MyHealthNudge

Privacy

What we collect — and what we don't.

MyHealthNudge holds the schedule of your nudges, who you chose to share them with, and a small set of accounts-and-devices details so the app can actually work. We don't hold medical records, prescription specifics, insurance data, or anything we don't need. This page explains all of it in plain language. Last updated June 8, 2026.

What we collect, and why

We hold what we need to run the product, and nothing more.

Account. Your email and the full name you typed at signup. Email is your sign-in path (no passwords — we send you a 6-digit code each time) and is the address we use for the welcome email, the 24-hour follow-up if you don't enable push, the Sunday-evening weekly recap, and any account-related notice. The weekly recap contains aggregate counts only — no nudge names, no times, no partner names — and you can opt out anytime by typing "weekly recap off" in the chat or by clicking the unsubscribe link in any recap email.

Your nudges. The names you give them, the schedules you set, and your timezone. Nothing about what's in the nudge — if you call it "Morning pill," we don't know what the pill is, what it treats, or what dose.

Activity history. When each nudge fired, when you tapped Done / Snooze / Skip, and how often you snoozed it. We use this to compute streaks, the two-week Recap, and your daily Today view — and (in aggregate, with personal info stripped) to understand how the product is working.

Push notification details. If you turn on notifications, your browser hands us a push endpoint and two encryption keys. We store those per device so we can send you the actual notifications. We also store the device's user-agent string so we can show an iOS-vs-Android device split in the admin dashboard.

Care Circle. If you invite someone or accept an invitation, we store the relationship (who invited whom, when, status). Once accepted, your daily nudge status becomes visible to that person — and theirs to you, if they've invited you back. You can leave a Care Circle at any time by typing "leave [their name]'s care circle."

Voluntary feedback. If you fill out the contact form on the help page or respond to a survey inside the chat, we keep what you wrote. We use it to fix bugs and decide what to build next.

Periodic check-ins. At signup we ask three short questions — what usually gets in the way of your routines, how consistent you've been in the last 7 days, and how well things are working for you. About every 30 days after that we ask the same three again so we can see, in aggregate across everyone using the app, whether the product is actually helping people stick to their routines over time. We have no access to clinical records or insurance data — these check-ins are how we measure that we're doing what we say we're doing. Every check-in is optional. You can type "later" and we'll ask next time; type "later" a few times and we'll skip the cycle and try next month.

Aggregate analytics. Our analytics provider records pageviews and the URL someone arrived from. It uses no cookies and never assigns you a tracking identifier. It tells us "27 people read the caregivers page yesterday," not "Mark read it at 9:14am."

What we deliberately don't collect

Things people sometimes assume a health app collects, that we don't:

  • Medical records, diagnoses, lab results, or any clinical data.
  • Prescription specifics — drug names, dosages, prescribing doctor. If you name a nudge "Metformin 500mg," that's just a label to us; we don't link it to any drug database.
  • Health insurance information.
  • Payment information. MyHealthNudge is free; there's no checkout.
  • Your precise location. We use your timezone (so morning reminders fire in your morning, not someone else's), but not your address or GPS.
  • Your contacts, photos, files, or anything else from your phone outside the app.
  • Browsing history outside MyHealthNudge.
  • Health platform data — we don't integrate with Apple Health, Google Fit, or any EHR.

Who else touches your data (and why)

MyHealthNudge runs on infrastructure from a handful of vendors. Each one sees a specific slice of what we hold, and only what they need to do their job. We don't sell any of your data to any of them; they're paid (or free-tier) service providers, not data buyers.

  • Our database and auth provider — runs the database, the sign-in flow, and the scheduled jobs that fire your nudges. Everything in What we collect above lives here. Hosted in a region we chose at project creation.
  • Our email provider — sends every email: sign-in codes, the welcome email, the 24-hour push-enable follow-up, and the Sunday-evening weekly recap. It sees the recipient and the message content, nothing else.
  • Our website host and analytics provider — serves the website and the chat app, and runs the cookieless pageview analytics. The host sees the URL you requested and rough country-level geography (used for analytics aggregation), not your account.
  • A large-language-model API — when you type a schedule in plain English ("every weekday at 8am"), the bot sends just that schedule text to a hosted language model so it can be turned into a structured rule. Your name, email, and the nudge contents aren't sent. The provider's no-training policy applies to API traffic.
  • Mobile-platform push services — your phone's browser routes push notifications through whichever push service your device uses (operated by your device's platform vendor). The notification body is encrypted client-side before it gets to them; they can't read the nudge name.
  • Public content APIs — some of the reward content in the app is fetched on demand from public content providers (the rest is content I curate and host myself). When a fetch does happen, it doesn't include your name, email, or anything that identifies you.

If you'd like the current legal names of these vendors, send me a note and I'll share. The categories above are the exhaustive set as of the date at the top of this page; if a new category is added, we'll update this page and email people who've signed up.

Care Circle and shared nudges

Care Circle is double-opt-in. Nothing is shared until both people accept.

Once you've accepted a Care Circle invite, the inviter can see:

  • The list of nudge names you have today.
  • Today's status for each one (done, snoozed, skipped, upcoming).
  • A two-week summary of how often you completed each nudge.

