Privacy Policy

Pain Journal · Effective April 23, 2026

Health data, please read. Pain Journal lets you record information about your pain, symptoms, sleep, medications and other health-related entries. This is "special category" data under Article 9 of the GDPR. We've designed the app so that this data stays on your device by default and is never sent to our servers. We never see your pain entries.

1. Data Controller

The data controller for the Pain Journal application is:

Vizaxis Mateusz Olszewski
ul. Dworcowa 22/32
10-437 Olsztyn, Poland
Email: contact@vizaxis.com

2. What Data We Process and Why

All your pain journal entries (body map selections, severity, pain types, symptoms, sleep, medications, notes, photos, and settings) are stored locally on your device only. We do not operate user accounts, cloud storage, or backend servers. We cannot access your locally stored journal data. Even when you contact support, we cannot read or recover entries from your device.

The app uses the following third-party services that process limited data on our behalf or as independent controllers. None of these services receive your pain journal entries:

Service	Data Processed	Purpose	Legal Basis (GDPR)	Retention
Firebase Analytics Google LLC	Pseudonymous app instance identifier, IP address (used for geolocation and then discarded by Google in the EU), device model, OS version, app usage events (screens viewed, anonymous feature interactions such as "report generated" or "flare mode toggled"), and user properties: subscription status, theme preference, haptics preference, locale. Some events include aggregate pain-entry metadata (overall severity rating and pain type label only). No body map zones, no medication names, no notes, no symptom text are sent.	Understanding how the app is used so we can improve it (e.g. which features are actually used, where users drop off in onboarding).	Consent: Art. 6(1)(a). You can change this any time in Settings → Privacy Settings. When declined, analytics collection is fully disabled.	26 months (Google default). Aggregated, non-identifiable reports may be retained longer.
Firebase Crashlytics Google LLC	Installation UUID (pseudonymous device identifier), device model, OS version, crash stack traces, custom diagnostic keys (subscription status, theme, app screen at crash). Stack traces are application code paths. They do not contain your journal content.	Identifying and fixing app crashes.	Consent: Art. 6(1)(a). You can change this any time in Settings → Privacy Settings. When declined, crash reporting is fully disabled.	90 days for crash data.
Firebase Remote Config Google LLC	Installation UUID, app version, device platform, locale. Used to deliver feature flags and configuration values to the app.	Rolling out features safely (e.g. enabling a new screen for a percentage of users) and fixing config-level bugs without a forced update.	Legitimate interest: Art. 6(1)(f) for safe rollout of app functionality. No personal content is processed.	Active config is fetched on demand; Google may retain request metadata per Firebase defaults.
RevenueCat RevenueCat Inc.	Anonymous app user identifier (generated by RevenueCat, not linked to your identity), purchase tokens from Google Play or Apple App Store, device platform, IP address (used for approximate geolocation).	Managing in-app subscriptions and verifying purchase status across devices.	Contract performance: Art. 6(1)(b). Processing is necessary to deliver and validate the features you purchased.	Purchase records retained for the lifetime of the app user ID. See RevenueCat Privacy Policy.
Google Sign-In + Google Drive (App Data folder) Google LLC, only if you enable cloud backup	If you choose to enable cloud backup: your Google account email address (to identify the destination account), an OAuth access token, and a backup file containing your journal database (a SQLite file) stored in Drive's App Data folder. The App Data folder is a hidden folder in your own Google Drive that only Pain Journal can read or write. Vizaxis cannot see it, and other apps cannot see it. The file is transferred over HTTPS and stored at-rest by Google Drive under their standard server-side encryption. Pain Journal does not currently apply a separate encryption layer to the file before upload; we plan to add this in a future update.	Letting you restore your data on a new device or after reinstall. Backups are stored in your Google Drive, not on our servers.	Consent: Art. 6(1)(a) for the OAuth grant, plus Art. 9(2)(a) explicit consent for processing health-related data via the backup. Backup is opt-in, off by default. You can disable it any time in Settings → Cloud Backup. You can delete backup files directly from your Drive at drive.google.com.	Backup files persist in your Drive until you delete them or revoke the app's access. Revoking access at myaccount.google.com/permissions stops future backups.

3. We Do Not Track You Across Apps

Pain Journal does not use Apple's IDFA advertising identifier, does not show the App Tracking Transparency (ATT) prompt, and does not link any data from this app with third-party data for advertising or measurement. Firebase Analytics, when you opt in, runs in a privacy-respecting mode using only the per-vendor Firebase Installation ID, never IDFA.

4. Data We Do Not Collect

Your name, phone number, postal address, or any directly identifying personal information (we never ask for it)
Your pain journal entries, body map selections, severity ratings, pain types, symptoms, medications, sleep data, notes or photos. These are stored on your device only and are never uploaded to our servers
Precise location data (GPS, Wi-Fi-based location)
Contacts, calendar, microphone or phone call data
Payment card details, billing address, or bank information. All payment processing is handled entirely by Google Play or the Apple App Store
Diagnostic identifiers across apps for advertising. We do not integrate any advertising SDKs or ad networks

We do not serve ads. We do not sell, rent, or trade any data. There is no business model that involves your data being seen by a third party for marketing.

5. Health Data: Special Category Under GDPR Art. 9

Pain entries, symptoms, medications, and sleep data you record in Pain Journal are health data under Article 4(15) of the GDPR and "special category" data under Article 9. Because of how we built the app:

By default this data never leaves your device. We do not process health data on our servers, ever. We don't have servers for it.
If you enable cloud backup, your journal database file is uploaded to your own Google Drive App Data folder over HTTPS. The file is stored at-rest under Google Drive's standard server-side encryption. Pain Journal does not currently add a separate encryption layer of its own (planned for a future update). We treat your decision to enable backup as your explicit consent under Art. 9(2)(a) to processing of health data for the sole purpose of backup and restore.
If you generate a doctor report (PDF) and share it using the system share sheet (e.g. via Mail, Messages, AirDrop, WhatsApp), the destination app or recipient receives the PDF outside our control. Sharing is initiated only by you, on demand.

