1. Who we are
Thyroid Rehab is an informational support tool for thyroid rehabilitation. Through the app, users receive a personalised daily plan, symptom tracking and information on supplements. The data controller is the Thyroid Rehab team. For any data-related question please contact us at support@thyroidrehab.bg.
2. What data we collect
We collect the following categories of data:
- Identification: name, email and profile image from the Google account used to sign in.
- Health data (special category): symptoms, energy, sleep, pain, mood, weight, journal entries, and blood markers (TSH, fT3, fT4, antibodies) when you voluntarily enter them.
- Gamification: streaks of completed days, experience points and earned milestones.
- Technical: push-notification tokens, IP address recorded when you acknowledge the health disclaimer, last login timestamp.
3. Why we collect it (legal basis)
The data is used only to generate your personalised plan, compute AI correlations between symptoms and nutrition, send reminders (push notifications) and present progress analytics inside the app. We do not engage in behavioural advertising and we do not profile users for marketing purposes.
Legal bases under GDPR:
- Consent (Art. 6(1)(a)) — for creating an account and providing the service.
- Explicit consent for special category data (Art. 9(2)(a)) — health data (symptoms, blood markers) is processed solely on the basis of your explicit consent, which you may withdraw at any time.
- Performance of a contract (Art. 6(1)(b)) — operation of the app according to the plan you have chosen.
4. How we store and protect data
- Encryption at rest: blood markers are stored in the database encrypted with AES-256-GCM, an authenticated mode, so a stored value that has been modified is rejected rather than decrypted.
- Encryption in transit: all traffic between your device and our servers is protected with HTTPS/TLS.
- Access control: access to the encryption key is limited to the server processes that read and write markers for your own account.
- Infrastructure: data is hosted with providers offering GDPR guarantees (see section 8).
5. Data retention
Data is retained while your account is active. After an account deletion request the data is removed within 30 days. Records which we are legally required to retain for longer (e.g. financial documents) are kept only for the required period and used solely for that purpose.
6. Your rights (GDPR)
Under Regulation (EU) 2016/679 (GDPR) you have the following rights:
- Right of access — Art. 15.
- Right to rectification of inaccurate data — Art. 16.
- Right to erasure (“right to be forgotten”) — Art. 17.
- Right to restriction of processing — Art. 18.
- Right to data portability — Art. 20.
- Right to withdraw consent at any time — Art. 7(3).
You can exercise your rights by sending an email to support@thyroidrehab.bg. We respond within 30 days. For blood markers there is also a direct in-app consent withdrawal available in the “Settings” section, which automatically deletes all stored markers.
9. International data transfers
Some of the processors (Vercel, Stripe, Anthropic, Google) are based in the US. Transfers to these processors are carried out on the basis of Standard Contractual Clauses (SCC) pursuant to GDPR Art. 46(2)(c) or, where the processor is certified under it, the EU-US Data Privacy Framework (adequacy decision pursuant to Art. 45).
10. Complaints
If you believe that the processing of your data violates GDPR, you have the right to file a complaint with the Commission for Personal Data Protection (CPDP): 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592 · www.cpdp.bg.
11. Changes to this policy
For material changes we will notify you by email and via in-app notification at least 14 days before the changes take effect. The current version of this policy is always available on this page.
12. GDPR contact
For questions about personal data protection or this policy, contact us at support@thyroidrehab.bg. We will respond within 30 calendar days.