Dosera Privacy Notice

Effective: March 19, 2026 Last updated: March 19, 2026

1) Who we are

Dosera is a GLP-1 companion app operated by Virtual Traffic Lights. We help you track medication and wellness—without trading away your privacy. Questions? info@dosera.app

2) What this notice covers

• The information we handle
• How and why we use it
• Where it’s stored and who helps us run the service
• The choices and rights you have

For extra rules that apply to health information, see the Health Data Addendum at the end.

3) Our plain-English promises

• We don’t sell your data.
• We don’t use your health data for ads.
• Your health data stays on your device (not on our servers).
• We collect only what we need to run the app.
• You can export or delete your data.
• We keep server-side data in the EU by default.

4) Where Dosera runs (and what that means for your data)

• iOS & Android apps — Your health tracking data is stored locally on your device, encrypted with SQLCipher. Our EU servers (Hetzner) handle only account registration, device tokens, error logs, and service configuration.
• Sign-in — We use Firebase Authentication (EU) to manage login securely.
• Notifications — If you opt in to push reminders, we use Firebase Cloud Messaging (FCM) to deliver them.
• AI assistance — We use OpenAI for anonymous health insights and symptom guidance. No user identifiers or personal data are sent—only anonymized health information for analysis.
• Barcode lookup — Product barcodes are sent through our EU servers to OpenFoodFacts for food product identification.
• In-app support chat — Messages and optional attachments are sent to our servers for support purposes.
• App error logs — Batched error and warning logs are sent to our own servers (Hetzner EU) for debugging. We do not use Crashlytics.
• Support email — We use AWS to send/receive email.
• Website — Marketing info only. We’re not running analytics or advertising cookies right now.

5) Data we handle (and why)

Account data

Email address and a Dosera account ID

Why: create your account, secure access, sync across devices

Device registration

Hardware ID, device info, app version — used to register your device and provision a device token and encryption key

Why: secure device identification, enable encrypted communication

Health & wellness entries (stored locally on your device)

• GLP-1 medication courses (medication name, dose, frequency, injection site, titration schedule)
• Side effects and notes
• Body measurements (weight, body fat %, circumferences, lean mass, bone mass, water mass)
• Vital signs (heart rate, HRV, blood pressure, blood glucose)
• Nutrition (protein, calories, water)
• Sleep data (total, deep, REM, light, awake time)
• Activity data (steps, distance, exercise sessions, calories burned)
• Medical history and comorbidities
• Progress photos

Why: core app functionality so you can track progress

Health integrations (optional)

With permission, import from Apple Health or Android Health Connect (e.g., weight, nutrition, steps, sleep, heart rate)

Why: reduce manual entry

Camera/Photos (optional)

Photos of food for nutrition tracking, weight scale readings for automatic data entry, progress photos

Why: simplify data entry, improve tracking accuracy, and track visual progress

Device & app diagnostics

App/OS version, device info, batched error/warning logs sent to our EU servers

Why: keep the app reliable and secure

Notifications (optional)

A device token (via FCM) if you enable push

Why: send reminders you asked for

AI-powered insights (optional)

Anonymized health data sent to OpenAI for symptom analysis, side effect guidance, and personalized health insights

Why: provide intelligent assistance and insights about your health journey. All data is anonymized and contains no personal identifiers.

Barcode scanning (optional)

Product barcodes sent to our servers for food product lookup via OpenFoodFacts

Why: quick nutrition data entry by scanning product barcodes

In-app support chat

Messages and optional attachments you send through the app’s support feature

Why: provide customer support and resolve issues

Biometric authentication (optional)

Fingerprint or face recognition handled entirely by your device’s operating system

Why: protect access to the app. Biometric data is never stored or accessed by Dosera.

Cloud backups (optional)

Encrypted backup of your app data to your own Google Drive or iCloud account (AES-256-GCM encrypted with your backup password)

Why: restore your data on a new device or after reinstalling

Payments

If you buy via Apple or Google, they process the payment. We don’t see full payment details.

Support

Emails you send to info@dosera.app

6) How we use data

• Operate and improve Dosera
• Keep accounts secure and troubleshoot issues
• Send essential service messages
• Send opt-in push notifications
• Meet legal requirements and prevent misuse

We do not use health data for advertising. We do not sell personal data.

