trackd co

Privacy Policy

Version 0.1 · Beta draft

This Privacy Policy explains how Trackd Co Pty Ltd ("Trackd", "we", "us", "our") collects, uses, stores, and shares your personal information when you use the Trackd Co application and the website at trackdco.app (the "Service"). It forms part of, and should be read with, our Terms of Service and Medical Disclaimer.

1. The sensitivity of your data — read this first

By its nature, Trackd handles health-related information: the substances you track, your doses, the bloodwork you upload, your body metrics, and your journal notes. In many places this counts as "sensitive" or "special-category" personal information that gets extra legal protection. We treat all of your protocol, bloodwork, body-metric, and journal data as sensitive. By entering this information into Trackd, you explicitly consent to us processing it as described here in order to provide the Service to you.

⚠ NOTE — Explicit consent is the cleanest lawful basis for handling health data (GDPR Art. 9, Australian Privacy Principles for sensitive info). Note that US HIPAA most likely does NOT apply to you — you are not a healthcare provider or covered entity — but Claude should confirm this for your markets and confirm that the consent mechanism (the signup tick-box) is captured properly.

2. Information we collect

Information you give us

• Account information — your email address and password, handled through Supabase Auth. We do not store your password in readable form.

• Age confirmation — your confirmation that you are 18 or older.

• Profile and settings — preferences and configuration you set in the app.

• Protocol data — cycles, the compounds you add, inventory items, doses you log, injection sites, and schedules.

• Journal and subjective markers — daily journal entries and the markers you record, including side-effect markers.

• Body metrics — measurements you choose to record.

• Bloodwork — the lab files you upload and any biomarker values associated with them.

Information collected automatically

• Authentication and session data — strictly-necessary cookies / local storage used to keep you signed in.

• Basic technical logs — limited server and security logs from our hosting provider. During beta we do not run third-party analytics or advertising trackers.

⚠ NOTE — When you add analytics (PostHog is planned) or error monitoring (Sentry) after beta, you must list them here, update the cookies section below, and obtain consent where required (especially EU/UK). Don't switch them on silently.

3. How we use your information

We use your information to:

• provide and operate the Service, including computing your inventory figures and where your biomarkers sit relative to reference ranges (these are derived live and shown only to you);

• authenticate you and keep your account secure;

• respond to your support requests; and

• meet our legal obligations.

We do not use your health data for advertising, and we do not sell your personal information.

4. Legal bases for processing (where applicable)

Where laws such as the UK or EU GDPR apply, we rely on: performance of our contract with you (to run the Service); your explicit consent (for sensitive health data, and for any optional analytics); our legitimate interests (keeping the Service secure and working); and compliance with legal obligations. You can withdraw consent at any time, as described in Section 9.

5. How and where your data is stored

Your data is held with our infrastructure providers. Our database, authentication, and file storage are provided by Supabase; our application hosting and content delivery are provided by Vercel. Bloodwork files are kept in a private, access-controlled storage bucket, and database access is enforced row-by-row so that one user cannot read another user's data.

Your data may be stored and processed in REGION(S) — e.g. your Supabase project region and Vercel's edge network — CONFIRM AND NAME.

⚠ NOTE — Find your actual Supabase project region and Vercel region and name them here — this drives the international-transfers section below. If your users and your servers are in different countries, you're making a cross-border transfer and need to say so. Keep this here for now, Claude, because I will need to do it.

Our sub-processors

• Supabase — database, authentication, and file storage.

• Vercel — application hosting and content delivery.

• To add when live: Stripe (payments), Resend / ConvertKit (email), PostHog (analytics), Sentry (error monitoring).

⚠ NOTE — Keep this list current. Every new vendor that can touch personal data belongs here, and adding one is exactly the kind of change to notify users about. Keep this here too.

6. Sharing and disclosure

We do not sell or rent your personal information. We share it only: with the sub-processors listed above, so they can help us run the Service; where we are required to by law or valid legal process; or as part of a business transfer (such as a merger or sale), in which case we will take reasonable steps to notify you.

7. Data retention and deletion

We keep your data while your account is active. Within the app, cycles are archived rather than permanently deleted, so your history is preserved and longitudinal tracking keeps working. You can request full deletion of your account, which erases your personal data — including your uploaded bloodwork files — except anything we are legally required to retain for a limited period.

⚠ NOTE — A user will request deletion through an in-app button. The deletion will take place within 30 days. The backup retention window has not been confirmed yet, so note down that we need to confirm it. Then I want you, Claude, to state the first two in this data retention and deletion section.

8. Security

We take reasonable measures to protect your information, including:

• encryption of data in transit (HTTPS);

• row-level access control so each user can only reach their own data;

• a private, access-controlled bucket for bloodwork files; and

• least-privilege handling of our service keys.

No method of storage or transmission is perfectly secure. Please help protect your account by keeping your password confidential.

9. Your rights

Depending on where you live, you may have rights to access, correct, export, or delete your personal information, to restrict or object to certain processing, and to withdraw consent. You may also have the right to complain to a data-protection regulator. To exercise any of these, contact us using the details in Section 14, and we will respond as the law requires.

As you can see, the note below says to tailor the exact list of rights to your markets. I think it's better to add a clause saying that you consent to us following whatever the law is in that region. If that's something you can legally do, then put that in.

⚠ NOTE — Tailor the exact list of rights to your markets (GDPR vs. California's CCPA/CPRA vs. the Australian Privacy Principles) and name the relevant regulator — for example the OAIC in Australia. Your lawyer will localise this.

10. International data transfers

If your information is stored or processed in a country other than the one you live in, we will take steps required by applicable law to protect it during that transfer.

⚠ NOTE — Fill this in once Section 5's regions are confirmed. If, say, your users are in Australia but data sits in a US/EU region, name that and the safeguard Claude recommends (e.g. standard contractual clauses).

11. Children

Trackd is for adults only. The Service is not directed to anyone under 18, and we do not knowingly collect personal information from minors. If we learn we have, we will delete it.

12. Cookies and local storage

We use only strictly-necessary cookies and local storage — for example, to keep you signed in and to operate the app. During beta we do not use advertising cookies or third-party tracking. If that changes, we will update this section and seek consent where required.

13. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes we will take reasonable steps to notify you, and we will update the effective date at the top of this document.

14. Contact

For privacy questions or to exercise your rights, contact us at legal@trackdco.app.
