BodySitRep

Privacy Policy

Effective date: March 30, 2026

Updated March 2026. Added subprocessor list, HIPAA disclaimer, data retention details, security disclaimer, export and offline disclaimers, encryption limitations, and COPPA compliance section.

BodySitRep ("we", "our", or "us") operates the BodySitRep health tracking application available at bodysitrep.com. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.

By using BodySitRep, you agree to the practices described in this Privacy Policy and our Terms of Service.

1. VA Disclaimer

BodySitRep is not affiliated with the U.S. Department of Veterans Affairs or any government agency. BodySitRep does not provide documentation for legal, disability, or benefits claims of any kind.

2. Non-Medical Disclaimer

BodySitRep is for informational and personal record-keeping purposes only. It is not intended to diagnose, treat, cure, or prevent any disease or health condition.

3. HIPAA Disclaimer

BodySitRep is not a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA). The Service is not designed, intended, or authorized for use as a system of record for Protected Health Information (PHI) under HIPAA.

If you are a healthcare provider, health plan, or healthcare clearinghouse, do not use BodySitRep to store, process, or transmit PHI on behalf of patients. BodySitRep is a personal health tracking tool for individual consumers only.

4. Information We Collect

Account information. When you create an account, we collect your email address and any profile information you choose to provide, including name, date of birth, sex, and location.

Health data. We collect the health log entries, symptom records, medication logs, sleep sessions, and other tracker data you create within the app.

Usage data. We collect information about how you interact with the Service, including pages visited, features used, and device information. This data is used solely to improve the Service.

Payment information. If you subscribe to a paid plan, payment details are collected and processed by Stripe. We do not store your credit card number, bank account number, or other payment credentials on our servers. See our Pricing page for plan details.

5. How We Use Your Information

Your information is used solely to provide the BodySitRep service to you. Specifically:

  • To operate and maintain your account.
  • To store and display your health logs and tracker data.
  • To process payments and manage subscriptions.
  • To send service-related communications (account verification, billing notices).
  • To improve the Service based on aggregated, anonymized usage patterns.

We do not sell, rent, or share your personal information with third parties for their marketing purposes. We do not use your health data to train AI or machine learning models.

6. Subprocessors

We use the following third-party services to operate BodySitRep. Each processes data only as necessary to provide its service to us:

Provider          Purpose                                       Data Processed
Supabase          Database and authentication                   Account data, health logs, encrypted fields
Vercel            Application hosting                           Request logs, anonymous performance metrics
Stripe            Payment processing                            Email, payment method, billing address, transaction history
Google Analytics  Marketing website analytics (consent-based)   Page views, device type, general location (country/region)

We do not share your health log data with any subprocessor beyond what is required for database storage and hosting.

7. Data Storage

Your data is stored securely on Supabase servers located in the United States. All data is encrypted in transit (TLS) and at rest.

8. Field-Level Encryption

Free-text health log fields, including daily notes and medication notes, are encrypted with AES-256-GCM before being saved. Each account has a unique encryption key that is derived server-side from your user ID and a secret salt that never leaves our servers. Your key is never stored in plaintext. This means that even if database storage were compromised, your health notes would remain unreadable without your account credentials.

Encrypted data is automatically decrypted when you export your records. If you lose access to your account, encrypted fields cannot be recovered. This is a deliberate security property.

9. Encryption Limitations

Field-level encryption protects your data at rest. However, encryption does not protect data if your account credentials are compromised. If someone gains access to your account, they can view your decrypted data through normal app usage. You are responsible for keeping your login credentials secure.

Encryption does not apply to structured fields such as dates, severity scales, or checkbox selections. Only free-text fields (daily notes, medication notes, treatment notes) are encrypted. For full details, see our Security page.

10. Security Disclaimer

We take reasonable measures to protect your data, including encryption in transit and at rest, field-level encryption for sensitive text, and access controls on our infrastructure. For more details, see our Security page.

However, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security. You are responsible for protecting your account credentials and for the security of any device you use to access the Service.

If you discover a security vulnerability, please report it to support@bodysitrep.com.

11. Cookies and Analytics

BodySitRep uses Google Analytics on our public marketing website to understand how visitors navigate our pages. This helps us improve the experience.

What we track:

  • Page views and navigation patterns on public marketing pages only.
  • General location (country/region level).
  • Browser type and device category.

What we do NOT track:

  • Your health logs or symptom data.
  • Your personal profile information.
  • Any activity inside the logged-in app.

Your choices: When you visit bodysitrep.com for the first time, you will see a consent banner. You can Accept All analytics cookies or Reject Non-Essential cookies.

