested via the iOS system dialog. You can manage notification preferences at any time in your device's Settings > Notifications.
  • Android: On Android 13 and above, notification permission is requested via the system runtime dialog. On earlier versions, notifications are enabled by default and can be managed in device Settings.

3.4 Subscriptions and Payments

Paid subscriptions are managed via RevenueCat. AscMX OÜ receives only your entitlement status (whether you are subscribed or not) — we do not receive, process, or store your payment card details or billing information.

  • iOS: Subscription payments are processed entirely by Apple via the App Store. Subscription management, cancellation, and refund requests are handled through your Apple ID account settings.
  • Android: Subscription payments are processed entirely by Google via Google Play. Subscription management, cancellation, and refund requests are handled through your Google Play account settings.

3.5 What the App Does NOT Access

The App does not request permission for, and does not access, any of the following:

  • Your precise or approximate location
  • Your camera or photo library
  • Your contacts or address book
  • Your calendar (appointment dates are entered manually by you)
  • Advertising identifiers (IDFA on iOS, GAID on Android)
  • Any cross-app tracking or behavioural advertising data

4. What Data We Collect

4.1 Data you provide directly

  • Voice recordings made within the App (deleted immediately after transcription)
  • Transcriptions of those voice recordings
  • Structured health journal entries derived from your voice notes
  • Your name and email address (for account creation)
  • Optional: your doctor's name and appointment dates

4.2 Data we collect automatically

  • App usage data (screens visited, features used, session duration)
  • Device type and operating system version
  • Crash logs and error reports
  • Subscription entitlement status (subscribed / not subscribed) via RevenueCat

4.3 Data we do not collect

  • Payment card or financial details of any kind
  • Biometric data — this never leaves your device
  • Location data
  • Contacts, camera, or photo library content
  • Advertising identifiers or cross-app tracking data

5. Health Data and Special Category Data

Information about your physical or mental health is classified as "special category personal data" under GDPR Article 9 and is afforded the highest level of legal protection.

We process your health data solely on the basis of your explicit consent, given during onboarding. You may withdraw this consent at any time by deleting your account. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

We apply the following safeguards to all health data:

  • All health data is encrypted at rest in our database (Supabase, AES-256)
  • All data in transit is protected using TLS 1.2 or higher
  • Voice audio is deleted from our servers immediately after transcription
  • Health data is never used to train artificial intelligence models
  • Health data is never shared with advertisers, data brokers, or third-party analytics platforms
  • Biometric credentials never leave your device and are never transmitted to our servers

6. How We Use Your Data

6.1 Providing the service

  • Transcribing your voice notes into text
  • Structuring your journal entries using AI processing
  • Generating appointment briefs from your logged entries
  • Storing your journal history securely
  • Sending local on-device reminders if you have opted in

6.2 Improving the App

  • Diagnosing technical issues and crashes
  • Understanding how features are used in aggregate and anonymised form

6.3 Legal obligations

  • Complying with applicable Estonian and EU law
  • Responding to lawful requests from regulatory authorities

7. Third-Party Data Processors

To provide the App's features, we share data with the following carefully selected processors. All processors are bound by Data Processing Agreements (DPAs) and are prohibited from using your data for any purpose other than providing services to us.

OpenAI (Whisper — Transcription)

Your voice recordings are sent to OpenAI's servers for transcription into text. Audio files are deleted from our servers immediately after transcription is complete. OpenAI does not use API data to train its models. OpenAI is located in the United States; transfers are covered by Standard Contractual Clauses (SCCs).

Anthropic (Claude — AI Structuring)

Transcribed text is sent to Anthropic's API to extract structured information and generate appointment briefs. Anthropic does not use API data to train its models. Anthropic is located in the United States; transfers are covered by Standard Contractual Clauses (SCCs).

Supabase (Database and Authentication)

Your account information and journal entries are stored securely using Supabase. Data is encrypted at rest. Supabase infrastructure is hosted on AWS in the EU (Frankfurt region) where possible.

RevenueCat (Subscription Management)

RevenueCat is used to manage subscription entitlements across both platforms. RevenueCat receives only your app user ID and entitlement status. Payment processing itself is handled by Apple (iOS) or Google (Android) — RevenueCat does not process payment card data.

Apple App Store (iOS — Payments and Distribution)

For iOS users, subscription payments are handled entirely by Apple via the App Store. We do not receive or store your payment card details. Apple's privacy policy applies to payment processing.

Google Play (Android — Payments and Distribution)

For Android users, subscription payments are handled entirely by Google via Google Play. We do not receive or store your payment card details. Google's privacy policy applies to payment processing.

8. Data Retention

  • Voice recordings: deleted immediately after transcription (within seconds of processing)
  • Journal entries: retained until you delete them or close your account
  • Account data: retained until account deletion, then deleted within 30 days
  • Anonymised usage analytics: retained for up to 24 months
  • Legal and billing records: retained for 7 years as required by Estonian law

When you delete your account, all personal data associated with your account is permanently and irreversibly deleted from our systems within 30 days, except where retention is required by law.

9. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights. To exercise any of these rights, contact us at privacy@symplynotes.com. We will respond within 30 days.

