Hurtl Privacy Policy
Effective date: May 5, 2026
Last updated: May 5, 2026
This Privacy Policy explains how Hurtl (the “App”) and our related website or services (together, the “Service”) collect, use, store, and share information about you.
Hurtl is operated by Distributed By Design Ltd. (“Hurtl”, “we”, “us”, or “our”). For UK and EU data protection law, we are the controller of the personal data described in this Policy, unless we say otherwise.
Contact: tom@hurtl.app
Address: 230 Brockley Grove, London, SE41HG, United Kingdom
Hurtl helps people track symptoms, medication, journaling, and related health and wellness information. Because this can include sensitive health information, we try to keep the policy clear and practical. This document is also intended to support app-store disclosures, including Apple’s App Privacy requirements.
Hurtl is not a medical device and does not provide medical advice, diagnosis, or treatment. Always speak to a qualified healthcare professional before making medical decisions.
1. Our Privacy Commitments
- We do not sell your personal data. We do not sell, rent, or license your personal data to data brokers, advertisers, or other third parties.
- We do not use your health data for third-party advertising. We do not show third-party ads in the App and we do not use your information to track you across other companies’ apps or websites for advertising.
- You choose what health information to enter. Hurtl stores the information you add so the App can work, sync, back up your data, and provide features you request.
- We use service providers to run the Service. These providers process data for us under our instructions, such as cloud hosting, authentication, subscriptions, AI summaries, support, and future product analytics.
- Product analytics may be added later. We expect to add first-party, product-focused analytics to understand how people use the App and improve it. This will not be used to sell your data or for third-party advertising, and we will update disclosures where required.
2. Information We Collect
We collect information you provide, information created when you use the Service, and limited technical information from your device and our systems.
Account Information
We may collect your name, email address, account ID, authentication provider information, and account settings. This is used to create and secure your account, sign you in, sync your data, provide support, and communicate with you about the Service.
If you use Sign in with Apple, Google sign-in, or another identity provider, the information we receive depends on that provider and your settings with them.
Health, Wellness, and Journal Information
Hurtl is designed for self-tracking. You may choose to enter:
- symptoms, pain, fatigue, flare, or condition-related logs;
- medication names, schedules, adherence, and related notes;
- tracker entries, scores, dates, and settings;
- exercise or activity information;
- journal entries and free-text notes;
- condition tags or onboarding preferences; and
- related summaries, reports, or insights generated from your data.
Some free-text fields, such as journal body text and certain tracker notes, are designed to be encrypted on your device before they are synced. Other fields may remain readable on our backend where needed for app functionality, syncing, reporting, search, or display.
Subscriptions and Purchases
If you buy a subscription or paid feature through an app store, the app store processes your payment. We do not receive your full card number or bank account details. We and our subscription validation provider may receive purchase status, entitlement, transaction, and account-linking information so we can provide paid features.
Usage, Analytics, and Diagnostics
We collect or may collect limited usage and diagnostic information, such as app interactions, feature usage, crash or error information, performance information, logs, device or installation identifiers, IP address, timestamps, and similar technical data.
At present, we primarily use operational logs and vendor tooling needed for hosting, authentication, subscriptions, and reliability. In the future, we plan to add product analytics to understand, in aggregate, how people use the App. For example, we may measure which screens or features are used, where users get stuck, and whether the App is stable.
We will use analytics to improve Hurtl, not to sell your data, not to show third-party ads, and not to track you across other companies’ services for advertising.
AI-Generated Summaries
Some features may generate weekly summaries, report summaries, or other insights. When you use these features, we send a minimized and structured payload derived from your logs to an external model API. We do not intend to send your full diary, full account profile, or contact details for these summaries. The generated output may be stored in your account so we can show it to you again.
Notifications
The App can schedule local reminders on your device, such as medication or journaling reminders. Local reminders do not require us to collect a push notification token. If we later add remote push notifications, we will update this Policy and request permission where required.
