Privacy Policy
DRAFT — This document is pending review by legal counsel and is not yet in effect.
Effective Date: [EFFECTIVE DATE]
Company: [COMPANY LEGAL NAME]
State of Incorporation: [STATE]
Support: [SUPPORT EMAIL]
Contact for privacy questions: [SUPPORT EMAIL]
Our Privacy Promise (Plain Language Summary)
Porchlight is built on a privacy-first architecture. We believe families deserve peace of mind without sacrificing the parent's dignity or control.
- Health trend computation happens entirely on the parent's device.
- We only ever receive summarized trend data (never raw heart rate samples, sleep stages, or full HealthKit records).
- Summaries are only uploaded with the parent's explicit, revocable consent.
- We never use health data for advertising. We never sell it. We never share it with third parties except the limited processors necessary to deliver the service (and only summaries + first names for digest generation).
- The parent always sees exactly what any family member sees and can revoke access in two taps.
- You can delete your account and all associated data at any time.
This policy explains what we collect, how we use it, and your rights. It applies to the Porchlight iPhone app, Watch app, and getbaseline.app website.
1. Information We Collect
Account & Subscription Information
- Name, email address (via Sign in with Apple)
- Subscription status and purchase history (via App Store / StoreKit)
- App preferences and settings (stored in iCloud Keychain / CloudKit for your devices only — never health data)
Health Trend Summaries (the core of the service)
When you enable family sharing as the parent, your device computes and uploads only:
- Per-metric baseline values (e.g., your typical resting heart rate range over the last 28 days)
- Deviation scores and direction (e.g., "resting heart rate drifting +4% over 6 days")
- Data completeness / confidence percentage
- Period covered (7-day, 28-day windows)
- First name (for personalized digests only)
We never receive raw HealthKit samples. Your Apple Watch continues to store all detailed health data locally on your devices. Porchlight never uploads heart rate time series, ECG, blood oxygen, full sleep architecture, etc.
Family & Consent Data
- Family membership records (who you invited, who accepted)
- Per-metric sharing toggles you set
- Consent timestamps and revocation timestamps
- Audit log entries (every time a family member views your summary — visible to you)
Technical & Diagnostic Data
- App version, device model, OS version (for crash reporting and compatibility)
- Anonymous usage analytics (via Vercel Analytics or Plausible — page views, feature usage; no health data, no cross-app tracking)
Website
- Waitlist email addresses (double opt-in)
- Standard server logs (IP address, user agent) retained briefly for security
We do not collect location data, contacts, photos, or any data from users under 18. The app is rated 17+ and enforces an age gate during onboarding.
2. How We Use Information
- To deliver the core service: Generate weekly plain-language digests, trigger family alerts when trends drift, produce on-device doctor-ready PDF reports, show caregiver dashboards.
- To maintain your account and subscriptions via StoreKit and App Store Server Notifications.
- To improve the product: Aggregate, anonymized trend patterns (e.g., "most 70+ users show stable activity after week 3 of calibration") — never tied to individuals.
- Legal and safety: Respond to lawful requests, prevent abuse, enforce our Terms.
We do not use health summaries to train AI models for any purpose beyond your immediate digest. We do not build profiles for advertising. We do not sell data.
3. Data Sharing & Processors
We share the minimum necessary data with these processors:
| Processor | Purpose | Data Shared | Notes |
|-----------------|----------------------------------|--------------------------------------|-------|
| Vercel | Hosting, API, Analytics | Account info, summaries (for API) | SOC 2, GDPR-ready |
| Neon (Postgres) | Database | Summaries, digests, audit logs, consent records | Encrypted at rest |
| Anthropic (Claude) | Weekly digest generation | Weekly trend summaries + first names only | Prompt strictly forbids medical language; output filtered |
| Apple (Sign in with Apple, APNs, StoreKit) | Authentication, push, billing | Name, email, subscription events | Apple's privacy commitments apply |
We require all processors to maintain appropriate security and confidentiality. They may only use the data for the specific purpose we specify.
No other sharing. We do not share with data brokers, advertisers, insurance companies, employers, or law enforcement except pursuant to a valid legal process (and we will notify you where legally permitted).
4. On-Device Processing & Data Minimization
This is the heart of Porchlight's design:
1. Your iPhone computes all baselines and drift detection locally using the PorchlightEngine (open-sourceable in the future).
2. Only when you explicitly turn on family sharing for a metric does a summary get uploaded over TLS.
3. Raw samples never leave your device.
4. When you revoke consent, the server is instructed to delete your summaries within 24 hours. The parent device can also queue a deletion even if offline.
5. Family members never receive raw data — only the same summarized view you approve.
5. Your Rights & Choices
You have the right to:
- Access your data (export summaries, digests, audit log from within the app)
- Correct inaccuracies (by providing more HealthKit data or adjusting wear habits)
- Delete your account and all associated data (Settings → Delete Account triggers full deletion path across database and any cached digests)
- Revoke family sharing at any time (instant for new views; summaries deleted server-side within 24h)
- Opt out of digests (toggle in settings)
- Request human support at [SUPPORT EMAIL]
For California residents (CCPA/CPRA): You have additional rights to know what personal information we collect, request deletion, and opt-out of any "sale" (we do not sell data).
For EEA/UK residents: We are GDPR-ready in our architecture even if not yet formally designated. You may exercise rights via [SUPPORT EMAIL].
Data Retention Schedule
- Active account: data retained while account is active + 30 days after deletion request to allow for graceful wind-down.
- Audit logs: retained 1 year for abuse prevention and legal compliance, then deleted.
- Waitlist emails: until you unsubscribe or 2 years of inactivity.
6. Security
- All health summary uploads use TLS 1.3.
- Database encrypted at rest.
- No long-lived raw health data on servers.
- App Store Server Notifications v2 for subscription state (no credit card data touches our servers).
- Regular security reviews as the product matures.
Despite our best efforts, no system is 100% secure. If you believe your account has been compromised, contact us immediately.
7. Children's Privacy
Porchlight is not directed to anyone under 18. We do not knowingly collect information from children. If we learn that a user is under 18, we will delete the account promptly. The app enforces an 18+ gate during onboarding.
8. Changes to This Policy
We may update this policy as the service evolves or laws change. Material changes will be notified via in-app message and email (if on file) at least 30 days before they take effect. Continued use after the effective date constitutes acceptance of the updated policy.
9. Contact Us
For any privacy questions, deletion requests, or concerns:
[SUPPORT EMAIL]
You may also write to:
[COMPANY LEGAL NAME]
Attn: Privacy
[STATE address placeholder]
This is a draft. Final version must be reviewed by counsel familiar with health-adjacent wellness apps, App Store Guideline 5.1.3, state privacy laws (CCPA, etc.), and cross-border data transfer rules. The technical claims in this policy (on-device processing, summaries only, 24h deletion commitment) must be verifiably true in the shipped code — this will be audited in Phase 8.
*Draft prepared July 2026*