Last updated: 22 June 2026.
1. Who we are
YourTracker is operated by YM Pharma Group Ltd, a UK company registered in England and Wales under company number 15111961, with its registered office in Leicester, United Kingdom. We are the data controller for the personal data this policy describes.
We are registered with the Information Commissioner's Office (ICO) under reference ZB651921, and with the General Pharmaceutical Council as a premises operator (GPhC #9012314).
For any privacy enquiry, email our Data Protection Officer at dpo@yourtracker.co.uk.
2. What we collect, and why
We collect four narrow categories of data — no more.
2.1 Account information
- Email address — to sign you in via a 6-digit one-time code and to send transactional emails (e.g. dose reminders if you've opted in).
- First name — to greet you on the Today screen and in emails. No other use.
Lawful basis: performance of a contract (UK GDPR Art. 6(1)(b)) — we can't sign you in or deliver the service without it.
2.2 Health-related data (special category)
- Your medication setup — drug name, dose strength, anchor habit, reminder time, pack size.
- Your daily dose logs — one row per day with timestamp and status (taken / late / missed / frozen).
- Your weight logs — what you typed, on which dates, in your chosen unit.
- Your refill events — when you started a new pack, plus optional notes you typed.
- Your notification preferences — which reminders you've turned on or off.
Some of this is data concerning your health. Under UK GDPR Art. 9 that is special category data. Our lawful basis is your explicit consent (Art. 9(2)(a)) — given when you complete onboarding and tap "Continue" on the medication step. You can withdraw that consent at any time by deleting your account from Profile → Privacy & data.
2.3 Technical data
- Push subscription handles — the technical credentials your browser or device gave us so we can send you medication reminders. On iOS, this is your APNs device token, handled via OneSignal. On web, this is your browser's push subscription.
- Standard server logs — IP address, user agent, request path, response status, retained for 90 days for security and abuse prevention.
Lawful basis: legitimate interests (Art. 6(1)(f)) — we have a legitimate interest in keeping the service available, secure, and free from abuse. We've balanced this against your interests and concluded the impact is minimal.
2.4 Marketing opt-ins
- Product updates checkbox — opt-in, off by default. If you tick it, you'll get an occasional email when we release new features.
Lawful basis: consent (Art. 6(1)(a)). Unsubscribe with one click from any email or by toggling the preference on /profile/notifications.
What we never collect: payment details (V1 is free), location data, contacts, device-fingerprint data, analytics events, or third-party advertising identifiers.
3. How we use your data
- To deliver the core service — sign you in, render your medication + progress, send dose-reminder + eating-window notifications.
- To compute the on-device features you see — streak count, pack count, weight trend. All calculations happen in our own database or on your device; no data is shared with any analytics tool.
- To send opted-in product updates if you've ticked that box.
- To keep the service secure (rate limits, abuse prevention).
We never sell your data. We never share it with advertisers, data brokers, or insurance companies. We never use it to train AI models.
4. Where your data lives, and who processes it
All data lives on UK or EU soil. We use four subprocessors, each bound by a UK GDPR-compliant data processing agreement:
- Supabase — managed Postgres database. Region: EU (London). Privacy: supabase.com/privacy.
- Vercel — hosts and serves the application code. Region: regional CDN edges with primary compute in London/Dublin. Privacy: vercel.com/legal/privacy-policy.
- OneSignal — push notification delivery for medication reminders. Region: data processed in the United States under the EU-US Data Privacy Framework. OneSignal stores: your Supabase user ID (as an external identifier), your device's push notification token, and delivery records of notifications we send you. OneSignal does not have access to your medication data, dose logs, or any other content from the app. Privacy: onesignal.com/privacy_policy.
- Resend — transactional email delivery (sign-in codes, dose reminders, account notifications). Privacy: resend.com/legal/privacy-policy.
No analytics SDKs. No advertising pixels. No fingerprinting libraries. The four subprocessors listed above are the only third parties that receive your data.
5. Security
- In transit: TLS 1.2 or higher across every network hop.
- At rest: database encrypted with AES-256.
- Access: production database access restricted to a small number of named operators with multi-factor authentication.
- Row-level security: every query against your data is gated by your authenticated session — even our own code can't accidentally read another user's data.
6. Retention
- Account data (profile, medications, dose logs, weight logs, refill events, preferences): retained until you delete your account. When you delete, every row is permanently removed within seconds — cascade delete via foreign-key rules.
- Server logs: auto-deleted after 90 days.
- Backups: Supabase keeps rolling 7-day operational snapshots for disaster recovery. They age out automatically; your data can't be retrieved from a backup after that window.
- Email transaction logs (Resend's send records): retained per their standard policy — typically 30 days.
- Push notification delivery records (OneSignal's send records): retained by OneSignal for 30 days for delivery troubleshooting, then automatically deleted by them.
7. Your rights
Under UK GDPR you have the rights below. We aim to action every request within 30 days, and in most cases the in-app tooling completes the action immediately.
- Right of access — Profile → Privacy & data → "Download my data" returns a complete JSON file with every row we hold.
- Right to rectification — edit your name and dose at any time via Profile. For anything else, email dpo@yourtracker.co.uk.
- Right to erasure — Profile → Privacy & data → "Delete my account" permanently removes everything.
- Right to data portability — the export above is a machine-readable JSON file.
- Right to restrict processing — email us and we'll set your account to a non-processing state pending the dispute.
- Right to object — turn off any reminder on /profile/notifications. Opt out of marketing emails on /profile/notifications or via the unsubscribe link in any email.
- Right to withdraw consent — for special-category data, deleting your account is the cleanest way. We can also restrict processing on request.
- Right to lodge a complaint — with the Information Commissioner's Office (ico.org.uk).
8. Cookies
We use a small number of strictly-necessary cookies. The full list, with purposes and lifetimes, is on the cookies page. No analytics, no advertising, no third-party cookies.
9. Children
YourTracker is for adults on prescribed medication. We don't knowingly accept signups from under-18s. If you believe a child has signed up, email dpo@yourtracker.co.uk and we'll delete the account.
10. Changes to this policy
For material changes we'll send you an email and post an in-app banner. The "Last updated" date at the top of this page reflects the most recent revision.
11. Contact
Data Protection Officer: dpo@yourtracker.co.uk
General enquiries: hello@yourtracker.co.uk
Postal: YM Pharma Group Ltd, Leicester, United Kingdom.