Legal
Privacy Policy
Last updated:
The short version
- ✓ We do not require an account to use our apps.
- ✓ Your blood pressure readings are stored on your device and synced via your personal iCloud. They only leave that boundary if you choose to use one of our optional AI features - see below.
- ✓ We do not sell, rent, or share your personal data with third parties.
- ✓ The only personal data we hold is what you voluntarily send us via the support form (name, email, message).
- ✓ If you are in the EU/EEA/UK you have full GDPR rights - see the section below.
Who we are
Harbour Made is an independent software studio. For the purposes of data protection law, Harbour Made is the data controller responsible for your personal data collected through this website and our support channel.
Contact: support form or privacy@harbourmade.com
Data we collect
Information you give us
When you submit our support form we collect your name, email address, subject, and message. This is the only personal data Harbour Made directly receives.
Health data in our apps
BP Tracker stores all blood pressure and pulse readings locally on your device. If you enable iCloud sync, Apple synchronises that data across your devices via your personal iCloud account. Harbour Made has no access to this data at any point - it never passes through our servers.
Analytics and crash data
We may receive anonymised, aggregated crash reports and basic usage metrics via Apple's built-in opt-in analytics (App Store Connect). These reports contain no personal identifiers and are subject to Apple's Privacy Policy.
Website server logs
Like all web servers, ours may record standard access logs (IP address, browser type, pages requested, timestamps). These logs are used for security and operational purposes only and are not linked to any personal profile.
How we use data
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Name & email (support) | Responding to your support request | Legitimate interest / contract performance |
| Health data (app) | Providing core app functionality | Processed locally - not accessible to Harbour Made |
| Readings sent for AI (opt-in) | Generating AI summaries or reading the display in monitor photos | Explicit consent (Art. 9(2)(a) UK GDPR) - see “AI features” |
| Crash & analytics (Apple) | Improving app stability and performance | Legitimate interest (anonymised) |
| Server logs | Security and infrastructure | Legitimate interest |
We will never use your data for advertising, profiling, or sell it to any third party.
iCloud & Apple services
BP Tracker uses Apple's CloudKit framework to sync data between your devices. This data is stored in your own iCloud account and is subject to Apple's Privacy Policy. Harbour Made cannot access, read, or modify your iCloud data.
In-app purchases are processed entirely by Apple. We do not receive your payment card details. Apple's handling of purchase data is governed by their own privacy policy.
AI features (optional)
BP Tracker has two AI-powered features that, if you choose to use them, briefly send some of your data to a third-party processor. Neither feature runs unless you tap a button to start it - the rest of the app works entirely offline.
What's sent and where
AI summary - when you ask the app to summarise your readings, the readings in the chosen date range are sent to Anthropic (the maker of Claude). The plain-text summary we receive is shown on screen and saved locally.
Camera scan - when you photograph your blood pressure monitor's display, the photo is sent to Anthropic to read the digits. We receive the numbers back and pre-fill the reading form. The photo is not stored.
How the data flows
AI requests are routed through a small, stateless proxy we operate on Cloudflare's network. The proxy forwards your request to Anthropic and returns the response - it does not log or persist your readings, photos, or the AI's responses. Cloudflare acts as a data processor on our behalf.
Anthropic processes your data only to generate the response for that single request. Per their commercial privacy policy: API inputs are not used to train Anthropic's models, and they retain inputs briefly (currently up to 30 days) for trust-and-safety review before deletion. Anthropic acts as a data processor on our behalf.
Legal basis
Blood pressure data is "special category" health data under UK and EU GDPR. We process it through AI features only with your explicit consent (UK GDPR Article 9(2)(a)) - the act of tapping "AI summary" or "Scan" is the consent. You can withdraw consent at any time by simply not using these features; nothing is sent in the background.
Device verification (App Attest)
To stop our proxy being abused by impersonators, the first time you use an AI feature your device uses Apple's App Attest service to register a device-bound public key with us. The key is generated in your device's secure hardware and contains no personal information; we use it only to verify that subsequent requests come from a genuine, unmodified copy of the app on your device. The corresponding private key never leaves your device.
Support contacts
When you contact us via the support form, your name, email address, and message are received and stored securely for the sole purpose of resolving your query. We retain support correspondence for up to 2 years in case of follow-up, after which it is permanently deleted.
We do not add support contacts to any mailing list or newsletter without explicit consent.
Data retention
Support messages - retained for up to 2 years, then permanently deleted.
Server logs - retained for up to 90 days for security purposes.
Health data (app) - stored only on your device/iCloud; deletion is fully in your control.
AI request data - Harbour Made does not store the readings or photos sent to AI features. Anthropic retains them briefly (currently up to 30 days) for trust-and-safety review per their policy, then deletes them.
App Attest device key - retained on our infrastructure for as long as you have the app installed; deleted on next uninstall+reinstall (the device generates a fresh key) or on request via privacy@harbourmade.com.
Your rights under GDPR
If you are located in the European Union, European Economic Area, or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and UK GDPR:
Right of access
You can request a copy of any personal data we hold about you.
Right to erasure
You can ask us to delete your personal data where there is no compelling reason for us to continue holding it.
Right to rectification
You can ask us to correct inaccurate or incomplete personal data.
Right to portability
You can request your personal data in a structured, machine-readable format.
Right to object
You can object to processing based on legitimate interests at any time.
Right to restrict
You can ask us to pause processing your data in certain circumstances.
To exercise any of these rights, contact us at privacy@harbourmade.com. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK, or your national supervisory authority in the EU).
Children's privacy
Our apps and website are not directed at children under 13 (or under 16 where applicable under GDPR). We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the "last updated" date at the top of this page. We encourage you to review this page periodically. Significant changes will be communicated via an in-app notice or the App Store release notes.
Contact us
For any privacy-related questions, data requests, or concerns, please reach out: