1. Introduction
OstomyRN, LLC ("OstomyRN," "we," "us," or "our") operates the OstomyRN mobile application (the "App"). This Privacy Policy explains how we collect, use, and protect information when you use our App.
OstomyRN was built with a privacy-first architecture. We intentionally separate authentication, purchases, educational progress, provider links, and chat activity so the App can operate without storing Protected Health Information (PHI) in our application database.
2. Information We Collect
We collect only the minimum information necessary to operate the App:
2.1 Product Interaction Data
We collect limited usage data such as which screens you visit, features you interact with, and general app performance metrics. Where account-based features require it, this data may be associated with an internal account identifier so we can operate the App, prevent abuse, and provide support.
2.2 Purchase History
When you make an in-app purchase (such as a message pack), we store the transaction record needed to credit your account, prevent duplicate crediting, support refunds, and reconcile App Store purchases. All payment processing is handled by Apple through StoreKit; we never see or store your payment method details.
2.3 Device-Stored Authentication Tokens
When you sign in, an authentication token is stored securely on your device using the platform's secure storage (Keychain on iOS). This token remains on your device and is used to verify your session. It is never transmitted to OstomyRN servers for storage.
3. Information We Do NOT Collect
We want to be explicit about what we do not collect or store on our servers:
- Email address — Your email is handled by Auth0 (our authentication provider). New OstomyRN application database records do not store your email address.
- Mailing address or phone number — We do not ask for or store your mailing address or phone number for normal app use.
- Protected Health Information (PHI) — The App is designed to avoid collecting or storing PHI in our application database.
- Background location data — The App does not collect background location data. If you grant location permission, your location is used to find nearby WOC nurses.
- Contacts, photos, or other device data — We do not access your device's contacts, camera roll, or other personal data.
4. Third-Party Services
The App relies on the following third-party services, each with their own privacy practices:
4.1 Auth0 (Authentication)
We use Auth0 to handle user authentication via email/password, Google sign-in, and Sign in with Apple. Auth0 stores your login credentials and provider identity information on their infrastructure. New OstomyRN application database records do not store your email address. Auth0's privacy practices are governed by their own privacy policy, available at auth0.com/privacy.
4.2 Apple (In-App Purchases)
In-app purchases are processed entirely through Apple's StoreKit framework. Your payment information is managed by Apple and is never shared with OstomyRN. Apple's privacy practices are governed by their privacy policy at apple.com/privacy.
4.3 OpenAI (AI Chat Assistant)
The App includes an AI chat assistant called Roxy, powered by OpenAI's language models. When you send a message to Roxy, your message is transmitted to OpenAI for processing. See Section 5 below for details on how chat data is handled.
4.4 Convex (Backend Infrastructure)
Our backend infrastructure is hosted on Convex, a serverless platform. Convex processes and stores the limited account, purchase, usage, and content data described in this Policy. We avoid storing email addresses, payment method details, and PHI in Convex.
5. AI Chat Data
Conversations with Roxy, our AI chat assistant, are handled with the following privacy safeguards:
- Chat content is handled separately from your Auth0 login credentials and is not used for advertising.
- Your recent chat list (the device-local list of conversation IDs used to show past chats) is stored on your device using local storage mechanisms. It is not linked to your identity, and uninstalling the app will erase that local list from your device.
- Messages are transmitted securely via HTTPS/TLS to OpenAI for processing.
- Roxy is designed to provide educational information about ostomy care. She does not provide medical diagnoses and encourages users to consult healthcare professionals.
- We recommend that you do not share personally identifying information (such as your full name, address, or Social Security number) in chat messages.
OpenAI's data usage practices for API customers are governed by their API data usage policy, available at openai.com/policies/api-data-usage-policies.
6. Nurse Finder and Provider Deep-Linking
The App helps you find qualified Wound, Ostomy, and Continence (WOC) nurses. When you choose to connect with a nurse or healthcare provider:
- You are deep-linked to the provider's external system (such as their scheduling platform or telehealth service).
- No health information passes through OstomyRN during this process.
- Any information you share with a provider is governed by that provider's own privacy policy and practices.
- This separation is intentional: booking details and any information you share with a provider are handled by that provider, not by OstomyRN.
7. Data Security
We take the security of your data seriously and employ the following measures:
- Encryption in transit — All connections between the App and our services (Auth0, Convex, and OpenAI) use HTTPS with TLS encryption.
- Secure token storage — Authentication tokens are stored on your device using the platform's secure storage mechanisms (iOS Keychain via expo-secure-store), which provide hardware-backed encryption.
- Minimal data retention — Because we collect so little data, our attack surface is inherently small. We cannot lose what we do not have.
- No intentional PHI collection — The App is designed to avoid collecting or storing Protected Health Information in our application database.
8. Data Retention and Deletion
OstomyRN stores the limited account and usage records needed to operate the App. You can delete your account directly in the App at any time by going to Profile > Delete Account.
- Delete your account in-app — When you confirm account deletion, we immediately schedule your account for deletion, sign you out, and start a 30-day deletion window.
- Reactivate during the 30-day window — If you sign back in before the scheduled deletion date, you can cancel the deletion request and restore access to your account.
- Permanent deletion after 30 days — After the 30-day window expires, we permanently delete your account and associated personal data from our systems and delete your authentication credentials from Auth0.
- Accounting records retained in anonymized form — We retain limited in-app purchase transaction records without a live account link where required for tax, accounting, fraud prevention, and App Store reconciliation.
- Clear local data — Uninstalling the App will remove all locally stored data, including authentication tokens and the device-local recent chat list, from your device.
9. Children's Privacy
OstomyRN is not directed at children under the age of 13. We do not knowingly collect information from children under 13. If you believe a child under 13 has used the App, please contact us at info@ostomyrn.com and we will take appropriate steps to remove any associated data.
10. Your Rights
Depending on your jurisdiction, you may have rights regarding your personal data, including the right to access, correct, delete, or port your data. You can exercise the right to delete directly in the App through Profile > Delete Account. For other data-related requests, please contact us at info@ostomyrn.com.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the "Effective" date at the top of this page. If we make material changes to how we handle your data, we will notify you through the App or by other appropriate means before the changes take effect.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
12. Contact Us
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us:
OstomyRN, LLC
Email: info@ostomyrn.com