← Back to Sachi Health

SACHI HEALTH

Privacy Policy

---

Sachi Health ("we," "our," or "us") provides a mobile application designed to help individuals living with Polycystic Ovary Syndrome (PCOS) explore research-informed lifestyle approaches through wellness tracking, research-inspired wellness programs, and daily goal tracking.

This Privacy Policy explains what data we collect, how we use it, who has access, and how you can control your information.

This policy applies to all users of the Sachi Health mobile application, website at sachi-health.com, and related services.

Sachi Health is currently in early beta testing. Features may change, and we cannot guarantee uninterrupted availability. We are a small team committed to protecting your data.

1. Information We Collect

1.1 Information You Provide Directly

• Account information: Email address, username, password (securely hashed via AWS Cognito), date of birth (for age verification).
• Profile information: First name, last name, height, weight, country, zipcode, phone number (mostly optional).
• Health tracking data: Daily symptom check-ins, menstrual cycle data (bleeding, flow intensity, cycle length), acne and hirsutism severity assessments, hair loss tracking, oily skin levels, body composition measurements (weight, BMI, body fat percentage, muscle mass, hip/waist circumference, waist-hip ratio).
• Wellness program data: Program enrollment data (which program, enrollment date, duration), daily goal completions, nutrition check-ins (water intake, dietary patterns), exercise tracking (type, duration, frequency), and program progress.
• Medication data: Current medications, dosages, adherence tracking.
• Survey responses: Onboarding questionnaire answers; product feedback surveys (via Mailchimp) about usability; customer research surveys (via Google Forms) potentially addressing diagnosis and symptoms (anonymous unless email voluntarily provided).
• Other: Feedback and support communications.

1.2 Information from Apple HealthKit

With your explicit permission, we read the following data types from Apple Health:

• Body mass (weight)
• Body mass index (BMI)
• Body fat percentage
• Waist circumference
• Lean body mass
• Menstrual flow
• Intermenstrual bleeding
• Step count
• Active energy burned
• Exercise minutes
• Sleep duration

Weight data may be written back to Apple Health. HealthKit data is never shared with advertising networks, data brokers, or any third party for marketing purposes. HealthKit data is used solely to support your wellness tracking.

1.3 Information Collected Automatically

• Device information: Model, operating system version, app version, screen size, language, locale settings
• Network information: IP address (used for security purposes and approximate city/region location by analytics provider)
• Usage data: App screens visited (category-level labels only), session duration, session frequency
• Device identifiers: Vendor-specific device identifier (IDFV) may be collected by analytics provider. Apple's IDFA is not collected. We do not participate in ad tracking.

During the beta testing period, Apple's TestFlight service may collect additional data including crash logs, usage statistics, and device information under Apple's own privacy policy.

2. How We Use Your Information

• Provide and maintain the app: Symptom tracking, medication management, health visualizations, wellness program features, and daily goal tracking
• Present relevant research: Present peer-reviewed research programs related to lifestyle topics you have expressed interest in. This is educational content — not a personalized medical recommendation.
• Sync your data: Preserve your health history across sessions
• Track your progress: Display your daily and program-level progress
• Send notifications: Check-in and medication reminders (if you opted in)
• Improve the app: Understand usage patterns to improve features and fix issues
• Communicate with you: Account updates, relevant wellness content, and support responses
• Comply with legal obligations

We process your health data based on the explicit consent you provide during account setup and program enrollment. You may withdraw this consent at any time through the app settings.

Marketing website (www.sachi-health.com): When you submit your email address (and optionally a first name) on the beta waitlist (/beta) or newsletter (/newsletter) page, we use that information to add you to the corresponding mailing list (Mailchimp for the beta waitlist, Beehiiv for the newsletter), send you the communications you signed up for, and reach out about Sachi Health updates. We also collect anonymized page-view and CTA-click metrics to understand which messaging resonates with visitors. You may unsubscribe from emails at any time using the link in any newsletter, or request full deletion of your record by emailing security@sachi-health.com.

Call recordings: One-on-one onboarding or support calls may be recorded with your verbal consent for product improvement. Fireflies.ai transcribes these calls. You may decline recording at any time. Recordings and transcripts are deleted after a short retention period or immediately upon request to security@sachi-health.com.

3. Who Has Access to Your Data

Provider	Purpose	Data Received	Health Data?
Amazon Web Services (AWS)	Cloud infrastructure: Cognito, API Gateway, Lambda, RDS PostgreSQL	All account and health data (encrypted in transit and at rest)	Yes
Mixpanel	Product analytics (mobile app)	Category-level screen names, session timing, device info, IP address, device identifier, user account ID	No*
Vercel	Website hosting and privacy-first web analytics (www.sachi-health.com)	Page URLs, referrer, country (derived from IP, IP not stored), anonymized session counts, CTA click events; cookieless	No
Microsoft Clarity	Website session recordings and heatmaps (www.sachi-health.com)	Page interactions, mouse movements, scroll depth, click events; form inputs (including email) are masked by default	No
Google Fonts	Web fonts loaded on www.sachi-health.com (DM Sans, Instrument Serif, Geist Mono)	IP address and User-Agent are sent to Google when your browser fetches the font files; no other personal data is shared	No
Mailchimp	Email communications; beta waitlist signups (www.sachi-health.com/beta); product feedback surveys	Email address, name, product feedback survey responses	No
Beehiiv	Newsletter subscriptions (www.sachi-health.com/newsletter)	Email address (and any other fields submitted through the Beehiiv subscription form)	No
Apple	App distribution (TestFlight/App Store), HealthKit access	Standard App Store data; HealthKit data stays on device	No
Google (Forms)	Survey collection	Anonymous survey responses (potentially including PCOS diagnosis, symptom preferences)	Yes**
Calendly	Meeting scheduling	Name, email address, scheduling availability	No
Fireflies.ai	Call transcription (optional, verbal consent only)	Voice recordings of onboarding/support calls	Potentially***

Law Enforcement: We will disclose personal information only in response to valid legal process such as a court order or subpoena.

