Back to CardioTrack

Privacy Notice

Draft last updated May 10, 2026. This is not legal advice.

Who is the data controller

The data controller for CardioTrack is Dawood Togoo (sole operator), based in Doha, Qatar. Privacy questions, individuals' rights requests, and data breach reports should be sent to support@cardiotrack.example (also the contact for the designated Privacy Officer, Dawood Togoo).

What data the app may store on this device

Profile information you enter (name, age, sex, country, optional ethnicity), height, weight, blood pressure, heart rate, SpO₂, sleep, steps, medications and dose history, symptoms, documents you upload, lab results, source labels, risk-score inputs and snapshots, family-history entries, alerts, and a privacy audit log.

Health and special-category data

Health data and ethnicity are special-category personal data under Qatar Law No. 13 of 2016 (PDPPL Article 16) and equivalent provisions in GDPR Article 9. The app processes these only on the basis of your explicit consent, captured at onboarding and revocable in Settings → Privacy choices.

How data is used

Data is used solely to provide the in-app tracking, charts with source labels, risk calculations, medication safety rules, and the audit log. The app does not sell data, does not use data for advertising, and does not perform automated decision-making with legal effect. The cardiovascular risk calculators (e.g. AHA PREVENT 2024) are deterministic rule-based tools, not AI/ML systems, and are presented for educational use only.

Where data is stored

Application data is stored exclusively on this device's browser-localStorage (web) or app-sandboxed equivalent (iOS / Android) using local persistence. There is no backend database, no cloud sync, and no telemetry. Clearing browser data, uninstalling the app, or using another device removes or hides records.

Processors and any data sharing

The MVP does not transmit your personal or health data to any third party. The only entities that come into contact with non-data network requests are: hosting providers serving the static web bundle, your operating system platform (Apple HealthKit on iOS / Google Health Connect on Android - which keeps your data on-device), and Apple's App Store / TestFlight for app distribution. Apple and Google never receive your tracked health data; they distribute the app binary only.

Cross-border data transfers

Because data stays on this device, no cross-border transfers of your tracked health data occur. Hosting and app-distribution providers may operate from countries outside Qatar; these providers receive only network metadata (IP, user-agent) and do not receive your tracked data.

Retention

Data is retained on this device until you delete it. There are no automatic-deletion timers in the current build because all data is under your direct control. We recommend reviewing your stored data periodically and using Settings → Delete all data to wipe the device when you no longer want the records.

Your rights

You can: (1) access - every record is visible in the app and exportable as JSON or CSV via Settings → Export my data; (2) rectify - edit medications and onboarding details directly; (3) erase - Settings → Delete all my data clears every entry, or use clearAll-equivalent per-entity controls; (4) object / withdraw consent - Settings → Privacy choices toggles each consent and offers a 'Withdraw all' action; (5) portability - the JSON / CSV export is machine-readable; (6) lodge a complaint with the Qatar National Data Privacy Office (NDPO).

Security

On iOS, app data is sandboxed and protected by the platform's Data Protection class when the device is locked. On Android, app data sits in the per-app sandbox protected by Health Connect / OS controls. On web, browser localStorage is not encrypted at rest - for highly sensitive use, prefer the iOS or Android app. The app uses HTTPS for all network requests. There is no backend that holds your data.

Children

CardioTrack is intended for adults 18 and over. Onboarding asks you to confirm you are 18+. The app does not knowingly process data from minors. If you become aware that a minor has used the app, contact the privacy officer to have data erased.

Changes to this notice

This notice is reviewed at least annually and on any material change to the app's data handling. The current version date is shown above. When the consent-statement version changes, you will be asked to re-confirm consent on next launch.

Legal review status

This notice is a product draft. A Qatar-qualified privacy lawyer should review and approve it (and the Terms of Service) before public launch and before any wider TestFlight distribution beyond the developer's own device.