Privacy Policy

Last updated: February 17, 2025

Lycana ("we," "our," or "the app") is a lupus health companion application. We are committed to protecting your privacy and handling your health information with the utmost care. This Privacy Policy explains what data we collect, how we use it, and how we protect it.

1. Data We Collect

Health & Fitness Data

With your explicit permission, Lycana accesses health data through Apple HealthKit, including heart rate, heart rate variability (HRV), sleep analysis, step count, blood oxygen saturation, and skin temperature. This data is used solely to provide flare risk predictions and health insights within the app.

Information You Provide

  • Medication names, dosages, and schedules
  • Supplement information
  • Symptom logs and severity ratings
  • Laboratory test results
  • Condition and diagnosis information
  • Notes and journal entries

Anonymous User Identifier

Lycana uses Firebase Anonymous Authentication to create a unique identifier for your account. This ID is not linked to your name, email, or any personally identifiable information. It is used solely for syncing preferences and enabling cloud-based AI features.

Coarse Location

With your permission, Lycana accesses your approximate location to provide UV index warnings and weather-based health recommendations. Your precise location is never stored or transmitted to our servers. You can also set a manual location in Settings instead.

Diagnostics

If you opt in, we collect anonymized crash reports and performance data to improve the app. This data contains no health information or personal identifiers.

2. How Your Data Is Stored

On-Device Storage

Your health data is primarily stored on your device. Sensitive health information (medications, symptoms, lab results) is encrypted using the iOS Keychain, Apple's most secure storage mechanism. Structured data such as schedules and preferences use SwiftData (on-device database). Non-sensitive preferences (appearance settings, onboarding state) use UserDefaults.

What Is NOT Stored on Our Servers

  • Your medications, dosages, or schedules
  • Your symptom logs or severity data
  • Your lab results
  • Your HealthKit data
  • Your precise location

3. Third-Party Services

Firebase (Google)

We use Firebase Anonymous Authentication for account management and Firebase Cloud Functions for server-side AI processing. Firebase receives your anonymous user ID but no health data. See Firebase Privacy Policy.

AI Features (Claude via Firebase Cloud Functions)

Lycana's AI coach "Luna" and meal suggestion features use Anthropic's Claude AI, accessed through our Firebase Cloud Functions. When you use AI features, relevant context (such as your dietary preferences or a general health query) is sent to our secure server function, processed by Claude, and the response is returned to your device. No Protected Health Information (PHI) is stored server-side. AI requests are ephemeral and not logged.

Weather Services

We use Apple WeatherKit and OpenWeather API to provide UV index and weather data based on your location. These services receive only your approximate coordinates, not any health or personal data.

4. Data Sharing

We do not sell your data. We do not share your health information with advertisers, data brokers, or any third parties for marketing purposes.

In the future, Lycana may offer an opt-in research data donation feature. If implemented, all donated data will be fully anonymized and de-identified before being shared with lupus research organizations. Participation will always be voluntary and require explicit consent.

5. Data Retention & Deletion

Your health data is stored on your device for as long as you use the app. You can delete all your data at any time by:

  • Using the "Delete Account" option in Settings, which removes all local data and your anonymous Firebase account
  • Deleting the app from your device
  • Contacting us at privacy@lycana.app for complete data erasure

6. Apple HealthKit Compliance

In accordance with Apple's HealthKit guidelines:

  • HealthKit data is never used for advertising or marketing purposes
  • HealthKit data is not sold to data brokers or information resellers
  • HealthKit data is not shared with third parties without your explicit consent
  • HealthKit data is used exclusively to provide health features within the app

7. Children's Privacy

Lycana is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us so we can delete it.

8. HIPAA Notice

Lycana is a personal health tracking tool and is not a "covered entity" or "business associate" under the Health Insurance Portability and Accountability Act (HIPAA). While we implement strong security measures to protect your data, the app is not intended to be used as part of a HIPAA-regulated workflow.

9. Security

We implement industry-standard security measures including:

  • iOS Keychain encryption for all sensitive health data
  • HTTPS/TLS for all network communications
  • Firebase security rules for cloud resources
  • No server-side storage of Protected Health Information
  • Anonymous authentication (no email/password required)

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes through the app or by updating the "Last updated" date. Your continued use of Lycana after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or your data, please contact us: