Privacy Policy
Last updated: May 6, 2026
The short version
- We collect only what we need to make Tralo work for you.
- Sensitive entries are encrypted at rest using strong, modern ciphers.
- We don't sell your data. Ever. We don't share it with advertisers.
- You can export everything any time. You can delete your account any time.
- Tralo is built to HIPAA standards and complies with GDPR, CCPA, and equivalent laws.
1. Who we are
Tralo ("we", "our", "us") provides the Tralo mobile application and related services. We're committed to protecting your privacy and the security of your health information.
Important: Tralo is a personal health-tracking tool. It is not a medical device. It does not diagnose, treat, cure, or prevent any condition. Always consult a qualified healthcare professional.
2. Information we collect
From you, directly
- Account information: email, password (hashed), display name, date of birth
- Health information you log: symptoms, conditions, medications, mood, vitals, sleep, meals, photos, voice notes, journal entries
- Sharing data: the people you grant access to, what they can see, when access expires
- Communications: anything you send us through the contact form or by email
Automatically
- Device and usage data: device type, OS, app version, crash reports (anonymized)
- IP address (used for security, abuse prevention, and rough geolocation for compliance)
- Cookies on the website (see our Cookies page)
3. How we use information
- To provide and maintain the Tralo app and website
- To detect patterns in your own data and surface insights to you
- To send essential service emails (account verification, password reset, security alerts)
- To respond to your messages
- To improve the product through aggregated, anonymized analytics — never tied to your identity
- To comply with legal obligations
We do not sell your personal information. We do not share it with advertisers or data brokers. We do not use your health entries to train AI models.
4. How we protect information (HIPAA)
Tralo implements technical, physical, and administrative safeguards consistent with the HIPAA Security Rule:
- End-to-end encryption in transit (TLS 1.2+)
- AES-256-GCM encryption of sensitive fields at rest
- Strict access controls, audit logs, and least-privilege defaults
- Secure infrastructure providers with their own SOC 2 / ISO 27001 attestations
- Routine security review and breach response procedures
5. Sharing your information
We share information only in narrow, well-defined cases:
- People you choose: when you grant access via a Tralo share code
- Service providers: infrastructure, email delivery, error monitoring. All operate under strict data processing agreements.
- Legal requirements: if compelled by valid legal process; we'll notify you unless prohibited
- Business transfers: if Tralo is acquired, your data transfers under the same protections
6. Your rights
Regardless of where you live, you have the right to:
- Access a copy of your data
- Correct inaccurate information
- Delete your account and data
- Export your data in a portable format
- Object to or restrict certain processing
- Withdraw consent at any time
- Lodge a complaint with a data protection authority
Email [email protected] to exercise any right. We respond within 30 days.
7. International users
We comply with GDPR (EU/UK), CCPA (California), PIPEDA (Canada), the Privacy Act 1988 (Australia), the Privacy Act 2020 (New Zealand), and equivalent regimes in the regions we serve. We may transfer data internationally under appropriate safeguards (Standard Contractual Clauses or equivalent).
8. Children
Tralo is not intended for children under 13 (under 16 in some jurisdictions). We do not knowingly collect data from children. If we learn we have, we will delete it immediately.
9. Retention
We keep your data only as long as your account is active or as required by law. When you delete your account, your data is removed from our active systems immediately and from backups within 30 days.
10. Changes to this policy
We'll post material changes to this page and notify you by email before they take effect. Your continued use after the effective date means you accept the updated policy.
11. Contact
- General privacy questions: [email protected]
- EU/UK data subjects: [email protected]
- Data Protection Officer: [email protected]
- Security disclosures: [email protected]