Our Privacy Promise

Your health data is deeply personal. At TrackBack, we built privacy into our foundation, not as an afterthought. We believe your health information belongs to you—period.

🔒

Local-First Storage

All your health data lives on your device. No cloud storage, no accounts required.

🤖

AI Processing Only

Voice/text sent to OpenAI for parsing, then immediately discarded.

🚫

Never Sold

We will never sell, share, or train AI models on your symptoms.

What Information We Collect

Health Data (Stored Locally Only)

The following information is stored exclusively on your device using secure local storage (AsyncStorage):

  • Symptom logs: Descriptions, severity ratings, timestamps, location on body
  • Factor tracking: Foods, medications, stress levels, environmental factors you've logged
  • Investigations (Targets): Your custom health investigations and what you're tracking
  • Correlations: Pattern analysis and insights generated on your device
  • Daily journals: Free-form text notes and observations
  • Regime changes: Records of starting/stopping treatments or interventions

Important: This data never leaves your device except during AI processing (see below). It is not stored on our servers or in any cloud database.

Voice & Text Input (Processed Temporarily)

When you use voice logging or type descriptions:

  • Voice recordings: Audio is recorded on your device, sent to our server for transcription, then immediately discarded. We do not store voice recordings.
  • Text input: Your typed symptom descriptions and factor notes are sent to our server for AI parsing
  • Server processing: Our server acts as a secure pass-through to OpenAI's API (using models gpt-4o-mini and gpt-4o-mini-transcribe) to parse your descriptions into structured data
  • OpenAI processing: Your voice/text is processed by OpenAI to extract symptoms, factors, severity, and timing. See OpenAI's data policy below.

Your health descriptions are transmitted to OpenAI solely for parsing. The parsed structured data returns to your device. The original audio/text is not permanently stored anywhere.

Survey Data (Stored Locally)

If you participate in our willingness-to-pay survey, we collect:

  • Days active in the app
  • Total number of logs you've made
  • Number of investigations (Targets) you've created
  • Number of correlations you've discovered
  • Your pricing tier preference and price perception
  • A/B test variant assignment

This survey data is stored locally on your device and used to inform our pricing decisions. It is never transmitted to our servers.

Device Permissions

TrackBack requests the following device permissions:

  • Microphone: Required for the voice logging feature. Audio is recorded on-device and sent to our server only when you explicitly use voice input.

Account Information (If Applicable)

TrackBack does not require accounts or authentication. If you contact us for support, we may receive:

  • Email address (to respond to you)
  • Device information (if you're reporting a bug)
  • Any information you choose to share in your message

How We Use Your Information

Your Health Data

We don't use it—because we don't store it. All symptom tracking, pattern analysis, and correlation discovery happens entirely on your device. Your health data never leaves your device except for temporary AI processing.

AI Processing

When you use voice logging or type symptom descriptions:

  • Your voice/text is sent to our server, which forwards it to OpenAI's API
  • OpenAI processes it to extract structured data (symptoms, factors, severity, timing)
  • The structured data returns to your device
  • The original audio/text is immediately discarded—not stored on our servers or by OpenAI

Your Data is Never Used for AI Training: We connect to OpenAI through their API, which has a strict no-training policy. By default, OpenAI does not use API data to train or improve their models. Your health descriptions remain private and are only used for your immediate parsing request. See OpenAI's Enterprise Privacy policy for details.

How We Store Your Data

Local Storage

All health data is stored on your device using AsyncStorage, React Native's secure local storage system. This data is:

  • Isolated from other apps on your device
  • Protected by iOS security features (encryption at rest)
  • Accessible only by TrackBack
  • Not synchronized to any cloud service
  • Deleted when you uninstall the app

Server Processing (Temporary)

Our server acts as a secure pass-through for AI processing:

  • Voice recordings and text input are received in-memory only
  • Data is immediately forwarded to OpenAI's API
  • No logs, databases, or permanent storage of your health descriptions
  • Server exists solely to keep API keys secure (not exposed in the app)

Data We Store (Non-Health)

If you contact us for support, we store your email and correspondence using standard email providers (currently Gmail) with industry-standard security.

How We Share Your Data

OpenAI Processing

When you use voice logging or type symptom descriptions, that input is sent to OpenAI for AI-powered parsing. This is the only time your health descriptions leave your device.

  • What's shared: Your voice recordings (audio) or typed text describing symptoms and factors
  • Why: To extract structured data (symptoms, factors, severity, timing) from natural language
  • OpenAI's use: Processing only—your data is NOT used to train OpenAI's models
  • How we connect: Through OpenAI's API, which has a default no-training policy for all API data
  • Retention: OpenAI does not retain your data after processing (30-day maximum for abuse monitoring, then deleted)
  • Your choice: Don't want to use AI parsing? Type data directly into forms instead of using voice/natural language input

OpenAI's API policy guarantees that data sent via API is not used to train their models. This is automatic—no opt-out needed. See OpenAI's Enterprise Privacy policy and API Data Usage Policies for more details.