4. How Your Data Is Stored and Protected

Your health data is stored both on your device and on our encrypted servers. We use encryption to protect your data in transit and at rest. Our servers are hosted on Amazon Web Services (AWS) in the United States.

Check-ins and entries are saved locally first and synced when a network connection is available. If a sync fails, data is retained locally and retried on the next app opening.

If you are located outside the United States, please be aware that your data is processed and stored in the United States.

5. Analytics and Tracking

Event	When It Fires	What's Sent
Registration	When account created	Event name only (no personal details)
Screen Viewed	Each navigation to new screen	Category-level screen label (e.g., "checkin," "insights"); no health data content
Session Start	When app opens	Event name only
Session End	When app goes to background	Session duration in seconds

Your analytics events are linked to your account identifier. We use this to diagnose issues and understand feature adoption, not for advertising or profiling.

Mixpanel automatically collects device model, OS version, app version, screen size, carrier, language, IP address (for city-level geolocation), and vendor device identifier (IDFV). All analytics processing occurs in the United States.

Website Analytics

The Sachi Health marketing website (www.sachi-health.com) uses two analytics tools that are separate from the in-app Mixpanel analytics described above:

• Vercel Web Analytics: Counts page views and CTA clicks (e.g., "Join the beta" or "Sign up for the newsletter"). Cookieless and does not collect personal information. IP addresses are used only for approximate country-level geolocation and are not stored.
• Microsoft Clarity: Records anonymized session playback and heatmaps so we can see how visitors navigate the site. Form fields (including email inputs) are masked by default and never visible in recordings. Clarity may set first-party cookies for session continuity.

Neither tool receives any health, symptom, or PCOS-related information from the marketing site, since the website only collects an email address and (optionally) a first name for the waitlist or newsletter.

6. Apple HealthKit Compliance

HealthKit data is accessed only with your explicit permission, which you can revoke at any time in your device's Settings > Health > Data Access.

HealthKit data is:

• Never shared with third parties
• Never shared with advertising networks or data brokers
• Never used for advertising or marketing
• Never sold
• Not sent to any analytics service (including Mixpanel)

7. Your Rights and Choices

Regardless of where you live, you have the right to:

• Access your data through the app
• Request a copy of your data by emailing security@sachi-health.com
• Correct inaccuracies in your data
• Delete your account and all associated data
• Withdraw consent for health data collection through the app settings
• Revoke HealthKit permissions at any time through your device settings
• Manage notifications through your device settings
• Opt out of non-essential communications

We will not discriminate against you for exercising any of these rights. To exercise your rights, use the in-app options or email security@sachi-health.com. We will respond within 30 days.

California Residents

CCPA/CPRA rights. We do not sell personal information. Health data is sensitive personal information under CPRA.

Washington Residents

My Health My Data Act rights regarding consumer health data, including access, delete, and withdraw consent. Right to know specific third parties (listed in Section 3). We do not sell consumer health data.

Connecticut Residents

CTDPA rights to access, correct, delete, and obtain a copy of personal data including consumer health data.

8. Data Retention and Deletion

• Account and health data (AWS): Retained while account active. Deleted within 30 days of deletion request.
• Analytics data (Mixpanel): Retained per configured retention period. Aggregate statistics may be retained after account deletion.
• Email records (Mailchimp): Retained while account active. Removed upon deletion request.
• Newsletter subscriptions (Beehiiv): Retained while subscribed. Unsubscribe via the link in any newsletter, or email security@sachi-health.com for full deletion.
• Web analytics (Vercel): Cookieless and stored as anonymous aggregate counts only (no per-individual record). Per-user deletion is not applicable because no per-individual data exists.
• Session recordings (Microsoft Clarity): Recordings auto-expire after up to 30 days (Clarity free tier) and are then deleted. To request earlier removal of a specific session, email security@sachi-health.com with the approximate date and time of your visit.
• Web fonts (Google Fonts): Font files are fetched by your browser via standard HTTP requests. Sachi Health does not retain any personal record of these fetches.
• Survey responses (Google Forms): Anonymous. Retained for research. Not deletable per-user unless email voluntarily provided.
• Survey responses (Mailchimp): Linked to subscriber profile. Deleted upon deletion request.
• Local device data: Persists until data deleted or app uninstalled.
• Call recordings/transcripts (Fireflies.ai): Deleted after short retention period or immediately upon request.
• Backup data: May persist in encrypted backups for limited period until automatically rotated.

You may request deletion via "Delete Account" in app or email security@sachi-health.com.

If Sachi Health ceases operations, we will make reasonable efforts to notify you at least 30 days in advance.

9. Age Requirement

Sachi Health is intended for users 18 years of age and older. We do not knowingly collect personal information from individuals under 18. If we become aware, we will delete that information promptly.

10. Data Breach Notification

In the event of a data breach affecting your personal health information, we will:

• Notify affected users by email within 60 days
• Notify the FTC as required by the Health Breach Notification Rule
• Describe the nature of the breach, types of information affected, and steps taken

If 500+ people are affected, we will also notify prominent media outlets as required by law.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email before they take effect and by posting the updated policy on our website and in the app.