Plain language summary: Mr. Spike stores your health data locally on your device. If you create an account, data is synced securely to our servers to enable AI personalization. We never sell your data. Health data is never shared with third parties for advertising purposes.
1. Information We Collect
Information You Provide Directly
- Account information: email address, name (optional), password (hashed)
- Health profile: glucose target range, low threshold, very low threshold, measurement units (mg/dL or mmol/L)
- Lifestyle preferences: typical activity level, dietary preferences, hypo awareness level
- Rescue foods library: foods and portion sizes you define
Health Data You Log
- Blood glucose readings and trends (manual entry)
- Carbohydrate intake during rescue sessions
- Activity level and stress level inputs per session
- Rescue session outcomes (post-rescue glucose levels)
- Insulin information (if you choose to log it)
Automatically Collected Information
- App usage data (screens visited, features used) — used only to improve the app
- Device information: device type, operating system version, app version
- Crash reports and error logs (anonymized)
What We Do Not Collect
- We do not collect your location without explicit permission
- We do not access your contacts, camera, or microphone without your consent
- We do not collect data from other apps or services without your explicit authorization
2. How We Use Your Information
We use the information we collect to:
- Provide and operate the Mr. Spike app and its features
- Generate personalized glucose rescue recommendations based on your history
- Improve the AI recommendation engine using your session outcomes (securely, associated with your account only)
- Send push notifications for rescue session reminders and outcome check-ins
- Provide customer support
- Improve and develop new features (using aggregated, anonymized analytics)
- Ensure the security and integrity of our services
We do not use your health data for advertising, marketing profiling, or any purpose unrelated to providing the Mr. Spike service.
3. Data Storage & Security
Local-First Architecture
All health data is stored locally on your device first. You can use Mr. Spike in offline mode without any data leaving your device.
Account Sync (Optional)
If you create a Mr. Spike account, your data is synced to our secure servers to enable AI personalization across devices and to preserve your history. This sync is encrypted in transit (TLS 1.3) and at rest (AES-256).
Security Measures
- All data transmission is encrypted using TLS 1.3
- Health data at rest is encrypted using AES-256
- Passwords are hashed using bcrypt; we never store plain-text passwords
- We conduct regular security reviews
- Access to your data by our team is restricted and logged
4. Health Data
Mr. Spike handles health data — specifically blood glucose levels, dietary information, and related health metrics. We treat this data with the highest level of care and protection.
- Your health data is used exclusively to provide and improve the Mr. Spike service for you
- Health data is never sold to third parties
- Health data is never used for insurance, employment, or advertising purposes
- We do not share identifiable health data with third parties, except as required to provide the service (e.g., secure cloud storage providers under strict data processing agreements)
⚕️ Important: Mr. Spike is a decision-support tool, not a medical device. The information you log is used solely to improve your in-app experience. It is not shared with healthcare providers, insurance companies, or any medical system.
5. Sharing Your Information
We do not sell, rent, or trade your personal information. We may share information only in the following limited circumstances:
- Service providers: We use trusted third-party services for secure cloud storage and infrastructure. These providers are bound by strict data processing agreements and may not use your data for their own purposes.
- Legal requirements: We may disclose information if required by law, court order, or governmental authority.
- Safety: We may disclose information if we believe it is necessary to protect the safety of a user or others.
- Business transfers: If Mr. Spike is acquired or merged, your data may be transferred. We will notify you in advance and you may delete your data before any transfer.
6. Data Retention
We retain your data for as long as your account is active or as needed to provide the service.
- You may delete your account and all associated data at any time from the app's Settings screen
- Upon account deletion, we will delete your data within 30 days, except where retention is required by law
- Local app data (stored on your device) is deleted when you uninstall the app
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of your personal data we hold
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your account and associated data
- Portability: Request an export of your data in a portable format
- Restriction: Request that we restrict processing of your data
- Objection: Object to certain types of processing
To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days.
8. Children's Privacy
Mr. Spike is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us at [email protected] and we will delete that information promptly.
Users aged 13–17 should only use Mr. Spike with parental consent and guidance, and ideally in consultation with their diabetes care team.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will notify you through the app and/or by email at least 14 days before the changes take effect.
Your continued use of Mr. Spike after the effective date of any changes constitutes your acceptance of the updated policy.
Previous versions of this Privacy Policy are available upon request.
10. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
- Email: [email protected]
- Support: mrspike.app/support