Privacy Policy
Pippa exists to support eating-disorder recovery. That only works if you can trust us with some of the most sensitive information there is. This policy explains exactly what we collect, why, who can see it, how long we keep it, and the controls you have. The short version: your health data is used only to run the service, is shared only with clinicians you approve, is never sold, and is never used for advertising.
1. What We Collect
| Data | What it includes | Why |
|---|---|---|
| Account | Email address, sign-in method, date of birth (from the age screen) | Creating and securing your account; age-appropriate consent flow |
| Profile | Weight, height, birthday, gender; weekly weight check-ins | Personalizing your daily eating rhythm and the chart your care team sees |
| Meal logs | Meal photos and the food name / calorie estimate generated from them | The core of the service: logging meals and tracking consistency |
| Mood & check-ins | Mood entries, daily check-in answers, chat messages with Pippa | Mood support features and, with your consent, care-team visibility |
| Consent records | Terms acceptance (who signed, when, version), data-sharing agreements with clinicians | Legal records of the permissions you've granted |
| Device & usage | Device identifier, push token, app-open times, app settings | Sync, notifications, and timing reminders when they actually help |
Meal photos are re-encoded on your device before upload, which removes location (EXIF/GPS) metadata. We perform no facial recognition or biometric processing on any image, ever. We do not collect your precise location.
2. What We Never Do
- We never sell your data, health data or otherwise.
- We never show you ads or share your data with advertisers or data brokers.
- We put no third-party advertising or analytics trackers in the path of your health data.
- We never use children's or teens' data to train AI models, and never use anyone's data for AI training without a separate, optional opt-in.
- We never make your weight or trends visible to anyone except you and the care team you approved.
3. Who Can See Your Data
- You.
- Clinicians you approve. A clinician sees your detailed data only after a data-sharing agreement is signed, and you can sever it anytime in Settings; access stops immediately. When you're enrolled through a treatment provider, Pippa acts as a service provider (HIPAA business associate) to that provider.
- Service providers that run our infrastructure: cloud hosting and storage (Amazon Web Services, Cloudflare) and the AI service that analyzes meal photos to estimate calories. They process data only on our instructions to operate the service.
- Safety escalation. If the app detects signs of a crisis (for example in chat), it may alert the clinician you've consented to share with.
- Legal requirements. We disclose data if validly required by law, and we limit any such disclosure to what is required.
4. How Long We Keep It (Retention Policy)
- While your account is active: we keep your data so the service works.
- When you delete your account: your care team is notified immediately and loses access; the account can no longer sign in; all your data (photos, logs, moods, chats, profile) is permanently erased from our systems within 30 days. Backup copies age out on our standard rotation schedule.
- What we must keep: a minimal record of consent grants/revocations, the deletion request itself, and clinician-access audit logs, retained approximately six years as required by law, keyed to an internal identifier rather than your name or email.
- Children's data is kept only as long as reasonably necessary for the specific purpose it was collected for, never indefinitely.
5. Children and Teens
- Under 13: Pippa does not accept accounts from children under 13, except through a participating treatment provider under a verifiable-parental-consent program (if and when offered). If we learn we have collected personal information from a child under 13 without verifiable parental consent, we delete it.
- 13–17: a parent or legal guardian must agree to the Terms as the contracting party, and the teen confirms an age-appropriate assent. Guardian consent is recorded. Minor accounts default to the highest-privacy settings: no targeted advertising, no geolocation, no data sale, ever.
- Parent/guardian rights: the consenting guardian may review the categories of information collected, revoke consent, and direct deletion of the minor's information at any time via asraygopa@gmail.com or the in-app deletion flow.
6. Security
Data is encrypted in transit, stored in access-controlled cloud infrastructure, and every clinician read of patient data is written to an append-only audit log. Access to production systems is limited and logged. No system is perfectly secure; if a breach affecting your data occurs, we will notify you and regulators as the law requires.
7. Your Rights and Controls
- Access & export: ask us for a copy of your data anytime.
- Sever clinician access: in Settings, immediately.
- Delete your account: in Settings, with the 30-day erasure timeline above.
- Notification control: manage notifications in iOS Settings.
- State privacy rights: depending on where you live (for example Washington's My Health My Data Act or the California Consumer Privacy Act), you may have additional rights to access, correct, or delete consumer health data, and to a response within statutory deadlines. Email us and we'll honor them.
8. Not for Emergencies
Pippa and your care team do not monitor the app 24/7. If you believe you are experiencing a medical emergency, call 911. If you are in suicidal crisis or emotional distress, call or text 988 (Suicide & Crisis Lifeline), available 24/7.
9. Changes to This Policy
If we make material changes, we'll notify you in the app and require re-acceptance before continued use. The version and effective date at the top of this page always reflect the current policy.
10. Contact
Questions, requests, or concerns: asraygopa@gmail.com.