If you reject: No analytics scripts are loaded. No data is collected from your visit. This choice is stored in your browser's local storage.

If you accept: Google Analytics loads with IP anonymization enabled. Standard Google Analytics data collection applies per Google's privacy policy.

You can change your preference at any time by clearing your browser's local storage for bodysitrep.com, or by clicking "Do Not Sell or Share My Information" in the site footer.

We also use Vercel Analytics for anonymous server-side performance metrics. No personal or health data is included.

12. Data Retention

Active accounts. We retain your data for as long as your account is active. Your health logs, settings, and profile data persist until you delete them or delete your account.

Account deletion. When you delete your account (through Settings or by contacting us), all associated data is permanently deleted from our production database immediately. This includes all health logs, profile information, settings, encryption keys, achievements, and subscription data. See our Account Deletion page for full details.

Backups. Supabase maintains automated database backups for disaster recovery. Deleted data may persist in encrypted backups for up to 30 days before being permanently removed through normal backup rotation.

Billing records. Stripe may retain billing transaction records independently in accordance with their data retention policies and applicable financial regulations. BodySitRep does not retain health or personal data after account deletion.

Anonymized data. We may retain aggregated, anonymized usage statistics (such as total user counts or feature usage rates) that cannot be linked back to any individual.

13. Export Disclaimer

BodySitRep allows you to export your data in various formats (CSV, PDF, JSON). Once data is exported and downloaded to your device, it leaves our control. You are solely responsible for the security, storage, and handling of exported files. Exported files are not encrypted by default and may contain sensitive health information.

14. Offline Data Disclaimer

Some features of BodySitRep use your browser's local storage (localStorage) to store data locally on your device. This data may be lost if you clear your browser data, switch browsers, or use a different device. Local storage data is not encrypted by BodySitRep and is accessible to other scripts running on the same origin.

Data stored in local storage prior to syncing with our servers may not be recoverable if lost. We recommend logging in and allowing data to sync before clearing browser data.

15. California Residents (CCPA)

Under the California Consumer Privacy Act, you have the right to opt out of the sale or sharing of your personal information.

BodySitRep does not sell your personal information. We use Google Analytics for website analytics, which may be considered "sharing" under CCPA.

To opt out: Click "Reject Non-Essential" on our cookie banner, click "Do Not Sell or Share My Information" in the footer, or clear your browser local storage for bodysitrep.com.

To request deletion of your account data: Use the account deletion feature in Settings or contact us.

16. EU, EEA, and UK Residents (GDPR / UK GDPR)

Under GDPR and UK GDPR, we process analytics data only with your consent. We will ask for your consent before loading any analytics tools.

You can withdraw consent at any time by clearing your browser local storage for bodysitrep.com or clicking "Do Not Sell or Share My Information" in the footer. Withdrawal of consent does not affect the lawfulness of processing before withdrawal.

Legal basis for processing:

  • Contract performance (Article 6(1)(b) GDPR) for providing the Service to you.
  • Consent (Article 6(1)(a) GDPR) for analytics.
  • Legitimate interests (Article 6(1)(f) GDPR) for security and fraud prevention.

Your rights under GDPR: You have the right to access, rectify, erase, restrict processing of, and port your personal data. You also have the right to object to processing and to lodge a complaint with a supervisory authority. To exercise these rights, contact us.

17. Your Rights

Regardless of your location, you have the following rights:

  • Access. You can view all your data within the app at any time.
  • Export. You can export all your data using the Export feature.
  • Deletion. You can delete your account and all associated data at any time through Settings or by contacting us.
  • Correction. You can edit or delete individual log entries at any time.
  • Opt out of analytics. You can reject analytics cookies at any time.

18. Children's Privacy (COPPA)

BodySitRep is not intended for users under 13 years of age. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will delete that data immediately.

If you are a parent or guardian and believe your child has created a BodySitRep account, please contact us or email support@bodysitrep.com and we will delete the account and all associated data promptly.

19. No AI Training

We do not use your health data to train AI or machine learning models. Your data is used only to provide the Service to you.

20. Pet Tracking Disclaimer

Pet tracking features are for personal record-keeping only. BodySitRep is not a veterinary service and does not provide veterinary advice.

21. Changes to This Policy

We may update this Privacy Policy periodically. We will post the updated policy on this page and update the effective date. For material changes, we will make reasonable efforts to notify you through the app or by email. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

22. Contact

For privacy questions or to exercise your data rights, use our contact form or email support@bodysitrep.com.
