Your health data stays yours.

Who we are

Valeska is a personal chronic-care companion app published by PhoenixCKK LLC ("PhoenixCKK," "we," "us"). This policy applies to the Valeska iOS app and this website. By using Valeska, you agree to the practices described here.

Our regulatory status

Valeska is a personal health-informatics tool. It helps you organize the data you enter and surfaces observational patterns from it.

• Valeska is not a medical device and does not diagnose, treat, or provide medical advice. Always consult a qualified clinician.
• PhoenixCKK is not a HIPAA-covered entity and does not act as a HIPAA "business associate." We are a consumer software company.
• Even though HIPAA doesn't apply to us, we built Valeska's data handling to a high standard anyway — and we comply with the consumer-health-privacy laws that do apply (see Your rights and Health breach notification).

What we collect

• Account information — your name and email address, received from your sign-in provider (e.g., Sign in with Apple) when you create an account.
• Health information you enter — symptoms, medications, conditions, nutrition, water, mood, cycle data, questions for your doctor, severity ratings, notes, and the dates and times you log.
• Voice transcripts — when you use voice input, the transcribed text is processed on your device. Raw audio is never stored or transmitted.
• Apple Health data — only if you opt in: vitals (heart rate, blood pressure, blood oxygen, respiratory rate, body temperature), activity (steps, distance, energy), weight, sleep, and cycle data, read one-way into the app.
• Crash & performance diagnostics — to keep the app stable, we collect crash reports and basic performance data through a diagnostics service (Sentry). These are tied only to a random app identifier and contain no health data.

What we do not collect

• Biometric identifiers, fingerprints, or facial-recognition data
• Your precise location
• Your contacts, photos, or files (beyond documents you choose to add)
• Cross-app or cross-website tracking
• Advertising identifiers, or any data used for advertising

How we use your information

Your information is used solely to:

• Provide the Valeska service to you
• Sync your data across your devices (only if you enable cloud sync)
• Generate the visit-prep summaries you share with your doctor
• Look up reference information (drug and food data) you request
• Diagnose crashes and keep the app reliable

We do not use your health data for advertising, marketing, profiling, data mining, or to train AI models — and we never sell it.

Cloud sync is off by default

Valeska works fully offline. Unless you turn on cloud sync (a Pro feature), your health data never leaves your device — there is no copy of it on our servers. When you do enable sync, your data is stored on Supabase infrastructure (hosted in the United States) under our control, encrypted in transit and at rest, and protected by per-user access controls.

Who has access

Your health data is private to you.

• We do not sell, rent, or share your information with third parties for marketing.
• We do not share your data with insurance companies, employers, data brokers, or advertisers.
• We do not use your data to train AI models.
• Caregivers you invite see only the specific categories of data you grant them, behind an NDA gate. You can change or revoke their access at any time, which removes the shared data from their device.

Third-party services we rely on

We keep third parties to a minimum, and we never send them data that identifies you alongside your health information:

• Apple — Sign in with Apple (name + email), Apple Health (if you opt in), and on-device AI (see below).
• Supabase (US-hosted) — stores your synced data only if you enable cloud sync.
• Sentry — crash and performance diagnostics, tied to a random identifier, with no health data.
• Open Food Facts and USDA FoodData Central — when you scan a food or beverage barcode, we send the barcode number to look up product nutrition. We do not send anything that identifies you.
• U.S. government health databases (NIH / National Library of Medicine RxNorm & RxTerms, and the FDA's openFDA / DailyMed) — when you add a medication or run an interaction check, we send the drug identifier needed for the lookup. We do not send your name, account, or any data identifying you.

Apple Health (HealthKit)

If you enable HealthKit in Settings, Valeska reads health data to display trends and include them in the visit-prep summaries you choose to share. Specifically, we do not:

• Write data back to Apple Health
• Share HealthKit data with advertisers, data brokers, or any third party
• Use HealthKit data for marketing or advertising
• Sell HealthKit data
• Use HealthKit data to train machine-learning models

You can turn HealthKit off any time in Settings → Apple Health, or revoke access in iOS Settings → Privacy & Security → Health → Valeska.

On-device AI

Valeska's AI runs on Apple's on-device foundation models. Pattern detection and the language-model narration that explains your insights happen entirely on your device. No voice audio, transcripts, or health data is sent to any external AI service — not to us, and not to OpenAI, Google, Anthropic, or anyone else.

How long we keep it

Data you sync is kept for as long as your account exists. When you delete your account:

• Your data is permanently removed from our servers within 30 days.
• Locally cached data is deleted from your device immediately.

Your rights

• Access — your data is visible to you in the app at any time.
• Export — via the visit-prep share function.
• Delete — delete your account and all data from Settings.
• Correct — by editing any entry in the app.
• Withdraw consent — by deleting your account at any time.

Washington residents (My Health My Data Act): you have the right to know what consumer health data we collect, to request its deletion, and to withdraw consent. We do not sell consumer health data.

California residents (CMIA / CCPA): you have the right to know, delete, and opt out of any sale of personal information. We do not sell personal information.

Other U.S. states: if you live in a state with a comprehensive consumer-privacy law (for example Virginia, Colorado, Connecticut, Oregon, Texas, or Florida), you may have similar rights to access, correct, delete, and opt out. Contact us and we'll honor them.

Security

• Encrypted connections (TLS) for all data in transit
• Encrypted local database (SQLCipher, AES-256) on your device
• Encrypted storage at the server database level
• Authentication required for all data access
• Per-user row-level authorization controls
• Optional two-factor authentication (TOTP)

No system is perfectly secure, but we design, test, and operate Valeska to keep your data protected.

Health breach notification

In the event of a breach of unsecured health data, we will notify affected users in accordance with the FTC Health Breach Notification Rule and applicable state breach-notification laws.

Children's privacy

Valeska is intended for adults managing chronic illness — including parents or caregivers managing a child's chronic illness. We do not knowingly collect data directly from children under 13. If you believe a child has provided us data directly, contact us and we'll remove it.

Changes to this policy

If we materially change how we handle your data, we'll notify you in the app and update the "Last updated" date at the top of this page.

Governing law

This policy is governed by the laws of the State of Florida, United States, without regard to its conflict-of-laws rules. Valeska is offered to users across the United States, and we honor the privacy rights described above regardless of where in the U.S. you live.

Contact us

Questions about this policy or your data? Email jackwilliams@phoenixckk.com.

PhoenixCKK LLC