6. Data Sharing

We do not sell, rent, or trade your data. The third-party services listed in Section 2 process data as follows:

Google (Firebase Analytics, Crashlytics, Remote Config, Sign-In, Drive App Data) acts as a data processor under Google's Data Processing Terms. The Drive App Data folder is private to your Google account; Google's role for the backup files is that of a storage provider for your data, not ours.
RevenueCat acts as a data processor for purchase management. See RevenueCat DPA.

We do not share data with any other third parties. Health data is never shared with anyone, by anyone other than you.

7. Consent and Opt-Out

On first launch, the app requests your consent for analytics and crash reporting. You can change your choices at any time in Settings → Privacy Settings. When you decline:

Firebase Analytics collection is fully disabled
Firebase Crashlytics collection is fully disabled
No usage or crash data is sent to Google
Core app functionality (logging pain, body map, reports, reminders) remains fully available

Cloud backup is a separate, opt-in choice in Settings → Cloud Backup. It is off by default. Disabling backup stops future uploads; existing backup files remain in your Google Drive until you delete them.

Note: opting out does not affect data already collected before you changed your preference. To request deletion of previously collected analytics data, contact us.

8. Data Retention and Deletion

On your device: All journal entries, body map data, settings, and report PDFs are stored locally. You can delete individual entries from the entry detail screen, or wipe everything from Settings → Your Pain Data → Delete All Data. Uninstalling the app permanently deletes all local data.

In your Google Drive (if backup enabled): Backup files persist until you delete them. You can:

Delete the most recent backup from inside the app (Settings → Cloud Backup → Delete backup)
Delete all backup files from your Drive at drive.google.com/drive/u/0/settings → Manage apps
Revoke Pain Journal's Drive access entirely at myaccount.google.com/permissions

Third-party services: Data processed by third-party services is subject to their retention policies as described in Section 2. We do not control third-party retention, but you can contact us to request that we initiate deletion where technically possible.

9. Data Security

Your local data is protected by your device's built-in security (device encryption, screen lock, sandboxed app storage). All network communications with third-party services use HTTPS encryption in transit. Backup files uploaded to Google Drive are stored in the App Data folder, which is private to your Google account and to Pain Journal, and Google encrypts files at rest on their servers.

Pain Journal does not currently apply an additional encryption layer to backup files before upload (the SQLite database file is uploaded as-is over HTTPS). We are working on adding an in-app encryption layer in a future update; this notice will be updated when it ships.

Because journal data lives on your device, the security of the device itself matters: keep your screen lock enabled, keep your operating system updated, and be cautious about who has physical access to your unlocked device.

10. Your Rights Under GDPR

Under the General Data Protection Regulation, you have the right to:

Access your personal data (Art. 15)
Rectify inaccurate data (Art. 16)
Erase your data, the right to be forgotten (Art. 17)
Restrict processing (Art. 18)
Data portability (Art. 20) for the personal data we hold about you. See the explanation under "Data portability" below
Object to processing (Art. 21)
Withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (Art. 7(3))

For locally stored data and Drive backups, you exercise these rights directly on your device and in your Google account. For data held by third-party processors (Firebase, RevenueCat), contact us at contact@vizaxis.com and we will assist you.

Data portability (Art. 20). Pain Journal stores your journal entries on your device only. Because we never receive that data, we are not the controller of it under Art. 4(7) and Art. 20 does not require us to provide an export of it. You can still export your own journal at any time using the in-app features: PDF reports (free) and CSV export (Pro feature, available in Settings → Your Pain Data → Export Data). For the personal data we do hold about you (Firebase analytics events tied to your app instance, Firebase Crashlytics records, RevenueCat subscription history), email us at contact@vizaxis.com and we will provide a machine-readable export within 30 days at no cost.

We will respond to data rights requests within 30 days.

11. Supervisory Authority

You have the right to lodge a complaint with your local data protection supervisory authority. For Poland:

Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa, Poland
uodo.gov.pl

12. Children's Privacy

Pain Journal is not directed at children under 16 (the age of digital consent in Poland under GDPR). We do not knowingly collect personal information from children. If you believe a child under 16 has used the app in a way that resulted in personal data being processed by our third-party services, contact us and we will take steps to delete such data.

13. International Data Transfers

Third-party services (Google LLC, RevenueCat Inc.) are based in the United States and may process data outside the European Economic Area. These transfers are governed by:

The EU-U.S. Data Privacy Framework (where applicable)
Standard Contractual Clauses (SCCs) incorporated into the providers' data processing agreements

14. Not Medical Advice

Pain Journal is a personal logging tool. It is not a medical device, not a diagnostic tool, and does not provide medical advice. Reports generated by the app summarize what you entered. They do not interpret, diagnose, or recommend treatment. Always consult a qualified healthcare professional for any medical decisions, and do not rely solely on Pain Journal in an emergency. This is also stated in the Terms of Service.

15. Changes to This Policy

We may update this Privacy Policy when our data practices change. The updated version will be posted at this URL with a revised effective date. For material changes that affect how your data is processed, we will provide notice through the app. Continued use of the app after changes constitutes acceptance of the revised policy.

16. Contact

For questions about this Privacy Policy or to exercise your data protection rights:

Vizaxis Mateusz Olszewski
Email: contact@vizaxis.com
ul. Dworcowa 22/32, 10-437 Olsztyn, Poland