Privacy Policy

Last Updated: May 23, 2026

This Privacy Policy explains how Eodin Inc. ("we," "us," or "our") collects, uses, and protects your personal information when you use the Tempy mobile application ("App").

Information We Collect

Information You Provide

• Account Information: Email address when you create an account; name if you choose to provide it
• Child Health Data: Temperature readings, medication types, dosages, and administration times that you enter
• Child Profile Data: Child's name, date of birth, and weight (optional)
• Family Data: Family group membership and sharing preferences
• Parent Notes: Free-text notes you attach to fever episodes or medication entries (only when you choose to write them; included in PDF medical reports if you generate one)

Information Collected Automatically

• Device Information: Device type, operating system version, unique device identifiers
• Usage Data: App interactions, feature usage, timestamps
• Push Notification Tokens: For sending medication reminders, fever alerts, and outbreak notifications
• Crash Reports: Technical data when the App encounters errors (collected via Firebase Crashlytics; can be disabled in App settings)
• Approximate Location Data (Outbreak feature only): When you first open the Outbreak tab, the App may ask permission to use your device's approximate (city/country-level) location for the sole purpose of detecting which country to show outbreak alerts for. You can decline the prompt and pick a country manually at any time. The location reading itself is never sent to our servers — only the resolved country code (e.g., KR, BR) is used, and it stays on your device unless you've enabled cloud sync.
• Advertising Identifier (IDFA on iOS / Advertising ID on Android): If you grant permission via the Apple App Tracking Transparency prompt, we use this identifier solely for ad performance measurement and attribution (does Tempy convert from ads shown to you on other apps). Declining the prompt limits ad personalization but does not affect any App functionality.

Information from Third Parties

• Authentication Providers: If you sign in with Google or Apple, we receive your email address and basic profile information as permitted by your account settings
• WHO Disease Outbreak News (read-only): The App fetches anonymized public outbreak data from the World Health Organization's official REST API. No personal data is sent to WHO — the request is anonymous and the response is the same global outbreak feed for every Tempy user.

How We Use Your Information

We use your information to:

• Provide, maintain, and improve the Tempy service
• Calculate medication dosage references based on your child's weight
• Send medication reminders, fever alerts, and outbreak notifications you have enabled
• Surface outbreak alerts relevant to your country (via the auto-detected or user-picked country code)
• Share health data with family members you authorize
• Generate PDF medical reports (Pro feature) for sharing with healthcare providers
• Respond to your requests and provide customer support
• Analyze usage patterns to improve the App (using anonymized data)
• Measure advertising performance with the limited scope described above
• Comply with legal obligations

We do NOT use your health data for:

• Advertising or marketing purposes (your fever logs, medication history, and child profile are never used to target ads to you or anyone)
• Selling to third parties
• Creating health profiles for commercial purposes
• Training AI/ML models

Health Data Protection

Special Category Data

Health data is considered sensitive personal information under many privacy laws. We implement enhanced protections:

• Encryption: All health data is encrypted in transit (TLS 1.3) and at rest (AES-256 via Supabase + Firebase managed encryption)
• Access Controls: Strict access limitations to health data
• Minimal Collection: We only collect health data necessary for App functionality
• No Secondary Use: Health data is never used for purposes other than providing the service
• No Symptom Matching: The App displays general outbreak symptom information for awareness only — it never matches your child's logged symptoms against any disease database, because that would classify Tempy as a medical device under EU MDR / US FDA SaMD regulations.

Medical Disclaimer

The App provides dosage information for reference purposes only, based on publicly available FDA/AAP guidelines. The AI Coach feature is a rule-based message engine, not a personalized medical opinion. Outbreak alerts are informational summaries of WHO bulletins and do not replace your local public health authority's guidance. Always consult your pediatrician before giving any medication to your child.

Data Storage and Security

Where We Store Your Data

Your data is stored on secure servers provided by:

• Supabase (Database + Storage) — Servers located in the United States
• Firebase (Google Cloud) — Servers located in the United States
• RevenueCat (Subscription management) — Servers located in the United States

International Data Transfers

If you are located outside the United States, your data will be transferred to and processed in the United States. We ensure appropriate safeguards through:

• Standard Contractual Clauses (for EU/EEA users)
• Compliance with applicable data transfer regulations (GDPR, UK GDPR, Korean PIPA cross-border transfer requirements, etc.)

Security Measures

• TLS/SSL encryption for all data transmission
• AES-256 encryption for data at rest
• Row-level security (RLS) policies on every database table
• Regular security audits and penetration testing
• Employee access controls and training
• Incident response procedures

Data Sharing

We Do NOT:

• Sell your personal or health data to anyone
• Share your health logs with advertisers
• Use your health data for marketing
• Allow third parties to access your data for their own purposes

Third-Party Service Providers (Data Processors)

We share the minimum data necessary with the following processors, each bound by data-processing agreements (GDPR Article 28 equivalents):

Legal Disclosure

We may disclose your data if required by:

• Law, regulation, or court order
• Government or regulatory request
• Protection of our rights, safety, or property
• Emergency situations involving potential threats to safety

We may also retain data beyond the standard schedule below if subject to a legal hold (litigation, regulatory investigation), strictly for the duration of that obligation.

