Your health data stays yours.
This policy explains what Valeska collects, how it's used, who can see it, and the choices you have. Valeska is built local-first: your data lives in an encrypted database on your device. Pro and Family also use secure cloud sync and controlled sharing.
Who we are
Valeska is a personal chronic-care companion app published byPhoenixCKK LLC ("PhoenixCKK," "we," "us"). This policy applies to the Valeska app on iOS and this website. By using Valeska, you agree to the practices described here.
Our regulatory status
Valeska is a personal health-informatics tool. It helps you organize the data you enter and surfaces observational patterns from it.
- Valeska is not a medical device and does not diagnose, treat, or provide medical advice. Always consult a qualified clinician.
- PhoenixCKK is not a HIPAA-covered entity and does not act as a HIPAA "business associate." We are a consumer software company.
- Even though HIPAA doesn't apply to us, we built Valeska's data handling to a high standard anyway, and we comply with the consumer-health-privacy laws that do apply (see Your rights and Health breach notification).
What we collect
- Account information, your name and email address, received from your sign-in provider (Sign in with Apple, or Sign in with Google) when you create an account.
- Health information you enter, symptoms, medications, conditions, nutrition, water, mood, cycle data, questions for your doctor, severity ratings, notes, and the dates and times you log.
- Voice transcripts, when you use voice input, the transcribed text is processed on your device. Raw audio is never stored or transmitted.
- Apple Health data, only if you opt in: vitals (heart rate, blood pressure, blood oxygen, respiratory rate, body temperature), activity (steps, distance, energy), weight, sleep, and cycle data. If you separately enable write access, the app can also write entries you log yourself back to Apple Health (see Apple Health below).
- Documents you add, photos or scans of insurance cards, IDs, and medical records you choose to store in the app, plus the text the app extracts from them to fill in fields for you.
- Optional profile details, date of birth and gender, if you choose to add them. These stay on your device only, they are never uploaded, even with cloud sync turned on.
- Feature-usage events, if cloud sync is on, the app records which feature was used and when (for example, "water · logged") so we can understand which parts of Valeska matter. These events name features, never the content of what you logged, and are deleted from your device once uploaded.
- Crash & performance diagnostics, to keep the app stable, we collect crash reports and basic performance data through a diagnostics service (Sentry). These are tied only to a random app identifier and contain no health data.
What we do not collect
- Biometric identifiers, fingerprints, or facial-recognition data
- Your precise location
- Your contacts, photos, or files (beyond documents you choose to add)
- Cross-app or cross-website tracking
- Advertising identifiers, or any data used for advertising
How we use your information
Your information is used solely to:
- Provide the Valeska service to you
- Sync data for Pro and Family accounts and support sharing you choose
- Generate the visit-prep summaries you share with your doctor
- Look up reference information (drug and food data) you request
- Understand which features are used, so we can improve them
- Diagnose crashes and keep the app reliable
We do not use your health data for advertising, marketing, profiling, data mining, or to train AI models, and we never sell it.
Cloud sync for Pro and Family
Valeska works offline and keeps an encrypted local record. Cloud sync and backup are included and enabled for Pro and Family accounts so approved devices and caregivers can access the information you allow. You can turn sync off in Settings. While sync is active, data is stored on Supabase infrastructure hosted in the United States, encrypted in transit and at rest, and protected by per-user access controls.
Who has access
Your health data is private to you.
- We do not sell, rent, or share your information with third parties for marketing.
- We do not share your data with insurance companies, employers, data brokers, or advertisers.
- We do not use your data to train AI models.
- Caregivers you invite see only the specific categories of data you grant them, behind an NDA gate. You can change or revoke their access at any time, which removes the shared data from their device.
Dependent profiles and families
Valeska supports profiles for dependents, for example, a parent or legal guardian managing a child's chronic illness, or an adult managing care for a family member. Dependent profiles are created and controlled entirely by the adult account holder:
- All data in a dependent profile is entered by you, or by a caregiver you've invited, the app does not interact with or collect data directly from the dependent.
- Sharing is controlled per profile: a caregiver you invite to one profile sees nothing from your others, and you can revoke access at any time.
- Deleting a dependent profile, or your account, permanently removes that data (see How long we keep it).
