Legal

Privacy Policy

Last updated: April 2026 Effective: May 2026

Contents

Who we are
What we collect
Why we collect it
Lawful basis
Your health data
How we use your data
Who we share it with
How long we keep it
Your rights
Security
Cookies
Changes to this policy
Contact us

The short version: We collect only the data you give us (like weight, mood, meals) so we can run the app. We store it securely in the UK. We never sell it. You can export or delete it anytime.

1. Who we are

YourTracker is a product operated by YM Pharma Group Ltd ("we", "us", "our"), a company registered in England and Wales.

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we are the data controller of the personal information you provide to us.

Company: YM Pharma Group Ltd
Registered address: 2 Stadium Place, Leicester, LE4 0JS
Company number: 15111961
ICO registration number: ZB651921
Contact: [email protected]

2. What we collect

We only collect information that's necessary to provide and improve YourTracker. This falls into a few categories:

Account information

Your email address
Your name (optional)
Your password (stored as a one-way hash — we never see the plain text)

Health and tracking data

When you use the app, you choose what to log. This may include:

Your weight, height, and body measurements
Your GLP-1 medication type (e.g. Mounjaro, Wegovy), dose, and injection site/date
Your mood, energy, appetite, sleep, and side effects
Food, water, and protein intake
Progress photos (if you choose to upload them)
Goals and notes you create

Technical information

Device type and operating system
App version
Crash logs and anonymised performance data
IP address (used transiently for security)

Payment information

When you subscribe, your payment is processed by our payment provider (Stripe). We receive a transaction reference but do not receive or store your card details.

3. Why we collect it

We collect personal data for a small number of clearly defined purposes:

To provide the service — so you can log, track, and view your GLP-1 journey
To personalise your experience — so reminders, goals, and insights match your situation
To improve the product — understanding which features help people get results
To communicate with you — service updates, reminders, and (if you opt in) product news
To meet legal obligations — tax, consumer protection, fraud prevention

We do not use your personal data for advertising or sell it to third parties.

4. Lawful basis for processing

Under UK GDPR we must have a lawful basis for processing your data. Ours are:

Purpose	Lawful basis
Providing the core app functionality	Contract (Art. 6(1)(b))
Processing your health-related tracking data	Explicit consent (Art. 9(2)(a))
Product improvement and anonymised analytics	Legitimate interests (Art. 6(1)(f))
Marketing emails	Consent (Art. 6(1)(a))
Fraud prevention and security	Legitimate interests (Art. 6(1)(f))
Tax and accounting records	Legal obligation (Art. 6(1)(c))

5. Your health data

Data about your weight, medication, mood, and side effects is classified as special category health data under UK GDPR Article 9. We handle this with particular care.

We only collect health data you voluntarily enter into the app
We process it on the basis of your explicit consent
You can withdraw consent at any time by deleting your account or specific entries
We encrypt it in transit and at rest
We never share it with your employer, insurer, or any advertiser
If you choose to share a progress report with your pharmacist or GP, you control who it goes to and when

6. How we use your data

In practical terms, here's what happens with the data you provide:

On your device: Displayed in the app for your own use
On our servers: Stored encrypted on UK-based cloud infrastructure
For reminders: Processed to send you notifications at the times you set
For aggregate insights: Used in anonymised, combined form to understand what helps users succeed
For support: Accessed by a small authorised team if you raise a support issue

We share your data only with service providers strictly necessary to run YourTracker. These are:

Cloud hosting: [your hosting provider, e.g. Supabase / AWS eu-west-2] — stores your data in the UK/EU
Email delivery: [email provider, e.g. Resend / SendGrid] — to send you transactional and marketing emails
Payment processing: Stripe — to process subscription payments
Analytics: [analytics provider] — anonymised usage data only
Customer support tools: [support provider] — to help you when you contact us

We may also share data if required by law, a court order, or to protect the rights and safety of ourselves and others.

We do not sell your data to anyone.

8. How long we keep it

Account data: For as long as your account is active, plus 30 days after deletion
Health tracking data: For as long as your account is active; deleted within 30 days of account deletion
Billing records: 6 years (UK legal requirement)
Marketing data: Until you unsubscribe
Support tickets: 2 years after resolution

9. Your rights

Under UK GDPR you have the following rights:

Access — request a copy of the data we hold about you
Rectification — correct inaccurate or incomplete data
Erasure — have your data deleted ("right to be forgotten")
Restriction — limit how we process your data
Portability — receive your data in a machine-readable format
Objection — object to processing based on legitimate interests
Withdraw consent — withdraw any consent you've given, at any time
Complain — lodge a complaint with the Information Commissioner's Office

To exercise any of these rights, email [email protected]. We'll respond within 30 days.

10. Security

We take security seriously:

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
Passwords are hashed using industry-standard algorithms (bcrypt)
Access to production systems is restricted to a small, authorised team
We follow OWASP best practices for application security
Servers are hosted in ISO 27001-certified UK/EU data centres

In the unlikely event of a data breach affecting your personal information, we will notify the Information Commissioner's Office within 72 hours and inform you directly if the breach is likely to result in a high risk to your rights.

11. Cookies

Our website uses a small number of cookies. For details, see our Cookie Policy.

12. Changes to this policy

We may update this policy from time to time. If we make material changes, we'll notify you by email and update the "Last updated" date at the top of this page. Continued use of YourTracker after changes means you accept the revised policy.

13. Contact us

If you have any questions about this policy or how we handle your data, please get in touch:

Email: [email protected]
Post: YM Pharma Group Ltd, 2 Stadium Place, Leicester, LE4 0JS

You can also complain to the Information Commissioner's Office:

Website: ico.org.uk
Phone: 0303 123 1113