Privacy Policy — Creighton Cycle Tracker

Effective date: May 16, 2026

This privacy policy describes how the Creighton Cycle Tracker mobile and web application (the “App”) collects, uses, stores, and shares your information. The App is published by Jacob Stephens as an independent developer (the “Developer,” “we,” “us,” or “our”). Contact: jacob@stephens.page.

This policy is intentionally specific to what the App actually does. It is not a generic template.

1. Summary in one paragraph

The App is a fertility-cycle charting tool based on the Creighton Model FertilityCare™ System. All of your observations are stored on your device by default and never leave it unless you choose to create an account. If you create an account, your observations are encrypted on your device using a key derived from your password (end-to-end encryption) before being backed up to our server. We cannot read your health data. You may optionally generate a time-limited read-only link to share a filtered version of your chart with your FertilityCare Practitioner. The App contains no advertising and no third-party trackers other than Google Analytics, which loads only if you accept the cookie banner.

2. Information we collect

2.1 Information you provide

Account information (only if you create an account): email address, first name, password.
Fertility observations that you enter: bleeding intensity, mucus stretch and characteristics, observation frequency, peak-day marks, manual cycle-start marks, intercourse flag, free-text notes.
Settings: your base-infertile-pattern description, default-view preference, theme, reminder time.

2.2 Information collected automatically

Cookies / local storage: small flags such as a “disclaimer dismissed” indicator, the “last sync time,” and your selected chart zoom level. Stored locally; never sent to us.
Authentication cookie (only if you sign in): an HTTP-only JWT cookie issued by our server to keep you logged in.
Anonymous web analytics: if and only if you click “Accept” on the cookie banner, we load Google Analytics 4 (G-4RXK6BKTKW). This collects standard pageview and session data — never your observations or any other personal information. You can decline or revoke at any time via the in-app Cookie Policy page.
Crash reports: once the App is installed from the Google Play Store, Google Play Console may collect anonymous crash and stability metrics. This is a Google-side feature; we do not operate or directly receive identifying information from it.

2.3 Information we do not collect

No location (precise or approximate).
No advertising identifier (Android AD_ID).
No contacts, calendar, photos, microphone, or camera data.
No device fingerprinting beyond what your browser/WebView normally exposes to any HTTPS site.

3. How we use information

Purpose	Data used
Provide the core charting functionality	Your observations, cycles, settings (stored locally)
Authenticate you across devices	Email, password hash, JWT cookie
Sync your data across your own devices	End-to-end encrypted observations, cycles, settings
Let you share a read-only chart with your practitioner	Filtered observations + cycles (the notes field is stripped)
Send transactional emails (verification, password reset)	Email, first name
Notify the Developer of new account creation	Email, first name (admin notification only)
Improve the App via aggregate analytics (opt-in)	Standard Google Analytics page-view data
Diagnose crashes and stability issues	Anonymous Play Console crash logs (Google-side)

We do not use your data for advertising, profiling, behavioral targeting, or any third-party marketing.

4. End-to-end encryption details

When you create an account, the App derives an AES-256-GCM encryption key from your password using PBKDF2 with a unique per-user salt. This key never leaves your device. Before observations are uploaded for backup, they are encrypted with this key. The server stores only the encrypted blob and an additional server-side encryption layer at rest. If you forget your password, your encrypted data cannot be recovered by us — the password reset flow will let you regain access to your account but the previously synced data will be lost.

Your provider-share link uses a separate filtered payload (with the notes field stripped) so a recipient can read your chart but cannot see your written notes.

5. Storage and security

On your device: observations, cycles, and settings are stored in IndexedDB inside the App's WebView. They persist until you delete observations in-app, sign out, uninstall, or clear app data.
On our server: when you sync, encrypted blobs are stored in a self-hosted SQLite database on a server controlled by the Developer, behind TLS provided by Let's Encrypt. Passwords are hashed with bcrypt (cost 12). Authentication uses HTTP-only signed JWTs.
Transport: all network traffic uses HTTPS.