They cannot see: your full nudge history beyond fourteen days, your other Care Circle relationships, any communication you have with us, the contents of any survey responses, or your account email.

Shared nudges are a separate opt-in within Care Circle. When you share a specific nudge ("share cat insulin with Bob"), both of you can mark it done; whoever's first acknowledges it for both. The shared nudge's schedule and status become visible to all owners; nothing else changes about what's visible.

Leaving. You can leave a Care Circle ("leave [name]'s care circle") or unshare a specific nudge ("leave [nudge name]") at any time. The other person sees the change immediately and stops being able to see your status.

Push notifications

When you tap Yes, enable on the notifications prompt, your browser generates a push endpoint URL plus two encryption keys, and we store those next to your account. We need them to send the push.

The notification body itself includes the nudge name ("🌟 Morning medications") plus a deep link to the nudge in the app. It's encrypted using the keys above before being sent — Apple, Google, or Mozilla can route it but can't read it.

To turn it off: type "turn off notifications" in the chat. We immediately delete the push subscription row, and you'll stop receiving anything.

Cookies, localStorage, and tracking

We don't use cookies for advertising, tracking, or marketing analytics. We don't run third-party trackers.

A few small things are stored locally on your device so the app feels responsive:

  • Your chat history (3-day retention, so reopening the app picks up where you left off).
  • The timestamp of your last interaction (so we don't greet you every time you reload).
  • A cached signed URL for any reward image you just saw (so it survives the URL's 5-minute expiry).
  • An auth session cookie from our database/auth provider, so you stay signed in.

All of this stays on your device. None of it is sent to us in aggregate or used to identify you across sites.

Our pageview analytics is cookieless. It can't follow you between sessions or across other sites.

How long we keep your data

While your account is active, we keep your data so the app keeps working. Streaks need history. The Recap needs the last two weeks.

When you deactivate (type "deactivate account" in the chat, or ask via the contact form on the help page), we do the following immediately:

  • Stamp your account as deactivated. You can no longer sign in.
  • Delete every push subscription so notifications stop.
  • Tombstone your email address (rewrite it to a sentinel that can't receive messages) so the address itself becomes available for a new account.

Your nudge history rows stay in the database in pseudonymized form so I can keep track of how the product is doing over time (e.g., total nudges scheduled per week), but they're no longer tied to a usable identity.

To request full deletion — every row of yours, including the pseudonymized history — send a note through the contact form on the help page while signed in (so I can confirm the account is yours). I'll do it within 30 days and confirm by reply to your account email.

Your rights — and how to use them

Whether you're in the EU (GDPR), California (CCPA / CPRA), or anywhere else, you have rights over your data. Here are the practical things you can do right now without needing to file paperwork:

  • See your data. Type "show nudges" in the chat for the live list. For a complete export including activity history, ask via the contact form.
  • Correct your data. Edit any nudge name or schedule in the chat ("edit nudge"). Use the contact form for account-level changes you can't do yourself.
  • Delete your data. "Deactivate account" in the chat covers most cases; use the contact form for full deletion.
  • Take it elsewhere. Ask via the contact form and I'll send your export as a JSON file.
  • Object to a specific use. Send a note through the contact form and tell me what you don't want. Outside of sign-in codes, the outbound emails we send are the welcome email, the 24-hour drip campaign for users who haven't enabled push, and the Sunday-evening weekly recap. All three stop on request — the weekly recap also has a one-click unsubscribe link in every email and a "weekly recap off" chat command.
  • Withdraw consent. Deactivating your account is the complete withdrawal.

If you live in California, you also have the right to know whether we sell or share your personal information. We don't sell it and we don't share it with anyone outside the vendors listed under Who else touches your data, all of whom are paid service providers under contracts that forbid them from using your data for their own purposes.

If you're not happy with how I handle a request, EU users can complain to their national data protection authority. US users can complain to the FTC. We'd rather you tell me first via the contact form so I can fix it.

Children

MyHealthNudge is built for adults (18+). We don't knowingly collect personal information from anyone under 13 in the United States, or under 16 in the European Economic Area. If you believe a child has signed up, let me know via the contact form and I'll remove the account.

When we change this page

I'll update this page whenever something material changes — a new processor is added, a new piece of data starts being collected, a vendor's region moves. The date at the top reflects the last meaningful change.

For substantial changes, I'll email everyone who's signed up at least seven days before the change takes effect, with a plain-English summary of what's different and why.

For minor edits — fixing a typo, rewording for clarity — I'll just push the change. The git history of this page is the audit trail.

Contacting me

MyHealthNudge is built and operated by me — Mark — as an indie project. Privacy questions, data requests, complaints about how something works, suggestions for what to change here: they all reach me through the same place.

Contact form on the help page →

Drop a note there and it lands in my inbox. If you're signed in when you send it, your account email comes with the message so I can reply to the right person.

I try to respond within a few days. For data requests with a regulatory deadline (GDPR is 30 days), I treat the clock as starting when your message arrives.

That's the whole policy. If something here was unclear, that's on me — please write and tell me where I lost you, and I'll rewrite it.

— Mark