Information We Do Not Intentionally Collect
We do not intentionally collect your phone contacts, precise GPS location, browsing history across other companies’ websites, or advertising identifiers for third-party advertising. If you type that kind of information into a journal or note field, it becomes part of the content you chose to store.
3. How We Use Information
We use information for the following purposes:
- to create, authenticate, and secure your account;
- to provide the App’s core tracking, journaling, reporting, reminder, subscription, and sync features;
- to back up and restore your data across devices when you are signed in;
- to personalize onboarding and the in-app experience based on preferences you provide;
- to generate optional AI summaries or insights when you use those features;
- to provide customer support and respond to requests;
- to export or delete data at your request;
- to monitor security, prevent abuse, debug issues, and improve reliability;
- to understand and improve how the Service is used, including through planned product analytics; and
- to comply with legal obligations and enforce our rights.
We do not use your personal data for third-party advertising. We do not sell it.
4. Apple App Privacy Categories
Apple asks developers to describe data collection using its own categories. Depending on how you use Hurtl, the App may collect the following Apple App Privacy data types:
| Apple data type | Examples in Hurtl | Main purposes |
|---|---|---|
| Contact Info | Name and email address | Account creation, sign-in, support |
| Health & Fitness | Symptoms, condition tags, medication logs, tracker scores, exercise/activity entries | App functionality, sync, backup, reports, insights |
| User Content | Journal text, notes, generated summaries | App functionality, sync, backup, reports |
| Identifiers | Account ID, subscription or installation identifiers used by providers | Authentication, sync, subscriptions, security |
| Purchases | Subscription status and entitlements | Paid feature access |
| Usage Data | Product interaction and future product analytics events | Product improvement, reliability |
| Diagnostics | Crash, error, performance, logs, request metadata | Security, debugging, performance |
This Policy describes our practices generally. App Store Connect answers must always match the actual production build, including any SDKs and service providers included at the time of release.
5. Legal Bases for Processing
Where UK GDPR, EU GDPR, or similar laws apply, we rely on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Creating your account and providing core app features | Performance of a contract |
| Sync, backup, subscriptions, exports, and support | Performance of a contract |
| Security, fraud prevention, debugging, and service reliability | Legitimate interests |
| Product improvement and product analytics | Legitimate interests, or consent where required by law or platform rules |
| Optional device permissions, such as notifications | Consent through your device settings |
| Optional AI summaries or similar optional features | Consent or performance of a contract, depending on the feature and applicable law |
| Legal compliance | Legal obligation |
Health information may be treated as special category data under UK and EU law. Where required, we rely on your explicit consent to process health information you choose to enter into Hurtl. You can withdraw that consent by deleting your data, deleting your account where available, contacting us, or stopping use of the health-tracking features. Withdrawal does not affect processing that already happened before withdrawal.
6. Sharing and Service Providers
We share information only as needed to operate the Service, comply with law, protect rights and safety, or complete a business transaction such as a merger or acquisition.
We use service providers, also called subprocessors, in categories such as:
- cloud hosting, databases, storage, backups, and serverless functions;
- authentication and social sign-in;
- subscription validation and app-store purchase management;
- AI inference for optional summaries;
- product analytics and diagnostics, including planned future analytics;
- email, support, monitoring, security, and operational tooling.
These providers may process personal data for us, but they are not allowed to use it for their own marketing or to sell it. We require them to process information only for the services they provide to us, subject to their contracts and applicable law.
We may also share information:
- with Apple, Google, or app stores when you use their sign-in, subscription, or platform services;
- if required by law, regulation, court order, or government request;
- to investigate abuse, security incidents, or violations of our terms; or
- as part of a merger, acquisition, financing, restructuring, or sale of assets, with appropriate safeguards where required.