Data Retention

Inactive Accounts

If your account is inactive for 24 consecutive months, we will notify you by email before taking any action regarding your data.

Your Rights

Depending on your location, you may have the following rights:

All Users

• Access: Request a copy of your personal data
• Correction: Correct inaccurate data
• Deletion: Delete your account and all associated data
• Export: Export your health data in a portable format (CSV via Settings; PDF medical report via the Export Report feature for Pro subscribers)
• Opt-out: Disable non-essential notifications; disable analytics; disable crash reporting; revoke ad-tracking permission

European Union / EEA / UK Users (GDPR / UK GDPR)

• Legal Basis: We process your data based on consent (health data, location, advertising identifier) and contract performance (account data, subscription management)
• Restriction: Request restriction of processing
• Portability: Receive your data in a machine-readable format
• Object: Object to processing based on legitimate interests
• Withdraw Consent: Withdraw consent at any time without affecting prior processing
• Complaint: Lodge a complaint with your local data protection authority

California Residents (CCPA / CPRA)

• Know: Know what personal information we collect and how it's used
• Delete: Request deletion of your personal information
• Correct: Correct inaccurate personal information
• Opt-Out: Opt out of the sale or "sharing" of personal information (we do not sell or share your personal data in the CPRA sense)
• Limit: Limit use of sensitive personal information (health data is treated as sensitive by default)
• Non-Discrimination: Not be discriminated against for exercising your rights

Brazilian Residents (LGPD)

• You have rights similar to GDPR, including access, correction, deletion, anonymization, portability, and the right to know with whom your data has been shared

Korean Residents (PIPA — 개인정보 보호법)

• Access (열람권): Request a copy of your personal data
• Correction & Deletion (정정·삭제권): Correct or delete your personal data
• Processing Suspension (처리정지권): Suspend processing of your data
• Withdraw Consent (동의 철회권): Withdraw consent at any time
• Damages Claim: Right to claim damages if our handling causes harm (PIPA Article 39)
• Complaint: Lodge a complaint with the Personal Information Protection Commission (개인정보보호위원회)

For Korean users, the Privacy Officer (개인정보보호책임자) responsible for PIPA compliance is reachable at official@eodin.app.

Other Jurisdictions

• We comply with applicable local privacy laws in your jurisdiction

How to Exercise Your Rights

To exercise any of these rights:

1. In-App: Use the Account Settings to delete your account or export data
2. Email: Contact us at official@eodin.app
3. Response Time: We will respond within 30 days (or as required by law)

We may need to verify your identity before processing your request.

Children's Privacy

About This App

Tempy is designed for parents and guardians to track their children's health. We do not allow children to create accounts or use the App independently.

COPPA Compliance (US)

• We do not knowingly collect personal information directly from children under 13
• All child health data is entered and managed by parents or guardians
• Parents can view, modify, or delete their child's data at any time
• Advertising shown to free-tier users is filtered to non-personalized content when the device is in a likely-child context per Google AdMob's family-safe policies

If You Believe We Have Children's Data

If you believe we have inadvertently collected information directly from a child under 13, please contact us immediately at official@eodin.app and we will delete it.

Cookies and Tracking

What We Use

• Firebase Analytics: App usage patterns (can be disabled in Settings → Privacy)
• Eodin Analytics: Product event tracking (can be disabled in Settings → Privacy)
• Device Identifiers: For push notifications and crash reporting
• Advertising Identifier (IDFA / GAID): Only when you grant permission via Apple ATT or Android equivalent — used for AdMob attribution

Your Choices

You can opt out of analytics and ad tracking at any time:

• iOS: Settings → Privacy & Security → Tracking → Tempy → Off (revokes ATT permission)
• Android: Settings → Google → Ads → Delete advertising ID
• In-App: Settings → Privacy → toggle Analytics / Crash Reporting

Data Breach Notification

In the event of a data breach that affects your personal information:

• We will notify affected users within 72 hours of discovery (or as required by law)
• We will notify relevant regulatory authorities as required (including Korean PIPC for KR users, EU supervisory authority for EU/EEA users)
• We will provide information about what data was affected and steps you can take

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days before they take effect by:

• Posting a notice in the App
• Sending an email to your registered address

Your continued use after the effective date constitutes acceptance of the updated policy.

Contact Us

For questions about this Privacy Policy or to exercise your rights:

Eodin Inc.

Privacy Inquiries: official@eodin.app

Data Protection Officer (EU/EEA, UK): official@eodin.app

Privacy Officer (개인정보보호책임자, Korea): official@eodin.app

Mailing Address: Eodin Inc. [Mailing address to be confirmed before public release — see TODO in docs/legal-docs-audit.md] United States

Legal Basis for Processing (GDPR / UK GDPR)