Subscriptions and payments
Valeska's paid tiers (Pro and Family) are billed through Apple. The App Store processes the payment, we never see or store your card details. We receive and keep only your subscription status (which tier is active) so the app can unlock your features.
Third-party services we rely on
We keep third parties to a minimum, and we never send them data that identifies you alongside your health information:
- Apple, Sign in with Apple (name + email), Apple Health (if you opt in), and on-device AI (see below).
- Google, Sign in with Google (name and email), if you choose that sign-in option.
- Supabase (US-hosted), stores synced data while cloud sync is active.
- Sentry, crash and performance diagnostics, tied to a random identifier, with no health data.
- Open Food Facts and USDA FoodData Central, when you scan a food or beverage barcode, we send the barcode number to look up product nutrition. We do not send anything that identifies you.
- U.S. government health databases (NIH / National Library of Medicine RxNorm & RxTerms, and the FDA's openFDA / DailyMed), when you add a medication or run an interaction check, we send the drug identifier needed for the lookup. We do not send your name, account, or any data identifying you.
Apple Health (HealthKit)
If you enable HealthKit in Settings, Valeska readshealth data to display trends and include them in the visit-prep summaries you choose to share. If you separately enablewrite access, Valeska can also write entries you log yourself back to Apple Health, water intake, period and spotting days, cervical mucus, and sexual activity, so your Apple Health record stays complete. We only ever write what you logged. With HealthKit data, we do not:
- Share HealthKit data with advertisers, data brokers, or any third party
- Use HealthKit data for marketing or advertising
- Sell HealthKit data
- Use HealthKit data to train machine-learning models
You can turn HealthKit off any time in Settings → Apple Health, or revoke access in iOS Settings → Privacy & Security → Health → Valeska.
On-device AI
Valeska's AI runs on your device using Apple's on-device foundation models. Pattern detection and the language-model narration that explains your insights happen entirely on your device. No voice audio, transcripts, or health data is sent to any external AI service, not to us, and not to OpenAI, Google, Anthropic, or anyone else.
How long we keep it
Data you sync is kept for as long as your account exists. When you delete your account:
- Your data is permanently removed from our servers within 30 days.
- Locally cached data is deleted from your device immediately.
You can delete your account from inside the app, or request deletion without signing in from our account-deletion page.
Your rights
- Access, your data is visible to you in the app at any time.
- Export, via the visit-prep share function.
- Delete, delete your account and all data from Settings, or via our account-deletion page without signing in.
- Correct, by editing any entry in the app.
- Withdraw consent, by deleting your account at any time.
Washington residents (My Health My Data Act): you have the right to know what consumer health data we collect, to request its deletion, and to withdraw consent. We do not sell consumer health data.
California residents (CMIA / CCPA): you have the right to know, delete, and opt out of any sale of personal information. We do not sell personal information.
Other U.S. states: if you live in a state with a comprehensive consumer-privacy law (for example Virginia, Colorado, Connecticut, Oregon, Texas, or Florida), you may have similar rights to access, correct, delete, and opt out. Contact us and we'll honor them.
Security
- Encrypted connections (TLS) for all data in transit
- Encrypted local database (SQLCipher, AES-256) on your device
- Encrypted storage at the server database level
- Authentication required for all data access
- Per-user row-level authorization controls
- Optional two-factor authentication (TOTP)
No system is perfectly secure, but we design, test, and operate Valeska to keep your data protected.
Health breach notification
In the event of a breach of unsecured health data, we will notify affected users in accordance with the FTC Health Breach Notification Rule and applicable state breach-notification laws.
Children's privacy
Valeska is intended for adults managing chronic illness, including parents or caregivers managing a child's chronic illness. We do not knowingly collect data directly from children under 13. Health information about a child in a dependent profile is provided and controlled by the parent or guardian who created that profile (see "Dependent profiles and families" above). If you believe a child has provided us data directly, contact us and we'll remove it.
Changes to this policy
If we materially change how we handle your data, we'll notify you in the app and update the "Last updated" date at the top of this page.
Governing law
This policy is governed by the laws of the State of Florida, United States, without regard to its conflict-of-laws rules. Valeska is offered to users across the United States, and we honor the privacy rights described above regardless of where in the U.S. you live.
Contact us
Questions about this policy or your data? Emailinfo@valeska.app.
PhoenixCKK LLC