Privacy Policy

Lycana ("we," "our," or "the app") is a lupus health companion application built with a privacy-first architecture. All your health data is stored locally on your device, protected by the iOS Keychain, and never transmitted to our servers — because we don't have any.

1. Data We Collect

Information You Provide

Name, date of birth, biological sex, and ethnicity
Lupus diagnosis details (date, type, organ involvement, disease activity)
Medications and supplements (names, dosages, schedules)
Lab results (entered manually or scanned from documents)
Healthcare providers (names, specialties, contact info)
Symptom logs, severity ratings, and daily health entries
Lifestyle information (sleep quality, stress level, activity level, sun sensitivity)
Food logs and dietary preferences
Personal goals for health management

Health & Fitness Data (Apple HealthKit)

With your explicit permission, Lycana reads the following from Apple Health:

Heart rate, resting heart rate, and heart rate variability (HRV)
Step count
Blood oxygen saturation (SpO2)
Skin temperature
Sleep analysis (duration, stages)

Lycana only reads HealthKit data. It never writes data back to Apple Health.

Coarse Location

With your permission, Lycana accesses your approximate location (city-level, ~1 km accuracy) solely for weather and UV index lookups. Your precise location is never stored or transmitted. You can provide a manual location in Settings instead.

Camera & Photo Library

With your permission, Lycana uses the camera or photo library to scan lab documents and nutrition labels. Images are processed on-device using Apple Vision OCR. The images are not stored — only the extracted text and values are retained locally.

Microphone & Speech

With your permission, Lycana uses the microphone and on-device speech recognition to enable voice dictation for symptom notes and health entries. This is an accessibility feature for users who find typing difficult during flares. Audio is processed locally and is never recorded or transmitted.

2. How Your Data Is Stored

On-Device Keychain Storage

Your health data never leaves your device. All Protected Health Information (PHI) — medications, supplements, lab results, symptom logs, diagnosis details, healthcare providers, food logs, and ML model weights — is encrypted using the iOS Keychain with the strictest access level (whenUnlockedThisDeviceOnly). This means:

Data is encrypted by the device's Secure Enclave
Data is only accessible when your device is unlocked
Data is never included in iCloud or iTunes backups
Data cannot be migrated or transferred to another device

Data Category	Storage	Leaves Device?
Medications, supplements, labs	Keychain	Never
Symptom logs, SLEDAI scores	Keychain	Never
User profile, medical history	Keychain	Never
Food logs, dietary data	Keychain	Never
ML model weights, predictions	Keychain	Never
Scanned document images	Not retained	Never
Location (for weather)	Cached 10 min	Coordinates only*

* Approximate coordinates are sent to Apple WeatherKit (or OpenWeather as a fallback) solely to retrieve weather and UV data. No health information is included in these requests.

3. On-Device AI & Machine Learning

All of Lycana's intelligence runs entirely on your device. No health data, model weights, or AI interactions ever leave your iPhone.

Luna AI Coach — powered by Apple Foundation Models running on the device's Neural Engine. Generates personalized greetings, meal ideas, and encouragement. Falls back to built-in templates when the on-device model is unavailable.
Flare Risk Prediction — custom machine learning models (logistic regression and gradient-boosted trees) that train and predict locally using your symptom, wearable, and lab data. When you provide feedback on past predictions, that feedback stays on your device.
Lab Document OCR — Apple Vision framework processes scanned documents on-device. No images are sent to external services.
Speech Recognition — Apple's on-device speech framework converts voice to text locally.

4. Third-Party Services

Lycana does not sell, share, or transmit your health data to any third party. The only network requests Lycana makes are:

Service	Data Sent	Purpose
Apple WeatherKit	Latitude, longitude	Weather and UV index for sun safety alerts
OpenWeather API (fallback)	Latitude, longitude	Weather data when WeatherKit is unavailable
ClinicalTrials.gov	Condition keywords	Browsing public clinical trial listings

No health information, personal details, or identifiers are included in any of these requests. We do not use any analytics SDKs, advertising frameworks, or tracking technologies.

5. Apple HealthKit Compliance

In accordance with Apple's HealthKit guidelines:

HealthKit data is never used for advertising or marketing purposes
HealthKit data is not sold to data brokers or information resellers
HealthKit data is not shared with third parties without your explicit consent
HealthKit data is used exclusively to provide health features within the app
HealthKit data is only read — Lycana never writes data to Apple Health

6. Device Permissions

Lycana requests only the permissions it needs, and each is optional. You can revoke any permission at any time in iOS Settings. The app continues to function with reduced features.

Permission	Why
HealthKit	Read wearable and health data for flare risk analysis
Location (When In Use)	Fetch weather and UV index for sun safety alerts
Camera	Scan lab documents and nutrition labels
Photo Library	Import lab documents from saved photos
Microphone	Voice dictation for symptom notes
Speech Recognition	On-device speech-to-text
Notifications	Medication reminders, UV alerts, flare warnings

7. Security

Lycana's fully on-device architecture is its strongest security feature — your data cannot be breached remotely because it is never transmitted. Additional security measures include:

iOS Keychain encryption with Secure Enclave for all sensitive health data
On-device ML model weights encrypted alongside health data
No servers, no cloud storage, no network transmission of health data
No user accounts — no credentials to compromise
All AI processing runs locally on the device's Neural Engine
Optional biometric authentication (Face ID / Touch ID) for sensitive operations

8. Data Retention & Deletion

Your data is stored on your device for as long as you use the app. You are in full control:

Delete your account — available in Settings → Profile → Delete Account. This permanently erases all data from the Keychain (medications, supplements, labs, symptom logs, user profile, healthcare providers, food logs, ML model weights, and all other health data) and resets the app to its initial state.
Uninstall the app — removing Lycana from your device deletes all stored data, including Keychain entries.

Because Lycana has no servers or cloud storage, there is no remote data to delete. Deletion is immediate and complete.

9. HIPAA Notice

Lycana is a personal health tracking tool and is not a "covered entity" or "business associate" under the Health Insurance Portability and Accountability Act (HIPAA). While we implement strong security measures to protect your data, the app is not intended to be used as part of a HIPAA-regulated workflow.

10. Children's Privacy

Lycana is not intended for use by children under the age of 17. We do not knowingly collect personal information from children. If you believe a child has provided information through the app, please contact us so we can delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes through an in-app notice and by updating the "Last updated" date above. Your continued use of Lycana after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or your data, please contact us:

Email: n.g.paskov@gmail.com
Support: lycana.app/support