1. Controller
The controller is Luis Eduardo Rodríguez Ayuso, owner of Endokaira under the commercial name Daelya. Privacy contact: eduayuso@gmail.com. Full identifying details are listed in the Legal Notice.
2. Data we process
| Category | Examples | Source |
|---|---|---|
| Account | User ID, email, name if provided and sign-in provider. | User, Apple, Google or another authentication provider. |
| Health and wellbeing data | Pain, symptoms, menstrual cycle, factors such as sleep or stress, history, patterns and reports. | User and app-generated calculations. |
| Subscription | Purchase status, product, receipts or store identifiers. | Apple App Store or Google Play. |
| Technical data | Device, app version, language, errors and performance metrics if enabled. | App and technical providers. |
| Preferences | Consents, reminders and notification settings. | User and app. |
3. Legal basis
- Providing the app: contract performance or pre-contractual steps.
- Health data: explicit consent for special-category data.
- Notifications and optional analytics: consent or user-requested settings where required.
- Purchases, support and legal obligations: contract, legal obligation or legitimate interest depending on the case.
- Security and maintenance: legitimate interest unless law requires another basis.
4. Explicit consent for health data
Before the first health log, Endokaira requests two separate actions: acceptance of this policy and the terms, and explicit consent to process health data. You may withdraw consent by writing to eduayuso@gmail.com or using available app options.
Withdrawal does not affect processing that happened before withdrawal, but it may prevent Endokaira from providing features that depend on those data.
5. Purposes
- Show your symptom, cycle, factor and daily log history.
- Generate signals, comparisons, reports and guidance estimates based on your logs.
- Manage account, authentication, support, security and subscriptions.
- Comply with legal obligations and respond to rights requests.
- Improve stability and performance through technical data where applicable.
6. Predictions and automated decisions
Endokaira may process your logs to show probabilistic patterns or estimates. These results are not diagnoses, are not automated clinical decisions and have no legal effect on you.
7. Providers, recipients and international transfers
Endokaira uses technical providers to provide the app, host the legal website, authenticate users, manage purchases, maintain security, respond to support requests, and operate optional features such as notifications or analytics. The current operational list is:
| Provider or recipient | Use | Data it may process |
|---|---|---|
| Cloudflare, Inc. | Website hosting on Cloudflare Pages, CDN, DNS, security and Cloudflare web analytics if enabled. | IP address, visited URL, headers, technical logs, aggregated usage metrics and static files served from daelya.com. |
| Railway Corporation | Hosting for the Daelya backend API in Amsterdam, Netherlands. | API traffic, technical logs, account identifiers and data sent to the backend. |
| MongoDB, Inc. (MongoDB Atlas) | Production database in Paris, France. | Account, profile, consents, daily logs, symptoms, factors, notes and backend-stored derived data. |
| Google LLC / Firebase | Firebase Authentication, Remote Config, Cloud Messaging, Crashlytics when active and Firebase/Google Analytics when you consent and it is active. | User and installation identifiers, email/name if provided by the sign-in provider, tokens, remote configuration, notification tokens, technical metrics, usage events, error reports and device/app metadata. |
| Google LLC / Google Play | Google sign-in and Android purchases or subscriptions through Google Play Billing. | Google account data needed for sign-in, purchased product, subscription status, purchase identifiers and purchase tokens. |
| Apple Inc. | Sign in with Apple, App Store, StoreKit and APNs notifications on iOS. | Apple identity if you share it, private relay or real email, purchased product, subscription status, transactions and technical notification tokens. |
| Google LLC / Gmail | Mailbox for support, privacy and legal communications. | Email address, name and content you voluntarily send to eduayuso@gmail.com. |
We have not identified use of Cloud Firestore, RevenueCat, AdMob, Sentry, Mixpanel, Amplitude, PostHog, Stripe, external Google Fonts delivery or data brokers in the current Endokaira implementation.
If a provider is outside the EEA, we will apply appropriate safeguards such as adequacy decisions, standard contractual clauses, the Data Privacy Framework or other permitted mechanisms.
We do not sell personal data or share health data with advertisers or data brokers.
8. Retention and deletion
We apply storage limitation: each data category is kept only while needed for its purpose or while a legitimate retention obligation applies.
- Local app data: logs stored only on your device are kept until you delete your account from the app, erase the app data or uninstall the app. Account deletion removes the local user and daily logs from the local database.
- Account and synced logs: if you sign in, the backend keeps your account, app profile and daily logs while the account is active. When you confirm account deletion in the app or request it by email, we delete the user, app profiles and associated daily logs from active systems, and request deletion of the Firebase Authentication account.
- Purchases and subscriptions: Google Play and Apple retain transaction records under their own obligations. Endokaira keeps only the status needed to activate or restore a subscription while needed to provide the service, resolve issues or meet legal obligations.
- Support and legal requests: emails and communications are kept while handling the request and, where relevant, for the period needed to evidence the response, meet obligations or defend claims.
- Logs, diagnostics and backups: technical providers may keep logs, diagnostics and temporary backup copies until rotation or deletion under their configuration, security and applicable obligations.
9. Your rights
In the EU/EEA, UK and similar jurisdictions, you may request access, rectification, erasure, objection, restriction, portability and withdrawal of consent. We will respond within the applicable legal period; in the EU, this is normally within one month of receiving the request, extendable where permitted. You may also lodge a complaint with the competent supervisory authority.
10. Minors
Endokaira is not directed to users under 16. If local law requires a higher age or parental consent, you must meet that requirement before using the app.
11. United States users
Some US states recognize specific rights over consumer health data. See the Consumer Health Data Notice. Endokaira is not intended to be offered by a HIPAA covered entity or business associate unless specifically agreed in writing.