How we handle your data.

Summary

Mapigo stores the readings, triggers, and settings you save in the app, plus the account fields needed to sign you in. The application runs on managed cloud hosting; the database is a managed Postgres-compatible service; transactional emails (password reset, email verification) are delivered through a transactional email relay. There is no third-party analytics, no advertising SDK, and no push-notification backend.

The strongest claim the app ever makes about a reading is “above the target you set.” It does not diagnose. See the terms and the medical disclaimer.

What we store

At a category level, the database holds:

• Account. Your email, an optional display name, and a one-way hash of your password. We never store the plaintext.
• Sign-in state. Active session records so you stay signed in across visits, plus the time and device-type of each sign-in.
• Readings. The numbers you log, when you logged them, and any note you wrote alongside.
• Triggers. The everyday things you choose to track next to your readings, with a quantity and an optional note.
• Settings. Your personal targets and your reminder schedule.
• Doctor shares. The active codes you generate, the date range each one covers, and an audit log of who used each code and when. The plaintext code is shown to you once and never written to the database.

We don’t store anything we don’t need for one of these purposes.

Where it lives

The application runs on managed cloud hosting and is served over HTTPS. The database is a managed Postgres-compatible relational service. The regions and the categories of service providers we use are listed on the service providers page; specific vendor identities are provided to data subjects on request.

The two hostnames are scoped tightly: the marketing apex (mapigo.health) never reads your data — it only renders this site. All authenticated work happens on app.mapigo.health, and the doctor-share entry point lives at app.mapigo.health/share.

Cookies & sessions

• Sign-in cookie on app.mapigo.health— HTTP-only, secure, lasts about a month and renews on activity. It’s how the app remembers you between visits.
• Doctor-share cookie scoped only to /share, so a doctor’s temporary session is fully isolated from your account.
• No analytics or advertising cookies. We don’t load Google Analytics, Segment, PostHog, Meta Pixel, or anything similar.

Third parties

These are the only categories of external systems that touch the data, and only for the purposes listed. The equivalent legal disclosure, including data categories and regions per processor, lives on the service providers page.

• Application hosting & content delivery — runs the web application and serves static assets. Sees request metadata (IP, browser, URL) the way any web host does.
• Managed Postgres-compatible database — stores everything you save through the app.
• Transactional email relay — delivers password-reset and email-verification messages. Sees your email address and the message body.
• Google(optional) — only involved if you press “Continue with Google.” Google’s consent screen returns your basic profile (account ID, email, name, avatar) to Mapigo.

No data is sold. No data is shared with insurers, employers, or advertising networks. No reading or note is sent to a third-party AI model.

Doctor share

The share flow is the most sensitive part of the app, so it has extra rules:

• Share codes are single-use and expire 48 hours after you generate them.
• We never store the plaintext code; if you lose it, you generate a new one.
• The doctor’s session is read-only and scoped to the date range you chose. They can’t see anything outside that window.
• Repeated wrong-code attempts are rate-limited.
• The doctor’s device doesn’t cache your data — the share pages opt out of offline caching.
• When you review who used your share, IP addresses are masked and devices are summarised to “Browser on OS” before being displayed.

Reminders

Reminders are scheduled locally by the installed PWA, not by a server. There’s no push-subscription endpoint and no background worker fanning out notifications. If you uninstall the PWA, no reminders fire — there’s nothing server-side to fire them.

What we don’t do

• No analytics or telemetry.The app doesn’t ship a tracking script.
• No advertising. No SDKs, no pixels, no retargeting.
• No model training.Your readings, notes, and triggers aren’t sent to any third-party model provider.
• No sale of data, ever.
• No diagnostic claims.The strongest line in the app is “above the target you set.”

Your controls

• Export your BP readings as CSV from the History screen — pick a range and tap the CSV button.
• Export everything as JSON from Settings → Your data. Includes BP entries, triggers, settings, doctor-share records, and the access log. The file is safe to share with a developer or doctor; we deliberately strip share-code hashes and lookup digests before writing it.
• Export just your triggers as CSV from Settings → Your data. Same shape as the BP CSV.
• Revoke a doctor share from the Shares screen — the code stops working immediately and the revocation is logged for you.
• Delete a reading or trigger from its screen.
• Delete your entire account from Settings → Your data → Delete account. Wipes every row we hold for you (readings, triggers, settings, shares, share access log). Cannot be undone; we keep only a hashed audit row that cannot be used to re-identify the account.
• Sign out everywhere by signing out — the active session record is removed.
• Off-band requests. If you have lost access to your account but want your data exported or your account deleted, email hello@mapigo.health with the subject line Data subject request. We respond within 30 days.

Children

Mapigo Health isn’t designed for users under 16. Parents tracking a child’s readings should do so under their own account.

Changes

When this page changes meaningfully, the “last updated” date at the top is bumped. Material privacy changes are also reflected in the privacy notice; that document governs your legal relationship with Zeevio LLC.