We Don't Sell or Share

Beyond OpenAI processing, we do not share your data:

  • We do not sell your data to advertisers, data brokers, or anyone else
  • We do not share your health data with third parties for marketing
  • We do not monetize your symptoms in any way
  • We do not use your data to train our own AI models

Exception: If You Choose to Share

TrackBack includes an export feature that lets YOU choose to:

  • Generate PDF reports to share with your doctor
  • Export your data in CSV format for your own analysis
  • Delete your data entirely from your device

This sharing is entirely under your control—we're just the tool that enables it.

Your Privacy Rights

Because your health data lives on your device, you have complete control:

Access & Export

Export your complete health data anytime in standard formats (CSV, PDF, JSON). No waiting, no approval needed—it's your data.

Deletion

Delete all your data from TrackBack anytime:

  • Through the app's settings (if we add a "Delete All Data" feature)
  • By uninstalling the app (removes all local data)
  • No server-side data to worry about—it's all on your device

Portability

Your data is yours to take anywhere. We use standard formats so you can import it into other apps or keep it for your records.

Opt-Out of AI Processing

Don't want your descriptions sent to OpenAI? You can:

  • Use manual form entry instead of voice/natural language input
  • Type structured data directly into fields
  • AI parsing is never required—it's a convenience feature

Third-Party Services

TrackBack uses the following third-party services:

OpenAI API

We use OpenAI's API to parse your voice recordings and text input into structured health data:

  • Models used: gpt-4o-mini (text parsing) and gpt-4o-mini-transcribe (voice transcription)
  • Data sent: Your spoken or typed descriptions of symptoms and factors
  • Data retention: Maximum 30 days for abuse and misuse monitoring, then permanently deleted
  • Training: Your data is NOT used to train or improve OpenAI's models (automatic for all API usage)
  • Security: Data is encrypted in transit (HTTPS)
  • Connection method: We connect through Replit's AI Integrations, which uses OpenAI's API with no-training guarantees

OpenAI's privacy policies:

Tally.so (Waitlist & Support Forms)

Our website's waitlist and support forms are hosted by Tally. When you submit a form, Tally collects the information you provide. This is separate from the TrackBack app. Tally's privacy policy: tally.so/help/privacy-policy

Children's Privacy

TrackBack does not impose age restrictions. The app does not collect personal identifiers beyond the health data you voluntarily enter, and all data remains on your device.

There are no social features, in-app purchases requiring parental consent, or targeted advertising. Parents have full control over their child's use of the app since all data is stored locally on the device.

App Tracking Transparency

TrackBack does not track you across other apps or websites. We do not:

  • Collect device identifiers for advertising purposes
  • Participate in any ad networks or data broker services
  • Share your data with third parties for cross-app tracking
  • Use tracking pixels, cookies, or similar technologies

TrackBack respects Apple's App Tracking Transparency framework. We do not request permission to track you because we simply don't track you.

International Users

TrackBack is operated from the United States. If you're using TrackBack from outside the US:

  • Health data storage: Stays on your device (not affected by location)
  • AI processing: Voice/text input may be transmitted to OpenAI's servers (which may be located in the US or other countries)

By using TrackBack, you consent to this arrangement. We're working on GDPR compliance for European users.

Security

We take security seriously:

  • Local-first architecture: Minimizes attack surface by not centralizing data
  • No user accounts: No passwords to steal, no account databases to breach
  • iOS security features: Your data benefits from iOS sandboxing and encryption at rest
  • Encrypted transmission: All data sent to our server and OpenAI uses HTTPS encryption
  • No server-side storage: We don't store your health data on servers that could be breached
  • Temporary processing only: Voice/text is processed in-memory and immediately discarded
  • API key security: OpenAI API keys are stored on our server, never exposed in the app

That said, no system is 100% secure. We recommend:

  • Using a strong device passcode
  • Enabling Face ID / Touch ID
  • Keeping iOS up to date
  • Being cautious about what you share when using voice/natural language features

Changes to This Policy

We may update this privacy policy as TrackBack evolves. When we do:

  • We'll update the "Last Updated" date at the top
  • We'll notify you in-app about significant changes
  • For major changes affecting your rights, we'll ask for renewed consent

You can always find the current policy at gettrackback.app/privacy

Contact Us

Questions about this privacy policy or how we handle data? Reach out:

I personally read and respond to every privacy inquiry.