Privacy Policy
Effective date: April 1, 2026 · Last updated: April 1, 2026
PainLog ("we," "us," or "our") is operated by Result Horizon LLC. We are committed to protecting your privacy and the security of your personal health information. This Privacy Policy explains how we collect, use, store, and protect your data when you use the PainLog application and website.
1. Information we collect
When you use PainLog, we collect the following types of information:
- Account information: Email address and authentication credentials when you create an account. If you sign in with Google, we receive your name and email from Google.
- Health data: Pain logs you create, including pain level, symptoms, triggers, timestamps, duration, and any notes you enter. This information may constitute Protected Health Information (PHI) under HIPAA.
- Usage data: Basic technical information such as device type and browser version, collected automatically to ensure the app functions correctly.
2. How we use your information
We use your information solely to provide and improve the PainLog service:
- To create and manage your account
- To store and display your pain log entries
- To enable data export features (TXT, CSV, PDF)
- To provide AI-powered backfill features when you request them
- To maintain the security and functionality of the application
We do not sell, rent, or share your personal health information with third parties for marketing or advertising purposes. We will never monetize your health data.
3. Data storage and security
Your data is protected using industry-standard security measures:
- Encryption at rest: All health data is stored in AWS DynamoDB with AES-256 encryption.
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.3.
- User isolation: Your data is stored with a unique user identifier. No other user can access your entries.
- Authentication: Access to your data requires authentication through AWS Cognito, with optional multi-factor authentication (MFA).
- Session management: Sessions automatically expire after 15 minutes of inactivity.
- Audit logging: All access to infrastructure is logged via AWS CloudTrail.
- Backups: Point-in-time recovery is enabled, allowing data restoration within a 35-day window.
Our infrastructure is hosted on Amazon Web Services (AWS), which maintains HIPAA-eligible services and has signed a Business Associate Agreement (BAA) with us.
4. Third-party services
PainLog integrates with the following third-party services:
- Amazon Web Services (AWS): Cloud infrastructure, authentication (Cognito), and database (DynamoDB). AWS has signed a BAA with us.
- Google Sign-In: Optional authentication method. When used, Google provides us with your name and email address only. Google does not receive your health data.
- Anthropic (Claude API): Powers the AI backfill feature. When you use this feature, your notes are sent to the Anthropic API for processing. No data is retained by Anthropic after processing.
- Cloudflare: Hosts the static frontend application and provides CDN and security services.
5. Your rights
You have the following rights regarding your data:
- Access: You can view all your pain log entries at any time within the app.
- Export: You can export your complete data in TXT, CSV, or PDF format at any time.
- Correction: You can edit any entry at any time through the app.
- Deletion: You can delete individual entries at any time. To request complete account deletion, contact us at the address below.
- Portability: Your data export includes all fields in standard formats that can be used with other tools or shared with your healthcare provider.
6. Data retention
We retain your health data for as long as your account is active. If you delete your account, we will delete your data within 30 days. Backup copies may persist for up to 35 days in our backup systems before being automatically purged.
7. Children's privacy
PainLog is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will delete it promptly.
8. Cookies and tracking
PainLog does not use cookies for advertising or tracking. We use only essential authentication tokens stored in your browser's local storage to maintain your login session. We do not use analytics tracking, pixels, or third-party advertising scripts.
9. Breach notification
In the event of a data breach that affects your personal health information, we will notify affected users within 60 days of discovering the breach, as required by HIPAA and applicable law. Notification will be sent to the email address associated with your account.
10. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Continued use of PainLog after changes constitutes acceptance of the updated policy.
11. Contact us
If you have questions about this Privacy Policy or your data, or believe your privacy rights have been violated, contact us:
Result Horizon LLC
Email: privacy@painlog.org
You also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights. You will not be retaliated against for filing a complaint.