Privacy Policy

Effective Date: 24/11/2025
StrokeGuard (“we”, “us”, “our”) respects your privacy. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our mobile app and website [https://strokeguard.app] (the “Services”).


  1. Who We Are

    StrokeGuard is operated by [Legal Entity / Founder Name], based in Surabaya, Indonesia. For privacy questions or data requests, contact [[email protected]].

    Healthcare stance: StrokeGuard provides clinical decision support (CDS) for post-stroke follow-up. We are not a diagnostic device. In hospital deployments, we may act as a data processor on behalf of the hospital.

  2. Information We Collect

2A. Account & Profile

Name (or nickname), email (e.g., via Apple/Google sign-in)

Optional: phone, date of birth, gender, emergency contact

2B. Health & Activity (entered by you or your care team)

Time-series health data: blood pressure (AM/PM, systolic/diastolic, timestamp), medication adherence (taken/missed), rehab tasks (done/skip, duration), symptoms (e.g., dizziness, weakness, speech issues), free-text notes you enter

Care plan & notes added by your assigned clinician(s)

Device readings sent by connected devices (e.g., compatible blood pressure monitors)

2C. Technical & Usage

App/device info, OS version, IP (transient), crash/diagnostic logs, and feature usage analytics (to improve the Services)

2D. Billing (if applicable)

Subscription status, product tier, transaction identifiers via [RevenueCat or hospital invoicing]

We do not collect precise GPS/location by default.

  3. Special Category Data (Health Data)

    We process health-related data to deliver the Services with your consent, to perform a contract (provide requested features), for legitimate interests (service safety, research in de-identified form), or to comply with legal obligations. Where required by law or hospital policy, we will obtain explicit consent.

  4. How We Use Data

    Provide daily check-ins and AI-generated summaries (e.g., Pretest Probability, Top Contributors, Diagnostic Support Note)

    Send reminders, requests from your doctor (e.g., “BP AM/PM × 7 days”), and safety alerts (e.g., red-flag instructions to seek emergency care)

    Maintain accounts, detect abuse, ensure security, and improve features

    Produce de-identified statistics and product analytics

    We do not use your health data for advertising or sell your personal data.

  5. Sharing & Disclosures

    Your care team & hospital: If your account is linked to a hospital/clinic, your assigned clinicians can view your relevant data and generated reports.

    Service providers (sub-processors):

    Supabase (hosting/database/storage)

    OpenAI/OpenRouter (text processing only; no images sent)

    [RevenueCat or equivalent] (subscription management, if consumer plan)

    These vendors access only what’s needed to operate the Services and are bound by contracts and their own privacy policies.

    Legal & safety: We may disclose data if required by law, or to protect you or others from imminent harm.

    Business transfer: If StrokeGuard is acquired/merged, your data may transfer to the new owner, who will continue to honor this Policy.

  6. Data Storage & Security

    Encryption in transit (TLS) and at rest (AES-256 where supported)

    Role-based access control, least privilege, and audit logs for clinical actions

    Backups and disaster recovery policies

    We take reasonable administrative, technical, and physical safeguards; however, no system is 100% secure.

  7. International Transfers

    Your data may be processed on servers outside your country. Where legally required, we use appropriate safeguards (e.g., contractual clauses) for cross-border transfers.

  8. Your Rights

    Depending on your jurisdiction (e.g., Indonesia PDP Law No. 27/2022, GDPR, etc.), you may have rights to:

    Access, correct, or delete your data

    Request portability

    Object to or restrict processing

    Withdraw consent (processing before withdrawal remains lawful)

    Contact [[email protected]] to exercise rights. If your account is managed by a hospital, we may redirect requests to the hospital (as data controller).

  9. Children’s Privacy

    StrokeGuard is not directed to children under 13. If you believe a child provided personal data, contact us to delete it. For minors using StrokeGuard under a hospital program, parental/guardian consent may be required per local law.

  10. Data Retention

    We retain data as long as your account is active or as needed to provide the Services, comply with legal obligations, or resolve disputes.

    Consumer (direct) accounts: you may request deletion anytime.

    Hospital-managed accounts: retention follows hospital policy and medical record rules; requests may be routed to the hospital.

  11. AI & Automated Outputs

    StrokeGuard uses algorithms to produce decision-support outputs (e.g., risk tiers, summaries). Outputs are explainable (e.g., Top Contributors) and are not autonomous diagnoses. Clinical decisions remain with clinicians.

  12. Changes to this Policy

    We may update this Policy. We’ll post the new “Effective Date” and, where required, notify you. Continued use means you accept the updated Policy.

  13. Contact

    [Legal Entity / DPO (if any)]

    Email: [[email protected]]

    Address: [Address, City, Country]