6. Third parties and sub-processors

Vendor	Purpose	What they receive
Google Fonts	Web fonts	Standard HTTP referrer headers from page loads
Google Analytics 4	Anonymous usage stats — opt-in only	Standard GA4 pageview / session signals
Mandrill (Mailchimp Transactional)	Sends verification and password-reset emails	Your email address + the email body
Let's Encrypt	TLS certificate issuer	Public DNS records only
Google Play Services	App distribution + crash logs	Anonymous Play Console signals

We do not use Firebase, Crashlytics, Sentry, Mixpanel, PostHog, Amplitude, Segment, Facebook SDK, or any advertising network.

7. Sharing and disclosure

We do not sell or rent your data. We do not share data with third parties for marketing. The only situations in which your data is disclosed are:

To people you explicitly share with: anyone holding your provider-share-link URL can view your filtered chart until you revoke it (or until its 90-day expiry).
To service providers strictly as needed (e.g., Mandrill to deliver an email).
If legally required (court order, lawful subpoena), we will comply to the extent legally required.

8. Your rights

You can, at any time:

Edit or delete individual observations in the App.
Sign out to keep new observations local-only.
Revoke or regenerate your provider-share link in Settings.
Withdraw analytics consent via the cookie banner / Cookie Policy page.
Delete your account and all server-side data at any time via Settings → Account & Sync → Delete Account in the App. The deletion is immediate and irreversible: it removes your row from users, all server-side observation backups, provider-share-link tokens, and pending email-verification or password-reset tokens, and clears the corresponding on-device data on the device where you confirm. You can also email jacob@stephens.page if you'd prefer a manual deletion.
Export your data: the App's Settings → Data Management page can export your observations as JSON or CSV.

8.1 GDPR (European Economic Area, UK, Switzerland)

If you are in the EEA, UK, or Switzerland, the lawful bases under GDPR Article 6 are:

Article 6(1)(b) — performance of a contract (account creation, sync, sharing).
Article 6(1)(a) — consent (analytics cookies; opt-in only).
Article 6(1)(f) — legitimate interest (transactional emails, security).

Because the App processes special-category data (health information), processing relies on Article 9(2)(a) — explicit consent — implied by your use of the App, with the additional safeguard of end-to-end encryption.

You have the right to access, rectify, erase, restrict, port, and object. You may also lodge a complaint with your local supervisory authority. Contact jacob@stephens.page to exercise these rights.

The Developer is the data controller. There is no DPO (the operation is below the GDPR threshold requiring one).

8.2 CCPA / CPRA (California)

California residents have the right to know what we collect (see Section 2), the right to delete, the right to correct, the right to opt-out of “sale” or “sharing” (we do not sell or share for cross-context behavioral advertising), and the right to non-discrimination. Email jacob@stephens.page to exercise these rights.

9. Data retention

On-device data: kept until you delete observations, uninstall the App, or clear app data.
Account data on our server: kept until you delete your account in-app or request deletion.
Email-verification tokens: 24 hours.
Password-reset tokens: 1 hour.
Provider-share-link tokens: 90 days from creation, then automatic deletion.
Server log files: rotated and retained for no more than 30 days.

10. Children's privacy

The App is intended for users aged 18 and older. We do not knowingly collect personal information from anyone under 13. If you believe a child has provided us with information, contact jacob@stephens.page and we will delete it.

11. International data transfers

Our server is currently hosted in the United States. If you use the App from outside the United States, your data will be transferred to and stored on infrastructure in the United States. For EEA/UK users, we rely on appropriate safeguards (Standard Contractual Clauses where applicable to sub-processors).

12. Changes to this policy

We may update this policy from time to time. Material changes will be announced in-app and the effective date above will be updated. Continued use of the App constitutes acceptance.

13. Contact

Email: jacob@stephens.page
Developer: Jacob Stephens
App: Creighton Cycle Tracker
Source code: github.com/JacobStephens2/CreightonTrackingApp
Support: creightontracker.com/support