Right of Access (Article 15)

You have the right to request a copy of all personal data we hold about you.

Right to Rectification (Article 16)

You have the right to correct any inaccurate or incomplete personal data we hold about you.

Right to Erasure (Article 17)

You have the right to request permanent deletion of your personal data. You can delete your account directly in the App under Settings > Delete Account, or by contacting us.

Right to Restriction of Processing (Article 18)

You have the right to request that we limit how we use your data in certain circumstances.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, machine-readable format (JSON or CSV) and to transfer it to another controller.

Right to Object (Article 21)

You have the right to object to processing of your personal data for purposes other than providing the service.

Right to Withdraw Consent

Where processing is based on your consent, you may withdraw that consent at any time. This does not affect the lawfulness of processing before withdrawal.

Right to Lodge a Complaint

You have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at www.aki.ee, or with the supervisory authority in your country of residence.

10. International Data Transfers

Some of our third-party processors are located outside the European Economic Area (EEA), specifically in the United States. These transfers are carried out in compliance with GDPR Chapter V using Standard Contractual Clauses (SCCs) approved by the European Commission.

You may request a copy of the relevant transfer safeguards by contacting us at privacy@symplynotes.com.

11. Security

We implement the following technical and organisational security measures:

  • AES-256 encryption of all data at rest in our database
  • TLS 1.2+ encryption for all data in transit
  • Biometric credentials stored on-device only — Apple Keychain (iOS) or Android Keystore (Android) — never transmitted to our servers
  • Voice audio deleted from servers immediately after transcription
  • Strict access controls limiting who within our organisation can access personal data
  • Regular security reviews of our infrastructure and processors

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.

12. Children's Privacy and Child Safety

This section explains our position on children's access to the App, our advertising practices, our SDK compliance, and how we satisfy applicable children's privacy laws including COPPA (US) and GDPR (EU).

12.1 Age restriction and target audience

The App is not directed at, designed for, or intended to be used by anyone under the age of 16. The App does not target children as a primary or secondary audience. Our content, features, and purpose — personal health journaling to prepare for medical appointments — are intended for adults.

In our Google Play and Apple App Store listings, the App is declared as targeting users aged 16 and above. We do not knowingly collect personal data from anyone under 16.

12.2 Content appropriateness

The App's content consists solely of the user's own journal entries and AI-generated summaries of those entries. The App does not contain or display third-party content, user-generated public content, social features, chat, or community features. All content within the App is private to the individual user.

If we become aware that a child under 16 is using the App, we will: (a) immediately delete any personal data associated with that account; (b) terminate the account; and (c) take reasonable steps to prevent further access. To report a child using the App, contact privacy@symplynotes.com.

12.3 No advertising

The App contains no third-party advertising of any kind. We do not display ads, serve ads through third-party ad networks, use advertising identifiers (IDFA on iOS, GAID on Android), or engage in any behavioural or targeted advertising.

This applies universally — whether the App is being used by an adult or a minor, no advertising is present. We have no partnerships with ad networks, including Google AdMob or any other network.

We do not intend to introduce advertising into the App. If this changes in the future, we will update this policy, provide advance notice, and ensure full compliance with all applicable children's advertising regulations before any ads are introduced.

12.4 SDK and API compliance

All third-party SDKs and APIs integrated into the App have been reviewed for compliance with applicable children's laws. We confirm the following:

  • OpenAI (Whisper) — used for voice transcription only. Audio is deleted immediately after processing. OpenAI's API is not used for advertising or profiling.
  • Anthropic (Claude) — used for AI structuring of journal entries only. Not used for advertising, profiling, or data sharing.
  • Supabase — used for secure data storage and authentication. No advertising functionality.
  • RevenueCat — used for subscription entitlement management only. No advertising or tracking functionality.
  • Expo / React Native — the App's development framework. No advertising SDKs are included.

None of the above SDKs or APIs collect, share, or process data for advertising purposes. We do not include any analytics SDKs that use advertising identifiers.

12.5 COPPA compliance (US)

The App is not directed at children under 13 as defined by the Children's Online Privacy Protection Act (COPPA). We do not knowingly collect personal information from children under 13. We do not require parental consent because the App is not intended for use by children under 13.

If we discover that we have inadvertently collected personal information from a child under 13, we will delete it immediately. Parents or guardians who believe their child under 13 has used the App should contact privacy@symplynotes.com immediately.

12.6 GDPR compliance for minors (EU)

Under GDPR Article 8, processing of personal data of children under 16 requires parental or guardian consent in the EU (member states may lower this to 13). As the App is not directed at children under 16, we do not seek or process data from this age group and do not have parental consent mechanisms in place. If a child under 16 uses the App in breach of these Terms, their data will be deleted upon discovery.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via a prominent in-app notice at least 14 days before the changes take effect. Continued use of the App after that date constitutes acceptance of the updated policy.

The current version of this policy is always available within the App under Settings > Privacy Policy and at symplynotes.com/privacy.

14. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact:

AscMX OÜ

Sepapaja tn 6, 15551 Tallinn, Harju Maakond, Estonia

Email: privacy@symplynotes.com

General enquiries: contact@symplynotes.com

We aim to respond to all requests within 30 days.
