PoopApp (“the Application”, “we”, “us”) is a digital-health journaling tool for iOS and Android. This Privacy Policy describes the Personal Data we process, why we process it, how it is stored and shared, and the rights you have over your data. It applies to all Users of the Application worldwide.
PoopApp is a digital-health journaling tool. To provide its core service, the Application collects health-related Personal Data that you choose to log, including:
Apple HealthKit data is read-only. The Application never writes back to HealthKit, and HealthKit data is never used for advertising or shared with data brokers, ad networks, or other third parties for marketing. A copy of the values needed for personalised insights is cached locally on the device and may be sent to our analysis backend (see below) to compute correlations between fibre / water intake and stool patterns.
Bowel-movement photos and the metadata listed above are transmitted over a TLS connection to our backend (hosted on Amazon Web Services) and processed by an artificial-intelligence vision provider acting as a sub-processor of the Owner. Photos and metadata are processed solely to return an analysis to you and are not used to train third-party models, sold, or used for advertising.
The full bowel-movement history and any HealthKit values cached for personalised insights remain on your device by default. Doctor reports (PDF / CSV) are generated locally; nothing is uploaded unless you choose to share the file. You can revoke HealthKit access at any time from iOS Settings › Privacy & Security › Health › PoopApp, and you can erase all locally-stored data and your guest account from the “Account › Delete my data” control in the Application's Settings, or by deleting the Application.
PoopApp is not a medical device and does not provide medical advice, diagnosis or treatment. Always consult a qualified clinician for medical decisions.
The Data Controller responsible for the processing described in this Privacy Policy is the operator of PoopApp. For privacy-related requests — including access, correction, deletion, portability, or revocation of consent — please contact us at support@mobisec.lk.
PoopApp does not require you to create an account, sign in with email or password, or sign in via Google / Facebook / Apple. On first launch the Application creates an anonymous “guest” account that is identified by a JSON Web Token (JWT) stored in the device's secure keychain. The token contains a randomly-generated user identifier, a credit balance, and an issued-at timestamp. It does not contain your name, email, or any other contact detail.
The Application processes the following health-related data that you provide:
Apple HealthKit data and your local journal stay on the device by default. A minimum subset of the entry being analysed (the photo, the self-reported attributes, the Health Mode, the preferred report language, and any HealthKit fibre / water value cached for that entry) is transmitted to our backend each time you request an AI analysis.
The Application and the third-party SDKs listed below process device information (model, OS version, app version, language, country / region), crash diagnostics, performance metrics, and product-interaction events (such as “analysis started”, “paywall viewed”, “health mode changed”).
On iOS, if you grant permission via Apple's App Tracking Transparency prompt, the Application uses your IDFA (Identifier for Advertisers) and sends product-interaction events to TikTok for ad-attribution and measurement. If you decline ATT, no IDFA is collected and no cross-app/cross-site tracking occurs. The decision is reversible at any time from iOS Settings › Privacy & Security › Tracking.
Subscriptions and one-time credit purchases are processed by Apple (App Store) or Google (Google Play). Receipt validation and entitlement management are performed via RevenueCat. The Application receives the entitlement, the price string from RevenueCat, and the platform purchase timestamp; it does not receive your full payment-card number or billing address — those remain with the platform.
Under the EU and UK General Data Protection Regulation (GDPR / UK GDPR), the Brazilian LGPD, and equivalent regimes that require a lawful basis, we process Personal Data on the bases set out below.
We use a small number of third-party services to operate PoopApp. None of them sells your data, and none of them receives your bowel-movement journal in bulk. The current list is:
Some of these processors are located in the United States. Data transfers outside the European Economic Area / United Kingdom rely on the European Commission's Standard Contractual Clauses, on the EU-U.S. / UK-U.S. Data Privacy Framework where the recipient is certified, or on your explicit consent under Article 49 GDPR.
Your bowel-movement journal, your onboarding answers, your selected Health Mode, your fibre-subtype entries, and any HealthKit values cached for insights are stored on your device until you delete the corresponding entry, use “Account › Delete my data” in Settings, or uninstall the Application.
Photos and request context that pass through the analysis backend are retained only for the period strictly necessary to return the analysis and to provide a short anti-abuse and operational audit window (typically days, not months), after which they are deleted. Aggregated, non-identifying telemetry (crash diagnostics and product analytics) may be retained for longer in line with each processor's own retention schedule.
RevenueCat retains purchase metadata for as long as required by Apple / Google for refund and entitlement-management purposes.
Subject to applicable law, you have the right to:
The fastest way to exercise the right of erasure is to use “Settings › Account › Delete my data” inside the Application, which wipes your local journal, your guest JWT, and all locally-cached preferences from the device. For all other rights, please write to support@mobisec.lk.
If you are a resident of California (CCPA / CPRA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA) or Virginia (VCDPA), you have additional rights, including the right to know, the right to delete, the right to correct, and the right to opt out of “sale” or “sharing” of Personal Data and of targeted advertising.
PoopApp does not sell your bowel-movement data, your photos, your HealthKit values or your free-text notes. The only Personal Data that may be considered “shared” or used for targeted advertising under these statutes is your IDFA and the conversion events sent to TikTok for ad-attribution — and only when you have granted App Tracking Transparency permission. You can opt out at any time by revoking that permission in iOS Settings.
To exercise any of these rights, contact us at support@mobisec.lk. We will respond within the timeframe required by the applicable law.
If you are in Brazil, the Brazilian General Data Protection Law (LGPD) gives you the rights of access, correction, anonymisation, blocking, deletion, portability, information about with whom your data is shared, and revocation of consent. Health-related data is processed on the basis of explicit consent (Art. 11(I) LGPD), and you may withdraw consent at any time using the in-app deletion control or by contacting us.
PoopApp is not directed at children under 13 (or the equivalent jurisdictional age, where higher) and we do not knowingly collect Personal Data from them. If you are a parent or guardian and believe your child has provided us with Personal Data, please contact us at support@mobisec.lk and we will delete it.
Photos and request context are transmitted to the analysis backend over
TLS. Your journal and HealthKit cache are stored in the device's local
sandbox using expo-sqlite and platform-level secure storage
for the JWT (Apple Keychain / Android Keystore via
expo-secure-store). No security mechanism can guarantee
absolute protection of data on the internet; however, we follow industry
best practices and we limit the amount of Personal Data leaving the device
to what is strictly necessary to provide the service.
PoopApp is not a medical device. The information that it surfaces — including AI-generated commentary, Health Mode framing, fibre correlations and doctor reports — is provided for informational and educational purposes only and is not a substitute for professional medical advice, diagnosis or treatment. You are encouraged to consult a qualified clinician for any medical decision. The Application explicitly invites you to share its reports with a clinician of your choice; the clinician (not PoopApp) decides what is medically relevant for your care.
We may update this Privacy Policy from time to time. The latest version is always available at this URL, and the “Latest update” date in the footer reflects the most recent change. Where a change materially affects processing carried out on the basis of your consent, we will ask for new consent via the Application before that processing begins.
Questions about this Privacy Policy, or any of the rights described above, should be sent to support@mobisec.lk.