🏥 Privacy Policy — "Little Patient"

Last updated: April 24, 2026 | Version: 1.2

In short: All your child's health data stays only on your phone, encrypted with AES-256. We have no access to it. The only thing that leaves your device is your email address for Firebase verification.

1. Who we are

The "Little Patient" app is created and maintained by:

Veronika Yankova
Address: Varna, Bulgaria
Email: veronikagrigorova@gmail.com

2. Data we process

2.1. Data that stays only on your device

Parent profile (name, hashed password)
Child profile (name, birth date, gender, school)
Health data: vaccinations, growth, allergies, chronic conditions, blood type and Rh factor, lab results (CBC, Biochemistry, Hormones, Urinalysis, Microbiology, Imaging, Allergy testing), visits, medications, dental, milestones

Protection: SQLCipher AES-256 + Android Keystore (hardware-backed)

2.2. Data that leaves your device

Data	Recipient	Purpose	Retention
Email address	Google Firebase Auth (EU)	Account verification	Until account deletion
Subscription status (yes/no)	Google Play Billing (EU)	Premium features	Until cancellation
Crash reports (opt-in)	Google (EU)	Bug fixing	90 days
Encrypted backup (Premium only, voluntary)	Google Drive API (EU)	Backup when changing phones	Until manually deleted

3. Emergency QR code

⚠️ Important: The QR code contains your child's blood type, allergies, chronic conditions, and GP information. Anyone with a phone camera can scan and read this data. If you add a home screen widget, the QR code is visible without unlocking your device.

4. Medical disclaimer

"Little Patient" is a personal health organizer. It is not a medical device under Regulation (EU) 2017/745. It does not replace medical consultation or clinical judgment. In an emergency, call 112.

5. Data retention and deletion

Data	Retention	How to delete
On-device data	Until uninstall	Settings → Delete all data
QR images	Until uninstall	Automatically deleted on uninstall
Exported files (JSON, PDF)	Your control	Delete manually from file manager
Google Drive backup files (Premium only)	Until manually deleted	Google Drive → Manage storage → App data → Little Patient
Firebase Auth account (email)	Until you delete it	Email veronikagrigorova@gmail.com — deleted within 30 days
Crash reports	90 days	Expire automatically
Google Play transactions	~10 years (tax law)	Legal obligation

6. Your rights (GDPR Art. 15–22)

Access (Art. 15) — Menu → Export
Rectification (Art. 16) — directly in the app
Erasure (Art. 17) — Settings → Delete all data
Portability (Art. 20) — Menu → Export → JSON
For Firebase data: email veronikagrigorova@gmail.com

7. Contact

Email: veronikagrigorova@gmail.com
Subject: "GDPR Request — [type of request]"
We respond within 30 days.

8. Supervisory authority

Commission for Personal Data Protection (CPDP) — Bulgaria
www.cpdp.bg