Health Data Processing
This document supplements the Privacy Policy with technical details about how we handle health data. Health data is a special category under Art.9 GDPR, so we describe its processing separately and transparently.
1. Sources of health data
Health data enters Health OS in one of three ways, always initiated by you:
- API integrations — you connect your Oura, RescueTime, or GitLab account. We store OAuth tokens encrypted and periodically pull data.
- File upload — Google Timeline (JSON), YouTube History (Takeout), CSV exports. Files are processed server-side, useful fields are extracted into a normalized format; source files may be retained in Google Cloud Storage (europe-west1) as a backup.
- Manual entry — self-reports (mood, energy, brain fog), cognitive test results (PVT), protocol notes.
You decide which sources to connect and what to upload. Integrations can be disconnected at any time in Settings.
2. Where data is stored
| Layer | Provider | Region | Contents |
|---|---|---|---|
| Primary DB | MongoDB Atlas | EU (Ireland) | Profile, health metrics, protocol runs |
| Files | Google Cloud Storage | europe-west1 | Uploaded exports (Timeline, Takeout) |
| Session store | MongoDB Atlas | EU (Ireland) | Session identifiers (connect.sid) |
| Public site | Cloudflare Pages | Global CDN | Static landing content only, no PII |
| Analytics | PostHog EU | EU (Frankfurt) | Anonymous UI events, no health data |
Data does not leave the EU during processing. Cloudflare serves only the public landing (health-os.app); the app (os.health-os.app) talks directly to EU infrastructure.
3. Encryption
- In transit: all connections over TLS 1.2+. Internal service-to-service likewise.
- At rest:
- MongoDB Atlas encrypts volumes AES-256 at the provider level.
- Google Cloud Storage encrypts objects AES-256 by default.
- Sensitive fields (integration OAuth tokens) are additionally encrypted by the application using
ENCRYPTION_KEY, kept in server secrets and not externally accessible.
- Backups: automated MongoDB Atlas snapshots with 7-day retention; also encrypted.
4. Who has access
- You — to your own data through the UI and via export.
- Operator (Nikita Nikitenok) — has technical access for operational support and development. We do not read individual health data without your explicit request (e.g. when helping you debug). Any such access is logged.
- Providers (Atlas, GCS, PostHog) — have access to encrypted infrastructure within their processor obligations under applicable DPAs.
We do not sell and do not share health data with third parties for marketing or AI-model training.
5. Retention
- Health metrics and test results — as long as the account exists.
- Uploaded files (Timeline, Takeout) — the source file can be deleted after processing; normalized data stays with your account.
- Integration OAuth tokens — until the integration is disconnected, then deleted within 24 hours.
- Application logs — 14 days (no health data, request traces only).
- Analytics events (PostHog) — 90 days.
- Backups — 7 days after deletion.
6. Deletion
- Account deletion — email [email protected] from your account email. After we confirm:
- The session is terminated and the account is locked out.
- Within 30 days, health data, protocol runs, settings, OAuth tokens, and GCS files are cascade-deleted (the admin path performs a single cascade-delete pass over the user’s documents; backups expire separately).
- Within 7 days after cascade-delete, data is purged from backups (retention expires). (A self-service delete button in Settings is on the roadmap.)
- Integration disconnect — Settings → Integrations → Disconnect removes the stored OAuth token and stops future sync. Previously imported metrics stay under your account; to remove them too, email us with the integration name and date range, or request full account deletion.
- Data export — Settings → Export all data (full ZIP / metrics CSV·JSON / events CSV·JSON), or by email.
7. Data breach plan
If we discover a breach affecting your health data:
- We will notify the regulator (State Data Protection Inspectorate of Lithuania) within 72 hours.
- We will notify you by email without undue delay.
- We will describe the nature of the breach, the data categories involved, and recommended actions.
8. Sub-processors (list)
- MongoDB Atlas (MongoDB Inc., servers in Ireland) — primary storage.
- Google Cloud Platform (Google Ireland Ltd., europe-west1) — compute + GCS.
- Cloudflare (Cloudflare Inc., global CDN, EU edge where possible) — public site only.
- PostHog (PostHog Inc., EU region) — analytics.
- Google OAuth (Google Ireland Ltd.) — authentication.
This list is kept current; changes are reflected in updatedAt.
9. Contact
Data protection questions: [email protected].