PRIVACY POLICY

Last updated: November 24, 2025

This privacy notice for StudySyncs ("we," "us," or "our") describes how and why we might collect, store, use, and/or share ("process") your information when you use our services ("Services"), such as when you:

    • Download and use our mobile application (StudySyncs), or any other application of ours that links to this privacy notice

    • Participate in our research study

    • Engage with us in other related ways, including any sales, marketing, or events

Questions or concerns? Reading this privacy notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at arjo@stanford.edu.

SUMMARY OF KEY POINTS

This summary provides key points from our privacy notice.

What personal information do we collect? We collect personal information you provide to us, including account information through Google Firebase Authentication and health data from Apple HealthKit with your explicit consent.

Do we process any sensitive personal information? Yes. We collect health information from Apple HealthKit when you grant us permission to access this data for research purposes.

Do we receive any information from third parties? We receive authentication information from Google Firebase and health data from Apple HealthKit with your permission.

How do we process your information? We process your information to provide our Services, conduct research, communicate with you, and comply with legal obligations.

How do we keep your information safe? We use organizational and technical security measures to protect your personal information, including secure transmission to our servers.

What are your rights? Depending on your location, you may have certain rights regarding your personal information, including the right to access, correct, or delete your data.

How do you exercise your rights? Contact us at arjo@stanford.edu to exercise your privacy rights.

1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us

In Short: We collect personal information that you provide to us, including health data from Apple HealthKit.

We collect personal information that you voluntarily provide to us when you register on the Services, participate in our research study, or otherwise contact us.

Personal Information Provided by You. The personal information we collect may include:

    • Names

    • Email addresses

    • Account credentials (via Google Firebase Authentication)

    • Research study participation information

Apple HealthKit Data. With your explicit consent, we collect health data from Apple HealthKit, including but not limited to:

    • Activity and fitness data (steps, distance, flights climbed, exercise minutes)

    • Body measurements (height, weight, body mass index)

    • Heart data (heart rate, heart rate variability, resting heart rate)

    • Sleep analysis data

    • Nutrition data

    • Mindfulness and mental health data

    • Vital signs (blood pressure, respiratory rate, blood oxygen)

    • Lab and test results

    • Reproductive health data

    • Mobility data

    • Other health records and clinical data available through HealthKit

IMPORTANT NOTICE REGARDING HEALTHKIT DATA: We access HealthKit data solely for research purposes. In accordance with Apple's requirements:

    • We will NOT use or disclose HealthKit data for advertising, marketing, or other use-based data mining purposes

    • We will NOT sell HealthKit data to third parties

    • We will NOT use HealthKit data for purposes other than providing health and/or research services as described in this policy

    • HealthKit data is transmitted securely and stored on our research servers

Sensitive Information. The health data we collect from HealthKit is considered sensitive personal information. We only process this data with your explicit consent and for the research purposes described in this notice.

Information automatically collected

In Short: Some information is collected automatically when you use our Services.

We automatically collect certain information when you use the Services. This information may include:

    • Device information (device type, operating system, unique device identifiers)

    • App usage data

    • IP address

    • Crash and performance data

This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.

2. HOW DO WE PROCESS YOUR INFORMATION?

In Short: We process your information to conduct research, provide our Services, communicate with you, and comply with legal obligations.

We process your personal information for the following purposes:

    • To conduct research. Your health data is used for health research purposes, including studying patterns in health metrics and investigating relationships between lifestyle factors and health outcomes. This research is conducted under the oversight of Stanford University.

    • To facilitate account creation and authentication. We use Google Firebase Authentication to manage user accounts securely.

    • To deliver services to you. We process your information to provide you with the requested service.

    • To respond to user inquiries and offer support. We may process your information to respond to your inquiries and resolve any issues.

    • To protect our Services. We may process your information to identify and prevent fraud, unauthorized access, and other harmful activities.

    • To comply with legal obligations. We may process your information to comply with applicable laws, regulations, and legal processes.

3. HOW IS YOUR HEALTH DATA HANDLED?

In Short: Your HealthKit data is transmitted securely to our research servers and handled with strict protections.

Data Transmission. When you grant permission, your HealthKit data is securely transmitted to our Amazon Web Services (AWS) EC2 servers. We use encryption in transit and at rest to protect your data.

Data Storage. Your health data is stored on secure AWS EC2 instances located in the United States.

Data Retention. We retain your health data for the duration of the research study plus five (5) years for data verification and publication purposes, or until you request deletion.

Research Use. Your data is used exclusively for research purposes as described in this policy and in any informed consent materials provided to you.

Withdrawal. You may withdraw from the study and request deletion of your data at any time by contacting us at arjo@stanford.edu.

4. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION?

In Short: We process your personal information based on your consent, contractual necessity, and legitimate interests.

We rely on the following legal bases to process your personal information:

    • Consent. We process your HealthKit data based on your explicit consent. You can withdraw your consent at any time by contacting us or revoking HealthKit permissions in your device settings.

