OnTrack Privacy Policy

Effective date: March 2026

OnTrack, developed and operated by Orange LabX, is an AI-supported diabetes nutrition and health tracking product. This policy explains what data we collect, how we use it, where it is stored, and what rights users have over that data.

1. Medical Disclaimer

Important Notice

OnTrack is NOT for medical purpose and is NOT a medical device. It is intended for general wellness and educational purposes only and should not be used as a substitute for professional medical advice, diagnosis, or treatment. Always seek the advice of your physician or other qualified health provider with any questions you may have regarding a medical condition.

Providing medication records or A1C estimates within the app is for your internal tracking only and does not constitute a clinical diagnosis or medical prescription.

2. Applicable Regulations

Ghana

Data Protection Act, 2012 (Act 843)
National Information Technology Agency (NITA) guidelines

UAE / DIFC

UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL)
DIFC Data Protection Law, where applicable
Dubai Healthcare City rules, where applicable to health technology operations

International

GDPR, applicable to EU and UK users
Google Play Developer Program Policies, including health data requirements
Google Play Health App Policy & Health App Declaration
CCPA / CPRA, where serving California users
POPIA, where serving South African users
NDPR, where serving Nigerian users

3. Data We Collect

We collect account, profile, and health-related data needed to operate the app’s logging, meal planning, insight, and AI support features.

Data Type	Category	Sensitivity
Email address	Personal	Medium
Name	Personal	Medium
Blood sugar readings	Health / Medical	High
Meal plans and food logs	Health	Medium
Exercise logs	Health	Medium
Sleep logs	Health	Medium
Stress logs	Health / Mental	High
Medication records	Health / Medical	High
A1C estimates	Health / Medical	High
AI chat history	Health	High
Location (city / country)	Personal	Medium
Cuisine preferences	Personal	Low

4. Permissions & Prominent Disclosure

In-App Consent

In accordance with Google Play’s User Data Policy, OnTrack provides a Prominent Disclosure of sensitive data handling (such as blood sugar, medication, and stress logs) before any such data is collected. Users must provide explicit, affirmative consent within the app interface before recording starts.

5. Where Data Is Stored and How It Is Secured

Primary storage: Cloud Firestore on Google Cloud Platform
Region: us-central1 (Iowa, USA)
Firebase Authentication is required for all protected data access
Encryption at rest: AES-256, provided by Firebase by default
Encryption in transit: TLS 1.2+, provided by Firebase by default

Access controls

Personal data (`/users/uid/…`)

Users can only read and write documents under their own UID
No cross-user access to personal health data is allowed
No unauthenticated access

Anonymized system data (`/sharedMeals/…`)

Contains AI-generated meal templates, including titles, nutrition, and cooking instructions
Contains no personally identifiable information or raw health metrics
Readable by authenticated users as part of the shared meal cache
Write-capped at five variations per cache bucket through security rules
No user IDs, blood sugar values, or personal data are stored in this collection

6. How Data Flows Through the Product

User enters data in the app after reviewing the Prominent Disclosure.
Firebase Authentication verifies the user identity.
Firestore stores the data under that user’s unique UID.
For AI features, relevant health context is sent over HTTPS to a Cloud Function.
The Cloud Function verifies the auth token and calls the Gemini API.
The response is returned to the user for guidance purposes only.
AI-generated meal templates with NO PII may be stored in a global `sharedMeals` collection for efficiency.

On-device storage is limited to non-sensitive settings in SharedPreferences and Firestore offline persistence cache, protected by the device OS. Sensitive data is never stored in plain text outside managed app flows.

7. AI Processing & Generative AI Policies

OnTrack uses Google’s Gemini API for meal generation and guidance. We strictly adhere to Google’s Generative AI Prohibited Use Policy.

Data sent to Gemini is limited to what is necessary for processing the request.
Name and email address are NOT sent to the AI.
Gemini API use is stateless and data is NOT used for model training under applicable Google Cloud Enterprise terms.

8. Analytics

OnTrack uses Firebase Analytics to understand product usage and improve the app.

Analytics events use categorical labels (e.g., "meal_logged") to preserve privacy.
Raw health values (blood sugar, medication dosages) are NEVER sent to analytics.
User properties may include broad context like "Diabetes Type 2" for onboarding accuracy.

9. User Rights

Right	Implementation
Right to access	Users can view their data in the app.
Right to deletion	Delete My Account permanently removes account data.
Right to portability	Data export is available on request.
Right to rectification	Users can edit or delete logged entries.
Right to withdraw consent	Users can stop using the service and delete their account at any time.

10. Data Retention & Deletion

Active accounts: Data is retained for the duration of account activity.
Deleted accounts: Account data is permanently purged from Firestore within 30 days.
Users may initiate account deletion directly in the "Profile" section of the app.
AI chat logs under the user UID are deleted immediately upon account removal.

11. Third-Party Data Sharing

Orange LabX does not sell, rent, or share personal health data for advertising.

We share data only with infrastructure providers (Google/Firebase) strictly as service processors to enable core functionality. We do not use third-party advertising SDKs or sell data to brokers.

12. Contact

For privacy, deletion, export, or data handling requests, contact the Orange LabX Data Privacy Team at:
info@orangelabx.com.