Last updated: March 2026
BP Tracker is a personal health monitoring application. We take the privacy of your health data seriously. This policy explains exactly what we collect, why, and how it is protected.
1. Who We Are
BP Tracker is developed and operated by FinMedTech. We are the data controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Email: hello@finmedtech.co.uk
2. What Data We Collect
2.1 Account Data
- Email address — used to identify your account and allow login
- First name and last name — displayed in the app
- Password — stored as a one-way bcrypt hash; we cannot read your password
2.2 Health Data (Special Category — GDPR Article 9)
- Blood pressure readings — systolic, diastolic, and pulse with date and time
- Optional notes — attached to readings
- Medications — name, dosage, frequency, start and end dates, reminder times
- Health profile — age and gender (used for AI analysis context only; stored locally on your device)
- Blood pressure goal targets — stored locally on your device
2.3 AI Chat Data
- Messages you send to the AI health assistant
- Blood pressure reading context you choose to share with the assistant
- AI responses and conversation history
2.4 Technical Data
- Authentication tokens — stored securely on your device; cleared on logout
- Biometric preference — enabled/disabled flag stored in device secure storage only; we never receive biometric data itself
- Device information — operating system and app version
2.5 What We Do Not Collect
- We do not collect your location
- We do not collect device identifiers or advertising IDs
- We do not use analytics or tracking SDKs
- We do not access your contacts, photos, or camera except when you explicitly use the reading entry feature
3. How We Use Your Data
| Data |
Purpose |
Legal Basis (UK GDPR) |
| Email, name, password |
Account creation and authentication |
Contract (Art. 6(1)(b)) |
| Blood pressure readings |
Storing, displaying, and syncing your health records |
Explicit consent (Art. 9(2)(a)) |
| Medications |
Medication tracking and reminder notifications |
Explicit consent (Art. 9(2)(a)) |
| AI chat messages |
Generating AI health guidance responses |
Explicit consent (Art. 9(2)(a)) |
| Auth tokens |
Maintaining your logged-in session securely |
Contract (Art. 6(1)(b)) |
4. Third-Party Services
4.1 Anthropic (AI Provider)
When you use the AI health assistant, your message and any blood pressure context you share are sent to Anthropic's Claude API to generate a response. Anthropic processes this data as a data processor on our behalf. We do not send your name, email address, or account details to Anthropic.
Anthropic's privacy policy: anthropic.com/privacy
4.2 Cloud Infrastructure
Your account data and readings are stored on an encrypted cloud database server. Data is encrypted in transit (TLS) and at rest. We do not use any third-party analytics, advertising, or tracking services.
4.3 Apple / Google
If you make a purchase through the app, payment is processed entirely by Apple (App Store) or Google (Play Store). We do not receive or store your payment card details. We receive only a confirmation of subscription status.
5. Data Storage and Security
- Encryption in transit — all communication via HTTPS/TLS
- Encryption at rest — database encryption on cloud servers
- Passwords — hashed using bcrypt with unique random salt; we cannot recover or read your password
- On-device storage — blood pressure readings are also stored locally in an encrypted SQLite database so the app works offline
- Biometric data — Face ID and fingerprint data never leaves your device and is handled entirely by the operating system
- Row-Level Security — database policies ensure users can only access their own data
6. Data Retention
We retain your data for as long as your account is active. When you delete your account (via Settings → Delete Account), all of the following are permanently and immediately deleted from our servers:
- Your account details
- All blood pressure readings
- All medication records
- All AI chat history
Local data on your device is also cleared at the time of account deletion.
7. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Access — request a copy of all data we hold about you
- Rectification — correct any inaccurate data
- Erasure — delete your account and all associated data at any time via Settings → Delete Account, or by contacting us
- Restriction — request we limit how we process your data
- Portability — export your readings as CSV via Settings → Export to CSV
- Objection — object to processing based on legitimate interests
- Withdraw consent — you may withdraw consent at any time by deleting your account
To exercise any right, contact us at hello@finmedtech.co.uk. We will respond within 30 days.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO): ico.org.uk.
8. Children
BP Tracker is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
9. International Data Transfers
Your data is primarily stored in the UK/EU. Some third-party services (Anthropic) may process data outside the UK/EU with appropriate safeguards in place.
10. Changes to This Policy
We may update this policy from time to time. When we do, we will update the "Last updated" date at the top and, for material changes, notify you via the app. Continued use of the app after changes constitutes acceptance of the updated policy.
11. Contact
For any privacy questions, data requests, or concerns:
← Back to BP Tracker