Privacy Policy

Last updated: April 2026

1. About FlarePath

FlarePath is a personal symptom diary that helps individuals track gastrointestinal symptoms, food intake, and daily context. It is not a medical device, does not provide medical advice, diagnosis, or treatment, and is intended solely as a personal wellness tool.

2. What Data We Collect

We collect only what you choose to enter:

  • Account information — email address used to create your account
  • Health information — symptoms, severity ratings, stool logs
  • Food information — meals, food items, photos you scan
  • Daily context — sleep quality, stress level, hydration, triggers
  • Clinical assessment scores — IBS-SSS, PHQ-4, Rome IV, IBS-QoL (where completed)
  • Medications — names and dosages you add for adherence tracking

3. How We Use Your Data

  • To display your logs, timeline, and insights within the app
  • To generate AI-powered weekly summaries of your symptom patterns
  • To identify food and lifestyle correlations with your symptoms
  • To generate PDF reports you can share with your doctor
  • To contribute to IBS research — only for users who explicitly opt in (see Section 7)

4. AI Processing

FlarePath uses two AI services to provide features:

  • Anthropic Claude — analyses your weekly symptom and food data to generate plain-language summaries. Data is sent to Anthropic's API and is subject to their privacy policy.
  • OpenAI GPT-4o — analyses meal photos you choose to scan to identify food items. Images are sent to OpenAI's API and are subject to their privacy policy.

No directly identifying information is included in AI requests — only pseudonymised log data referenced by a random internal identifier.

5. Data Storage

Your data is stored securely in Supabase (PostgreSQL database hosted on AWS). All data is protected by Row Level Security — only you can access your own data. Data is encrypted in transit (HTTPS) and at rest.

6. Data Sharing

We do not sell, rent, or share your personal data with third parties for marketing purposes. Your data is shared only in the following circumstances:

  • Infrastructure providers — Supabase, Anthropic, and OpenAI, solely to operate the app's features (see Section 4).
  • IBS research partners — only pseudonymised data, only for users who have explicitly opted in, and only under the conditions described in Section 7.

7. Research Data (Optional Opt-in)

FlarePath is designed to support IBS research. With your explicit opt-in consent, pseudonymised data from your app usage may be contributed to scientific studies. Participation is entirely voluntary and does not affect any app features.

What is contributed

  • Symptom patterns and severity scores
  • Stool log data (Bristol Stool Scale entries)
  • Food and lifestyle correlations
  • Clinical assessment scores (IBS-SSS, PHQ-4, Rome IV, IBS-QoL)

What is never contributed

  • Your name, email address, or any directly identifying information
  • Device identifiers or IP addresses
  • Food photos or any uploaded images

Pseudonymisation, not full anonymisation

Data contributed to research is pseudonymised — your records are linked to a random internal identifier, not your name or email. FlarePath retains a mapping between your account and this identifier; research partners receive only the identifier and health data, never the mapping. Full re-identification by a research partner is not possible. This approach is consistent with Article 89 GDPR safeguards for scientific research.

Who receives the data

Pseudonymised data may be shared with academic institutions, NHS research bodies, or clinical research organisations conducting studies on IBS. Any transfer is governed by a formal data processing agreement. Research use is subject to appropriate ethics committee oversight before any data is accessed or transferred.

Publication

Research findings may be published in peer-reviewed academic journals or presented at scientific conferences. Published results will be reported in aggregate or fully de-identified form. No individual's data will appear in a way that could identify them.

Your control

You can opt in or withdraw at any time via Settings → Research & Data. Withdrawing consent stops any future contributions. Data already incorporated into a completed or ongoing research dataset cannot be retroactively removed, as required by research integrity standards — but no further data will be shared after withdrawal.

8. Legal Basis for Processing (GDPR)

FlarePath processes health data, which is classified as special category data under GDPR Article 9. The legal bases we rely on are:

  • Explicit consent (Article 9(2)(a)) — for all health data collected when you create an account and use the app.
  • Explicit consent + scientific research (Article 9(2)(a) and Article 89(1)) — for any research data contributions, which require a separate opt-in.

You may withdraw consent at any time by deleting your account. For research contributions, you may withdraw via Settings without deleting your account.

9. Data Retention

  • Account and health data — retained for as long as your account is active. Deleted within 30 days of account deletion.
  • Research contributions — pseudonymised data already shared with a research partner may be retained by that partner for the duration of the research study, in accordance with the applicable ethics approval. FlarePath does not retain a separate research copy after account deletion.
  • Backups — encrypted database backups may retain data for up to 30 days after deletion.

10. Your Rights

Under GDPR and UK GDPR, you have the right to:

  • Access — request a copy of your personal data
  • Portability — export your data at any time via the Report section
  • Rectification — correct inaccurate data
  • Erasure — delete your account and all associated data via Settings, or by contacting us
  • Withdraw consent — stop app use or research contributions at any time
  • Object — object to processing, including research use, at any time

To exercise any right, contact us at umar3061@gmail.com. We will respond within 30 days.

11. Children

FlarePath is intended for users aged 16 and over. Given the health-sensitive nature of the data processed, we do not knowingly collect data from anyone under 16. If you believe a person under 16 has created an account, please contact us and we will delete the account promptly.

12. Changes to This Policy

We may update this policy from time to time. For minor changes, the updated date at the top of this page will be revised. For material changes — particularly any changes to how research data is used or shared — we will notify you by email and require fresh consent before the new terms take effect.

13. Contact

For any privacy questions, data requests, or concerns: umar3061@gmail.com