HealthPilot ("we", "us", "the app") lets you photograph or upload personal
pathology reports and other medical documents so the app can extract, store,
and present your results over time. This policy explains what data we
collect, how we use it, who we share it with, and your choices. By using
HealthPilot you agree to this policy.
Data we collect
Account data: your email address, and optionally your
name, date of birth, and biological sex. Authentication is handled by
Amazon Web Services (AWS) Cognito.
Health data: pathology report files you upload
(images or PDFs) and the medical values extracted from them, including
analyte measurements, units, reference ranges, and collection dates.
Optional per-report context you choose to add (such as weight on
collection day, whether you were fasted, and free-text notes). When a
single uploaded PDF contains results from more than one collection date,
we store one report per collection date so each appears with its correct
date in your timeline.
Medical documents: any additional medical documents
you choose to add to the in-app document vault (such as referrals,
imaging reports, or discharge summaries), together with the category and
label you assign.
Reminder and care-plan data: reminder definitions
(including medication name, dose, and schedule when you set them),
notification history, selected outcomes, and adherence history.
Appointment notes: discussion points, outcome notes,
and completion status you record for clinical appointments.
Health Connect data (Android): if you grant
permission, the following on-device readings imported from Android
Health Connect: weight, height, heart rate, blood pressure, and
blood glucose. Each permission is requested separately the first
time you choose to enable it. Health Connect access is optional and can
be revoked at any time in the Health Connect app on your device or in
your device settings.
Subscription data: your subscription tier
(free or premium), entitlement state, and the purchase token issued by
the Google Play store. We never see or store your payment card details.
Technical data: basic, non-advertising operational logs
(such as error and request logs) needed to run and secure the service.
We do not use advertising identifiers, and we do not sell your data.
We do not share Health Connect data, pathology reports, or any other
health data with advertisers or data brokers under any circumstances.
How we use your data
To extract, store, and display your lab results and trends over time.
To store and present medical documents you add to your vault.
To sync reminders, appointment notes, and adherence history across
your account.
To generate doctor-ready PDF summaries that you choose to export and
share with a clinician.
To manage your subscription status and unlock premium features.
To authenticate you and secure your account.
To operate, maintain, debug, and improve the service.
How your data is processed and shared
We share data only with infrastructure providers that process it on our
behalf to deliver the service. We do not share your data with advertisers or
data brokers.
Amazon Web Services (AWS), Asia Pacific (Sydney) region:
Cognito for authentication; S3 for encrypted storage of uploaded report
and document files; Textract for optical character recognition of report
files; and Bedrock to structure lab values from the extracted text.
Fly.io: hosts the application server and the encrypted
PostgreSQL database (Sydney region).
Google Play Billing: processes subscription purchases.
All payment card data is handled by Google; we do not receive it.
RevenueCat: validates Google Play purchase tokens and
manages subscription entitlement state on our behalf. RevenueCat receives
the purchase token and your subscription status, but no payment card data
and no health data.
Google Health Connect (on-device, Android): if you
opt in, vitals are read from Health Connect on your device and uploaded
to our service. Health Connect itself runs locally on your device.
We may also disclose data if required by law or to protect the rights,
safety, and security of our users and the service.
Data retention and deletion
Your data is retained while your account is active. You can delete
individual reports at any time from within the app, which removes the
associated file and extracted values. You can delete your entire account
from within the app (Profile → Account → Delete my account),
or by emailing us at the address below.
Account deletion is a two-phase process for anti-abuse and data-recovery
reasons:
Immediately on request: all of your uploaded files
and parse artefacts are deleted from object storage; your profile,
reports, vault documents, reminders, notes, and feedback are removed
from our database; your sign-in account in AWS Cognito is disabled so it
can no longer be used.
30 days later: a scheduled cleanup permanently
removes the disabled Cognito account, freeing the email address for
reuse. After this point the account is irrecoverable.
The 30-day window blocks rapid re-creation of accounts to game the free
tier and gives users a margin to contact us if a deletion was a mistake.
See the account deletion page for full
per-data-type details.
Security
Data is transmitted over encrypted connections (HTTPS/TLS) and stored
using encryption at rest. Biometric credentials, if you enable biometric
sign-in, are stored only in your device's secure storage and are never
transmitted to our servers.
Children
HealthPilot is not directed to children under 16 and we do not knowingly
collect data from them.
Your rights
You may request access to, correction of, or deletion of your personal
data by contacting us. We will respond within a reasonable period.
Changes to this policy
We may update this policy from time to time. Material changes will be
reflected here with an updated "Last updated" date.