7. AI Features
AI summaries are optional product features. If you use them, we send a reduced and structured summary of relevant app data to an external model provider so it can generate text for you. The provider returns the result to us, and we may store that output in your account for display and caching.
AI-generated content may be incomplete, inaccurate, or not clinically appropriate. It should not be used as medical advice or a substitute for a clinician.
8. Analytics and Advertising
We may use first-party analytics to understand and improve Hurtl. Analytics may help us answer questions like whether features are used, whether onboarding works, whether screens load correctly, and where errors occur.
We do not use analytics to sell your data. We do not use analytics for third-party advertising. We do not use analytics to track you across other companies’ apps or websites for advertising.
If we add analytics that require consent under applicable law or platform rules, we will provide the required notice or choice.
9. Storage, Security, and Encryption
Hurtl stores data locally on your device so the App can work offline. When you are signed in, data may sync to our backend so it can be backed up and restored across devices.
We use technical and organizational safeguards designed to protect personal data, including access controls and backend row-level access rules. Certain sensitive text fields are designed to be encrypted on your device before syncing. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.
You are responsible for keeping your device, app-store account, and login credentials secure.
10. Retention and Deletion
We keep personal data for as long as needed to provide the Service, maintain your account, comply with legal obligations, resolve disputes, enforce agreements, and maintain security.
You can export data and delete certain data in the App under Settings -> Data & privacy. Current in-app controls may include deleting local device data and permanently deleting synced health data. Deleting synced health data may not automatically delete your authentication account or all operational records.
To request full account deletion, contact tom@hurtl.app or use any account-deletion flow we make available. Some information may remain for a limited period in backups, logs, fraud-prevention records, legal records, or where retention is required by law.
11. Your Rights
Depending on where you live, you may have rights to:
- access the personal data we hold about you;
- correct inaccurate data;
- delete your data;
- restrict or object to certain processing;
- receive a portable copy of your data;
- withdraw consent where processing is based on consent; and
- complain to a data protection authority.
To exercise your rights, contact tom@hurtl.app. We may need to verify your identity before acting on a request.
If you are in the UK, you can contact the Information Commissioner’s Office (ICO). If you are in the EEA, you may contact your local data protection authority.
12. U.S. State Privacy Rights
Some U.S. state privacy laws provide additional rights, such as rights to know, access, correct, delete, or port personal information, and to opt out of certain sales, sharing, or targeted advertising.
We do not sell personal information. We also do not share personal information for cross-context behavioral advertising. If you have questions or want to exercise a state privacy right, contact tom@hurtl.app.
13. International Transfers
We are based in the United Kingdom, and our service providers may process information in the UK, EEA, United States, or other countries. Where required, we use appropriate safeguards for international transfers, such as adequacy decisions, standard contractual clauses, or equivalent protections.
14. Children’s Privacy
Hurtl is not directed to children under 13, and we do not knowingly collect personal data from children under 13. If a higher minimum age applies in your country, you should only use Hurtl if you meet that age requirement or have appropriate parental or guardian consent. If you believe a child has provided personal data to us, contact tom@hurtl.app.
15. Device Permissions and Third-Party Links
The App may request device permissions, such as notifications. You can manage permissions through your device settings. If you disable a permission, some features may not work.
The Service may include links to third-party websites or services. Their privacy practices are governed by their own policies, not this Policy.
16. Changes to This Policy
We may update this Policy from time to time. If changes are material, we will take reasonable steps to notify you, such as updating the effective date, posting a notice, or providing in-app notice where appropriate. Your continued use of the Service after an update means the updated Policy applies.
17. Contact
For questions, privacy requests, or account deletion requests, contact:
Distributed By Design Ltd.
230 Brockley Grove, London, SE41HG, United Kingdom
Email: tom@hurtl.app
This Privacy Policy is a practical compliance draft and does not constitute legal advice. You should have qualified counsel review it before publication, especially for health data, UK/EU consent, App Store disclosures, and any future analytics implementation.