    • Performance of a Contract. We process your account information to provide you with our Services.

    • Legitimate Interests. We may process your information for our legitimate research interests, where such interests are not overridden by your rights.

    • Legal Obligations. We may process your information to comply with applicable laws and regulations.

If you are located in the EU or UK, the General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on to process your personal information, as described above.

If you are located in Canada, we may process your information with your express or implied consent, or as otherwise permitted by applicable law.

5. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

In Short: We share information with specific third parties to provide our Services and conduct research.

We may share your personal information in the following situations:

    • Service Providers. We share information with third-party service providers that perform services on our behalf:

        - Google Firebase (authentication services)

        - Amazon Web Services (data storage and processing)

    • Research Collaborators. We may share de-identified or aggregated data with research collaborators at Stanford University for the purposes described in this policy.

    • Legal Requirements. We may disclose your information where required by law, court order, or governmental authority.

    • Business Transfers. We may share or transfer your information in connection with a merger, acquisition, or sale of assets.

We do NOT:

    • Sell your personal information or HealthKit data

    • Share HealthKit data for advertising or marketing purposes

    • Use HealthKit data for purposes unrelated to health services or research

6. HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We keep your information for as long as necessary for research and legal purposes.

We retain your personal information for as long as necessary to fulfill the purposes outlined in this privacy notice, unless a longer retention period is required by law.

    • Account Information: Retained while your account is active and for one (1) year after account deletion.

    • HealthKit Data: Retained for the duration of the research study plus five (5) years for data verification and publication purposes.

When we have no ongoing legitimate need to process your personal information, we will either delete or anonymize it, or securely store it until deletion is possible.

7. HOW DO WE KEEP YOUR INFORMATION SAFE?

In Short: We use technical and organizational security measures to protect your personal information.

We implement appropriate security measures including:

    • Encryption of data in transit (TLS/SSL)

    • Encryption of data at rest

    • Secure authentication through Firebase

    • Access controls limiting who can access research data

    • Regular security assessments

However, no electronic transmission or storage method is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.

8. DO WE COLLECT INFORMATION FROM MINORS?

In Short: We do not knowingly collect data from or market to individuals under 18 years of age.

We do not knowingly collect or solicit data from individuals under 18 years of age. By using the Services, you represent that you are at least 18 years old. If we learn that personal information from users under 18 has been collected, we will deactivate the account and take reasonable measures to delete such data. If you become aware of any data we may have collected from individuals under 18, please contact us at arjo@stanford.edu.

9. WHAT ARE YOUR PRIVACY RIGHTS?

In Short: You have rights regarding your personal information, including access, correction, deletion, and withdrawal of consent.

Your Rights:

    • Access. You may request access to the personal information we hold about you.

    • Correction. You may request correction of inaccurate personal information.

    • Deletion. You may request deletion of your personal information, subject to certain exceptions.

    • Withdraw Consent. You may withdraw consent for HealthKit data collection at any time through your device settings or by contacting us.

    • Data Portability. You may request a copy of your data in a portable format.

    • Opt-Out. You may opt out of certain data processing activities.

To exercise these rights, contact us at arjo@stanford.edu.

Withdrawing HealthKit Access: You can revoke our access to HealthKit data at any time by going to Settings > Health > Data Access & Devices > StudySyncs on your iOS device.

Withdrawing from Research: If you wish to withdraw from the research study and have your data deleted, please contact us at arjo@stanford.edu.

10. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

In Short: If you are a resident of California or other states with privacy laws, you have specific rights regarding your personal information.

California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

    • Know what personal information we collect and how it is used

    • Request deletion of your personal information

    • Opt-out of the sale of personal information (note: we do not sell personal information)

    • Non-discrimination for exercising your privacy rights

Categories of Personal Information Collected:

    • Identifiers (name, email, device identifiers)

    • Personal information under California Customer Records statute

    • Health information (from HealthKit, with consent)

    • Internet or network activity information

We do not sell personal information to third parties.

To exercise your California privacy rights, contact us at arjo@stanford.edu.

Other State Residents

Residents of Colorado, Connecticut, Utah, and Virginia have similar rights under their respective state privacy laws. To exercise these rights, contact us at arjo@stanford.edu.

11. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers include a Do-Not-Track ("DNT") feature. We do not currently respond to DNT signals as no uniform standard has been adopted. If a standard is adopted in the future, we will update this notice accordingly.

12. DO WE MAKE UPDATES TO THIS NOTICE?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this privacy notice from time to time. The updated version will be indicated by an updated "Last updated" date. If we make material changes, we may notify you through the app or by other means. We encourage you to review this notice periodically.

13. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this notice, you may email us at:

arjo@stanford.edu

14. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

You have the right to request access to the personal information we collect from you, change that information, or delete it. To submit a request, please email us at arjo@stanford.edu.

To revoke HealthKit access, go to Settings > Health > Data Access & Devices > StudySyncs on your iOS device.