Sachi Health ("we," "our," or "us") provides a mobile application designed to help individuals manage Polycystic Ovary Syndrome (PCOS) through lifestyle tracking and symptom monitoring. We understand that your health data is deeply personal. This Privacy Policy explains exactly what data we collect, how we use it, who can access it, and how you can control it.
This policy applies to all users of the Sachi Health mobile application, our website at sachi-health.com, and any related services.
When you create an account and use Sachi Health, you may provide:
With your explicit permission, we read the following data types from Apple Health:
We may also write weight data back to Apple Health so your records stay consistent across health apps.
Important: HealthKit data is never sent to third-party analytics services. It is stored locally on your device and synced only to our secure servers (see Section 3).
When you use the app, certain technical information is collected automatically:
We use the information we collect for the following purposes:
We do not use your health data for advertising. We do not share the content of your health entries with any third-party analytics or advertising service.
Call recordings: One-on-one onboarding and support calls may be recorded with your verbal consent for product improvement purposes. We use Fireflies.ai to transcribe these calls. You may decline recording at any time with no impact on your use of the app. Recordings and transcripts are deleted after a short retention period, or immediately upon request to security@sachi-health.com.
We work with a limited number of service providers to operate Sachi Health. Each provider receives only the data necessary for its specific function.
| Provider | Purpose | Data Received | Health Data? |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure: Cognito (authentication), API Gateway + Lambda (data processing), RDS PostgreSQL (data storage) | All account and health data (encrypted in transit and at rest on AWS servers) | Yes |
| Mixpanel | Product analytics | Category-level screen names, session timing, device info, IP address, device identifier, user account ID | No* |
| Mailchimp | Email communications; product feedback surveys | Email address, name, subscriber segments, tags, and product feedback survey responses (usability ratings, feature requests, and app experience) | No† |
| Apple | App distribution (TestFlight/App Store), HealthKit data access | Standard App Store data; HealthKit data stays on-device per Apple's requirements | No** |
| Google (Workspace/Gmail/Forms) | Email delivery for account notifications; survey data collection via Google Forms | Email addresses, notification content, anonymous survey responses (which may include health information such as PCOS diagnosis status and symptom tracking preferences). Survey responses are not linked to your account unless you voluntarily provide your email. | Yes‡ |
| Calendly | Meeting scheduling for onboarding and support calls | Name, email address, scheduling availability | No |
| Fireflies.ai | Call transcription (optional — only with your verbal consent) | Voice recordings of onboarding and support calls | Potentially*** |
*Mixpanel and health data: Mixpanel receives category-level screen names (e.g., "checkin" or "insights") that indicate which sections of the app you visit. These labels do not contain the content of your health entries, symptom scores, medication names, or any specific health measurements. However, because Sachi Health is a PCOS management app, screen visit patterns may indirectly reveal that you are tracking health-related activities. Your Mixpanel analytics data is linked to your account identifier.
**Apple HealthKit: HealthKit data accessed by Sachi Health is never shared with third parties, never used for advertising, and is not sent to any analytics service. This is required by Apple's HealthKit guidelines and is enforced at the platform level.
***Fireflies.ai and health data: Onboarding and support calls are only recorded with your verbal consent. You may discuss health context during these calls. Recordings and transcripts are deleted after a short retention period, or immediately upon request. You may decline recording at any time with no impact on your use of the app.
†Mailchimp and health data: Mailchimp receives your name and email address for communications. We may use subscriber segments and tags to manage email lists. We also collect product feedback through Mailchimp surveys, which ask about app usability, feature satisfaction, and your experience with the app. These surveys do not ask about your diagnosis, symptoms, medications, or health status. However, because Sachi Health is a PCOS management app, your participation in a Sachi Health survey may indirectly reveal that you are in the PCOS community. Survey participation is voluntary.
‡Google and health data: We collect user feedback through anonymous Google Forms surveys for customer research and product improvement. These surveys may ask about your PCOS diagnosis or symptom tracking habits. Responses are anonymous unless you voluntarily provide your email address. Because anonymous responses cannot be linked to your account, they cannot be included in account deletion requests.
Your health data is stored locally on your device in two ways:
Your data is synced to our servers hosted on Amazon Web Services (AWS) in the US-East-1 region. Server-side protections include:
Sachi Health works offline. Your check-ins and tracking entries are saved to your device first and synced to our servers when a network connection is available. If a sync fails, the app retains your data locally and retries when the app is next opened.
In the unlikely event of a data breach affecting your personal information, we will notify affected users by email as soon as reasonably practicable after confirmation of the breach, including a description of the data involved and steps you can take to protect yourself.
We use Mixpanel to understand how people use Sachi Health so we can improve the app. Here is exactly what Mixpanel receives:
| Event | When It Fires | What's Sent |
|---|---|---|
| Registration | When you create an account | Event name only (no personal details) |
| Screen Viewed | Each time you navigate to a new screen | A category-level screen label (e.g., "checkin," "insights," "medication_mgmt"). Does not include any health data content. |
| Session Start | When you open the app | Event name only |
| Session End | When the app goes to background | Session duration in seconds |
Account linkage: Your analytics events are linked to your account identifier. This means we can see usage patterns associated with individual accounts. We use this to diagnose issues and understand feature adoption, not for advertising or profiling.
Mixpanel also automatically collects device model, OS version, app version, screen size, carrier, language, IP address (used for approximate city-level geolocation), and a vendor device identifier (IDFV). Mixpanel processes all analytics data in the United States.
Data retention: Analytics data is retained in Mixpanel in accordance with our configured retention period, after which it is automatically deleted.
Our use of Apple HealthKit data complies with Apple's developer guidelines:
You can view all health data you have entered through the app at any time. We are building a data export feature that will allow you to download a complete copy of your data. In the meantime, you may email us at security@sachi-health.com to request a copy of the personal data we hold about you, and we will respond within 30 days.
To delete your account and all associated data (local and server-side), email security@sachi-health.com. We will begin processing your request within 30 days.
You can control Sachi Health's access to your data:
European Economic Area (GDPR): You have the right to access, rectify, erase, restrict processing of, and port your personal data. We process usage analytics data on the basis of our legitimate interest in improving the app. We have assessed that this limited analytics processing does not override your rights, given that screen labels are category-level only and do not contain health entry content. You may object to this processing at any time by contacting us at security@sachi-health.com.
California (CCPA/CPRA): You have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. To exercise your rights, contact us at security@sachi-health.com.
Sachi Health is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at security@sachi-health.com and we will promptly delete it.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email before the changes take effect. The "Last Updated" date at the top of this policy indicates when it was last revised.
If you have questions about this Privacy Policy, your data, or your privacy rights, contact us at:
Sachi Health
Email: security@sachi-health.com
Website: sachi-health.com
For privacy-related requests (data access, deletion, corrections), please email security@sachi-health.com and we will respond within 30 days.