7) Legal bases (EEA/UK)

• Consent: health entries; Apple Health/Health Connect import; push notifications; camera/photo capture; AI-powered insights; in-app support chat; barcode scanning
• Contract: creating and maintaining your account; providing core app features; device registration; backup encryption key provisioning
• Legitimate interests: safeguarding the service; error log monitoring

You can withdraw consent in Settings. This won’t undo past lawful use.

8) Where we store data (our data map)

• Health & tracking data: Locally on your device (SQLCipher encrypted)
• Account & device registration: EU (our servers on Hetzner)
• Authentication: EU (Firebase Authentication)
• Error logs: EU (our servers on Hetzner) — batched app logs
• Push notifications: (Firebase Cloud Messaging) — device tokens only
• Email: (AWS) — transactional/support email
• Google Drive backup: User’s own Google Drive account (AES-256-GCM encrypted)
• iCloud backup: User’s own iCloud account (AES-256-GCM encrypted)
• Barcode lookup: OpenFoodFacts (proxied through our EU servers)
• AI processing: OpenAI (anonymized data only, no personal identifiers)
• Support chat: EU (our servers on Hetzner)

We work to keep data in the EU. If a provider processes limited data elsewhere, we use appropriate safeguards (e.g., SCCs).

9) How long we keep data

• Local app data: kept on your device until you delete items or uninstall the app
• Account & server data: kept until you delete your account
• Error logs: short operational periods for debugging
• Emails: as long as needed to respond and for records, unless you ask us to delete (where permitted)

We may retain minimal information required by law.

10) Your controls and rights

• Export: Settings → Import / Export data (CSV)
• Delete entries: delete individual entries in the app
• Delete account: in-app or by emailing us. Removes all server-side data. Local data is deleted when you uninstall the app. Google Drive or iCloud backups remain in your account.
• Access/Correct/Restrict/Object/Withdraw consent: available under applicable laws; we’ll help via info@dosera.app

We do not “sell” or “share” personal data for cross-context behavioral advertising.

11) Children and teens

• Under 13: you can’t use Dosera.
• Ages 13–17: you need parental consent to use the app.

12) International transfers

We prioritize EU hosting. If transfer outside your region happens, we use legally required safeguards.

13) Security—in short

Encryption in transit and at rest, role-based access, and vendor due diligence. No system is perfect, but we work hard to protect your data.

14) Changes to this notice

If we change this notice, we’ll update the date above and post the new version at dosera.app/privacy.

15) Contact

Virtual Traffic Lights info@dosera.app ULICA IVANA KUKULJEVIĆA 10 42000 Varaždin, Croatia

---

Health Data Addendum (extra rules for sensitive info)

What counts as health data

GLP-1 medication courses (medication name, dose, frequency, injection site, titration); side effects and wellness notes; body measurements (weight, body fat %, circumferences, lean mass, bone mass, water mass); vital signs (heart rate, HRV, blood pressure, blood glucose); nutrition (protein, calories, water); sleep data (total, deep, REM, light, awake); activity and exercise data (steps, distance, sessions, calories burned); progress photos; medical history and comorbidities; data you import from Apple Health/Health Connect; anonymized health information processed by AI for insights.

How we use it

Provide core features, help you track progress, improve reliability and security, meet legal duties. Never for advertising. Never sold.

Where it lives

Stored locally on your device (SQLCipher encrypted). Backed up to your own Google Drive or iCloud if you choose (AES-256-GCM encrypted with your backup password). Health data is not stored on Dosera’s servers.

Sharing

Only with providers that help run Dosera (Hetzner for account/device services, Firebase Auth/FCM, AWS email, OpenAI for anonymized AI processing, OpenFoodFacts for barcode lookup), or as required by law, or with your request. Providers must protect it and can’t use it for their own purposes. AI processing uses only anonymized data with no personal identifiers.

Your choices

• Turn health integrations, camera features, and AI insights on/off at any time
• Export (CSV) or delete in the app
• Withdraw consent (EEA/UK) in Settings or by contacting us
• Appeal a denied request where local law provides that right

Geofencing

We do not create or use geofences to target people based on health information.