GDPR and health apps: what to demand before installing


Why the GDPR matters even outside the EU

The General Data Protection Regulation covers EU residents and the companies processing their data. In practice, almost every international app applies a single GDPR-grade standard to all of its users, so the protection extends to users elsewhere too. That makes it a useful reference even if you live outside Europe.

What it says about health data

Article 9 classifies medical data as a "special category". Processing it requires a specific legal basis (explicit consent, performance of a healthcare contract, etc.) and reinforced obligations apply: minimization, purpose limitation, impact assessments, justified retention periods.

Practical pre-install checklist

  • Identification of the data controller. Name, address and country of the company collecting the data. If all you find is an alias and a Gmail address, that is a bad sign.
  • Explicit legal basis. The policy should state under which basis health data is processed. "Legitimate interest" for this kind of data is debatable.
  • List of subprocessors. Which providers receive data (hosting, analytics, support). A local-first app needs no subprocessors.
  • Retention period. How long data is kept and under what criterion. "Indefinitely" is not a valid answer.
  • User rights. How to exercise access, rectification, objection, portability and erasure. The clearer the steps, the more serious the controller.
  • International transfers. If data leaves the EU, what guarantees exist (standard contractual clauses, adequacy decisions). Especially relevant for US apps.
  • DPO or privacy contact. A company processing health data at scale should have an identifiable Data Protection Officer.

Common red flags

  • Generic policy copied from a generator, no names or addresses.
  • "We share with commercial partners to personalize your experience". If your experience is reading medication reminders, it does not need personalization.
  • A contact email that does not reply or that changes between versions.
  • An account-deletion button buried five layers deep.

What Medtaker proposes

Medtaker's model — no account, no server-side data, no subprocessors — simplifies compliance because it removes most of the points where apps tend to fail. The policy fits on one page and does not need to invent legal bases for data that is not processed. When we add any feature that requires off-device processing, we will declare it before enabling it.

Want to try Medtaker?

The app hits Google Play in the coming weeks. Meanwhile, learn how it protects your data and compare it to popular alternatives.