Security model

Your medication is not a monetizable data point.

Medtaker is built with the same approach we apply to enterprise clients: privacy by default, least privilege and traceable decisions. Here is how, without marketing.

Threat model

Risks we take seriously before writing code. If your app does not have an explicit threat model, what it has is assumptions.

Risk | Mitigation
Medical data exfiltration via server breach | There is no server. Treatment data does not leave the device, so there is no database to be breached.
Reselling health data to brokers or insurers | We do not collect data. No account, no telemetry, no advertising SDKs. The business model does not require extracting user information.
Lost phone | The OS encrypts local storage when there is a PIN or biometric lock. We recommend enabling screen lock; without it, no software protects sensitive data.
Remote spoofing or tampering with the medication plan | There is no remote API that can change the plan. It can only be changed from the device, with the app open.
Reminders not firing on time | We use the OS native local notification APIs, not external push services. Reliability is the system's, not an intermediate server's.

Principles we apply

Not slogans: each one matches a concrete technical decision.

Privacy by default

The initial configuration is the most private one. Sharing more requires an explicit action.

Least privilege

The app requests the minimum required permissions. If a permission is optional, you can use the app without it.

Local-first

All persistent data lives on the device. There is no automatic cloud sync.

No dark patterns

No giant "accept all" buttons next to tiny "reject" ones. No notifications that pretend to be errors when they are offers. No addictive gamification.

Documented decisions

Every requested permission is documented on this page and in the privacy policy. If something changes, it gets updated with a visible date.

Which data the app touches

Short list. Honest list.

Medication plan

Names, doses and schedules you write. Lives on the device. Encrypted by the OS if you have a PIN or biometric lock.

Intake history

For each dose, we store the timestamp and whether you confirmed it. No location, no sensors, no external data.

Notification preferences

Sounds, vibration, alert window. Local system configuration, not user attributes.

Advertising identifiers

None. The app does not read, store or send them anywhere.

Telemetry / analytics

Zero. We do not use Google Analytics, Firebase Analytics, Mixpanel, Amplitude or equivalents.

System permissions

Each permission justified in one line.

Permission | Why | Optional
Notifications | Required for reminders to ring. Without it, the app cannot do its job. | No
Exact alarms (Android 12+) | Lets the notification fire at the precise time, not in an approximate window decided by the system. | No
Run on device boot | To reschedule upcoming notifications when the phone is restarted. | No
Storage | Only if you export the history to a file. If you never export, the app does not request it. | Yes
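
An added example, not Medtaker's own code: a static check that reads a decoded AndroidManifest.xml and sorts its declared permissions into those listed in the table above, those that would contradict the "no server" and "no advertising identifiers" statements, and anything else. The mapping from table rows to Android permission names and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# ASSUMPTION: Android permission names matching the rows of the page's table.
DOCUMENTED = {
    "android.permission.POST_NOTIFICATIONS",      # Notifications
    "android.permission.SCHEDULE_EXACT_ALARM",    # Exact alarms (Android 12+)
    "android.permission.RECEIVE_BOOT_COMPLETED",  # Run on device boot
    "android.permission.WRITE_EXTERNAL_STORAGE",  # Storage (export only)
}
# Declaring either of these would contradict "there is no server" or
# "advertising identifiers: none".
CONTRADICTS = {
    "android.permission.INTERNET",
    "com.google.android.gms.permission.AD_ID",
}

def audit_manifest(manifest_xml):
    """Classify the permissions declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    declared = set()
    # uses-permission-sdk-23 applies on API 23+ only; it still counts as declared.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                declared.add(name.strip())
    return {
        "documented": sorted(declared & DOCUMENTED),
        "contradicts": sorted(declared & CONTRADICTS),
        "undocumented": sorted(declared - DOCUMENTED - CONTRADICTS),
    }

# Constructed sample manifests (not taken from any real app).
CLEAN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.SCHEDULE_EXACT_ALARM"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
  <uses-permission-sdk-23 android:name="android.permission.VIBRATE"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml_text in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, audit_manifest(xml_text))
```

An empty "contradicts" list means the manifest declares no network or advertising-ID permission; entries under "undocumented" are permissions the page's table does not account for.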

Technical FAQ

How can I verify no data is sent to a server?

Turn on airplane mode and use the app for a full medication cycle. If reminders fire normally and history is saved, you have your proof.

Is the app open source?

Not yet. We are evaluating publishing verifiable parts of the code (notification handler, data schema) under a license that allows review without enabling advertising clones. Until then, the privacy policy is binding.

Are there external audits?

Not today. The app is on its first release. Once volume justifies it, we will hire an external review and publish the full report, favorable or not.